
lovemfc 2007-10-17 23:18

[原创] 全真同步SHELL 逆向源码~

软件作者:lovemfc
信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])


程序原地址在无花果大哥的网站上:
[url=http://www.cnasm.com/view.asp?classid=51&newsid=281]http://www.cnasm.com/view.asp?classid=51&newsid=281[/url]

我觉得这个SHELL东西比较有意思,就试着写出源码来。
这个小程序,在cnasm.com上已经介绍得很详细了,我就不罗嗦了。需要注意的是,从下面的源码可以看出这个协议没有任何认证:两端都把 UDP 端口绑定在 INADDR_ANY 上,任何能访问到 8123/8124 端口的主机都可以向客户端注入屏幕数据(并劫持按键的发送目标)、向服务端注入按键。

[code]
/*
* [url]www.lovemfc.cn[/url]
* 343789385
*-----------------
* pack.h
* 数据包
*------------------
*/
/* Values carried in HEAD.packType; they identify what follows the 16-byte header. */
#define KEY_SREEN 0x1002     /* server -> client: a console snapshot (SREEN_INFO); the only type the client accepts */
#define KEY_NO_CTRL 0x1003   /* client -> server: one raw INPUT_RECORD key event (KEY_INFO), replayed with WriteConsoleInput */
#define KEY_CTRL_C 0x1004    /* client -> server: Ctrl+C pressed; the INPUT_RECORD part of the packet is unused */
#define KEY_CTRL_BRAK 0x1005 /* client -> server: Ctrl+Break pressed; the INPUT_RECORD part of the packet is unused */


/*
 * Common 16-byte header at the start of every datagram in both directions.
 * There is no authentication or integrity protection anywhere in the protocol:
 * the client checks only packType and SreenBufferSize, the server only
 * switches on packType, and packHead is written by both senders but verified
 * by neither receiver (NOTE(review): both ends should at least check it).
 */
typedef struct head{
DWORD packHead; //0x12345678 -- magic value, set by both senders, never checked
DWORD packType; // 0x1002 0x1003 0x1004 0x1005 -- one of the KEY_* values above
DWORD SreenBufferSize; // size in bytes of the payload after the header (24036 for a screen, sizeof(INPUT_RECORD) or 0 for a key)
DWORD var_10004; //0x0 -- unused; the server zeroes it, the client never assigns it
}HEAD;
// 16 bytes
//16字节

/*
 * Client -> server datagram: header plus one raw INPUT_RECORD.  For
 * KEY_CTRL_C / KEY_CTRL_BRAK the client copies 0 bytes into Key, so unless the
 * sender zeroes the struct those 20 bytes go out uninitialised.
 */
typedef struct key_info{
HEAD packhead;
INPUT_RECORD Key; // 20 bytes; the server feeds it to WriteConsoleInput unchanged
}KEY_INFO;

/*
 * Snapshot of the server-side console, sent as the payload of a KEY_SREEN
 * datagram.  Its size must come out to 24036 bytes: that is the literal
 * client.c compares SreenBufferSize against, and server.cpp sends
 * sizeof(CONSOLE_BUFFER) in that field.  The odd Attribute[8001] is part of
 * making this reverse-engineered layout add up to that number; do not "fix" it.
 */
typedef struct console_buffer{
UINT wCodePageID;   // GetConsoleOutputCP() on the server; applied via SetConsoleOutputCP() on the client
DWORD Unkown1; // always zeroed by the server; purpose unknown
DWORD Unkown2; // always zeroed by the server; purpose unknown
CONSOLE_SCREEN_BUFFER_INFO csb; // 22 bytes; the client applies dwSize and dwCursorPosition from it
UCHAR Character[8000];   // 8000 cells read from (0,0) -- the 80x100 buffer both sides set up
WORD Attribute[8001];    // only 8000 entries are ever read/written; the last one is never filled
}CONSOLE_BUFFER;

/* Server -> client datagram: header followed by the console snapshot (16 + 24036 bytes). */
typedef struct sreen_info{
HEAD packhead; // 16 bytes; packType == KEY_SREEN, SreenBufferSize == sizeof(CONSOLE_BUFFER)
CONSOLE_BUFFER consoleBuffer;
}SREEN_INFO;
[/code]
[hr]
[code]
/*
* [url]www.lovemfc.cn[/url]
* 343789385
*-----------------
* client.c
* 客户端, RemoteCMD.exe 的逆向源码
*------------------
*/
#include <winsock2.h>
#include <string.h>
#include "pack.h"
#pragma comment (lib,"ws2_32.lib")

/* Console control handler registered by main(): forwards Ctrl+C / Ctrl+Break to the server. */
BOOL WINAPI HandlerRoutine( DWORD dwCtrlType );
/* Poll the socket for one KEY_SREEN datagram and paint it; always returns TRUE. */
BOOL RecvSreen();
/* Wait up to dwMilliseconds for a local console event and forward key events; always returns TRUE. */
BOOL KeyboardEvent( DWORD dwMilliseconds);
/* Send one KEY_INFO datagram of the given type to the last peer seen by RecvSreen(). */
void SendKeyInfo( int type , PINPUT_RECORD buffer , int u_size);



// Globals shared by main() and the helpers below.

SOCKET hsocket = 0;            // UDP socket bound to 0.0.0.0:8123 by main(); set non-blocking

HANDLE hConsoleOutput = 0;     // private screen buffer that the remote screen is painted into

COORD dwSize;                  // initial 80x100 buffer size applied in main()

PINPUT_RECORD Ctrl_NULL;       // never assigned (zero-initialised); passed as a NULL record for Ctrl packets

struct sockaddr toSockaddr;    // sender of the last screen packet; keystrokes are sent back to it (all-zero = no peer yet)

UCHAR cmdBuffer[6001] = {0};   // first 6000 bytes of the last painted CONSOLE_BUFFER, used to skip unchanged frames


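/*
 * Client entry point (RemoteCMD.exe).
 *
 * Opens a non-blocking UDP socket bound to 0.0.0.0:8123, creates a private
 * console screen buffer and then loops: RecvSreen() paints whatever screen
 * snapshot arrived, KeyboardEvent() forwards one local key event back to the
 * peer that sent the last valid snapshot.  A named mutex ("RemoteCMD") keeps a
 * second instance from starting.
 *
 * Security note: the port is bound on every interface and the protocol has no
 * authentication, so any host that can reach UDP/8123 can feed this console
 * screen data and make itself the destination for the keystrokes typed here.
 * Bind to 127.0.0.1 or firewall the port unless that exposure is intended.
 *
 * Fixes over the original: a NULL handle from CreateMutex is reported instead
 * of being misread through GetLastError(); the mutex is closed on the
 * "already running" path; cleanup is centralised so every failure path
 * releases exactly what was acquired; the bind address is zero-filled.
 */
void main()
{
    WSADATA wsaData;
    struct sockaddr_in bindSockaddr;
    SECURITY_ATTRIBUTES safe_attrib;
    COORD initialSize;
    HANDLE MutexClient;
    u_long nonBlocking = 1;
    BOOL wsaStarted = FALSE;

    /* Single-instance guard.  Test the handle before GetLastError(): a NULL
     * handle means CreateMutex itself failed, not that another copy runs. */
    MutexClient = CreateMutex( NULL, FALSE, "RemoteCMD" );
    if ( MutexClient == NULL )
    {
        MessageBox( 0,"create mutex fail...",NULL,MB_OK );
        return;
    }
    if ( GetLastError() == ERROR_ALREADY_EXISTS )
    {
        MessageBox( 0,"RemoteCMD has running...",NULL,MB_OK );
        CloseHandle( MutexClient );
        return;
    }

    if ( WSAStartup( MAKEWORD(1,1), &wsaData ) )
    {
        MessageBox( 0,"WSAStartup fail...",NULL,MB_OK );
        goto cleanup;
    }
    wsaStarted = TRUE;

    hsocket = socket( AF_INET, SOCK_DGRAM, 0 );
    if ( hsocket == INVALID_SOCKET )
    {
        MessageBox( 0,"create socket handle fail...",NULL,MB_OK );
        goto cleanup;
    }

    /* Non-blocking: RecvSreen() polls with recvfrom() and must not stall the key loop. */
    if ( ioctlsocket( hsocket, FIONBIO, &nonBlocking ) )
    {
        MessageBox( 0,"ioctlsocket fail...",NULL,MB_OK );
        goto cleanup;
    }

    memset( &bindSockaddr, 0, sizeof(bindSockaddr) );
    bindSockaddr.sin_family = AF_INET;
    bindSockaddr.sin_port = htons(8123);
    bindSockaddr.sin_addr.s_addr = INADDR_ANY;   /* reachable from every interface -- see note above */

    if ( SOCKET_ERROR == bind( hsocket, (const struct sockaddr *)&bindSockaddr, sizeof(bindSockaddr) ) )
    {
        MessageBox( 0,"Bind RemoteCMD port fail...",NULL,MB_OK );
        goto cleanup;
    }

    /* Ctrl+C / Ctrl+Break are forwarded to the remote shell instead of ending this process. */
    SetConsoleCtrlHandler( HandlerRoutine, TRUE );

    SetConsoleTitle("RemoteCMD V1.0 coder by lovemfc.cn QQ:343789385!");

    safe_attrib.nLength = sizeof(SECURITY_ATTRIBUTES);
    safe_attrib.lpSecurityDescriptor = NULL;
    safe_attrib.bInheritHandle = TRUE;

    /* A private screen buffer, so the remote screen can be painted at absolute coordinates. */
    hConsoleOutput = CreateConsoleScreenBuffer( GENERIC_READ|GENERIC_WRITE,
                                                FILE_SHARE_READ|FILE_SHARE_WRITE,
                                                &safe_attrib,
                                                CONSOLE_TEXTMODE_BUFFER,
                                                NULL);
    if ( hConsoleOutput == INVALID_HANDLE_VALUE )
    {
        SetConsoleCtrlHandler( HandlerRoutine, FALSE );
        goto cleanup;
    }

    /* Default 80x100; RecvSreen() later resizes to whatever the server reports. */
    initialSize.X = 80;
    initialSize.Y = 100;
    SetConsoleScreenBufferSize( hConsoleOutput, initialSize );
    SetConsoleActiveScreenBuffer( hConsoleOutput );

    /* Main loop.  Both helpers always return TRUE, so this runs until the
     * process is ended from outside (e.g. the console window is closed). */
    while ( RecvSreen() )
    {
        if ( !KeyboardEvent( 100 ) )
        {
            break;
        }
    }

    SetConsoleCtrlHandler( HandlerRoutine, FALSE );
    CloseHandle( hConsoleOutput );

cleanup:
    if ( hsocket != 0 && hsocket != INVALID_SOCKET )
    {
        closesocket( hsocket );
    }
    if ( wsaStarted )
    {
        WSACleanup();
    }
    CloseHandle( MutexClient );
}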

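/*
 * Poll the socket once for a KEY_SREEN datagram and, if one arrived, paint it
 * into our console.  Always returns TRUE; "nothing pending" and "bad packet"
 * are both silently ignored.
 *
 * Validation done before anything touches the console or the peer address:
 *   - the datagram is exactly sizeof(SREEN_INFO) bytes, so every field used
 *     below was actually received (the original accepted anything >= 16 bytes
 *     and then painted whatever was left on the stack);
 *   - packHead carries the 0x12345678 magic the server always writes;
 *   - packType == KEY_SREEN and SreenBufferSize == 24036, the literal the
 *     original compared against (== sizeof(CONSOLE_BUFFER) as laid out in pack.h).
 * Only a datagram that passes becomes the new toSockaddr, i.e. the address
 * SendKeyInfo() sends keystrokes to.  The original let recvfrom() overwrite
 * toSockaddr with the sender of *any* datagram.  This is still not
 * authentication -- anyone who can send a well-formed snapshot can hijack
 * the keystroke destination -- it only stops stray packets from doing so.
 */
BOOL RecvSreen()
{
    SREEN_INFO buffer;
    struct sockaddr from;
    int fromlen = sizeof(from);
    int received;
    DWORD written;
    COORD origin;

    received = recvfrom( hsocket, (PCHAR)&buffer, sizeof(SREEN_INFO), 0, &from, &fromlen );
    if ( received != (int)sizeof(SREEN_INFO) )
    {
        /* SOCKET_ERROR (nothing pending on the non-blocking socket, or a
         * truncated oversized datagram) or a short datagram. */
        return TRUE;
    }
    if ( buffer.packhead.packHead != 0x12345678 )
    {
        return TRUE;
    }
    if ( buffer.packhead.packType != KEY_SREEN )
    {
        return TRUE;
    }
    if ( buffer.packhead.SreenBufferSize != 24036 )
    {
        return TRUE;
    }

    /* A valid snapshot: its sender is now where keystrokes go. */
    memcpy( &toSockaddr, &from, sizeof(toSockaddr) );

    /* Skip the repaint when nothing changed.  NOTE(review): the cache covers
     * only the first 6000 bytes (code page, csb and ~5966 characters), so a
     * change confined to later characters or to attributes is not repainted;
     * kept as-is to match the original binary. */
    if ( memcmp( &buffer.consoleBuffer.wCodePageID, cmdBuffer, 6000 ) == 0 )
    {
        return TRUE;
    }

    origin.X = 0;
    origin.Y = 0;

    /* Attributes first, then characters, both from (0,0).  Return values are
     * ignored as in the original: a failed paint just leaves a stale screen
     * until the next snapshot. */
    WriteConsoleOutputAttribute( hConsoleOutput, (const WORD *)buffer.consoleBuffer.Attribute, 8000, origin, &written );
    WriteConsoleOutputCharacter( hConsoleOutput, (const char *)buffer.consoleBuffer.Character, 8000, origin, &written );

    /* Mirror the server's buffer size, cursor and output code page.  These are
     * peer-controlled values; the console API's own checks are the only limit. */
    SetConsoleScreenBufferSize( hConsoleOutput, buffer.consoleBuffer.csb.dwSize );
    SetConsoleCursorPosition( hConsoleOutput, buffer.consoleBuffer.csb.dwCursorPosition );
    SetConsoleOutputCP( buffer.consoleBuffer.wCodePageID );

    memcpy( cmdBuffer, &buffer.consoleBuffer, 6000 );
    return TRUE;
}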

/*
 * Wait up to dwMilliseconds for console input.  If the next event is a key
 * event it is forwarded to the server as a KEY_NO_CTRL packet; any other
 * event type (mouse, resize, focus, menu) is consumed and dropped.
 * Always returns TRUE.
 */
BOOL KeyboardEvent( DWORD dwMilliseconds)
{
    HANDLE stdIn = GetStdHandle( STD_INPUT_HANDLE );
    INPUT_RECORD record;
    DWORD eventsRead;

    if ( WaitForSingleObject( stdIn, dwMilliseconds ) != WAIT_OBJECT_0 )
    {
        return TRUE;   /* timeout or wait failure: nothing to forward this round */
    }
    if ( !ReadConsoleInput( stdIn, &record, 1, &eventsRead ) )
    {
        return TRUE;
    }
    if ( record.EventType == KEY_EVENT )
    {
        SendKeyInfo( KEY_NO_CTRL, &record, sizeof(INPUT_RECORD) );
    }
    return TRUE;
}

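/*
 * Build a KEY_INFO datagram and send it to toSockaddr, the peer recorded by
 * RecvSreen().  Nothing is sent until a peer is known.  The datagram is
 * always sizeof(KEY_INFO) bytes regardless of u_size, as in the original.
 *
 * type    one of KEY_NO_CTRL / KEY_CTRL_C / KEY_CTRL_BRAK
 * buffer  the INPUT_RECORD to forward, or NULL when u_size is 0
 * u_size  bytes to copy from buffer; clamped to [0, sizeof(INPUT_RECORD)]
 *
 * Fixes over the original: the packet is zeroed first, so var_10004 and the
 * unused Key bytes of Ctrl packets no longer carry stack contents onto the
 * wire; memcpy is skipped for a NULL / 0-length buffer (memcpy with a NULL
 * source is undefined even for 0 bytes); u_size cannot overrun key_send.Key.
 */
void SendKeyInfo( int type , PINPUT_RECORD buffer , int u_size)
{
    KEY_INFO key_send;
    DWORD peerBytes;

    memset( &key_send, 0, sizeof(key_send) );

    if ( buffer != NULL && u_size > 0 )
    {
        if ( u_size > (int)sizeof(INPUT_RECORD) )
        {
            u_size = sizeof(INPUT_RECORD);
        }
        memcpy( &key_send.Key, buffer, (size_t)u_size );
    }
    else
    {
        u_size = 0;
    }

    key_send.packhead.packHead = 0x12345678;
    key_send.packhead.packType = type;
    key_send.packhead.SreenBufferSize = u_size;
    key_send.packhead.var_10004 = 0;

    /* "No peer yet" is detected the way the original did it: the first four
     * bytes of sa_data (port and first half of the IPv4 address) are still
     * zero.  Read through memcpy instead of a DWORD cast to avoid the
     * aliasing/alignment issue of the original expression. */
    memcpy( &peerBytes, toSockaddr.sa_data, sizeof(peerBytes) );
    if ( peerBytes != 0 )
    {
        sendto( hsocket, (const char *)&key_send, sizeof(KEY_INFO), 0, &toSockaddr, sizeof(toSockaddr) );
    }
}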

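/*
 * Console control handler registered by main().  Ctrl+C and Ctrl+Break are
 * turned into KEY_CTRL_C / KEY_CTRL_BRAK packets for the remote shell and
 * reported as handled (TRUE) so this client is not terminated.  Every other
 * event (close, logoff, shutdown) returns FALSE so the default handler runs.
 *
 * Fix: the original CTRL_BREAK_EVENT case had no break and fell through into
 * default, returning FALSE after sending the packet, which leaves the default
 * handler to run and end the process on Ctrl+Break.
 */
BOOL WINAPI HandlerRoutine( DWORD dwCtrlType )
{
    switch ( dwCtrlType )
    {
    case CTRL_C_EVENT:
        SendKeyInfo( KEY_CTRL_C, NULL, 0 );
        return TRUE;
    case CTRL_BREAK_EVENT:
        SendKeyInfo( KEY_CTRL_BRAK, NULL, 0 );
        return TRUE;
    default:
        return FALSE;
    }
}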
[/code]
[hr]
[code]/*
* [url]www.lovemfc.cn[/url]
* QQ:343789385
*-----------------
* server.cpp
* 服务端,RemoteCMDS.exe 的逆向源码
*------------------
*/


#include <winsock2.h>
#include <string.h>
#include "pack.h"
#pragma comment (lib,"ws2_32.lib")




/* Console control handler: swallows the Ctrl+C / Ctrl+Break events RecvKeyInfo() generates for the child shell. */
BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
/* One poll cycle: consume at most one key datagram, apply it, then send a screen snapshot; always returns TRUE. */
BOOL RecvKeyInfo();
/* Wrap a CONSOLE_BUFFER in a SREEN_INFO header and send it to 127.0.0.1:8123. */
void SendSreenBuffer( int type , CONSOLE_BUFFER *buffer , int u_size);


SOCKET hsocket = 0;         // UDP socket bound to 0.0.0.0:8124 by WinMain(); set non-blocking
DWORD cout = 0;             // tick count used by RecvKeyInfo()'s unknown-packet branch (not std::cout; no namespace is imported)
HANDLE hConsoleOutput = 0;  // screen buffer the child cmd.exe writes to and RecvKeyInfo() snapshots

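/*
 * Server entry point (RemoteCMDS.exe).
 *
 * Binds a non-blocking UDP socket to 0.0.0.0:8124, allocates a hidden console
 * with a private screen buffer, and then forever: spawns cmd.exe with its
 * stdout/stderr on that buffer and, until the child exits, lets RecvKeyInfo()
 * replay incoming key packets into the console and ship snapshots of the
 * buffer back.  When cmd.exe exits it is respawned.
 *
 * Security note: there is no authentication.  Any host that can reach
 * UDP/8124 can type into this shell, which runs with this process's token.
 * Snapshots go to the hard-coded 127.0.0.1:8123 (see SendSreenBuffer), so as
 * reverse-engineered the pair only works on one machine or through a port
 * forward.
 *
 * Fixes over the original: a NULL handle from CreateMutex is distinguished
 * from "already running"; cleanup is centralised so every path releases the
 * mutex, socket, Winsock and screen buffer; cmd.exe is started by absolute
 * path under the system directory instead of "CMD.EXE", which CreateProcess
 * would otherwise resolve through the current directory and PATH (binary
 * planting); the bind address is zero-filled.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
    WSADATA wsaData;
    struct sockaddr_in bindSockaddr;
    SECURITY_ATTRIBUTES safe_attrib;
    STARTUPINFO startupInfo;
    PROCESS_INFORMATION procInfo;
    COORD initialSize;
    HANDLE MutexClient;
    char shellPath[MAX_PATH + 16];
    UINT sysDirLen;
    u_long nonBlocking = 1;
    BOOL wsaStarted = FALSE;

    /* Single-instance guard; test the handle before GetLastError(). */
    MutexClient = CreateMutex( NULL, FALSE, "RemoteCMDS" );
    if ( MutexClient == NULL )
    {
        MessageBox( 0,"create mutex fail...",NULL,MB_OK );
        return 0;
    }
    if ( GetLastError() == ERROR_ALREADY_EXISTS )
    {
        MessageBox( 0,"RemoteCMDS has running...",NULL,MB_OK );
        CloseHandle( MutexClient );
        return 0;
    }

    if ( WSAStartup( MAKEWORD(1,1), &wsaData ) )
    {
        MessageBox( 0,"WSAStartup fail...",NULL,MB_OK );
        goto cleanup;
    }
    wsaStarted = TRUE;

    hsocket = socket( AF_INET, SOCK_DGRAM, 0 );
    if ( hsocket == INVALID_SOCKET )
    {
        MessageBox( 0,"create socket handle fail...",NULL,MB_OK );
        goto cleanup;
    }

    /* Non-blocking: RecvKeyInfo() polls between 100 ms waits on the child. */
    if ( ioctlsocket( hsocket, FIONBIO, &nonBlocking ) )
    {
        MessageBox( 0,"ioctlsocket fail...",NULL,MB_OK );
        goto cleanup;
    }

    memset( &bindSockaddr, 0, sizeof(bindSockaddr) );
    bindSockaddr.sin_family = AF_INET;
    bindSockaddr.sin_port = htons(8124);
    bindSockaddr.sin_addr.s_addr = INADDR_ANY;   /* every interface -- see note above */

    if ( SOCKET_ERROR == bind( hsocket, (const struct sockaddr *)&bindSockaddr, sizeof(bindSockaddr) ) )
    {
        MessageBox( 0,"Bind RemoteCMD port fail...",NULL,MB_OK );
        goto cleanup;
    }

    /* Resolve <system directory>\cmd.exe explicitly so no PATH / CWD search happens. */
    sysDirLen = GetSystemDirectory( shellPath, MAX_PATH );
    if ( sysDirLen == 0 || sysDirLen >= MAX_PATH )
    {
        MessageBox( 0,"GetSystemDirectory fail...",NULL,MB_OK );
        goto cleanup;
    }
    strcpy( shellPath + sysDirLen, "\\cmd.exe" );   /* fits: sysDirLen < MAX_PATH, buffer is MAX_PATH + 16 */

    AllocConsole();

    /* Keep the Ctrl events RecvKeyInfo() raises for the child from ending us. */
    SetConsoleCtrlHandler( HandlerRoutine, TRUE );

    safe_attrib.nLength = sizeof(SECURITY_ATTRIBUTES);
    safe_attrib.lpSecurityDescriptor = NULL;
    safe_attrib.bInheritHandle = TRUE;   /* the child shell writes into this buffer */

    hConsoleOutput = CreateConsoleScreenBuffer( GENERIC_READ|GENERIC_WRITE,
                                                FILE_SHARE_READ|FILE_SHARE_WRITE,
                                                &safe_attrib,
                                                CONSOLE_TEXTMODE_BUFFER,
                                                NULL);
    if ( hConsoleOutput == INVALID_HANDLE_VALUE )
    {
        goto cleanup;
    }

    initialSize.X = 80;
    initialSize.Y = 100;
    SetConsoleScreenBufferSize( hConsoleOutput, initialSize );
    SetConsoleActiveScreenBuffer( hConsoleOutput );

    memset( &startupInfo, 0, sizeof(STARTUPINFO) );
    startupInfo.cb = sizeof(STARTUPINFO);
    startupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    startupInfo.wShowWindow = SW_HIDE;
    startupInfo.hStdError = hConsoleOutput;
    startupInfo.hStdOutput = hConsoleOutput;
    startupInfo.hStdInput = GetStdHandle( STD_INPUT_HANDLE );

    for (;;)
    {
        /* NOTE(review): bInheritHandles is FALSE as in the original, which
         * relied on console handles being passed to the child regardless (the
         * behaviour of the Windows versions this was written for).  On newer
         * Windows STARTF_USESTDHANDLES needs bInheritHandles TRUE, and then
         * hsocket should be marked non-inheritable (SetHandleInformation) so
         * the shell and everything it launches do not hold the UDP socket. */
        if ( !CreateProcess( shellPath, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &procInfo ) )
        {
            MessageBox( 0,"create shell fail",NULL,MB_OK );
            break;
        }

        /* Pump key packets / screen snapshots until the shell exits (or the wait fails). */
        while ( RecvKeyInfo() )
        {
            if ( WaitForSingleObject( procInfo.hProcess, 100 ) != WAIT_TIMEOUT )
            {
                break;
            }
        }

        TerminateProcess( procInfo.hProcess, 0 );
        CloseHandle( procInfo.hProcess );
        CloseHandle( procInfo.hThread );
    }

cleanup:
    if ( hConsoleOutput != 0 && hConsoleOutput != INVALID_HANDLE_VALUE )
    {
        CloseHandle( hConsoleOutput );
    }
    if ( hsocket != 0 && hsocket != INVALID_SOCKET )
    {
        closesocket( hsocket );
    }
    if ( wsaStarted )
    {
        WSACleanup();
    }
    CloseHandle( MutexClient );
    return 0;
}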

/*
 * Console control handler for the server.  Ctrl+C and Ctrl+Break are
 * reported as handled (TRUE) and otherwise ignored: RecvKeyInfo() raises them
 * on purpose for the child cmd.exe via GenerateConsoleCtrlEvent(..., 0),
 * which also delivers them to this process, and they must not end it.
 * Every other event returns FALSE so the default handler runs.
 */
BOOL WINAPI HandlerRoutine( DWORD dwCtrlType )
{
    if ( dwCtrlType == CTRL_C_EVENT || dwCtrlType == CTRL_BREAK_EVENT )
    {
        return TRUE;
    }
    return FALSE;
}


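/*
 * One server poll cycle: consume at most one key datagram, act on it, then
 * send a snapshot of the console buffer to the client.  Always returns TRUE.
 *
 * Validation added: the datagram must be exactly sizeof(KEY_INFO) bytes and
 * carry the 0x12345678 magic; otherwise it is ignored as if nothing arrived.
 * Previously any non-negative recvfrom() result (even 1 byte) made the switch
 * read an uninitialised packType, and KEY_NO_CTRL replayed an uninitialised
 * INPUT_RECORD.  This is not authentication: whoever formats the packet
 * correctly still gets to type into the shell, and the sender address is
 * not used at all (snapshots go to the fixed address in SendSreenBuffer).
 *
 * The unknown-packType branch keeps the original's timer quirk unchanged:
 * cout starts at 0 and is only updated when fewer than 1000 ms have passed
 * since its previous value, so in practice an unknown packet skips the
 * snapshot.
 *
 * The outgoing snapshot is zeroed before it is filled, so the Attribute slot
 * that ReadConsoleOutputAttribute never writes, and csb when
 * GetConsoleScreenBufferInfo fails, no longer carry stack contents.
 */
BOOL RecvKeyInfo()
{
    KEY_INFO packet;
    CONSOLE_BUFFER snapshot;
    struct sockaddr from;
    int fromlen = sizeof(from);
    int received;
    DWORD count;
    COORD origin;

    received = recvfrom( hsocket, (PCHAR)&packet, sizeof(KEY_INFO), 0, &from, &fromlen );
    if ( received == (int)sizeof(KEY_INFO) && packet.packhead.packHead == 0x12345678 )
    {
        switch ( packet.packhead.packType )
        {
        case KEY_NO_CTRL:
            /* Replay the client's raw INPUT_RECORD into our console; cmd.exe reads it as stdin. */
            WriteConsoleInput( GetStdHandle(STD_INPUT_HANDLE), &packet.Key, 1, &count );
            break;
        case KEY_CTRL_C:
            /* Process group 0: every process on this console, including us (see HandlerRoutine). */
            GenerateConsoleCtrlEvent( CTRL_C_EVENT, 0 );
            break;
        case KEY_CTRL_BRAK:
            GenerateConsoleCtrlEvent( CTRL_BREAK_EVENT, 0 );
            break;
        default:
            if ( ( GetTickCount() - cout ) > 1000 )
            {
                return TRUE;
            }
            cout = GetTickCount();
            break;
        }
    }

    /* Snapshot the active screen buffer from (0,0); unread cells stay spaces. */
    memset( &snapshot, 0, sizeof(snapshot) );
    memset( snapshot.Character, ' ', sizeof(snapshot.Character) );
    snapshot.wCodePageID = GetConsoleOutputCP();

    origin.X = 0;
    origin.Y = 0;
    ReadConsoleOutputAttribute( hConsoleOutput, snapshot.Attribute, 8000, origin, &count );
    ReadConsoleOutputCharacter( hConsoleOutput, (PCHAR)snapshot.Character, 8000, origin, &count );
    GetConsoleScreenBufferInfo( hConsoleOutput, &snapshot.csb );

    SendSreenBuffer( KEY_SREEN, &snapshot, sizeof(CONSOLE_BUFFER) );
    return TRUE;
}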

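/*
 * Wrap a CONSOLE_BUFFER in a SREEN_INFO header and send it to the client.
 *
 * type    KEY_SREEN
 * buffer  the snapshot to send; NULL sends nothing
 * u_size  bytes to copy from buffer; clamped to [0, sizeof(CONSOLE_BUFFER)]
 *         so a wrong caller cannot overrun sendBuffer (the original copied
 *         u_size unchecked)
 *
 * The destination is hard-coded to 127.0.0.1:8123 -- not the address the key
 * packet came from -- and the datagram is always sizeof(SREEN_INFO) bytes.
 * Both the packet and the sockaddr are zero-filled first so no uninitialised
 * bytes leave the process.
 */
void SendSreenBuffer( int type , CONSOLE_BUFFER *buffer , int u_size)
{
    struct sockaddr_in to;
    SREEN_INFO sendBuffer;

    if ( buffer == NULL )
    {
        return;
    }
    if ( u_size < 0 )
    {
        u_size = 0;
    }
    if ( u_size > (int)sizeof(CONSOLE_BUFFER) )
    {
        u_size = sizeof(CONSOLE_BUFFER);
    }

    memset( &sendBuffer, 0, sizeof(sendBuffer) );
    memcpy( &sendBuffer.consoleBuffer, buffer, (size_t)u_size );

    sendBuffer.packhead.packHead = 0x12345678;
    sendBuffer.packhead.packType = type;
    sendBuffer.packhead.SreenBufferSize = u_size;
    sendBuffer.packhead.var_10004 = 0;
    sendBuffer.consoleBuffer.Unkown1 = 0;
    sendBuffer.consoleBuffer.Unkown2 = 0;

    memset( &to, 0, sizeof(to) );
    to.sin_family = AF_INET;
    to.sin_port = htons(8123);
    to.sin_addr.s_addr = inet_addr("127.0.0.1");

    sendto( hsocket, (const char *)&sendBuffer, sizeof(SREEN_INFO), 0, (const struct sockaddr *)&to, sizeof(to) );
}[/code]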

chinafe 2007-10-19 21:12

果然 比管道方式 好用的多

不可思议的是,CMD 一直无法通过管道解析的交互式指令也可以正常操作,比如 Debug。

谢谢 LoveMfc

呵呵 替LoveMfc向管理员 申请开通 荣誉会员.....................................
