1 Data Structure

1.1 Request

Packet header structure definition:

    #include <windows.h>   // DWORD

    typedef struct _InstructionPackHead {
        int   nInstructionType;   // instruction code, see 1.1.1 / 1.2.1
        DWORD nPackLength;        // length in bytes of the data that follows the header
    } _InstructionPackHead;

Packet definition:

    typedef struct _InstructionPack {
        _InstructionPackHead InsHead;
        char nDataPackContent[1];   // datapack content; variable length, nPackLength bytes
    } _InstructionPack;

1.1.1 nInstructionType

int. Flag field, assigned one of the following values:

100: request to start the cmd control thread
101: for the cmd thread, send the actual control content
200: request to start the file system management thread
201: get the file system treelist
203: download file
205: send upload file information
207: send upload file data
209: request list directory
211: upload file finished
300: request to start the keyboard logging thread
301: request to start logging the keyboard
303: request to stop logging the keyboard
400: request to start the screen monitoring thread
500: for the main thread, request the trojan ID; for a function thread, get its ID and the name of its current instruction
600: terminate the current process
700: control the registry
701: request the list under the corresponding registry key
703: get a key entry (键)
705: modify a key (项)
707: modify a key entry (键)

1.1.2 nPackLength

DWORD. Records the actual data length of the packet.

1.1.3 nDataPackContent[1]

char. The actual data content; variable length.

1.2 Response

Same structure as the request.

1.2.1 nInstructionType

int. Flag field, assigned one of the following values:

102: returns the actual cmd control result
202: returns the actual file management result
302: returns the actual keyboard logging result
402: returns the actual screen data
501: response to a cmd thread query
502: response to a file management thread query
503: response to a keyboard logging thread query
504: response to a screen data thread query
505: response to a main thread query
507: response to a registry thread query
202: returns the gettreelist result
204: returns download file information
206: returns download file data
208: download file finished
210: returns the listdirectory result
702: returns the list and key values under the corresponding registry key
704: returns a key value
706: modification result

1.2.2 nPackLength

DWORD. Records the actual data length of the packet.

1.2.3 nDataPackContent[1]

char. The actual data content; variable length.

2 Listener

Query type
    Request:
        nInstructionType = 500
        nPackLength = 0
        nDataPackContent = null
    Response:
        nInstructionType = 505
        nPackLength = sizeof(int)
        nDataPackContent = the trojan ID

Close
    Request:
        nInstructionType = 600
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

New client
    Request:
        nInstructionType = 100   // request to start the cmd control thread
                           200   // request to start the file system management thread
                           300   // request to start the keyboard logging thread
                           400   // request to start the screen monitoring thread
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

3 Command

Query type
    Request:
        nInstructionType = 500
        nPackLength = 0
        nDataPackContent = null
    Response:
        nInstructionType = 501
        nPackLength = sizeof(int)
        nDataPackContent = the trojan ID

Close
    Request:
        nInstructionType = 600
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

Execute
    Request:
        nInstructionType = 101
        nPackLength = length of the cmd command
        nDataPackContent = the cmd command
    Response:
        nInstructionType = 102
        nPackLength = length of the cmd result
        nDataPackContent = the cmd result

4 File manager

Query type
    Request:
        nInstructionType = 500
        nPackLength = 0
        nDataPackContent = null
    Response:
        nInstructionType = 502
        nPackLength = sizeof(int)
        nDataPackContent = the trojan ID

Close
    Request:
        nInstructionType = 600
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

Get file tree
    Request:
        nInstructionType = 201
        nPackLength = 0
        nDataPackContent = null
    Response:
        nInstructionType = 202
        nPackLength = data length
        nDataPackContent = the filetree result

List directory
    Request:
        nInstructionType = 209
        nPackLength = path length
        nDataPackContent = full path of the directory to list
    Response:
        nInstructionType = 210
        nPackLength = data length
        nDataPackContent = the list result

Upload file
    Request (file name and size are sent first, then the file data):
        nInstructionType = 205   // send upload file information
        nPackLength = data length
        nDataPackContent = file name and file size

        nInstructionType = 207   // send upload file data
        nPackLength = data length
        nDataPackContent = the actual data buffer
    Response:
        no response

Download file
    Request:
        nInstructionType = 204
        nPackLength = path length
        nDataPackContent = full path of the file to download
    Response (file name and size are sent first, then the file data):
        nInstructionType = 206   // send download file information
        nPackLength = data length
        nDataPackContent = file name and file size

        nInstructionType = 208   // send download file data
        nPackLength = data length
        nDataPackContent = the actual data buffer

5 Keyboard

Query type
    Request:
        nInstructionType = 500
        nPackLength = 0
        nDataPackContent = null
    Response:
        nInstructionType = 504
        nPackLength = sizeof(int)
        nDataPackContent = the trojan ID

Close
    Request:
        nInstructionType = 600
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

Start log
    Request:
        nInstructionType = 301
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

Stop log
    Request:
        nInstructionType = 303
        nPackLength = 0
        nDataPackContent = null
    Response:
        no response

Keylog
    Request:
        no request; after Start log the client sends on its own initiative
    Response:
        nInstructionType = 302
        nPackLength = length of the returned log
        nDataPackContent = the log content

6 Screen

Query type

Close

Start screen

Stop screen

Screen data

Screen ctrl
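Decoding a capture of this protocol, as an added example that is not part of the original specification: the parser below splits a byte stream into packets using the header from section 1.1, labels each packet with the codes from 1.1.1 and 1.2.1, and refuses to advance past a header whose nPackLength overruns the capture, so a truncated or tampered length field cannot mis-align the records that follow. It assumes 32-bit little-endian fields with no padding (the page does not state this), and the sample bytes are constructed here.

```python
import struct
from typing import List, Tuple

# Header from section 1.1: int nInstructionType followed by DWORD nPackLength.
# Assumption (not stated on the page): 32-bit little-endian fields, no padding.
HEADER = struct.Struct("<iI")

# Code-to-name table from sections 1.1.1 and 1.2.1, restricted to codes the
# page defines with a single meaning (202/204/206/208 are used two ways there).
INSTRUCTION_NAMES = {
    100: "start cmd thread", 101: "cmd command", 102: "cmd result",
    200: "start file-manager thread", 201: "get file tree", 205: "upload info",
    207: "upload data", 209: "list directory", 210: "list result", 211: "upload done",
    300: "start keylogger thread", 301: "start logging", 302: "keylog data",
    303: "stop logging", 400: "start screen thread", 402: "screen data",
    500: "query id", 501: "cmd id reply", 502: "file-manager id reply",
    503: "keylogger id reply", 504: "screen id reply", 505: "main id reply",
    507: "registry id reply", 600: "close", 700: "registry control",
    701: "registry list", 702: "registry list result", 704: "registry value",
}
MAX_PACK_LENGTH = 16 * 1024 * 1024  # sanity cap chosen here; the spec sets none

def parse_stream(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Split a captured stream into (type, name, payload); stop at a bad length."""
    records, offset = [], 0
    while offset + HEADER.size <= len(data):
        ins_type, pack_len = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + pack_len
        if pack_len > MAX_PACK_LENGTH or end > len(data):
            break  # header claims more bytes than exist: truncated or untrustworthy
        payload = data[offset + HEADER.size:end]
        records.append((ins_type, INSTRUCTION_NAMES.get(ins_type, "unknown"), payload))
        offset = end
    return records

def id_from_reply(payload: bytes) -> int:
    """A 50x query reply carries sizeof(int) bytes holding the reported trojan ID."""
    if len(payload) != 4:
        raise ValueError("query reply payload must be exactly sizeof(int) bytes")
    return struct.unpack("<i", payload)[0]

# Constructed sample capture: a 500 query, a 505 reply carrying ID 7, a 102 cmd
# result "ok\r\n", then a 101 packet whose header claims 16 bytes but only 3 follow.
SAMPLE = (b"\xf4\x01\x00\x00\x00\x00\x00\x00"
          + b"\xf9\x01\x00\x00\x04\x00\x00\x00\x07\x00\x00\x00"
          + b"\x66\x00\x00\x00\x04\x00\x00\x00ok\r\n"
          + b"\x65\x00\x00\x00\x10\x00\x00\x00abc")
```

Running parse_stream(SAMPLE) yields three records and drops the trailing truncated packet rather than guessing at its contents.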