C language virus

Source: Internet
Author: User

Besides modifying the registry, one way to start a virus or Trojan is to turn it into a Windows service. The drawback is portability: because a service uses the Win32 API, such a virus or Trojan can only run on Windows, and its size grows.
Next, we convert the existing Trojan program into a Windows service. This takes three steps:
1. Create a new main entry point and register it with the Service Control Manager (SCM). In this main function, provide the logical service name and its entry point, ServiceMain();
2. Move the main function of the Trojan program into ServiceMain, the entry point of the logical service;
3. Write our own service control handler function to respond to SCM commands (service control codes).
Now we build the Trojan program framework following these steps.
First, create the new main function. Only the key code is shown and it has not been compiled, so treat it as pseudo-code.
#include <windows.h>
#include <tchar.h>

SERVICE_STATUS        ServiceStatus;                 // service status struct
SERVICE_STATUS_HANDLE hStat;                         // service status handle
static TCHAR          ServiceName[] = _T("MyService"); // placeholder name of the logical service

VOID  WINAPI ServiceMain(DWORD argc, LPTSTR *argv);                     // logical service entry point, defined below
DWORD WINAPI ServiceCtrlHandlerEx(DWORD, DWORD, LPVOID, LPVOID);         // service control handler, defined below

int main(void)
{
    // ServiceName is the name of the logical service to implement; it can be a variable.
    // ServiceMain is the entry point belonging to that logical service; it is only a
    // placeholder and the function name can be chosen freely. Several logical services
    // can be listed here; our Trojan is meant to provide two.
    SERVICE_TABLE_ENTRY ste[] = { { ServiceName, ServiceMain },
                                  { NULL, NULL } };
    if (!StartServiceCtrlDispatcher(ste))   // register the service with the SCM
        return GetLastError();
    return 0;
}
Next, define ServiceMain, the entry point of the logical service:
#define CS_TIMEOUT 3000   // wait hint in milliseconds (placeholder value)

int  myfun(DWORD argc, LPTSTR *argv);         // the Trojan's own function; implemented elsewhere (placeholder)
void UpdateStatus(int newStatus, int checkValue);

VOID WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    ServiceStatus.dwServiceType  = SERVICE_WIN32_OWN_PROCESS; // service type: runs in its own process; see MSDN for other types
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;     // current status of the service: starting
    // Controls the service accepts. Here it only accepts pause and continue; close and stop
    // are rejected. The control codes are introduced later and are documented on MSDN.
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE;
    // Exit code of the service thread. With this value the next member supplies a
    // service-specific code; with any other value the next member is ignored.
    ServiceStatus.dwWin32ExitCode           = ERROR_SERVICE_SPECIFIC_ERROR;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;          // progress counter; the service must increment it periodically, otherwise the SCM reports an error when dwWaitHint expires
    ServiceStatus.dwWaitHint   = CS_TIMEOUT; // timeout value

    hStat = RegisterServiceCtrlHandlerEx(ServiceName,          // name of the logical service given to StartServiceCtrlDispatcher
                                         ServiceCtrlHandlerEx, // our own service control handler callback
                                         NULL);                // void pointer handed to the handler as its lpContext parameter
    if (!hStat)
        return;
    SetServiceStatus(hStat, &ServiceStatus); // report the SERVICE_STATUS set above

    // Tell the SCM the service has started before doing the real work (otherwise the start times out).
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStat, &ServiceStatus);

    if (myfun(argc, argv) != 0)   // myfun is the Trojan's function, called here
    {
        ServiceStatus.dwCurrentState           = SERVICE_STOPPED;
        ServiceStatus.dwServiceSpecificExitCode = 1;
        SetServiceStatus(hStat, &ServiceStatus);
        return;
    }
    UpdateStatus(SERVICE_STOPPED, 0);
}

void UpdateStatus(int newStatus, int checkValue)   // used to update the service status
{
    if (checkValue == 0)                           // only the checkValue == 0 case is handled here
        ServiceStatus.dwCurrentState = newStatus;
    SetServiceStatus(hStat, &ServiceStatus);
}
The following defines our service control handler:
DWORD WINAPI ServiceCtrlHandlerEx(DWORD  dwControl,   // control code sent by the system: SERVICE_CONTROL_STOP to stop the service, SERVICE_CONTROL_SHUTDOWN when the system shuts down; see MSDN
                                  DWORD  dwEventType, // usually 0; used for device management notifications
                                  LPVOID lpEventData, // usually NULL
                                  LPVOID lpContext)   // the third argument passed to RegisterServiceCtrlHandlerEx
{
    switch (dwControl)
    {
    case SERVICE_CONTROL_SHUTDOWN:
        break;
    case SERVICE_CONTROL_PAUSE:
        break;
    // ... other control codes to be handled
    default:
        if (dwControl > 127 && dwControl <= 255)
        {
            // user-defined control code (the range 128 to 255 is reserved for these); the original text breaks off here
        }
        break;
    }
    return NO_ERROR;
}
Generally, the service control handler is a switch...case statement. We can set some global variables according to the dwControl code to control our program. Here we can detect whether our service has been shut down by third-party software, or perform other actions. We can register two logical services that are identical except for the service name and ServiceMain; both execute our Trojan. One logical service is started first. When the running service is shut down or otherwise acted on, our handler receives the corresponding code and starts the other service from inside the handler; when the second service is disabled, the first one is started again, so the two monitor each other.
Now you must have a question: how do we start our service, and who sends the control codes?
1. Manage and control it through Control Panel > Administrative Tools > Services, which everyone should be familiar with.
2. Write our own program. This program is the startup program of our Trojan. First, open the SCM as follows:
SC_HANDLE OpenSCManager(LPCTSTR lpMachineName,   // name of the machine where the SCM runs; usually NULL, meaning the local system
                        LPCTSTR lpDatabaseName,  // also NULL
                        DWORD   dwDesiredAccess); // access rights, e.g. SC_MANAGER_ALL_ACCESS
Then use the SC_HANDLE returned by this function to call CreateService, which creates the logical service and returns a handle to it, as shown below:
SC_HANDLE CreateService(SC_HANDLE hSCManager,        // SCM handle returned by OpenSCManager
                        LPCTSTR   lpServiceName,     // name of the logical service (also the name of its registry key)
                        LPCTSTR   lpDisplayName,     // display name shown in the Services console
                        DWORD     dwDesiredAccess,   // access to the service handle, e.g. SERVICE_ALL_ACCESS
                        DWORD     dwServiceType,     // e.g. SERVICE_WIN32_OWN_PROCESS, matching dwServiceType in ServiceMain
                        DWORD     dwStartType,       // startup type; this parameter is important: SERVICE_DEMAND_START is manual start; SERVICE_BOOT_START and SERVICE_SYSTEM_START let a device driver service start at boot or at system start; SERVICE_AUTO_START starts the service when the system starts
                        DWORD     dwErrorControl,    // e.g. SERVICE_ERROR_NORMAL
                        LPCTSTR   lpBinaryPathName,  // path of the executable, i.e. the converted Trojan built from the framework above
                        LPCTSTR   lpLoadOrderGroup,  // may be NULL
                        LPDWORD   lpdwTagId,         // may be NULL
                        LPCTSTR   lpDependencies,    // may be NULL
                        LPCTSTR   lpServiceStartName,// account the service runs as; NULL means LocalSystem
                        LPCTSTR   lpPassword);       // password of that account; NULL for LocalSystem
If it succeeds, the SC_HANDLE for lpServiceName is returned, and the service can be controlled through operations on this handle.
Use the SC_HANDLE returned by CreateService to start the service, as follows:
BOOL StartService(SC_HANDLE hService,            // SC_HANDLE returned by CreateService, the handle of the service to start
                  DWORD     dwNumServiceArgs,    // argc passed to ServiceMain
                  LPCTSTR  *lpServiceArgVectors); // argv passed to ServiceMain
With this the service is started and the Trojan is now running. The key here is how to get the program that starts the Trojan to run.
The following function sends a control code to the service to close or stop it:
BOOL ControlService(SC_HANDLE        hService,        // handle of the logical service
                    DWORD            dwControl,       // control code
                    LPSERVICE_STATUS lpServiceStatus); // receives a SERVICE_STATUS struct describing the current status
Calling this function eventually causes the service control handler ServiceCtrlHandlerEx, registered with RegisterServiceCtrlHandlerEx, to execute.
The service control codes are:
SERVICE_CONTROL_STOP
SERVICE_CONTROL_PAUSE
SERVICE_CONTROL_SHUTDOWN
We have converted the Trojan into a Windows service and also written our own service startup and control program. Now we only need to run the service control program and the Trojan starts running.
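Every step above leaves a trace an administrator can read back through the same service API: CreateService writes a service entry with a binary path, the dwControlsAccepted setting makes the service refuse SERVICE_CONTROL_STOP while running, and the SCM logs each installation as Event ID 7045 in the System log. As an added example that is not part of the original article, the PowerShell review script below (assumed to run as an administrator; the list of trusted directories and the seven-day window are my assumptions) lists services whose binary lives outside the usual system directories, services that are running but do not accept the stop control, and recent service-installation events.

```powershell
# Added example (not from the original article): an administrator's review of installed services.
# Assumptions: run elevated; the trusted roots below and the 7-day window are arbitrary choices.

$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    $env:ProgramData
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ImagePathFromCommandLine {
    # Win32_Service.PathName is a command line; extract the executable part of it.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        return $p.Substring(1, $p.IndexOf('"', 1) - 1)   # quoted path
    }
    return ($p -split ' ')[0]                             # unquoted: first token
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $image = Get-ImagePathFromCommandLine $svc.PathName
    $lower = if ($image) { $image.ToLowerInvariant() } else { '' }
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($lower.StartsWith($root + '\')) { $inTrusted = $true; break }
    }
    $reasons = @()
    if ($image -and -not $inTrusted) {
        $reasons += 'binary outside system/program directories'
    }
    if ($svc.State -eq 'Running' -and -not $svc.AcceptStop) {
        # dwControlsAccepted without SERVICE_ACCEPT_STOP shows up here as AcceptStop = False
        $reasons += 'running but does not accept STOP'
    }
    if ($svc.StartMode -eq 'Auto' -and $svc.StartName -eq 'LocalSystem' -and $image -and -not $inTrusted) {
        $reasons += 'auto-start as LocalSystem from an unusual path'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $svc.Name
            Image     = $image
            StartMode = $svc.StartMode
            Account   = $svc.StartName
            Reasons   = ($reasons -join '; ')
        }
    }
}
$report | Sort-Object Name | Format-Table -AutoSize

# Event ID 7045 ("A service was installed in the system") is written for every successful CreateService.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    } | Format-Table -AutoSize
```

The first table is a review list rather than a verdict: some legitimate Windows services also refuse the stop control, so the useful signal is the combination of an unusual binary path, an auto-start LocalSystem account and a refused stop. The 7045 records are the quickest way to tie a newly appeared service back to the time it was created and the account that created it.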
