本类共有 867 篇文章，今日更新 0 篇

利用服务创建SYSTEM权限CMD

[ 来源：http://www.91now.com/down/ | 作者： | 时间：2007-5-18 17:36:52 | 浏览：人次 ]

#define DEBUGMSG
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#pragma comment (lib,"advapi32.lib")
#define erron GetLastError()
#define Debug(x) OutputDebugString(x)
TCHAR MsgError[50]={0};
SERVICE_STATUS ServiceStatus={0};
SERVICE_STATUS_HANDLE ServiceStatusHandle=NULL;
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[]);
VOID WINAPI ServiceHandle (DWORD dwFlags);
BOOL ServiceTest (TCHAR *Command);
int main (int argc,TCHAR *argv[])
{
    SERVICE_TABLE_ENTRY ServiceTableEntry[2]=
    {
        {TEXT("dahubaobao"),ServiceMain},
        {NULL,NULL}
    };
    StartServiceCtrlDispatcher(ServiceTableEntry);
    return 0;
}
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[])
{
     TCHAR SysDir[MAX_PATH]={0};
     TCHAR Command[MAX_PATH]={0};
     ServiceStatus.dwServiceType=SERVICE_WIN32;
     ServiceStatus.dwCurrentState=SERVICE_START_PENDING;
     ServiceStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP;
     ServiceStatus.dwServiceSpecificExitCode=0;
     ServiceStatus.dwWin32ExitCode=0;
     ServiceStatus.dwCheckPoint=0;
     ServiceStatus.dwWaitHint=0;
     if ((ServiceStatusHandle=RegisterServiceCtrlHandler(TEXT("dahubaobao"),ServiceHandle))==0)
     {
         #ifdef DEBUGMSG
                _stprintf(MsgError,TEXT("RegisterServiceCtrlHandler() GetLastError reports %d\n"),erron);
                Debug(MsgError);
         #endif
         return ;
     }
     ServiceStatus.dwCurrentState=SERVICE_RUNNING;
     ServiceStatus.dwCheckPoint=0;
     ServiceStatus.dwWaitHint=0;
     if (SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
     {
         #ifdef DEBUGMSG
                _stprintf(MsgError,TEXT("SetServiceStatus() GetLastError reports %d\n"),erron);
                Debug(MsgError);
         #endif
         return ;
     }
     GetSystemDirectory(SysDir,MAX_PATH-1);
     _sntprintf(Command,MAX_PATH-1,TEXT("%s\\cmd.exe /k %s%c"),SysDir,(char *)lpArgv[1],0);
     ServiceTest(Command);
     return ;
}
VOID WINAPI ServiceHandle (DWORD ControlCode)
{
     switch (ControlCode)
     {
             case SERVICE_CONTROL_STOP:
                  ServiceStatus.dwCurrentState=SERVICE_STOPPED;
                  ServiceStatus.dwWin32ExitCode=0;
                  ServiceStatus.dwCheckPoint=0;
                  ServiceStatus.dwWaitHint=0;
                  break;
             default:
                  break;
     }
     if (SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
     {
         #ifdef DEBUGMSG
                _stprintf(MsgError,TEXT("SetServiceStatus() GetLastError reports %d\n"),erron);
                Debug(MsgError);
         #endif
         return ;
     }
     return ;
}
BOOL ServiceTest (TCHAR *Command)
{
     STARTUPINFO si={0};
     PROCESS_INFORMATION pi;
     si.cb=sizeof (STARTUPINFO);
     si.lpDesktop=TEXT("WinSta0\\Default");
     if (!(CreateProcess(NULL,Command,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi)))
     {
         #ifdef DEBUGMSG
                _stprintf(MsgError,TEXT("CreateProcess() GetLastError reports %d\n"),erron);
                Debug(MsgError);
         #endif
         return FALSE;
     }
     return TRUE;
}

上一篇：解析Cookie欺骗实现过程及具体应用

下一篇：蜜罐进阶之Hit@me入侵分析

>> 相关文章

分类导航

本类阅读排行本类推荐排行

随机推荐文章

利用服务创建SYSTEM权限CMD

[ 来源：http://www.91now.com/down/ | 作者： | 时间：2007-5-18 17:36:52 | 浏览： 人次 ]

上一篇：解析Cookie欺骗实现过程及具体应用

下一篇：蜜罐进阶之Hit@me入侵分析

>> 相关文章

广告位

[ 来源：http://www.91now.com/down/ | 作者： | 时间：2007-5-18 17:36:52 | 浏览：人次 ]