瑞星对有人修改注册表监视得不错,但没想到居然对服务放任到这个地步!
附件在:http://b.py99.net/zip/f?v=20073/1144309.zip
运行SCP后系统会添加Service.exe为服务,而Service服务自动启动并打开SVCHOST进程,由于是服务打开的进程,所以SVCHOST用户名为SYSTEM(一般人恐怕不敢动它吧?),不过俺这里只是一个游戏而已,当然不是木马哈。
以下是源代码!
1、SCP(这个程序的作用是添加服务自启动,源代码出自Four F,稍加改动)
.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\Macros\Strings.mac
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
start proc
local hSCManager:HANDLE
local hService:HANDLE
local acDriverPath[MAX_PATH]:CHAR
; Open a handle to the SC Manager database
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax
push eax
invoke GetFullPathName, $CTA0("Service.exe"), sizeof acDriverPath, addr acDriverPath, esp
pop eax
; Register driver in SCM active database
invoke CreateService, hSCManager, $CTA0("Service"), $CTA0("Nice Melody Beeper"), \
SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS, SERVICE_AUTO_START, \
SERVICE_ERROR_NORMAL, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL
; Remove driver from SCM database
;invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), \
NULL, MB_ICONSTOP
.endif
invoke ExitProcess, 0
start endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end start
2、service(服务程序,由于服务程序不可见,俺只好由服务程序创建一个SVCHOST进程可见,服务程序则每秒beep一声,源代码出自罗云彬,稍加改动)
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include AdvApi32.inc
includelib AdvApi32.lib
include masm32.inc
include macros.asm
includelib masm32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; DATA
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
stStartupInfo STARTUPINFO <>
processInfo PROCESS_INFORMATION <>
.data?
stSS SERVICE_STATUS <> ;服务的状态
hSS dd ? ;服务的状态句柄
dwOption dd ?
F_STOP equ 0001h ;停止服务
include <Define.inc>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; CODE
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcHandler proc _dwControl
pushad
mov eax,_dwControl
.if eax == SERVICE_CONTROL_STOP
or dwOption,F_STOP
mov stSS.dwCurrentState,SERVICE_STOPPED
invoke SetServiceStatus,hSS,addr stSS
.elseif eax == SERVICE_CONTROL_INTERROGATE
invoke SetServiceStatus,hSS,addr stSS
.endif
popad
ret
_ProcHandler endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ServiceMain proc _dwArgc,_lpszArgv
pushad
invoke RegisterServiceCtrlHandler,addr szServiceName,offset _ProcHandler
mov hSS,eax
mov stSS.dwServiceType,SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
mov stSS.dwCurrentState,SERVICE_START_PENDING
mov stSS.dwControlsAccepted,SERVICE_ACCEPT_STOP
mov stSS.dwWin32ExitCode,NO_ERROR
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 如果初始化代码比较多,那么需要首先把状态设置为 pending,等完成以后
; 再设置为 Running。(在这里加入初始化代码)
;********************************************************************
mov stSS.dwCurrentState,SERVICE_RUNNING
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 服务的具体执行代码
; 在这里是每隔1秒种让喇叭发声
;********************************************************************
;invoke RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
;mov stStartupInfo.wShowWindow, SW_SHOW
;mov stStartupInfo.dwFlags, STARTF_USESHOWWINDOW
;mov stStartupInfo.cb, sizeof stStartupInfo
invoke CreateProcess, 0, CTXT("SVCHOST.EXE"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr processInfo
.repeat
invoke MessageBeep,-1
invoke Sleep,1000
.until dwOption & F_STOP
popad
ret
_ServiceMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WinMain proc
local @stSTE[2]:SERVICE_TABLE_ENTRY
invoke RtlZeroMemory,addr @stSTE,sizeof @stSTE
mov @stSTE[0].lpServiceName,offset szServiceName
mov @stSTE[0].lpServiceProc,offset _ServiceMain
invoke StartServiceCtrlDispatcher,addr @stSTE
ret
_WinMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke _WinMain
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
