我贴出来过一个替换服务添加一个svchost.exe启动的服务的帖子,那个是delphi的,从老大那里弄来的,后来某人很关心我的博客,关心那个帖子,我就写了一个VB版的,贴出来。
DELPHI的那个帖子是http://www.fenlog.com/post/21.html
现在写的是在以前某个模块上改的,上面有很多没有用的常量,不想要的话看一看删掉就是了。
模块代码:
Option Explicit
Private Const READ_CONTROL = &H20000
Private Const STANDARD_RIGHTS_READ = (READ_CONTROL)
Private Const STANDARD_RIGHTS_WRITE = (READ_CONTROL)
Private Const STANDARD_RIGHTS_EXECUTE = (READ_CONTROL)
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const STANDARD_RIGHTS_ALL = &H1F0000
Private Const SC_MANAGER_CONNECT = &H1
Private Const SC_MANAGER_CREATE_SERVICE = &H2
Private Const SC_MANAGER_ENUMERATE_SERVICE = &H4
Private Const SC_MANAGER_LOCK = &H8
Private Const SC_MANAGER_QUERY_LOCK_STATUS = &H10
Private Const SC_MANAGER_MODIFY_BOOT_CONFIG = &H20
Private Const SC_MANAGER_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SC_MANAGER_CONNECT Or SC_MANAGER_CREATE_SERVICE Or SC_MANAGER_ENUMERATE_SERVICE Or SC_MANAGER_LOCK Or SC_MANAGER_QUERY_LOCK_STATUS Or SC_MANAGER_MODIFY_BOOT_CONFIG)
Private Const SERVICE_QUERY_CONFIG = &H1&
Private Const SERVICE_CHANGE_CONFIG = &H2&
Private Const SERVICE_QUERY_STATUS = &H4&
Private Const SERVICE_ENUMERATE_DEPENDENTS = &H8&
Private Const SERVICE_STOP = &H20&
Private Const SERVICE_PAUSE_CONTINUE = &H40&
Private Const SERVICE_INTERROGATE = &H80&
Private Const SERVICE_USER_DEFINED_CONTROL = &H100&
Private Const SERVICE_CONFIG_DESCRIPTION = 1&
Private Const SERVICE_ERROR_NORMAL As Long = 1
Private Const SERVICE_WIN32_OWN_PROCESS = &H10&
Private Const SERVICE_AUTO_START As Long = 2
Private Const SERVICE_START = &H10&
Private Const SERVICE_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or _
SERVICE_QUERY_CONFIG Or _
SERVICE_CHANGE_CONFIG Or _
SERVICE_QUERY_STATUS Or _
SERVICE_ENUMERATE_DEPENDENTS Or _
SERVICE_START Or _
SERVICE_STOP Or _
SERVICE_PAUSE_CONTINUE Or _
SERVICE_INTERROGATE Or _
SERVICE_USER_DEFINED_CONTROL)
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const REG_EXPAND_SZ = 2
Private Declare Function OpenSCManager _
Lib "advapi32" Alias "OpenSCManagerW" _
(ByVal lpMachineName As Long, ByVal lpDatabaseName As Long, _
ByVal dwDesiredAccess As Long) As Long
Private Declare Function CreateService _
Lib "advapi32" Alias "CreateServiceW" _
(ByVal hSCManager As Long, ByVal lpServiceName As Long, _
ByVal lpDisplayName As Long, ByVal dwDesiredAccess As Long, _
ByVal dwServiceType As Long, ByVal dwStartType As Long, _
ByVal dwErrorControl As Long, ByVal lpBinaryPathName As Long, _
ByVal lpLoadOrderGroup As Long, ByVal lpdwTagId As Long, _
ByVal lpDependencies As Long, ByVal lpServiceStartName As Long, _
ByVal lpPassword As Long) As Long
Private Declare Function ChangeServiceConfig2 Lib "advapi32" Alias "ChangeServiceConfig2W" (ByVal hService As Long, _
ByVal dwInfoLevel As Long, lpInfo As Any) As Long
Private Declare Function CloseServiceHandle _
Lib "advapi32" (ByVal hSCObject As Long) As Long
Private Declare Function OpenService _
Lib "advapi32" Alias "OpenServiceW" _
(ByVal hSCManager As Long, ByVal lpServiceName As Long, _
ByVal dwDesiredAccess As Long) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Const Service_Pass As String = ""
Private Const Service_Name As String = "ServiceName" '服务名
Private Const Service_Display_Name As String = "Service Display Name" '服务显示名
Private Const Service_File_Name As String = "C:\WINDOWS\system32\svchost.exe -k netsvcs" '服务的文件路径,要是svchost.exe加载的服务就写这个
Private Const Service_Description As String = "Service_Description" '服务描述
Private Const Service_Dll_Name As String = "c:\a.dll" 'svchost.exe加载的服务,当然要有DLL,这个是DLL
Public Sub CreateSrvFun()
Dim hSCManager As Long
Dim hService As Long, DomainName As String
hSCManager = OpenSCManager(ByVal 0&, ByVal 0&, SC_MANAGER_ALL_ACCESS)
If hSCManager Then
hService = CreateService(hSCManager, StrPtr(Service_Name), _
StrPtr(Service_Display_Name), SERVICE_ALL_ACCESS, _
SERVICE_WIN32_OWN_PROCESS, _
SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, _
StrPtr(Service_File_Name), 0&, _
0&, 0&, StrPtr("LocalSystem"), _
StrPtr(Service_Pass))
If hService Then
ChangeServiceConfig2 hService, SERVICE_CONFIG_DESCRIPTION, StrPtr(Service_Description)
Call WriteDllPath
CloseServiceHandle hService
End If
CloseServiceHandle hSCManager
End If
End Sub
Private Sub WriteDllPath()
Dim Ret As Long
RegCreateKey HKEY_LOCAL_MACHINE, "SYSTEM\CurrentControlSet\Services\" & Service_Name & "\Parameters", Ret
RegSetValueEx Ret, "ServiceDll", 0, REG_EXPAND_SZ, ByVal Service_Dll_Name, Len(Service_Dll_Name)
RegCloseKey Ret
RegCreateKey HKEY_LOCAL_MACHINE, "SYSTEM\ControlSet003\Services\" & Service_Name & "\Parameters", Ret
RegSetValueEx Ret, "ServiceDll", 0, REG_EXPAND_SZ, ByVal Service_Dll_Name, Len(Service_Dll_Name)
RegCloseKey Ret
End Sub
如果需要自己改一下以下几个地方就好了
Private Const Service_Name As String = "ServiceName" '服务名 Private Const Service_Display_Name As String = "Service Display Name" '服务显示名 Private Const Service_File_Name As String = "C:\WINDOWS\system32\svchost.exe -k netsvcs" '服务的文件路径,要是svchost.exe加载的服务就写这个 Private Const Service_Description As String = "Service_Description" '服务描述 Private Const Service_Dll_Name As String = "c:\a.dll" 'svchost.exe加载的服务,当然要有DLL,这个是DLL
感谢大家对我的支持!~~
还有就是如果关闭文件保护的话,杀软会提示滴~不过别的替换系统文件的方法还是有滴 具体保密 嘿嘿 我一般都是感染Winlogon.exe来获得一个启动点
呵呵。。。
感染winlogon。。。。邪恶没弄过!
其实我感觉这样不好,我们先关闭文件保护,然后替换SVCHOT.EXE调用的X DLL文件,当然要保证DLL文件的正常使用外面自己制作的DLL只是起到转发功能加上外面自己的代码!嘿嘿······