HanDs
管理员

[Visual Studio文章] 利用服务创建SYSTEM权限CMD 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全


利用服务创建SYSTEM权限CMD

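/* Defining DEBUGMSG makes every failure path below emit a debugger message. */
#define DEBUGMSG
/*
 * The header names were lost when this page was extracted (the lines read
 * a bare "#include"). The three below are the ones the code needs:
 * the Win32 API, the *printf family, and the TCHAR/_t* mappings.
 */
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment (lib,"advapi32.lib")
/* Shorthand used by the logging code; evaluates GetLastError() at the point of use. */
#define erron GetLastError()
#define Debug(x) OutputDebugString(x)
/*
 * Scratch buffer for debug messages. The listing declared 50 elements, but
 * "RegisterServiceCtrlHandler() GetLastError reports " is already 50
 * characters before the error code, newline and terminator are appended,
 * so the unbounded _stprintf() calls wrote past the end. 128 leaves room
 * for every message in this file.
 */
TCHAR MsgError[128]={0};
/* Status block reported to the SCM; shared by ServiceMain and ServiceHandle. */
SERVICE_STATUS ServiceStatus={0};
SERVICE_STATUS_HANDLE ServiceStatusHandle=NULL;
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[]);
VOID WINAPI ServiceHandle (DWORD dwFlags);
BOOL ServiceTest (TCHAR *Command);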
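/*
 * Process entry point: connects this executable to the Service Control
 * Manager (SCM) and blocks until the service has stopped.
 *
 * The binary does nothing useful when launched from a console; it only works
 * once it has been registered as a service. Registering a service needs
 * administrative rights by default and is recorded by the SCM (System log,
 * event ID 7045), which is the most reliable place to spot this kind of
 * helper on a host.
 *
 * Returns 0 when the dispatcher ran and returned, 1 when it could not start.
 */
int main (int argc,TCHAR *argv[])
{
    /*
     * Reconstructed: the initializer was stripped from the page. The service
     * name is the one passed to RegisterServiceCtrlHandler() in ServiceMain;
     * the table must end with a NULL/NULL entry.
     */
    SERVICE_TABLE_ENTRY ServiceTableEntry[2] =
    {
        { TEXT("dahubaobao"), ServiceMain },
        { NULL, NULL }
    };

    (void)argc;
    (void)argv;

    /* The original ignored this result, so a failed start was silent. */
    if (!StartServiceCtrlDispatcher(ServiceTableEntry))
    {
#ifdef DEBUGMSG
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("StartServiceCtrlDispatcher() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return 1;
    }
    return 0;
}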
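/*
 * Service entry point called by the SCM.
 *
 * Registers the control handler, reports SERVICE_RUNNING, then builds
 * "<system directory>\cmd.exe /k <first start argument>" and hands it to
 * ServiceTest(), which launches it under the service's own account (the page
 * title says SYSTEM; the account is set at install time, not in this file).
 *
 * dwArgc/lpArgv are the service start arguments: lpArgv[0] is the service
 * name, lpArgv[1] (optional) is appended verbatim to the command line.
 *
 * Security note: the start argument is not validated or quoted, so anyone
 * allowed to start this service with arguments chooses what cmd.exe runs in
 * the service's security context. The service DACL is therefore the only
 * access control. In process telemetry this shows up as cmd.exe whose parent
 * is the service executable.
 *
 * NOTE(review): the function returns while the reported state is still
 * SERVICE_RUNNING and never reports SERVICE_STOPPED itself; only a stop
 * control handled in ServiceHandle changes the state.
 */
VOID WINAPI ServiceMain (DWORD dwArgc,TCHAR *lpArgv[])
{
    TCHAR SysDir[MAX_PATH] = {0};
    TCHAR Command[MAX_PATH] = {0};
    const TCHAR *Argument;
    UINT DirLen;
    int Written;

    ServiceStatus.dwServiceType = SERVICE_WIN32;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;

    ServiceStatusHandle = RegisterServiceCtrlHandler(TEXT("dahubaobao"), ServiceHandle);
    if (ServiceStatusHandle == 0)
    {
#ifdef DEBUGMSG
        /* Bounded write: this message alone is longer than the 50-element
           buffer the listing declared, so _stprintf() overflowed it. */
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("RegisterServiceCtrlHandler() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return;
    }

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;
    if (SetServiceStatus(ServiceStatusHandle, &ServiceStatus) == 0)
    {
#ifdef DEBUGMSG
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("SetServiceStatus() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return;
    }

    /* The original read lpArgv[1] unconditionally, which is out of bounds
       when the service is started without arguments. It also cast the
       argument to char*, which is wrong for a TCHAR format under UNICODE. */
    Argument = (dwArgc > 1 && lpArgv[1] != NULL) ? lpArgv[1] : TEXT("");

    DirLen = GetSystemDirectory(SysDir, MAX_PATH);
    if (DirLen == 0 || DirLen >= MAX_PATH)
    {
#ifdef DEBUGMSG
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("GetSystemDirectory() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return;
    }

    /* Command is zero-filled and at most MAX_PATH-1 characters are written,
       so the result is always terminated. A negative return means the command
       line did not fit; refuse to launch a truncated command. */
    Written = _sntprintf(Command, MAX_PATH - 1, TEXT("%s\\cmd.exe /k %s"), SysDir, Argument);
    if (Written < 0)
    {
#ifdef DEBUGMSG
        Debug(TEXT("ServiceMain() command line too long\n"));
#endif
        return;
    }

    ServiceTest(Command);
    return;
}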
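/*
 * Control handler registered with the SCM in ServiceMain.
 *
 * Only SERVICE_CONTROL_STOP changes anything: it marks the service stopped.
 * Every control code, recognised or not, is answered by re-reporting the
 * current status block.
 *
 * Note for responders: this handler does not hold or reference the process
 * started by ServiceTest(), so stopping the service does not end that
 * process as far as this file shows. It has to be found and terminated
 * separately.
 */
VOID WINAPI ServiceHandle (DWORD ControlCode)
{
    if (ControlCode == SERVICE_CONTROL_STOP)
    {
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCheckPoint = 0;
        ServiceStatus.dwWaitHint = 0;
    }

    if (SetServiceStatus(ServiceStatusHandle, &ServiceStatus) == 0)
    {
#ifdef DEBUGMSG
        /* Bounded and %lu: the original used an unbounded _stprintf() with
           %d for a DWORD error code. */
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("SetServiceStatus() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return;
    }
    return;
}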
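/*
 * Launches Command as a new process on the "WinSta0\Default" desktop.
 *
 * Command is a writable, NUL-terminated command line (CreateProcess may
 * modify it). The child inherits the caller's token, so when called from the
 * service it runs under the service account.
 *
 * Returns TRUE when the process was created, FALSE otherwise.
 *
 * NOTE(review): on Windows versions with Session 0 isolation (Vista and
 * later) a service's WinSta0\Default belongs to session 0, so the console
 * window is not shown on the logged-on user's desktop. Confirm against the
 * target OS before relying on the window being visible.
 */
BOOL ServiceTest (TCHAR *Command)
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi;

    si.cb = sizeof (STARTUPINFO);
    si.lpDesktop = TEXT("WinSta0\\Default");

    if (!CreateProcess(NULL, Command, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
#ifdef DEBUGMSG
        _sntprintf(MsgError, sizeof MsgError / sizeof MsgError[0] - 1,
                   TEXT("CreateProcess() GetLastError reports %lu\n"), erron);
        MsgError[sizeof MsgError / sizeof MsgError[0] - 1] = TEXT('\0');
        Debug(MsgError);
#endif
        return FALSE;
    }

    /* The original leaked both handles. Closing them does not affect the
       child process; it only releases this process's references. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}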


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
发帖时间:2016-7-9   |   查看数:0   |   回复数:0