I found material on this subject, but when I actually turned it into a batch script a couple of problems showed up: the path could not be written, and the system reported that the service has no function for responding to stop control.
Many of today's trojans, backdoors and worms achieve self-start by modifying the RUN key in the registry. This kind of self-start is not very hidden: anyone with a little security knowledge who finds their machine has been compromised will generally check the RUN key, so the system service has become a relatively hidden self-start method. The "Blaster killer" worm, for example, uses a system service to start its virus program.
There are many tools for adding system services today, the most typical being netservice, but this article is about adding a system service by hand, so the use of tools is outside its scope. Many things in Windows are closely tied to the registry, and system services are no exception; they are related to the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
We can simply look at the values of a service already registered there and copy the pattern: under any of the registry keys above, create a new subkey whose name is the name of the service you want to add, for example Backdoor, and under that BACKDOOR key create a new string value named Displayname whose data is the service name, Backdoor. The table below makes this more intuitive:
Name         | Type          | Data                       | Remarks
Displayname  | REG_SZ        | name of the service to add | name of the service to add
Description  | REG_SZ        | description of the service | description of the service
ImagePath    | REG_EXPAND_SZ | path of the program        |
Start        | REG_DWORD     | 0, 2, 3, 4                 | 2 = automatic start, 3 = manual start, 4 = disabled, 0 = low-level device driver loaded by the system (normally not needed)
ErrorControl | REG_DWORD     | 1                          |
Type         | REG_DWORD     | 10 or 20                   | ordinary applications are 10, the others correspond to 20
ObjectName   | REG_SZ        | LocalSystem                | indicates local logon
Note: under XP/2003 the REG_EXPAND_SZ type can be created entirely by hand, but under Windows 2000 it cannot, so on Windows 2000 we have to write a .reg file ourselves to register the system service directly; that way adding a service under Windows 2000 is easy too. Note also that in the registry file the ImagePath value must be given as HEX (hexadecimal). WinHex can be used to convert the program's absolute path into hexadecimal, with each byte separated by a comma. For example, if my ImagePath value is C:\winnt\nukegroup.exe, it should be converted to:
63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65
Open Notepad and type in the following:
Windows Registry Editor Version 5.00
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65
"DisplayName"="SRVTEST"
"ObjectName"="LocalSystem"
"Description"="系统服务测试"
Save this as addsrv.reg; we can then import it into the registry from the command line and thereby add the system service. Type regedit /s addsrv.reg at the command prompt, and once the machine restarts the service has been added. Unfortunately, when I actually tried this I ran into trouble: the ImagePath value came out garbled.
No matter how I think about it I cannot figure it out, so let's just change the garbled value to the absolute path. What if the REG line is written directly like this:
"ImagePath"=hex(2):C:\WINNT\NUKEGROUP.EXE
Every other value can be added, but not this one? In any case, we can first add the garbled ImagePath and then change it to C:\winnt\nukegroup.exe afterwards; that works too.
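Version 5.00 .reg files store hex(2) (REG_EXPAND_SZ) data as UTF-16LE, two bytes per character plus a 00,00 terminator, which is what a responder reading an export of the Services key has to undo when reviewing it. The following Python is added here and is not part of the original post: it parses a constructed export, decodes ImagePath for a correctly encoded entry and for the single-byte hex shown above, and flags entries whose path is unreadable or lies outside the system directory; the Spooler and SRVTEST keys and their values are constructed sample data.

```python
import re
# Constructed sample (not from a real host) of a "Windows Registry Editor Version 5.00" export of two
# service keys. hex(2) is REG_EXPAND_SZ, stored as UTF-16LE with a 00,00 terminator (two bytes per char).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRVTEST]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65
"ObjectName"="LocalSystem"
"""

def parse_reg(text):
    """Return {service: {value_name: decoded_value}} for the Services keys in a .reg export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # a trailing backslash continues a hex value
    services, current = {}, None
    for line in text.splitlines():
        key = re.match(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\]]+)\]", line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = re.match(r'"([^"]+)"=(.*)', line)
        if not val or current is None:
            continue
        name, raw = val.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            # An odd byte count cannot be UTF-16LE; errors="replace" keeps the damage visible.
            current[name] = data.decode("utf-16-le", errors="replace").rstrip("\x00")
        else:
            current[name] = raw.strip('"')
    return services

def suspicious_services(services):
    """Return {service: reason} for entries whose ImagePath a responder should look at first."""
    flagged = {}
    for name, v in services.items():
        path = v.get("ImagePath", "")
        if not path.isascii():  # single-byte hex read back as UTF-16LE yields CJK-looking garbage
            flagged[name] = "ImagePath is not valid UTF-16LE text"
        elif not path.lower().startswith(("%systemroot%", "c:\\windows\\", "c:\\winnt\\system32")):
            flagged[name] = "ImagePath outside the system directory"
    return flagged
```

Run against a real export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, the same decoder shows the path exactly as the service controller will read it.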
The above is the method for adding a system service by hand on Windows 2000. Windows 98 has a different registry structure, but a system service can still be added through the registry there, and it is even simpler.
Under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices add a new string value. For example, if the program is called BACKDOOR, create a string value named BACKDOOR and enter the full path of the executable in the data field.
Adding a system service by hand is that simple, and deleting one by hand follows the same principle, via the registry; I will not go into it further here. To help readers gain a deeper understanding of the various aspects of system services, I recommend the following articles and hope they are useful:
http://www.microsoft.com/china/community/program/originalarticles/TechDoc/WinXPStart.mspx
http://sinbad.zhoubin.com/read.html?board=Win&num=89