Principles and practice of creating a service hosted by svchost.exe (1)

Source: Internet
Author: User

1. Advantages and disadvantages of multiple services sharing one svchost.exe process

Windows system services fall into two kinds: those that run in their own process and those that share a process with other services. On Windows NT 4 the only process hosting several services was the Service Control Manager itself, services.exe. With Windows 2000 Microsoft introduced svchost.exe so that many services can share one host process. Windows 2000 generally runs two svchost processes: one hosts RpcSs (Remote Procedure Call) and the other is shared by many services. Windows XP generally has four svchost.exe processes, and Windows Server 2003 has more still, so moving more built-in services into shared svchost processes is clearly the direction Microsoft is taking. Sharing a process reduces resource consumption to some extent, but it also brings instability: if any one service in a shared process fails in a way that terminates the process, every service in that process dies with it. It also brings security risks, which are the subject of this article. First, let us look at how svchost.exe works.
2. Svchost Principle

Svchost itself is only a service host; it implements no service functionality of its own. A service started by svchost must be implemented as a dynamic link library (DLL). When such a service is installed, its executable path is pointed at svchost; when the service is started, svchost loads the DLL that implements it and runs the service from that DLL.
How does svchost know which DLL implements a given service? This is not given by the parameters in the service's executable path but by the service's own registry settings: under the service's key there is a Parameters subkey whose ServiceDll value names the DLL responsible for the service. In addition, every such service DLL must export a ServiceMain() function that carries out the service's work.
For example, RpcSs (Remote Procedure Call) lives in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs. Its Parameters subkey contains:
"ServiceDll"=REG_EXPAND_SZ:"%SystemRoot%\system32\rpcss.dll"
When the RpcSs service is started, svchost loads rpcss.dll and calls its ServiceMain() function to run the actual service.
If all these services are started by svchost as a shared process, why are there several svchost processes on the system? Microsoft divides the services into groups: services in the same group share one svchost process, and different groups use different svchost processes. Which group a service belongs to is determined by the parameter that follows the service's executable path.
For example, the RpcSs key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs contains:
"ImagePath"=REG_EXPAND_SZ:"%SystemRoot%\system32\svchost -k rpcss"
So RpcSs belongs to the rpcss group, which is also visible in the Services management console.
The groups and their member services are all listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Windows 2000, for example, has four groups, rpcss, netsvcs, wugroup and BITSgroup, with netsvcs defined as:
netsvcs=REG_MULTI_SZ: EventSystem, ias, iprip, irmon, netman, nwsapagent, rasauto, rasman, remoteaccess, SENS, sharedaccess, tapisrv, ntmssvc, wzcsvc
When a svchost-hosted service is started, the SCM checks whether a process with the same ImagePath is already present in its image record; if it is, the SCM does not start a second svchost process but dispatches the service to the existing one. That is how several services end up sharing one svchost process.
3. Svchost code

We now understand the principle of svchost, but to write a DLL-based service of our own that svchost can start, the information above leaves some questions open. Does the exported ServiceMain() function receive ANSI or Unicode arguments? Do we need to call RegisterServiceCtrlHandler and StartServiceCtrlDispatcher ourselves to register the control handler and the dispatcher?
Reading the svchost code answers these questions. The listing below is a disassembly excerpt of svchost.exe from Windows 2000 Service Pack 4; as can be seen, the program is quite simple.
The main function first calls ProcCommandLine() to parse the command line and obtain the service group to start. It then calls SvcHostOptions() to read the group's options and the group's member services, storing each service and its DLL in a data structure, svcTable. PrepareSvcTable() builds the SERVICE_TABLE_ENTRY array and points the SERVICE_MAIN_FUNCTION of every entry at svchost's own FuncServiceMain(). Finally, the API StartServiceCtrlDispatcher() is called to register the dispatcher for all of these services.
Main function:

.text:010010B8                 public start
.text:010010B8 start           proc near
.text:010010B8                 push    esi
.text:010010B9                 push    edi
.text:010010BA                 push    offset sub_1001EBA ; lpTopLevelExceptionFilter
.text:010010BF                 xor     edi, edi
.text:010010C1                 call    ds:SetUnhandledExceptionFilter
.text:010010C7                 push    1               ; uMode
.text:010010C9                 call    ds:SetErrorMode
.text:010010CF                 call    ds:GetProcessHeap
.text:010010D5                 push    eax
.text:010010D6                 call    sub_1001142
.text:010010DB                 mov     eax, offset dword_1003018
.text:010010E0                 push    offset unk_1003000 ; lpCriticalSection
.text:010010E5                 mov     dword_100301C, eax
.text:010010EA                 mov     dword_1003018, eax
.text:010010EF                 call    ds:InitializeCriticalSection
.text:010010F5                 call    ds:GetCommandLineW
.text:010010FB                 push    eax             ; lpString
.text:010010FC                 call    ProcCommandLine
.text:01001101                 mov     esi, eax
.text:01001103                 test    esi, esi
.text:01001105                 jz      short lab_doservice
.text:01001107                 push    esi
.text:01001108                 call    SvcHostOptions
.text:0100110D                 call    PrepareSvcTable
.text:01001112                 mov     edi, eax        ; SERVICE_TABLE_ENTRY returned
.text:01001114                 test    edi, edi
.text:01001116                 jz      short loc_1001128
.text:01001118                 mov     eax, [esi+10h]
.text:0100111B                 test    eax, eax
.text:0100111D                 jz      short loc_1001128
.text:0100111F                 push    dword ptr [esi+14h] ; dwCapabilities
.text:01001122                 push    eax             ; int
.text:01001123                 call    InitializeSecurity
.text:01001128
.text:01001128 loc_1001128:                            ; CODE XREF: start+5Ej
.text:01001128                                         ; start+65j
.text:01001128                 push    esi             ; lpMem
.text:01001129                 call    HeapFreeMem
.text:0100112E
.text:0100112E lab_doservice:                          ; CODE XREF: start+4Dj
.text:0100112E                 test    edi, edi
.text:01001130                 jz      ExitProgram
.text:01001136                 push    edi             ; lpServiceStartTable
.text:01001137                 call    ds:StartServiceCtrlDispatcherW
.text:0100113D                 jmp     ExitProgram
.text:0100113D start           endp
Main function end


Because svchost registers the same handler function for every service in the group, the SCM calls FuncServiceMain() each time one of those services is started. The function takes the service name passed by the SCM, searches svcTable for it (the comparison uses lstrcmpiW, so the match is case-insensitive), calls the ServiceMain() exported by that service's DLL to start the service, and then returns.
FuncServiceMain ()

.text:01001504 FuncServiceMain proc near               ; DATA XREF: PrepareSvcTable+44o
.text:01001504
.text:01001504 arg_0           = dword ptr  8
.text:01001504 arg_4           = dword ptr  0Ch
.text:01001504
.text:01001504                 push    ecx
.text:01001505                 mov     eax, [esp+arg_4]
.text:01001509                 push    ebx
.text:0100150A                 push    ebp
.text:0100150B                 push    esi
.text:0100150C                 mov     ebx, offset unk_1003000
.text:01001511                 push    edi
.text:01001512                 mov     edi, [eax]
.text:01001514                 push    ebx
.text:01001515                 xor     ebp, ebp
.text:01001517                 call    ds:EnterCriticalSection
.text:0100151D                 xor     esi, esi
.text:0100151F                 cmp     dwGroupSize, esi
.text:01001525                 jbe     short loc_1001566
.text:01001527                 and     [esp+10h], esi
.text:0100152B
.text:0100152B loc_100152B:                            ; CODE XREF: FuncServiceMain+4Aj
.text:0100152B                 mov     eax, svcTable
.text:01001530                 mov     ecx, [esp+10h]
.text:01001534                 push    dword ptr [eax+ecx]
.text:01001537                 push    edi
.text:01001538                 call    ds:lstrcmpiW
.text:0100153E                 test    eax, eax
.text:01001540                 jz      short StartThis
.text:01001542                 add     dword ptr [esp+10h], 0Ch
.text:01001547                 inc     esi
.text:01001548                 cmp     esi, dwGroupSize
.text:0100154E                 jb      short loc_100152B
.text:01001550                 jmp     short loc_1001566
.text:01001552 ; ---------------------------------------------------------------------------
.text:01001552
.text:01001552 StartThis:                              ; CODE XREF: FuncServiceMain+3Cj
.text:01001552                 mov     ecx, svcTable
.text:01001558                 lea     eax, [esi+esi*2]
.text:0100155B                 lea     eax, [ecx+eax*4]
.text:0100155E                 push    eax
.text:0100155F                 call    GetDLLServiceMain
.text:01001564                 mov     ebp, eax        ; DLL ServiceMain function address
.text:01001566
.text:01001566 loc_1001566:                            ; CODE XREF: FuncServiceMain+21j
.text:01001566                                         ; FuncServiceMain+4Cj
.text:01001566                 push    ebx
.text:01001567                 call    ds:LeaveCriticalSection
.text:0100156D                 test    ebp, ebp
.text:0100156F                 jz      short loc_100157B
.text:01001571                 push    [esp+10h+arg_4]
.text:01001575                 push    [esp+14h+arg_0]
.text:01001579                 call    ebp
.text:0100157B
.text:0100157B loc_100157B:                            ; CODE XREF: FuncServiceMain+6Bj
.text:0100157B                 pop     edi
.text:0100157C                 pop     esi
.text:0100157D                 pop     ebp
.text:0100157E                 pop     ebx
.text:0100157F                 pop     ecx
.text:01001580                 retn    8
.text:01001580 FuncServiceMain endp                    ; sp = -8

FuncServiceMain() end
Because svchost has already called StartServiceCtrlDispatcher to register the dispatcher, our DLL must not call it again: a process may call StartServiceCtrlDispatcher only once. The DLL does, however, still need to call RegisterServiceCtrlHandler to register its control handler. Finally, our ServiceMain() receives Unicode strings.
Because such a service is loaded into svchost after svchost starts, no new process appears; the service is just one more DLL inside svchost. The key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost is generally not audited for changes to the service groups, and even when it is checked, a changed group does not necessarily look abnormal. A DLL backdoor added this way is therefore well disguised and hard to spot.
4. Install services and settings

To have a service started by svchost, its name must appear under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. This can be achieved in the following ways:
1) Add a new service group and add the service name to it.
2) Add the service name to an existing group.
3) Use a name that is already listed in an existing group but whose service is not installed on the local machine.
4) Modify an existing service in an existing group and point its ServiceDll at your own DLL.
The first two methods are what normal services use. With method 1 the service starts in a new svchost process. With method 2, if the group's svchost process is already running, the newly installed service cannot be started right away: svchost reads the group information into memory when it starts and registers the dispatch handler for all of the group's services in its single call to StartServiceCtrlDispatcher, so a service added afterwards never gets its handler registered. The machine, or the svchost process of that group, must be restarted first. The last two methods are the ones a backdoor would use, especially method 4: no service is added, only registry values change, and nothing new appears in the Services console, so the backdoor stays hidden. For example, the EventSystem service points to es.dll by default; if its ServiceDll is changed to a file named EventSystem.dll, the change is very hard to notice.
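The audit that section 3 says is rarely performed is easy to automate, and it also makes the service-to-DLL resolution described in section 2 visible. The PowerShell script below is an added example, not the article's own code (the article ships only the C DLL). It walks the Svchost key and, for each group member, reports the conditions behind methods 3 and 4: a name listed in a group but not installed, an ImagePath that does not run svchost for that group, and a ServiceDll that is missing, stored with the wrong registry type, located outside System32, or not validly signed. It assumes Windows PowerShell 5.1 or later running as Administrator; the function and finding names are my own.

```powershell
# Added example, not part of the original article: audit svchost groups and the
# services they host for the tampering methods described above.
# Assumes Windows PowerShell 5.1 or later, run as Administrator (reads HKLM).
function Get-SvchostServiceAudit {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $system32    = Join-Path $env:SystemRoot 'System32'
    $groupKey    = Get-Item -Path $svchostKey

    # Inner helper; $group and $svc are read from the enclosing loop scope.
    function New-Finding([string]$Finding, [string]$Detail) {
        [pscustomobject]@{ Group = $group; Service = $svc; Finding = $Finding; Detail = $Detail }
    }

    foreach ($group in $groupKey.GetValueNames()) {
        # Each group value is REG_MULTI_SZ: one service name per element.
        if ($groupKey.GetValueKind($group) -ne 'MultiString') { continue }

        foreach ($svc in [string[]]$groupKey.GetValue($group)) {
            $svcKeyPath = Join-Path $servicesKey $svc
            if (-not (Test-Path -Path $svcKeyPath)) {
                # Method 3: the name is in the group but no such service is installed.
                # Normal for optional services, but a name that later gains a service is suspect.
                New-Finding 'listed in group, not installed' ''
                continue
            }
            $svcKey = Get-Item -Path $svcKeyPath

            # Compare the raw (unexpanded) ImagePath: it should run svchost with -k <this group>.
            $imagePath = [string]$svcKey.GetValue('ImagePath', '', 'DoNotExpandEnvironmentNames')
            $pattern   = '(?i)svchost(\.exe)?\s+-k\s+' + [regex]::Escape($group) + '(\s|$)'
            if ($imagePath -notmatch $pattern) {
                New-Finding 'ImagePath does not run svchost for this group' $imagePath
            }

            $paramsKeyPath = Join-Path $svcKeyPath 'Parameters'
            if (-not (Test-Path -Path $paramsKeyPath)) { New-Finding 'no Parameters\ServiceDll' ''; continue }
            $paramsKey = Get-Item -Path $paramsKeyPath
            if ($null -eq $paramsKey.GetValue('ServiceDll')) { New-Finding 'no Parameters\ServiceDll' ''; continue }

            # ServiceDll must be REG_EXPAND_SZ; a REG_SZ here is the .reg-file mistake noted in section 4.
            $kind = $paramsKey.GetValueKind('ServiceDll')
            if ($kind -ne 'ExpandString') { New-Finding 'ServiceDll is not REG_EXPAND_SZ' $kind }

            # GetValue without options expands %SystemRoot% etc., giving the path svchost will load.
            $dll = [System.IO.Path]::GetFullPath([string]$paramsKey.GetValue('ServiceDll'))

            # Method 4: ServiceDll repointed. Flag DLLs outside System32 and DLLs without a valid
            # signature. On older systems catalog-signed files can report NotSigned; confirm those
            # with sigcheck before treating them as malicious.
            if (-not $dll.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
                New-Finding 'ServiceDll outside System32' $dll
            }
            if (-not (Test-Path -LiteralPath $dll)) { New-Finding 'ServiceDll file missing' $dll; continue }
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { New-Finding "ServiceDll signature $($sig.Status)" $dll }

            # Always emit an inventory row so the output can be diffed against a known-good baseline.
            New-Finding 'inventory' $dll
        }
    }
}

Get-SvchostServiceAudit | Sort-Object Finding, Group, Service | Format-Table -AutoSize
```

Run against the demonstration in section 6, the IPRIP entry would show up because svchostdll.dll is not in System32 and carries no signature. The 'inventory' rows are meant to be saved from a known-good machine and diffed later: a ServiceDll repointed from es.dll to an EventSystem.dll as in the example above is caught by the signature check if the replacement is unsigned, and otherwise only by that diff.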
Therefore, besides calling CreateService() to create the service, you must also set the service's ServiceDll; with the first two methods you must also set the group value under the svchost registry key. When uninstalling, you should delete whatever you added.
For the code, see Appendix 3.
Note: ImagePath and ServiceDll are REG_EXPAND_SZ (expandable strings), not plain strings, so take care with the value type when installing from a .reg file.
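The installation settings section 4 describes, written out as PowerShell. This is an added example, not the article's InstallService() code (which is C inside the DLL); the function names and the script-scoped key variables are mine, and it assumes Windows PowerShell 5.1 or later run as Administrator and a DLL that already exports ServiceMain as described above. It performs method 2 (adding the name to an existing group) and, if the group value does not exist yet, method 1.

```powershell
# Added example, not part of the original article: install a DLL into a svchost
# group with the correct registry value types, and undo every change on uninstall.
# Assumes Windows PowerShell 5.1 or later, run as Administrator.
$script:SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$script:ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Install-SvchostDllService {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$DllPath,      # may contain %SystemRoot%; stored unexpanded
        [string]$Group = 'netsvcs',
        [string]$DisplayName = $ServiceName
    )
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        throw "Service '$ServiceName' already exists; refusing to overwrite it."
    }
    # 1. Put the name in the group's REG_MULTI_SZ list (creating the group value if absent).
    $members = [string[]](Get-Item -Path $script:SvchostKey).GetValue($Group)
    if ($null -eq $members) { $members = @() }
    if ($members -notcontains $ServiceName) {
        Set-ItemProperty -Path $script:SvchostKey -Name $Group `
            -Value ([string[]]($members + $ServiceName)) -Type MultiString
    }
    # 2. Create the service pointing at svchost with -k <group>. The SCM stores this
    #    ImagePath as REG_EXPAND_SZ, so %SystemRoot% is expanded at start time.
    New-Service -Name $ServiceName -DisplayName $DisplayName -StartupType Manual `
        -BinaryPathName "%SystemRoot%\System32\svchost.exe -k $Group" | Out-Null
    # 3. ServiceDll must be REG_EXPAND_SZ (ExpandString). A plain REG_SZ, the usual
    #    .reg-file mistake, leaves svchost unable to resolve the DLL path.
    $params = Join-Path (Join-Path $script:ServicesKey $ServiceName) 'Parameters'
    New-Item -Path $params -Force | Out-Null
    New-ItemProperty -Path $params -Name 'ServiceDll' -Value $DllPath `
        -PropertyType ExpandString -Force | Out-Null
}

function Uninstall-SvchostDllService {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$Group = 'netsvcs'
    )
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        # sc.exe delete removes the service key (including Parameters\ServiceDll)
        # once the service has stopped; Remove-Service only exists in PowerShell 6+.
        sc.exe delete $ServiceName | Out-Null
    }
    # Take the name back out of the group so the Svchost key matches its pre-install state.
    $members = [string[]](Get-Item -Path $script:SvchostKey).GetValue($Group)
    if ($members -and $members -contains $ServiceName) {
        $rest = [string[]]@($members | Where-Object { $_ -ne $ServiceName })
        if ($rest.Count -eq 0) {
            # We were the only member, so the group value was ours: remove it entirely.
            Remove-ItemProperty -Path $script:SvchostKey -Name $Group
        } else {
            Set-ItemProperty -Path $script:SvchostKey -Name $Group -Value $rest -Type MultiString
        }
    }
}

# Usage (hypothetical names, mirroring the article's section 6 demonstration):
# Install-SvchostDllService -ServiceName IPRIP -DllPath '%SystemRoot%\System32\svchostdll.dll'
# Uninstall-SvchostDllService -ServiceName IPRIP
```

Pass the DLL path unexpanded, as in the article's registry examples; the ExpandString type is what makes %SystemRoot% resolve. As the article notes, if the group's svchost process is already running, the new service cannot start until that process (or the machine) is restarted. The uninstall deliberately removes the group entry it added, which is the cleanup the article asks for.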
5. DLL service implementation

Programming the DLL is fairly simple: implement a ServiceMain() function and a service control handler. In ServiceMain(), register the handler with RegisterServiceCtrlHandler() and then report the service's running state to the SCM.
Because installing this kind of service requires settings beyond the normal CreateService() call, it is best to build the install and uninstall functions into the DLL itself.
For ease of installation, the code provides an InstallService() function that takes the service name as a parameter (defaulting to iprip if none is given). If the requested name is not in svchost's netsvcs group, installation fails; if the service already exists, installation also fails. On success the program sets the service's ServiceDll to the current DLL. The UninstallService() function deletes the named service without any checks.
To allow installation with rundll32.exe, RundllInstallA() and RundllUninstallA() are provided; they call InstallService() and UninstallService() respectively. The function prototype rundll32.exe expects is:
void CALLBACK FunctionName(
    HWND hwnd,         // handle to owner window
    HINSTANCE hinst,   // instance handle for the DLL
    LPTSTR lpCmdLine,  // string the DLL will parse
    int nCmdShow       // show state
);
The corresponding command line is: rundll32 DllName,FunctionName [Arguments]
If a second argument is given when the service is started, the process it creates is allowed to interact with the desktop.
For the full code, see Appendix 8. The source code and the compiled DLL can be downloaded from http://www.binglesite.net.
// Main service entry point
void __stdcall ServiceMain(int argc, wchar_t *argv[]);
// Report service state to the service control manager
int TellSCM(DWORD dwState, DWORD dwExitCode, DWORD dwProgress);
// Service control handler, called back by the service control manager
void __stdcall ServiceHandler(DWORD dwCommand);
// RealService just creates a process
int RealService(char *cmd, int bInteract);
// Install this DLL as a service hosted by svchost.exe; the service name is given by the caller
int InstallService(char *name);
// Uninstall a service; be careful, calling this deletes the service
int UninstallService(char *name);
// Install this DLL as a service hosted by svchost.exe, for rundll32.exe to call
void CALLBACK RundllInstallA(HWND hwnd, HINSTANCE hinst, char *param, int nCmdShow);
// Uninstall a service, for rundll32.exe to call; be careful, calling this deletes the service
void CALLBACK RundllUninstallA(HWND hwnd, HINSTANCE hinst, char *param, int nCmdShow);
// Output debug information to a log file (or to stderr if called from a console program)
void OutputString(char *lpFmt, ...);
6. Code usage

C:\>tlist -s
   0 System Process
   8 System
 240 services.exe      Svcs:  Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,PlugPlay,ProtectedStorage,TrkWks,Wmi
 504 svchost.exe       Svcs:  RpcSs
1360 svchost.exe       Svcs:  EventSystem,Netman,RasMan,SENS,TapiSrv

C:\>rundll32 svchostdll.dll,RundllInstall abcd
SvcHostDLL: DllMain called DLL_PROCESS_ATTACH
You specify service name not in Svchost\netsvcs, must be one of following:
 - EventSystem
 - Ias
 - Iprip
 - Irmon
 - Netman
 - Nwsapagent
 - Rasauto
 - Rasman
 - Remoteaccess
 - SENS
 - Sharedaccess
 - Tapisrv
 - Ntmssvc
 - Wzcsvc

C:\>rundll32 svchostdll.dll,RundllInstall IPRIP
SvcHostDLL: DllMain called DLL_PROCESS_ATTACH
CreateService(IPRIP) SUCCESS. Config it
Config service IPRIP OK.

C:\>sc start iprip "cmd /k whoami" 1
NT AUTHORITY\SYSTEM
SvcHostDLL: ServiceMain(3, IPRIP) called
SvcHostDLL: RealService called 'cmd /k whoami' Interact
SvcHostDLL: CreateProcess(cmd /k whoami) to 640

C:\>tlist -s
   0 System Process
   8 System
 240 services.exe      Svcs:  Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,PlugPlay,ProtectedStorage,TrkWks,Wmi
 504 svchost.exe       Svcs:  RpcSs
 640 cmd.exe           Title: C:\WINNT\System32\cmd.exe
1360 svchost.exe       Svcs:  EventSystem,Netman,RasMan,SENS,TapiSrv,IPRIP

C:\>net stop iprip
The IPRIP service was stopped successfully.

C:\>rundll32 svchostdll.dll,RundllUninstall iprip
DeleteService(IPRIP) SUCCESS.
7. References

1) Mark Russinovich, "Inside Win32 Services, Part 2", http://www.winnetmag.com/Articles/Index.cfm?ArticleID=8943&pg=3
2) Platform SDK: Tools - Rundll32, http://msdn.microsoft.com/library/en-us/tools/tools/rundll32.asp

