Principles and practice of creating a service hosted by svchost.exe

Source: Internet
Author: User

1. Advantages and Disadvantages of Multiple Services Sharing a svchost.exe Process

Windows system services run either in their own process or in a shared process. In Windows NT, only the Service Control Manager (SCM, services.exe) hosted multiple shared services. As the number of built-in services grew, Microsoft moved many Windows services into shared processes started by svchost.exe. Windows 2000 generally has two svchost processes: one for RPCSS (the Remote Procedure Call service) and one shared by many other services. Windows XP generally has four svchost.exe service processes, and Windows Server 2003 has more. Starting more built-in system services in shared svchost processes is clearly the direction Microsoft is taking. It reduces system resource consumption to some extent, but it also introduces instability: if any service in a shared process terminates the process because of an error, every service in that process exits with it. It also brings security risks. First, let's look at how svchost.exe is implemented.


2. Svchost Principle

Svchost itself is only a service host and does not implement any service functionality. Services started by svchost must be implemented as dynamic-link libraries (DLLs). When such a service is installed, its executable program path is pointed at svchost; when the service is started, svchost loads the corresponding DLL to run the service.

So how does svchost know which DLL implements a given service? This is not given by the parameter part of the service's executable path but by the service's settings in the registry: under the service's key there is a Parameters subkey, and its ServiceDll value names the DLL responsible for the service. In addition, every such service DLL must export a ServiceMain() function that carries out the service's work.

For example, rpcss (Remote Procedure Call) is located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs. Its Parameters subkey contains the following:
"ServiceDll" = REG_EXPAND_SZ: "%SystemRoot%\system32\rpcss.dll"
When the rpcss service is started, svchost loads rpcss.dll and calls its ServiceMain() function to run the actual service.

Since these services are started by svchost as a shared process, why are there several svchost processes in the system? Microsoft divides the services into groups. Services in the same group share one svchost process; services in different groups use different svchost processes. The group a service belongs to is determined by the parameter following the service's executable program path.

For example, the registry key for rpcss, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs, contains the following:
"ImagePath" = REG_EXPAND_SZ: "%SystemRoot%\system32\svchost -k rpcss"
Therefore rpcss belongs to the rpcss group, which can also be seen in the Services management console.

The groups and the services in each group are listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. For example, Windows 2000 has four groups, rpcss, netsvcs, wugroup and BITSgroup, and the netsvcs group is defined as:
"netsvcs" = REG_MULTI_SZ: EventSystem, ias, iprip, irmon, netman, nwsapagent, rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, Tapisrv, Ntmssvc, wzcsvc, ...

When a svchost-hosted service is started, the Service Control Manager checks whether the service's ImagePath already appears in its list of running service images. If it does, the SCM does not start a second svchost process but starts the service inside the existing one. This is how multiple services come to share one svchost process.
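As an added example that is not part of the original article, the PowerShell script below walks the Svchost group key and the per-service Parameters\ServiceDll values described above and reports the entries a defender would want to inspect: a service whose ImagePath does not launch svchost with its own group name, a missing or non-existent ServiceDll, a DLL outside system32, or a DLL without a valid Authenticode signature. It uses only the registry locations named in the article and standard cmdlets; the specific checks are my choice, not something the article specifies.

```powershell
# Added example (not from the article): read-only audit of svchost service groups.
# Walks HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and, for every
# service listed in a group, checks that
#   - ImagePath launches "%SystemRoot%\system32\svchost[.exe] -k <group>" for that group,
#   - Parameters\ServiceDll exists and points to a file on disk,
#   - the DLL lives under system32 and carries a valid Authenticode signature.
# Run in an elevated PowerShell on the host being audited. Nothing is written.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Group names are the value names under the Svchost key; drop PowerShell's PS* metadata properties.
$groups = (Get-ItemProperty -Path $svchostKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }

$findings = foreach ($group in $groups) {
    # Each group value is REG_MULTI_SZ, i.e. a string[] of service names.
    foreach ($svc in @($group.Value)) {
        $svcKey = Join-Path $servicesKey $svc
        if (-not (Test-Path $svcKey)) { continue }   # listed in a group but not installed

        $imagePath  = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $serviceDll = (Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue).ServiceDll

        # REG_EXPAND_SZ values normally come back expanded; expand again to be safe.
        $expImage = [Environment]::ExpandEnvironmentVariables([string]$imagePath)
        $expDll   = [Environment]::ExpandEnvironmentVariables([string]$serviceDll)

        $issues = @()

        # The ImagePath must start svchost with "-k <this group>" (Windows 2000 wrote it without ".exe").
        $pattern = '(?i)\\system32\\svchost(\.exe)?\s+-k\s+' + [regex]::Escape($group.Name) + '(\s|$)'
        if ($expImage -notmatch $pattern) {
            $issues += "ImagePath does not launch svchost -k $($group.Name): '$imagePath'"
        }

        if (-not $serviceDll) {
            $issues += 'Parameters\ServiceDll missing'
        } elseif (-not (Test-Path -LiteralPath $expDll)) {
            $issues += "ServiceDll not found on disk: '$expDll'"
        } else {
            if ($expDll -notlike "$env:SystemRoot\system32\*") {
                $issues += "ServiceDll outside system32: '$expDll'"
            }
            # Catalog-signed system DLLs also report Status = Valid here.
            $sig = Get-AuthenticodeSignature -FilePath $expDll
            if ($sig.Status -ne 'Valid') {
                $issues += "ServiceDll signature status $($sig.Status): '$expDll'"
            }
        }

        [pscustomobject]@{
            Group      = $group.Name
            Service    = $svc
            ServiceDll = $expDll
            Issues     = ($issues -join '; ')
        }
    }
}

# Full inventory first, then only the flagged entries so they stand out.
$findings | Sort-Object Group, Service | Format-Table -AutoSize
$findings | Where-Object { $_.Issues } | Format-List
```

The ImagePath check is deliberately tied to the group the service was found under: a service that is listed in one group but whose ImagePath names another group will be started in a different svchost process than the registry suggests, which is worth understanding before trusting process-to-service mappings from other tools.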


3. Svchost code

Now we basically understand how svchost works, but we want to write a DLL-based service ourselves that is started by svchost, and the information above still leaves some questions open. For example, does the exported ServiceMain() function receive ANSI or Unicode parameters? Do we need to call RegisterServiceCtrlHandler and StartServiceCtrlDispatcher ourselves to register the service control handler and dispatcher?

These questions can be answered by looking at the svchost code. The listing below is a disassembly snippet of svchost from Windows 2000 with Service Pack 4. As it shows, the svchost program is still very simple.

The main function first calls ProcCommandLine() to parse the command line and obtain the service group to start. It then calls SvcHostOptions() to read the options of that service group and the list of its services, storing each service and its DLL in a data structure, svcTable. Next it calls PrepareSvcTable() to build the SERVICE_TABLE_ENTRY array, pointing the SERVICE_MAIN_FUNCTION of every entry at one of svchost's own functions, FuncServiceMain(). Finally it calls the StartServiceCtrlDispatcher() API to register the dispatcher for these services.

; ================================ Main Function =================================
.text:010010B8                 public start
.text:010010B8 start           proc near
.text:010010B8                 push    esi
.text:010010B9                 push    edi
.text:010010BA                 push    offset sub_1001EBA      ; lpTopLevelExceptionFilter
.text:010010BF                 xor     edi, edi
.text:010010C1                 call    ds:SetUnhandledExceptionFilter
.text:010010C7                 push    1                       ; uMode
.text:010010C9                 call    ds:SetErrorMode
.text:010010CF                 call    ds:GetProcessHeap
.text:010010D5                 push    eax
.text:010010D6                 call    sub_1001142
.text:010010DB                 mov     eax, offset dword_1003018
.text:010010E0                 push    offset unk_1003000      ; lpCriticalSection
.text:010010E5                 mov     dword_100301C, eax
.text:010010EA                 mov     dword_1003018, eax
.text:010010EF                 call    ds:InitializeCriticalSection
.text:010010F5                 call    ds:GetCommandLineW
.text:010010FB                 push    eax                     ; lpString
.text:010010FC                 call    ProcCommandLine
.text:01001101                 mov     esi, eax
.text:01001103                 test    esi, esi
.text:01001105                 jz      short lab_doservice
.text:01001107                 push    esi
.text:01001108                 call    SvcHostOptions
.text:0100110D                 call    PrepareSvcTable
.text:01001112                 mov     edi, eax                ; SERVICE_TABLE_ENTRY returned
.text:01001114                 test    edi, edi
.text:01001116                 jz      short loc_1001128
.text:01001118                 mov     eax, [esi+10h]
.text:0100111B                 test    eax, eax
.text:0100111D                 jz      short loc_1001128
.text:0100111F                 push    dword ptr [esi+14h]     ; dwCapabilities
.text:01001122                 push    eax                     ; int
.text:01001123                 call    InitializeSecurity
.text:01001128
.text:01001128 loc_1001128:                                    ; CODE XREF: start+5Ej
.text:01001128                                                 ; start+65j
.text:01001128                 push    esi                     ; lpMem
.text:01001129                 call    HeapFreeMem
.text:0100112E
.text:0100112E lab_doservice:                                  ; CODE XREF: start+4Dj
.text:0100112E                 test    edi, edi
.text:01001130
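The main function above registers every service of one group under a single FuncServiceMain() in a single process, so at runtime each group appears as one svchost.exe whose PID is shared by several services. The PowerShell script below is an added example, not code from the article: it lists every running svchost.exe, extracts the -k group from its command line, and joins it with the services whose ProcessId matches, which makes the shared-process model visible and shows up the cases a defender would look at twice (a svchost with no -k group, one hosting no registered service, or one whose image is not the system32 binary). The "-k" parsing and the notes are my assumptions about what is worth reporting.

```powershell
# Added example (not from the article): observe the shared-process model at runtime.
# For every running svchost.exe, parse "-k <group>" from its command line and list
# the services whose ProcessId equals that PID. Several services on one PID is the
# "multiple services share one svchost process" case; the Notes column marks the
# instances worth a closer look. Run elevated so CommandLine is readable for every process.

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"
$svcs  = Get-CimInstance -ClassName Win32_Service

# The only legitimate image for this process name (assumption: default install location).
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = foreach ($p in $procs) {
    $group = $null
    # Accept both  -k netsvcs  and  -k "netsvcs"; extra switches such as -p may follow.
    if ($p.CommandLine -match '(?i)\s-k\s+("?)([^"\s]+)\1') { $group = $Matches[2] }

    $hosted = @($svcs | Where-Object { $_.ProcessId -eq $p.ProcessId } |
        Select-Object -ExpandProperty Name)

    $notes = @()
    if (-not $group)                { $notes += 'no -k group on command line' }
    if ($hosted.Count -eq 0)        { $notes += 'hosts no registered service' }
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedImage)) {
        $notes += "image path is '$($p.ExecutablePath)'"
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Group    = $group
        Services = ($hosted -join ', ')
        Notes    = ($notes -join '; ')
    }
}

$report | Sort-Object Group, PID | Format-Table -AutoSize -Wrap
```

On Windows 2000 through 7 the output matches the article closely, with a handful of svchost processes each carrying many services. On Windows 10 and later with enough memory, the SCM splits most shared groups so that each service gets its own svchost.exe, so many rows will show a single service per PID; that is expected and not itself a finding.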
