1. The origin of Svchost
Windows system services can be divided into those that run in their own process and those that run in a shared process.
In Windows NT, only the Service Control Manager, SCM (services.exe), hosted several services in a single process. As the number of system services grew, Windows 2000 began, for better performance, to host many services in shared processes started by Svchost.exe.
Svchost.exe itself implements no service functionality. Instead, a DLL that implements the service is loaded by svchost, which then runs it as a service. Such a DLL must export a function named ServiceMain.
For example, Windows has a service named RpcSs (the Remote Procedure Call service). Its registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
RpcSs is the service; beneath it is a Parameters subkey whose ServiceDll value names the DLL file, while the ImagePath value of the RpcSs key itself points to Svchost.exe.
In addition, Windows groups these services, and one svchost process is responsible for the services of each group. This is why several svchost processes appear at once.
Svchost.exe takes the list of groups and the services in each group from this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
So when a svchost-hosted service is started, if it belongs to a group whose svchost process is already running, that existing svchost process loads the service's DLL instead of a new svchost process being created.
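The three registry locations described above (the group list under the Svchost key, the ImagePath of the service key, and Parameters\ServiceDll) must agree for a legitimately hosted service, which makes them a cheap audit point. The following PowerShell is an added example, not code from the original article: it assumes an elevated PowerShell 5.1 or later session on Windows, reads the registry only, and the checks it applies (group membership, DLL location, existence, and signature) are this example's own choices rather than anything svchost itself enforces.

```powershell
# Added example (not from the original article): cross-check the registry
# relationships of every svchost-hosted service.
# Assumptions: elevated PowerShell 5.1+ on Windows; read-only registry access.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')

# 1. Group name -> member services, from the REG_MULTI_SZ values of the Svchost key.
$groups = @{}
$groupItem = Get-Item -Path $svchostKey
foreach ($valueName in $groupItem.GetValueNames()) {
    if ($groupItem.GetValueKind($valueName) -eq 'MultiString') {
        $groups[$valueName] = @($groupItem.GetValue($valueName))
    }
}

# 2. Every service whose ImagePath launches svchost.exe must name a group that lists
#    it, and its ServiceDll must point at an existing, signed DLL under System32.
$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $name  = $svc.PSChildName
    $props = Get-ItemProperty -Path "$servicesKey\$name" -ErrorAction SilentlyContinue
    $imagePath = [string]$props.ImagePath
    if ($imagePath -notmatch '(?i)svchost\.exe') { continue }

    # The "-k <group>" argument is what the SCM hands to svchost on start.
    $group = $null
    if ($imagePath -match '(?i)-k\s+"?([^"\s]+)') { $group = $Matches[1] }

    # ServiceDll normally sits under Parameters; a few services keep it on the key itself.
    $params = Get-ItemProperty -Path "$servicesKey\$name\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params -and $params.ServiceDll) { [string]$params.ServiceDll } else { [string]$props.ServiceDll }
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)

    $issues = New-Object System.Collections.Generic.List[string]
    if (-not $group) {
        $issues.Add('ImagePath has no -k group')
    } elseif (-not $groups.ContainsKey($group)) {
        $issues.Add("group '$group' is not defined under the Svchost key")
    } elseif ($groups[$group] -notcontains $name) {
        $issues.Add("service is not listed in group '$group'")
    }

    if (-not $dllPath) {
        $issues.Add('no ServiceDll value')
    } else {
        if (-not $dllPath.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $issues.Add("ServiceDll outside System32: $dllPath")
        }
        if (-not (Test-Path -LiteralPath $dllPath)) {
            $issues.Add("ServiceDll file missing: $dllPath")
        } else {
            # Catalog-signed OS binaries report Valid on Windows 8+ / PowerShell 4+;
            # anything else is a lead to investigate, not a verdict.
            $sig = Get-AuthenticodeSignature -LiteralPath $dllPath
            if ($sig.Status -ne 'Valid') { $issues.Add("signature $($sig.Status): $dllPath") }
        }
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            Group      = $group
            ServiceDll = $dllPath
            Issues     = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

On a clean system the table is empty or contains only third-party services that legitimately keep their ServiceDll outside System32; a service that claims a group it is not listed in, or whose DLL is missing or unsigned, is the pattern the rest of this article describes and deserves a closer look.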
2. How Svchost loads a service
(1). Its entry function first parses the command line to obtain the service group name, then looks that group name up in the registry and collects the names of all services listed under it.
(2). After saving the group's service names, it creates a SERVICE_TABLE_ENTRYW array in which the entry function of every service is a stub function implemented by svchost itself.
(3). It calls the StartServiceCtrlDispatcher API to register these service entry functions; the svchost main thread then waits for the SCM's command to start a service.
(4). When the SCM calls the stub that svchost registered, it passes the service name as a parameter. Svchost looks the name up in the saved list of service names; if it is present, svchost reads the ServiceDll value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>\Parameters
loads that DLL into the svchost process, and passes the service name as a parameter to the DLL's ServiceMain function.
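The sequence above ends with a DLL mapped into a shared svchost process, so the run-time counterpart of the registry audit is to compare what each svchost.exe has actually loaded with what the SCM and the registry say it should host. The following PowerShell is an added example, not code from the original article: it assumes an elevated, 64-bit PowerShell 5.1 or later session on 64-bit Windows (reading another process's module list needs administrator rights, and a 32-bit shell cannot see 64-bit modules); the notion of "trusted directories" is this example's own heuristic.

```powershell
# Added example (not from the original article): verify the run-time side of the
# loading sequence. For every running svchost.exe, compare the services the SCM
# reports inside it (and their ServiceDll values) with the modules it has loaded.
# Assumptions: elevated 64-bit PowerShell 5.1+ on 64-bit Windows.

$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'WinSxS')    # side-by-side assemblies are legitimate too
)

# Map each svchost process ID to the running services the SCM reports inside it.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State='Running' AND PathName LIKE '%svchost.exe%'" |
    ForEach-Object {
        if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
        $servicesByPid[$_.ProcessId] += $_.Name
    }

function Get-ServiceDllPath([string]$ServiceName) {
    # The same lookup svchost performs in step (4): Parameters\ServiceDll of the service key.
    $p = Get-ItemProperty -Path "$servicesKey\$ServiceName\Parameters" -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll) { [Environment]::ExpandEnvironmentVariables([string]$p.ServiceDll) }
}

$findings = foreach ($procId in $servicesByPid.Keys) {
    try {
        $modules = (Get-Process -Id $procId -ErrorAction Stop).Modules | ForEach-Object { $_.FileName }
    } catch {
        [pscustomobject]@{ PID = $procId; Service = '-'; Issue = "cannot read modules: $($_.Exception.Message)" }
        continue
    }

    # Each hosted service's ServiceDll should be among the loaded modules.
    foreach ($svcName in $servicesByPid[$procId]) {
        $expected = Get-ServiceDllPath $svcName
        if (-not $expected) {
            [pscustomobject]@{ PID = $procId; Service = $svcName; Issue = 'running in svchost but has no ServiceDll' }
        } elseif ($modules -notcontains $expected) {
            # Registry and process disagree: the DLL on disk was replaced, or the
            # registry was edited after the service was loaded.
            [pscustomobject]@{ PID = $procId; Service = $svcName; Issue = "ServiceDll not loaded: $expected" }
        }
    }

    # Anything loaded from outside the OS directories is worth a look: either a hosted
    # service DLL that lives elsewhere, or a DLL injected into the shared process.
    foreach ($mod in $modules) {
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($mod.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
        }
        if (-not $inTrusted) {
            [pscustomobject]@{
                PID     = $procId
                Service = ($servicesByPid[$procId] -join ',')
                Issue   = "module outside OS directories: $mod"
            }
        }
    }
}

$findings | Sort-Object PID, Service | Format-Table -AutoSize -Wrap
```

Because the SCM reports which process hosts each service, a DLL that svchost loaded on the SCM's behalf can always be tied back to a service name; a module in a svchost process that no hosted service accounts for, or a hosted service whose ServiceDll is absent from the module list, is the discrepancy this check is meant to surface.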
In summary, hackers can write a DLL that implements the service function and have Svchost load it, producing a very covert DLL virus.
Svchost process and Shared services virus principle