Security Tool creation Article 006th: Service Manager

Source: Internet
Author: User

I. Preface

A service is a program that starts when the operating system starts. Two kinds of programs start with the system in this way: ordinary Win32 service programs and driver programs. Because of this property, malicious programs often disguise themselves as normal services to obtain self-startup. Therefore, when looking for malware it is necessary to view and manage the service entries.

The development principle of the Service Manager is similar to that of the Registry Manager and Process Manager discussed earlier: enumerate the services and display them in a "List Control", and manage them through the service-related API functions. With the preparation of the earlier articles in this series, I will not elaborate on MFC here; refer to the previous articles for review.


II. Interface Design

Create a dialog-based program with MFC. The dialog needs one "List Control", two "Radio Button" controls and three "Button" controls:


Figure 1 Program Interface

Set the properties of the "List Control": under "Styles", set "View" to "Report" and check the "Single selection" option. Then add a control variable named "m_ServiceList" for it and initialize it in code:

void CServiceManageDlg::InitServiceList()
{
    // set the extended styles of the "List Control"
    m_ServiceList.SetExtendedStyle(
            m_ServiceList.GetExtendedStyle()
            | LVS_EX_GRIDLINES          // draw grid lines
            | LVS_EX_FULLROWSELECT );   // highlight the whole row when selected (report style only)
    // add the columns
    m_ServiceList.InsertColumn(0, "序号");
    m_ServiceList.InsertColumn(1, "服务名");
    m_ServiceList.InsertColumn(2, "显示名");
    m_ServiceList.InsertColumn(3, "状态");
    // set the column widths
    m_ServiceList.SetColumnWidth(0, LVSCW_AUTOSIZE_USEHEADER);
    m_ServiceList.SetColumnWidth(1, 100);
    m_ServiceList.SetColumnWidth(2, 250);
    m_ServiceList.SetColumnWidth(3, LVSCW_AUTOSIZE_USEHEADER);
}


III. Service Enumeration

To enumerate services, first open the service control manager, then enumerate the services, display them in the list, and finally close the handle:

void CServiceManageDlg::ShowServiceList(DWORD dwServiceType)
{
    m_ServiceList.DeleteAllItems();
    // open the service control manager; enumeration only needs
    // SC_MANAGER_ENUMERATE_SERVICE, so the tool also works without administrator rights
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if ( NULL == hSCM )
    {
        AfxMessageBox("无法打开服务管理器!");
        return ;
    }
    // buffer for the ENUM_SERVICE_STATUS records and the name strings stored behind them
    ENUM_SERVICE_STATUS SerStatus[512] = { 0 };
    DWORD dwBufSize = sizeof(SerStatus);
    DWORD dwByteNeeded = 0, dwServicesReturned = 0, dwResumeHandle = 0;
    DWORD nItem = 0;
    BOOL  bRet;
    // enumerate the services; when the buffer is too small the call fails with
    // ERROR_MORE_DATA and the resume handle lets the next call continue where it stopped
    do
    {
        bRet = EnumServicesStatus(hSCM,
                                  dwServiceType,
                                  SERVICE_STATE_ALL,
                                  SerStatus,
                                  dwBufSize,
                                  &dwByteNeeded,
                                  &dwServicesReturned,
                                  &dwResumeHandle);
        if ( FALSE == bRet && ERROR_MORE_DATA != GetLastError() )
        {
            AfxMessageBox("服务项枚举失败!");
            break;
        }
        // show the enumerated services in the list
        for ( DWORD i = 0; i < dwServicesReturned; i ++, nItem ++ )
        {
            CString str;
            str.Format("%d", nItem);
            m_ServiceList.InsertItem(nItem, str);
            m_ServiceList.SetItemText(nItem, 1, SerStatus[i].lpServiceName);
            m_ServiceList.SetItemText(nItem, 2, SerStatus[i].lpDisplayName);
            switch ( SerStatus[i].ServiceStatus.dwCurrentState )
            {
            case SERVICE_PAUSED:
                m_ServiceList.SetItemText(nItem, 3, "暂停");
                break;
            case SERVICE_STOPPED:
                m_ServiceList.SetItemText(nItem, 3, "停止");
                break;
            case SERVICE_RUNNING:
                m_ServiceList.SetItemText(nItem, 3, "运行");
                break;
            default:
                m_ServiceList.SetItemText(nItem, 3, "其他");
                break;
            }
        }
    } while ( FALSE == bRet && dwServicesReturned > 0 );   // FALSE here means ERROR_MORE_DATA: fetch the rest
    CloseServiceHandle(hSCM);
}
Include the header file "winsvc.h". If the Win32 service applications should be enumerated as soon as the program starts, add the calls in OnInitDialog:
    // TODO: Add extra initialization here
    InitServiceList();
    ShowServiceList(SERVICE_WIN32);

Similarly, to display the drivers by default, change the parameter of the ShowServiceList() call to SERVICE_DRIVER. If nothing should be displayed at startup, remove the call from the initialization code.


IV. Service Switching

To switch between the two kinds of services, add the following code to the handlers of the two "Radio Button" controls:

void CServiceManageDlg::OnRadioWin32()
{
    // TODO: Add your control notification handler code here
    ShowServiceList(SERVICE_WIN32);
}

void CServiceManageDlg::OnRadioDriver()
{
    // TODO: Add your control notification handler code here
    ShowServiceList(SERVICE_DRIVER);
}

Passing a different parameter enumerates the corresponding kind of service.


V. Starting and Stopping Services

The code for starting and stopping a service is as follows. It is fairly simple and is not described in detail here:

void CServiceManageDlg::OnBtnStart()
{
    // TODO: Add your control notification handler code here
    // index of the selected service
    POSITION Pos = m_ServiceList.GetFirstSelectedItemPosition();
    int nSelect = -1;
    while ( Pos )
    {
        nSelect = m_ServiceList.GetNextSelectedItem(Pos);
    }
    if ( -1 == nSelect )
    {
        AfxMessageBox("请选择要启动的服务");
        return ;
    }
    // get the service name of the selected service (column 1)
    char szServiceName[MAXBYTE] = { 0 };
    m_ServiceList.GetItemText(nSelect, 1, szServiceName, MAXBYTE);
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if ( NULL == hSCM )
    {
        AfxMessageBox("OpenSCManager Error");
        return ;
    }
    // request only the right that is needed here
    SC_HANDLE hSCService = OpenService(hSCM, szServiceName, SERVICE_START);
    if ( NULL == hSCService )
    {
        AfxMessageBox("OpenService Error");
        CloseServiceHandle(hSCM);
        return ;
    }
    // start the service
    BOOL bRet = StartService(hSCService, 0, NULL);
    if ( bRet == TRUE )
    {
        m_ServiceList.SetItemText(nSelect, 3, "运行");
    }
    else
    {
        CString strErr;
        strErr.Format("StartService Error: %d", GetLastError());
        AfxMessageBox(strErr);
    }
    CloseServiceHandle(hSCService);
    CloseServiceHandle(hSCM);
}

void CServiceManageDlg::OnBtnStop()
{
    // TODO: Add your control notification handler code here
    // index of the selected service
    POSITION Pos = m_ServiceList.GetFirstSelectedItemPosition();
    int nSelect = -1;
    while ( Pos )
    {
        nSelect = m_ServiceList.GetNextSelectedItem(Pos);
    }
    if ( -1 == nSelect )
    {
        AfxMessageBox("请选择要停止的服务");
        return ;
    }
    // get the service name of the selected service (column 1)
    char szServiceName[MAXBYTE] = { 0 };
    m_ServiceList.GetItemText(nSelect, 1, szServiceName, MAXBYTE);
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if ( NULL == hSCM )
    {
        AfxMessageBox("OpenSCManager Error");
        return ;
    }
    // request only the right that is needed here
    SC_HANDLE hSCService = OpenService(hSCM, szServiceName, SERVICE_STOP);
    if ( NULL == hSCService )
    {
        AfxMessageBox("OpenService Error");
        CloseServiceHandle(hSCM);
        return ;
    }
    SERVICE_STATUS ServiceStatus;
    // stop the service; TRUE means the stop request was accepted, the service may
    // still be in SERVICE_STOP_PENDING until the list is refreshed
    BOOL bRet = ControlService(hSCService, SERVICE_CONTROL_STOP, &ServiceStatus);
    if ( bRet == TRUE )
    {
        m_ServiceList.SetItemText(nSelect, 3, "停止");
    }
    else
    {
        CString strErr;
        strErr.Format("ControlService Error: %d", GetLastError());
        AfxMessageBox(strErr);
    }
    CloseServiceHandle(hSCService);
    CloseServiceHandle(hSCM);
}


VI. Program Testing

After the program compiles successfully, run it and test:


Figure 2 run the program

When the program starts, all Win32 service applications on the local machine are listed. Clicking the other radio button switches the display to the drivers. The professional tool SREng can be used for comparison:


Figure 3 Services displayed by SREng

The two listings match, which shows that our program works correctly.
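As an added cross-check that is not part of the original article, the enumeration of section III and the comparison above can be repeated from PowerShell against the Win32_Service and Win32_SystemDriver CIM classes. The script also shows the image path, start mode and account, which the MFC tool does not display and which is what a service disguised for self-startup is usually recognised by. The $Kind parameter and the Review column are my own choices.

```powershell
# Added example, not from the original article. Lists Win32 services or drivers
# the way the MFC tool's radio buttons do, plus image path, start mode and the
# account, so an auto-start service outside %SystemRoot% stands out for review.
param(
    [ValidateSet('Win32', 'Driver')]   # mirrors SERVICE_WIN32 / SERVICE_DRIVER
    [string]$Kind = 'Win32'
)

$class  = if ($Kind -eq 'Win32') { 'Win32_Service' } else { 'Win32_SystemDriver' }
$winDir = $env:SystemRoot.ToLowerInvariant()

Get-CimInstance -ClassName $class | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the image path
    $image = ''
    if     ($_.PathName -match '^"([^"]+)"') { $image = $Matches[1] }
    elseif ($_.PathName -match '^(\S+)')     { $image = $Matches[1] }

    # drivers are often registered as \SystemRoot\... or \??\C:\...; normalise
    $norm = $image.ToLowerInvariant() -replace '^\\\?\?\\', '' `
                                     -replace '^\\systemroot', $winDir `
                                     -replace '^system32\\', "$winDir\system32\"

    $outside = ($norm -ne '') -and -not $norm.StartsWith($winDir)
    $review  = if ($_.StartMode -eq 'Auto' -and $outside) { 'auto-start outside %SystemRoot%' } else { '' }

    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        State       = $_.State        # Running / Stopped / Paused, like column 4 in the tool
        StartMode   = $_.StartMode
        Account     = $_.StartName
        ImagePath   = $image
        Review      = $review
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it as `.\services.ps1 -Kind Driver` to get the driver view; the flagged rows are only a starting point for review, since legitimate third-party services also install outside the Windows directory.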

 

VII. Summary

So far the main framework of the three "static" anti-virus tools has been written, and these three tools can be used to find malicious programs that hide at the application layer. Through the creation of these three tools we can see how powerful the API functions are; this approach of reusing what the system already provides makes our programming much easier. Next, we can consider combining the three programs so that virus detection becomes more convenient and clear at a glance. If you are interested, try it.

