While reversing the "FindDll" and "AddDll" functions of Svchost.exe, an idea came to my mind: to design a single DLL that hosts two Svchost services.
For this reason, I had to look more deeply into how both functions work.
Both functions are called by the "GetServiceMainFunctions" function, which does the following:
1) Opens the Svchost service's Parameters registry key. For example, for the "DHCP" service, the key "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters" is opened. Under this key, a value named "ServiceDLL" is read. Its data is the pathname of the DLL that implements the Svchost service.
2) The circular doubly linked list holding information about all loaded service DLLs is searched ("FindDll") for a node with the same DLL name and service name. If no such node is found, "AddDll" is called to create one. The found or newly created node is then made to point at the service's _SERVICE_ARRAY_ELEMENT.
3) Under the same key, "GetServiceMainFunctions" queries a second value named "ServiceMain". It holds an alias chosen for the service's "ServiceMain" function, i.e. the name of the export that Svchost should call instead of the default "ServiceMain"; when the value is absent, the default name is used.
4) The "GetServiceDllFunction" function is called to load the ServiceDll into the address space of Svchost and resolve the addresses of the "ServiceMain" (or aliased) export and the "SvchostPushServiceGlobals" export.
Given the reversed C code in the images above, we will try to design one DLL that hosts two Svchost services.
Hereafter, I will refer to the first service as srv1 and to the second one as srv2. srv1's job is to terminate any Taskmgr instance (for educational purposes only) and srv2's job is to terminate any Regedit instance.
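The four steps above, applied to the two-service design, as an added example that is not the post's own svchost.h/svc.cpp source and not reversed code from Svchost.exe: a portable, in-memory C model of "GetServiceMainFunctions". The registry entries, DLL paths and export tables are constructed for the demo; the list is keyed on DLL name plus service name as step 2 describes; the loader stand-in returns the same module with a bumped reference count on a repeated load, which is what LoadLibrary does for an already-loaded module. It shows srv1 and srv2 sharing one ServiceDll while resolving different entry points (srv2 via a "ServiceMain" alias, here assumed to be "Srv2Main"), plus the two failure paths a practitioner hits when the registry is wrong: a missing Parameters key and an alias that names no export.

```c
/* Added example: in-memory model of svchost's GetServiceMainFunctions lookup.
 * Registry keys, DLL paths and export tables are constructed, not real. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_OK          0
#define ERR_NO_PARAMS      1  /* no Parameters key / ServiceDll value */
#define ERR_LOAD_FAILED    2  /* loader stand-in could not load the DLL */
#define ERR_NO_SERVICEMAIN 3  /* no export matching ServiceMain (or its alias) */

/* Stand-in for HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters */
typedef struct {
    const char *service;
    const char *service_dll;   /* "ServiceDll" value */
    const char *service_main;  /* "ServiceMain" alias; NULL = default name */
} ParamsKey;

static const ParamsKey g_registry[] = {            /* constructed entries */
    { "Dhcp", "C:\\Windows\\System32\\dhcpcsvc.dll", NULL },
    { "srv1", "C:\\svc\\svc.dll", NULL },           /* default "ServiceMain" */
    { "srv2", "C:\\svc\\svc.dll", "Srv2Main" },     /* same DLL, aliased entry */
    { "bad",  "C:\\svc\\svc.dll", "NoSuchMain" },   /* alias names no export */
};

/* Loader stand-in: module table with export names and a LoadLibrary-style refcount */
typedef struct { const char *path; const char *exports[4]; int refcount; } Module;

static Module g_modules[] = {                       /* constructed export tables */
    { "C:\\svc\\svc.dll", { "ServiceMain", "Srv2Main", "SvchostPushServiceGlobals", NULL }, 0 },
    { "C:\\Windows\\System32\\dhcpcsvc.dll", { "ServiceMain", NULL }, 0 },
};

typedef struct DllNode DllNode;

typedef struct {                 /* model of _SERVICE_ARRAY_ELEMENT */
    const char *name;
    DllNode    *dll;             /* node returned by FindDll/AddDll */
    Module     *module;
    const char *main_export;     /* export resolved for the service's ServiceMain */
    int         has_push_globals;
} ServiceArrayElement;

struct DllNode {                 /* node of the circular doubly linked list (step 2) */
    DllNode *flink, *blink;
    char     dll_name[260];
    char     svc_name[64];
    ServiceArrayElement *element;
};

static DllNode g_dll_list = { &g_dll_list, &g_dll_list, "", "", NULL };

static const ParamsKey *open_params_key(const char *service) {
    for (size_t i = 0; i < sizeof g_registry / sizeof g_registry[0]; i++)
        if (strcmp(g_registry[i].service, service) == 0) return &g_registry[i];
    return NULL;
}

/* FindDll: walk the ring until we are back at the head */
static DllNode *find_dll(const char *dll, const char *svc) {
    for (DllNode *n = g_dll_list.flink; n != &g_dll_list; n = n->flink)
        if (strcmp(n->dll_name, dll) == 0 && strcmp(n->svc_name, svc) == 0) return n;
    return NULL;
}

/* AddDll: allocate a node and link it in just before the head (list tail) */
static DllNode *add_dll(const char *dll, const char *svc) {
    DllNode *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    snprintf(n->dll_name, sizeof n->dll_name, "%s", dll);
    snprintf(n->svc_name, sizeof n->svc_name, "%s", svc);
    n->flink = &g_dll_list;          n->blink = g_dll_list.blink;
    g_dll_list.blink->flink = n;     g_dll_list.blink = n;
    return n;
}

static Module *load_library(const char *path) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (strcmp(g_modules[i].path, path) == 0) { g_modules[i].refcount++; return &g_modules[i]; }
    return NULL;
}

static const char *get_proc_address(const Module *m, const char *name) {
    for (int i = 0; m->exports[i]; i++)
        if (strcmp(m->exports[i], name) == 0) return m->exports[i];
    return NULL;
}

/* GetServiceMainFunctions: steps 1-4 as described on the page */
int get_service_main_functions(const char *service, ServiceArrayElement *elem) {
    const ParamsKey *key = open_params_key(service);                   /* 1 */
    if (!key || !key->service_dll) return ERR_NO_PARAMS;
    DllNode *node = find_dll(key->service_dll, service);                /* 2 */
    if (!node) node = add_dll(key->service_dll, service);
    if (!node) return ERR_LOAD_FAILED;
    elem->name = service; elem->dll = node; node->element = elem;
    const char *main_name = key->service_main ? key->service_main : "ServiceMain"; /* 3 */
    Module *m = load_library(key->service_dll);                         /* 4 */
    if (!m) return ERR_LOAD_FAILED;
    elem->module = m;
    elem->main_export = get_proc_address(m, main_name);
    elem->has_push_globals = get_proc_address(m, "SvchostPushServiceGlobals") != NULL;
    return elem->main_export ? STATUS_OK : ERR_NO_SERVICEMAIN;
}

int dll_list_length(void) {      /* nodes currently linked into the ring */
    int n = 0;
    for (DllNode *p = g_dll_list.flink; p != &g_dll_list; p = p->flink) n++;
    return n;
}

int main(void) {
    const char *names[] = { "srv1", "srv2", "Dhcp", "bad", "missing" };
    for (size_t i = 0; i < 5; i++) {
        ServiceArrayElement e = {0};
        int st = get_service_main_functions(names[i], &e);
        printf("%-8s status=%d entry=%s push_globals=%d\n", names[i], st,
               e.main_export ? e.main_export : "(none)", e.has_push_globals);
    }
    printf("list nodes=%d svc.dll refcount=%d\n", dll_list_length(), g_modules[0].refcount);
    return 0;
}
```

The model keeps the resolved export as its name rather than a function pointer, since there is nothing to call on a non-Windows host; the point is the bookkeeping: both services end up with their own list node and _SERVICE_ARRAY_ELEMENT, but the loader hands them the same module, and a wrong "ServiceMain" alias is only detected at step 4, after the DLL has already been loaded.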
Method 1
Reg file from here.
Source code svchost.h svc.def svc.cpp
Reg file from here.
Source code svchost.h svc.def svc.cpp
This method requires a little registry tweak for srv2.
Reg file from here.
Source code svchost.h svc.def svc.cpp