Friday, September 10, 2010

Designing Two Svchost Services Into One DLL

While reversing the "FindDll" and "AddDll" functions of Svchost.exe, an idea came to my mind: to design a single DLL that hosts two Svchost services.

To do that, I had to go deeper into the way both functions work.

Both functions are called by the "GetServiceMainFunctions" function which does the following:

1) Opens the Svchost service's Parameters registry key. For example, for the "DHCP" service, the key "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters" is opened. Under this key, a value named "ServiceDLL" is read; it holds the pathname of the DLL implementing the Svchost service.

2) The circular doubly linked list holding information about all loaded service DLLs is searched for a node with the same DLL name and service name. If no matching node is found, another function, "AddDll", is called to create a new one. The found or newly-created node is then made to point at the corresponding _SERVICE_ARRAY_ELEMENT.

3) Under the same key, "GetServiceMainFunctions" queries another registry value, "ServiceMain". It holds an alias name chosen for the "ServiceMain" function of the Svchost service.

4) The "GetServiceDllFunction" function is called to load the ServiceDll into the address space of Svchost and resolve the addresses of the "ServiceMain" and "SvchostPushServiceGlobals" functions.

Given the reversed C code in the images above, we will try to design one DLL that hosts two Svchost services.

Hereafter, I will refer to the first service as srv1 and to the second one as srv2. srv1's job is to terminate any Taskmgr instance (for educational purposes only) and srv2's job is to terminate any Regedit instance.

Method 1

The ServiceMain for srv1 will be exported as "ServiceMain" and the ServiceMain for srv2 as "ServiceMain2". So the DLL exports three functions: ServiceMain, ServiceMain2 and SvchostPushServiceGlobals. Each service has its own handler; both services share the same StopCallback.


To install both services, you need the compiled DLL, which is copied to the "system32" directory, and a .reg file that registers the two services. A restart is then needed.

Reg file from here.
Source code svchost.h svc.def svc.cpp

Method 2

In this method, we will design the DLL such that only two functions, ServiceMain and SvchostPushServiceGlobals, are exported. ServiceMain will act as the ServiceMain for both services.

Reg file from here.
Source code svchost.h svc.def svc.cpp


Method 3

In this method, we will design the DLL such that only two functions, ServiceMain and SvchostPushServiceGlobals, are exported. ServiceMain will act as the ServiceMain for srv1. SvchostPushServiceGlobals will act as the ServiceMain for srv2 and also provide the shared globals table for both srv1 and srv2.

This method requires a little registry tweak for srv2.

Reg file from here.

Source code svchost.h svc.def svc.cpp
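The registry values that the four steps of "GetServiceMainFunctions" read, together with the three designs above, suggest a simple audit of a host: flag services that share one ServiceDll (all three methods), that alias ServiceMain to a non-default export (Method 1's ServiceMain2, and the ServiceMain value pointing at SvchostPushServiceGlobals, which this example takes to be the registry tweak Method 3 needs for srv2), or whose ServiceDll lives outside the system directories. This is an added Python example, not code from the post; the SNAPSHOT dictionary is constructed, SYSTEM_DIRS is an assumed allow-list, and read_live is an assumed helper that builds the same dictionary from the live registry on Windows.

```python
"""Audit svchost ServiceDll/ServiceMain registrations for the patterns above (added example)."""
from collections import defaultdict
import ntpath

# Constructed snapshot of ...\Services\<name>\Parameters values (not taken from a real host)
SNAPSHOT = {
    "Dhcp": {"ServiceDll": r"C:\Windows\system32\dhcpcsvc.dll"},
    "srv1": {"ServiceDll": r"C:\Windows\system32\svc.dll"},
    "srv2": {"ServiceDll": r"C:\Windows\system32\svc.dll",
             "ServiceMain": "SvchostPushServiceGlobals"},   # Method 3 tweak, as assumed above
    "srv3": {"ServiceDll": r"C:\Users\Public\x.dll", "ServiceMain": "ServiceMain2"},
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")   # assumed allow-list

def audit(snapshot):
    """Return sorted (service, finding) pairs; 'service' is a comma list for a shared DLL."""
    findings, by_dll = [], defaultdict(list)
    for svc, params in snapshot.items():
        dll = params.get("ServiceDll")
        if not dll: continue                            # not hosted by svchost, nothing to check
        dll = ntpath.normcase(ntpath.expandvars(dll))   # %SystemRoot%\... -> c:\windows\...
        by_dll[dll].append(svc)
        main = params.get("ServiceMain")
        if main == "SvchostPushServiceGlobals":         # Method 3: one export plays both roles
            findings.append((svc, "ServiceMain alias points at SvchostPushServiceGlobals"))
        elif main and main != "ServiceMain":            # Method 1: e.g. ServiceMain2
            findings.append((svc, f"non-default ServiceMain alias: {main}"))
        if ntpath.dirname(dll) not in SYSTEM_DIRS:
            findings.append((svc, f"ServiceDll outside system directories: {dll}"))
    for dll, svcs in by_dll.items():                    # Methods 1-3: two services in one DLL
        if len(svcs) > 1:
            findings.append((",".join(sorted(svcs)), f"share one ServiceDll: {dll}"))
    return sorted(findings)

def read_live():  # Windows only (assumed helper): build the same snapshot from the live registry
    import winreg
    def value(key, v):
        try: return winreg.QueryValueEx(key, v)[0]
        except OSError: return None
    snap = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name + r"\Parameters") as p:
                    vals = {v: value(p, v) for v in ("ServiceDll", "ServiceMain")}
            except OSError:
                continue
            if vals["ServiceDll"]: snap[name] = {k: v for k, v in vals.items() if v}
    return snap
```

On a Windows host, `audit(read_live())` runs the same checks against the real Services key; the ServiceMain alias is legitimate in itself, so the findings are a review list, not verdicts.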
