Study notes: how svchost.exe executes
Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 19:51
Load svchost.exe -k rpcss directly in OllyDbg (OD), so the service group is passed as a command-line argument.
1) svchost.exe is loaded into memory

01002509 >/$ E8 EEFCFFFF      call svchost.010021FC
0100250E |.  8BFF             mov edi,edi
01002510 |.  56               push esi
01002511 |.  57               push edi
01002512 |.  68 A22E0001      push svchost.01002EA2                                       ; /pTopLevelFilter = svchost.01002EA2
01002517 |.  FF15 94100001    call dword ptr ds:[<&KERNEL32.SetUnhandledExceptionFil>    ; \SetUnhandledExceptionFilter
0100251D |.  6A 01            push 0x1                                                    ; /ErrorMode = SEM_FAILCRITICALERRORS
0100251F |.  FF15 90100001    call dword ptr ds:[<&KERNEL32.SetErrorMode>]               ; \SetErrorMode
01002525 |.  FF15 8C100001    call dword ptr ds:[<&KERNEL32.GetProcessHeap>]             ; [GetProcessHeap
0100252B |.  50               push eax
0100252C |.  E8 61FAFFFF      call svchost.01001F92
01002531 |.  B8 68400001      mov eax,svchost.01004068
01002536 |.  68 40400001      push svchost.01004040                                       ; /pCriticalSection = svchost.01004040
0100253B |.  A3 6C400001      mov dword ptr ds:[0x100406C],eax                            ; |
01002540 |.  A3 68400001      mov dword ptr ds:[0x1004068],eax                            ; |
01002545 |.  FF15 88100001    call dword ptr ds:[<&KERNEL32.InitializeCriticalSectio>    ; \InitializeCriticalSection
0100254B |.  FF15 84100001    call dword ptr ds:[<&KERNEL32.GetCommandLineW>]            ; [GetCommandLineW
01002551 |.  50               push eax
01002552 |.  E8 5AFDFFFF      call svchost.010022B1                                       ; 2) parse the command line to obtain the service group to start (netsvcs)
01002557 |.  8BF0             mov esi,eax
01002559 |.  85F6             test esi,esi
0100255B |.  74 28            je Xsvchost.01002585                                        ; no group name: jump straight to ExitProcess
0100255D |.  56               push esi
0100255E |.  E8 6BFEFFFF      call svchost.010023CE                                       ; 3) query the registry values, etc.
Stepping into that function: here I found that when I look at regedit directly I cannot see the services under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, but when tracing they are visible.
(
01001563  .  8938             mov dword ptr ds:[eax],edi
01001565  .  8D45 FC          lea eax,dword ptr ss:[ebp-0x4]
01001568  .  50               push eax                                                    ; /pBufSize
01001569  .  57               push edi                                                    ; |Buffer => NULL (size-only query)
0100156A  .  8D45 F8          lea eax,dword ptr ss:[ebp-0x8]                              ; |
0100156D  .  50               push eax                                                    ; |pValueType
0100156E  .  57               push edi                                                    ; |Reserved => NULL
0100156F  .  FF75 0C          push dword ptr ss:[ebp+0xC]                                 ; |ValueName
01001572  .  897D FC          mov dword ptr ss:[ebp-0x4],edi                              ; |
01001575  .  FF75 08          push dword ptr ss:[ebp+0x8]                                 ; |hKey
01001578  .  FFD6             call esi                                                    ; \RegQueryValueExW
0100157A  .  8BD8             mov ebx,eax                                                 ; queries the value named netsvcs under this key
0100157C  .  3BDF             cmp ebx,edi                                                 ; the first call only obtains the required size
·············
01001858  .  6A 0E            push 0xE
0100185A  .  5B               pop ebx
0100185B  .  FF75 FC          push dword ptr ss:[ebp-0x4]
0100185E  .  57               push edi
0100185F  .  E8 4DFAFFFF      call svchost.010012B1                                       ; now that the value size is known, allocate that much memory to hold the value
01001864  .  3BC7             cmp eax,edi
01001866  .  8945 10          mov dword ptr ss:[ebp+0x10],eax
01001869  .^ 0F84 15FDFFFF    je svchost.01001584                                         ; allocation failed
0100186F  .  8D4D FC          lea ecx,dword ptr ss:[ebp-0x4]
01001872  .  51               push ecx
01001873  .  50               push eax
01001874  .  8D45 F8          lea eax,dword ptr ss:[ebp-0x8]
01001877  .  50               push eax
01001878  .  57               push edi
01001879  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100187C  .  FF75 08          push dword ptr ss:[ebp+0x8]                                 ; the real query starts here; it returns a large list of services
0100187F  .  FFD6             call esi                                                    ; ADVAPI32.RegQueryValueExW

Query the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
01001FE3  .  50               push eax                                                    ; /pHandle
01001FE4  .  68 19000200      push 0x20019                                                ; |Access = KEY_READ
01001FE9  .  6A 00            push 0x0                                                    ; |Reserved = 0
01001FEB  .  FF76 0C          push dword ptr ds:[esi+0xC]                                 ; |Subkey
01001FEE  .  FF75 08          push dword ptr ss:[ebp+0x8]                                 ; |hKey
01001FF1  .  FF15 30100001    call dword ptr ds:[<&ADVAPI32.RegOpenKeyExW>]              ; \RegOpenKeyExW
01001FF7  .  85C0             test eax,eax
01001FF9  .  0F85 A2000000    jnz svchost.010020A1
01001FFF  .  8D45 08          lea eax,dword ptr ss:[ebp+0x8]                              ; iterate over several values; whichever query succeeds, that value exists
01002002  .  50               push eax
01002003  .  68 5C210001      push svchost.0100215C                                       ; UNICODE "CoInitializeSecurityParam"
01002008  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100200B  .  E8 E1050000      call svchost.010025F1
01002010  .  85C0             test eax,eax
01002012  .  75 06            jnz Xsvchost.0100201A
01002014  .  8B45 08          mov eax,dword ptr ss:[ebp+0x8]
01002017  .  8946 10          mov dword ptr ds:[esi+0x10],eax
0100201A  >  837E 10 00       cmp dword ptr ds:[esi+0x10],0x0
0100201E  .  74 5F            je Xsvchost.0100207F
01002020  .  8D45 08          lea eax,dword ptr ss:[ebp+0x8]
01002023  .  50               push eax
01002024  .  68 34210001      push svchost.01002134                                       ; UNICODE "AuthenticationLevel"
01002029  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100202C  .  E8 C0050000      call svchost.010025F1
01002031  .  85C0             test eax,eax
01002033  .  0F84 CC090000    je svchost.01002A05
01002039  .  C746 14 04000>   mov dword ptr ds:[esi+0x14],0x4
01002040  >  8D45 08          lea eax,dword ptr ss:[ebp+0x8]
01002043  .  50               push eax
01002044  .  68 0C210001      push svchost.0100210C                                       ; UNICODE "ImpersonationLevel"
01002049  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100204C  .  E8 A0050000      call svchost.010025F1
01002051  .  85C0             test eax,eax
01002053  .  0F84 B7090000    je svchost.01002A10
01002059  .  C746 18 02000>   mov dword ptr ds:[esi+0x18],0x2
01002060  >  8D45 08          lea eax,dword ptr ss:[ebp+0x8]
01002063  .  50               push eax
01002064  .  68 D4200001      push svchost.010020D4                                       ; UNICODE "AuthenticationCapabilities"
01002069  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100206C  .  E8 80050000      call svchost.010025F1
01002071  .  85C0             test eax,eax
01002073  .  0F85 CF080000    jnz svchost.01002948
01002079  .  8B45 08          mov eax,dword ptr ss:[ebp+0x8]
0100207C  .  8946 1C          mov dword ptr ds:[esi+0x1C],eax
0100207F  >  8D45 08          lea eax,dword ptr ss:[ebp+0x8]
01002082  .  50               push eax
01002083  .  68 AC200001      push svchost.010020AC                                       ; UNICODE "DefaultRpcStackSize"
01002088  .  FF75 0C          push dword ptr ss:[ebp+0xC]
0100208B  .  E8 61050000      call svchost.010025F1
01002090  .  85C0             test eax,eax
01002092  .  0F84 C4080000    je svchost.0100295C
01002098  >  FF75 0C          push dword ptr ss:[ebp+0xC]                                 ; /hKey
0100209B  .  FF15 2C100001    call dword ptr ds:[<&ADVAPI32.RegCloseKey>]                ; \RegCloseKey
010020A1  >  5E               pop esi
010020A2  .  8BC3             mov eax,ebx
010020A4  .  5B               pop ebx
010020A5  .  5D               pop ebp
010020A6  .  C2 0800          retn 0x8

4) Create a SERVICE_TABLE_ENTRY array whose element count is the number of services in the service group

010024BA |> \A1 60400001      mov eax,dword ptr ds:[0x1004060]                            ; service count
010024BF |.  8D0480           lea eax,dword ptr ds:[eax+eax*4]                            ; count * 5
010024C2 |.  C1E0 02          shl eax,0x2                                                 ; * 4 => count * 0x14 bytes, one 0x14-byte entry per service
010024C5 |.  50               push eax
010024C6 |.  6A 08            push 0x8
010024C8 |.  E8 E4EDFFFF      call svchost.010012B1                                       ; allocate the table
010024CD |.  3BC3             cmp eax,ebx
010024CF |.  A3 58400001      mov dword ptr ds:[0x1004058],eax
010024D4 |.  74 1C            je Xsvchost.010024F2
010024D6 |.  8B35 B4400001    mov esi,dword ptr ds:[0x10040B4]                            ; esi = start of the REG_MULTI_SZ service list
010024DC |.  8BD8             mov ebx,eax
010024DE |> 66:833E 00       /cmp word ptr ds:[esi],0x0                                  ; an empty string terminates the multi-sz
010024E2 |.  74 0E           |je Xsvchost.010024F2
010024E4 |.  8933            |mov dword ptr ds:[ebx],esi                                 ; entry.lpServiceName = current string
010024E6 |.  56              |push esi
010024E7 |.  83C3 14         |add ebx,0x14                                               ; next entry
010024EA |.  FFD7            |call edi                                                   ; eax = length of the string in characters
010024EC |.  8D7446 02       |lea esi,dword ptr ds:[esi+eax*2+0x2]                       ; skip the string and its terminating NUL
010024F0 |.^ EB EC           \jmp Xsvchost.010024DE
)
01002563 |.  E8 2DFCFFFF      call svchost.01002195                                       ; obtain all services contained in the service group and build a SERVICE_TABLE_ENTRY array
01002568 |.  8BF8             mov edi,eax
0100256A |.  85FF             test edi,edi
0100256C |.  74 06            je Xsvchost.01002574
0100256E |.  56               push esi
0100256F |.  E8 1E000000      call svchost.01002592
01002574 |>  56               push esi
01002575 |.  E8 3CF3FFFF      call svchost.010018B6                                       ; 5) every service entry callback is the same fixed function inside svchost.exe
0100257A |.  85FF             test edi,edi
0100257C |.  74 07            je Xsvchost.01002585                                        ; 6) register the dispatch functions for these services, then wait for the SCM's start-service command
0100257E |.  57               push edi                                                    ; /pServiceTable
0100257F |.  FF15 34100001    call dword ptr ds:[<&ADVAPI32.StartServiceCtrlDispatch>    ; \StartServiceCtrlDispatcherW
01002585 |>  6A 00            push 0x0                                                    ; /ExitCode = 0
01002587 \.  FF15 80100001    call dword ptr ds:[<&KERNEL32.ExitProcess>]                ; \ExitProcess
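Steps 2 to 5 above, re-implemented as an added Python example (not code from the original post): it parses the -k group from the command line, walks a raw REG_MULTI_SZ buffer exactly the way the loop at 010024DE does, and builds a service table in which every entry shares one procedure. The sample multi-sz bytes are constructed; on Windows the same group can be read live with winreg, which is assumed to be available there.

```python
import sys
from typing import Callable, List, NamedTuple, Optional

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"


class ServiceTableEntry(NamedTuple):  # models SERVICE_TABLE_ENTRY
    lpServiceName: str
    lpServiceProc: Callable[[str], None]


def svchost_service_main(name: str) -> None:
    """Stand-in for the single fixed entry point svchost uses for every service (step 5)."""


def parse_service_group(cmdline: str) -> Optional[str]:
    """Step 2: return the group name that follows -k; None means svchost just exits."""
    argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() == "-k":
            return argv[i + 1]
    return None


def parse_multi_sz(blob: bytes) -> List[str]:
    """Steps 3/4: walk a raw REG_MULTI_SZ (UTF-16LE strings, each NUL-terminated, list ended by an empty string)."""
    names: List[str] = []
    pos = 0
    while pos + 2 <= len(blob):
        if blob[pos:pos + 2] == b"\x00\x00":  # cmp word ptr [esi],0: empty string ends the list
            break
        end = pos                             # scan on even offsets so a 0x00 byte inside a code unit is not a terminator
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        names.append(blob[pos:end].decode("utf-16-le"))
        pos = end + 2                         # lea esi,[esi+eax*2+2]: skip the string and its NUL
    return names


def build_service_table(names: List[str]) -> List[ServiceTableEntry]:
    """Steps 4/5: one entry per service, all pointing at the same procedure."""
    return [ServiceTableEntry(n, svchost_service_main) for n in names]


def read_group_from_registry(group: str) -> List[str]:
    """Windows only (assumption: winreg present): read SvcHost\\<group>, already split into strings."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY, 0, winreg.KEY_READ) as key:
        value, vtype = winreg.QueryValueEx(key, group)
    if vtype != winreg.REG_MULTI_SZ:
        raise ValueError(f"{group} is not REG_MULTI_SZ")
    return list(value)


# Constructed sample: what a REG_MULTI_SZ value such as netsvcs looks like in memory.
SAMPLE_NETSVCS = ("\0".join(["AppMgmt", "AudioSrv", "CryptSvc"]) + "\0\0").encode("utf-16-le")

if __name__ == "__main__":
    group = parse_service_group("svchost.exe -k netsvcs")
    names = read_group_from_registry(group) if sys.platform == "win32" else parse_multi_sz(SAMPLE_NETSVCS)
    for entry in build_service_table(names):
        print(entry.lpServiceName, "->", entry.lpServiceProc.__name__)
```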