svchost.exe 执行原理学习

用 OD 直接加载 svchost.exe，命令行参数为 -k rpcss（即以命令行参数形式加载）
1) svchost.exe 加载到内存中
; ----------------------------------------------------------------------
; OllyDbg listing, svchost.exe (32-bit): process start-up path.
; Columns: address | flow marks | opcode bytes | mnemonic | comment.
; Win32 API calls are stdcall: arguments are pushed right-to-left and the
; callee pops them; OllyDbg's "/ | \" marks bracket each call's arguments.
; Register roles visible here: esi = result of the command-line parse,
; treated as a pointer to the service-group description (see 01002557).
; ----------------------------------------------------------------------
01002509 >/$  E8 EEFCFFFF   call svchost.010021FC                                  ;  internal init call; body not shown in this listing
0100250E  |.  8BFF          mov edi,edi                                            ;  no-op; the usual Microsoft hot-patch padding
01002510  |.  56            push esi                                               ;  preserve callee-saved esi/edi
01002511  |.  57            push edi
01002512  |.  68 A22E0001   push svchost.01002EA2                                  ; /pTopLevelFilter = svchost.01002EA2 (internal filter; not shown)
01002517  |.  FF15 94100001 call dword ptr ds:[<&KERNEL32.SetUnhandledExceptionFil>; \SetUnhandledExceptionFilter
0100251D  |.  6A 01         push 0x1                                               ; /ErrorMode = SEM_FAILCRITICALERRORS -> no critical-error dialogs
0100251F  |.  FF15 90100001 call dword ptr ds:[<&KERNEL32.SetErrorMode>]           ; \SetErrorMode
01002525  |.  FF15 8C100001 call dword ptr ds:[<&KERNEL32.GetProcessHeap>]         ; [GetProcessHeap
0100252B  |.  50            push eax                                               ;  heap handle -> 01001F92 (presumably kept for later allocations)
0100252C  |.  E8 61FAFFFF   call svchost.01001F92
01002531  |.  B8 68400001   mov eax,svchost.01004068                               ;  eax = address 0x1004068
01002536  |.  68 40400001   push svchost.01004040                                  ; /pCriticalSection = svchost.01004040
0100253B  |.  A3 6C400001   mov dword ptr ds:[0x100406C],eax                       ; | [0x100406C] = [0x1004068] = 0x1004068: two adjacent dwords pointing
01002540  |.  A3 68400001   mov dword ptr ds:[0x1004068],eax                       ; | at themselves -- looks like an empty LIST_ENTRY init (inferred)
01002545  |.  FF15 88100001 call dword ptr ds:[<&KERNEL32.InitializeCriticalSectio>; \InitializeCriticalSection
0100254B  |.  FF15 84100001 call dword ptr ds:[<&KERNEL32.GetCommandLineW>]        ; [GetCommandLineW
01002551  |.  50            push eax                                               ;  raw command line (here "-k rpcss") -> parser
01002552  |.  E8 5AFDFFFF   call svchost.010022B1                                  ;  2) parse the command line and obtain the service group to start (netsvcs)
01002557  |.  8BF0          mov esi,eax                                            ;  esi = parse result; NULL means no usable group
01002559  |.  85F6          test esi,esi
0100255B  |.  74 28         je Xsvchost.01002585                                   ;  no group -> 01002585, which is ExitProcess(0) in the final listing
0100255D  |.  56            push esi
0100255E  |.  E8 6BFEFFFF   call svchost.010023CE                                  ;  3) look up the group's registry values, etc.


跟进该函数。这里我发现：直接用 regedit 查看时看不到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost 下的服务，但在调试跟踪中却能看到。

; ----------------------------------------------------------------------
; OllyDbg listing, svchost.exe (32-bit): reading one registry value with
; the two-call RegQueryValueExW pattern (size query, allocate, data query).
; Frame: [ebp+0x8] = hKey, [ebp+0xC] = ValueName, [ebp+0x10] receives the
; allocated buffer; [ebp-0x4] = cbData, [ebp-0x8] = value type.
; esi = RegQueryValueExW (called through esi); edi = 0, used as NULL.
; The "....." between 0100157C and 01001858 is an elision by the original
; author; the instructions in that gap are not shown.
; Whatever string list this value holds becomes the set of services loaded
; into this host process, so the SvcHost key is configuration worth
; auditing/monitoring from a defender's standpoint.
; ----------------------------------------------------------------------
01001563   .  8938          mov dword ptr ds:[eax],edi                             ;  *eax = 0 (eax was set before this excerpt)
01001565   .  8D45 FC       lea eax,dword ptr ss:[ebp-0x4]
01001568   .  50            push eax                                               ; /pBufSize = &[ebp-0x4]
01001569   .  57            push edi                                               ; |Buffer => NULL  (size query only)
0100156A   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]                         ; |
0100156D   .  50            push eax                                               ; |pValueType = &[ebp-0x8]
0100156E   .  57            push edi                                               ; |Reserved => NULL
0100156F   .  FF75 0C       push dword ptr ss:[ebp+0xC]                            ; |ValueName
01001572   .  897D FC       mov dword ptr ss:[ebp-0x4],edi                         ; | cbData = 0 before the call
01001575   .  FF75 08       push dword ptr ss:[ebp+0x8]                            ; |hKey
01001578   .  FFD6          call esi                                               ; \RegQueryValueExW
0100157A   .  8BD8          mov ebx,eax                                            ;  ebx = status; this queries the value named netsvcs under that path
0100157C   .  3BDF          cmp ebx,edi                                            ;  first pass only obtains the required size [listing elided by author]
01001858   .  6A 0E         push 0xE                                               ;  ebx = 0xE (14, numerically ERROR_OUTOFMEMORY); presumably the
0100185A   .  5B            pop ebx                                                ;  status returned if the allocation below fails
0100185B   .  FF75 FC       push dword ptr ss:[ebp-0x4]                            ;  size returned by the first query
0100185E   .  57            push edi                                               ;  0 as first argument (flags?) -- same allocator used for the service table
0100185F   .  E8 4DFAFFFF   call svchost.010012B1                                  ;  now that the size is known, allocate a buffer of that size for the value data
01001864   .  3BC7          cmp eax,edi
01001866   .  8945 10       mov dword ptr ss:[ebp+0x10],eax                        ;  [ebp+0x10] = buffer (may be NULL)
01001869   .^ 0F84 15FDFFFF je svchost.01001584                                    ;  allocation failed -> 01001584 (outside this excerpt)
0100186F   .  8D4D FC       lea ecx,dword ptr ss:[ebp-0x4]
01001872   .  51            push ecx                                               ;  pBufSize = same cbData; ERROR_MORE_DATA handling (if any) is not visible here
01001873   .  50            push eax                                               ;  Buffer = newly allocated block
01001874   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
01001877   .  50            push eax                                               ;  pValueType
01001878   .  57            push edi                                               ;  Reserved = NULL
01001879   .  FF75 0C       push dword ptr ss:[ebp+0xC]                            ;  ValueName
0100187C   .  FF75 08       push dword ptr ss:[ebp+0x8]                            ;  hKey -- the second query now fetches the data: a long list of services
0100187F   .  FFD6          call esi                                               ;  ADVAPI32.RegQueryValueExW; status in eax, checked after this excerpt


查询 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs 下的键值

; ----------------------------------------------------------------------
; OllyDbg listing, svchost.exe (32-bit): tail of the routine that opens a
; per-group subkey and reads its optional DWORD settings.
; Frame/regs (inferred from use): [ebp+0x8] = parent hKey on entry, then
; reused as scratch output for each value read; [ebp+0xC] = the opened
; subkey handle (it is what RegCloseKey receives); esi = per-group record
; whose fields at +0x10..+0x1C are filled below; ebx = status returned in eax.
; Helper 010025F1(hKey, valueName, &out) returns 0 on success (that is the
; sense of the je/jnz tests below); its body is not shown.
; retn 0x8 => stdcall routine taking two dword arguments.
; The value names suggest CoInitializeSecurity inputs, i.e. these HKLM
; values shape the host's COM/RPC security posture; treat the key as part
; of the trusted configuration surface.
; ----------------------------------------------------------------------
01001FE3   .  50            push eax                                            ; /pHandle
01001FE4   .  68 19000200   push 0x20019                                        ; |Access = KEY_READ
01001FE9   .  6A 00         push 0x0                                            ; |Reserved = 0
01001FEB   .  FF76 0C       push dword ptr ds:[esi+0xC]                         ; |Subkey = name stored in the group record
01001FEE   .  FF75 08       push dword ptr ss:[ebp+0x8]                         ; |hKey
01001FF1   .  FF15 30100001 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExW>]       ; \RegOpenKeyExW
01001FF7   .  85C0          test eax,eax
01001FF9   .  0F85 A2000000 jnz svchost.010020A1                                ;  open failed -> common epilogue, nothing is read
01001FFF   .  8D45 08       lea eax,dword ptr ss:[ebp+0x8]                      ;  try several values in turn; a value "exists" if its query succeeds
01002002   .  50            push eax
01002003   .  68 5C210001   push svchost.0100215C                               ;  UNICODE "CoInitializeSecurityParam"
01002008   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100200B   .  E8 E1050000   call svchost.010025F1
01002010   .  85C0          test eax,eax
01002012   .  75 06         jnz Xsvchost.0100201A                               ;  absent -> leave [esi+0x10] unchanged
01002014   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
01002017   .  8946 10       mov dword ptr ds:[esi+0x10],eax                     ;  record+0x10 = CoInitializeSecurityParam
0100201A   >  837E 10 00    cmp dword ptr ds:[esi+0x10],0x0
0100201E   .  74 5F         je Xsvchost.0100207F                                ;  0/absent -> skip the three security settings, go to DefaultRpcStackSize
01002020   .  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002023   .  50            push eax
01002024   .  68 34210001   push svchost.01002134                               ;  UNICODE "AuthenticationLevel"
01002029   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100202C   .  E8 C0050000   call svchost.010025F1
01002031   .  85C0          test eax,eax
01002033   .  0F84 CC090000 je svchost.01002A05                                 ;  present -> out-of-line path (not shown; presumably stores the read value)
01002039   .  C746 14 04000>mov dword ptr ds:[esi+0x14],0x4                     ;  absent -> default 4 (numerically RPC_C_AUTHN_LEVEL_PKT)
01002040   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002043   .  50            push eax
01002044   .  68 0C210001   push svchost.0100210C                               ;  UNICODE "ImpersonationLevel"
01002049   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100204C   .  E8 A0050000   call svchost.010025F1
01002051   .  85C0          test eax,eax
01002053   .  0F84 B7090000 je svchost.01002A10                                 ;  present -> out-of-line path (not shown)
01002059   .  C746 18 02000>mov dword ptr ds:[esi+0x18],0x2                     ;  absent -> default 2 (numerically RPC_C_IMP_LEVEL_IDENTIFY)
01002060   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002063   .  50            push eax
01002064   .  68 D4200001   push svchost.010020D4                               ;  UNICODE "AuthenticationCapabilities"
01002069   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100206C   .  E8 80050000   call svchost.010025F1
01002071   .  85C0          test eax,eax
01002073   .  0F85 CF080000 jnz svchost.01002948                                ;  absent -> out-of-line path (not shown); note the inverted sense vs the two above
01002079   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
0100207C   .  8946 1C       mov dword ptr ds:[esi+0x1C],eax                     ;  record+0x1C = AuthenticationCapabilities
0100207F   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002082   .  50            push eax
01002083   .  68 AC200001   push svchost.010020AC                               ;  UNICODE "DefaultRpcStackSize"
01002088   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100208B   .  E8 61050000   call svchost.010025F1
01002090   .  85C0          test eax,eax
01002092   .  0F84 C4080000 je svchost.0100295C                                 ;  present -> out-of-line path (not shown)
01002098   >  FF75 0C       push dword ptr ss:[ebp+0xC]                         ; /hKey = the subkey opened above
0100209B   .  FF15 2C100001 call dword ptr ds:[<&ADVAPI32.RegCloseKey>]         ; \RegCloseKey
010020A1   >  5E            pop esi                                             ;  common epilogue (also the RegOpenKeyExW failure target)
010020A2   .  8BC3          mov eax,ebx                                         ;  return the status kept in ebx
010020A4   .  5B            pop ebx
010020A5   .  5D            pop ebp
010020A6   .  C2 0800       retn 0x8
4) 创建一个 SERVICE_TABLE_ENTRY 数组，元素个数就是该服务组中服务的个数
; ----------------------------------------------------------------------
; OllyDbg listing, svchost.exe (32-bit): build the service table for the
; group. The multi-string at [0x10040B4] (NUL-separated wide strings ended
; by an empty string -- the REG_MULTI_SZ layout) is walked once and each
; name pointer is stored as the first field of a 0x14-byte (20-byte) entry.
; Regs: ebx = write cursor into the table (assumed 0 before the alloc, so
; it doubles as the NULL compare at 010024CD); esi = read cursor over the
; names; edi = a one-argument routine whose result is used as a wide-char
; count (presumably wcslen; see 010024EC).
; Note: 20 bytes per entry is larger than SERVICE_TABLE_ENTRYW (two
; pointers, 8 bytes on x86), so the author's "SERVICE_TABLE_ENTRY array"
; is approximate -- each entry evidently carries extra fields.
; Note: the loop is bounded by the string terminator, not by the count in
; [0x1004060]; the table stays in bounds only if that count was derived
; from the same multi-string (computed outside this excerpt).
; ----------------------------------------------------------------------
010024BA  |> \A1 60400001   mov eax,dword ptr ds:[0x1004060]                       ;  eax = n, number of services in the group (per the author)
010024BF  |.  8D0480        lea eax,dword ptr ds:[eax+eax*4]                       ;  eax = n*5
010024C2  |.  C1E0 02       shl eax,0x2                                            ;  eax = n*20 = table size in bytes (entry stride 0x14, see 010024E7)
010024C5  |.  50            push eax                                               ;  size
010024C6  |.  6A 08         push 0x8                                               ;  first argument 8 (numerically HEAP_ZERO_MEMORY; inferred)
010024C8  |.  E8 E4EDFFFF   call svchost.010012B1                                  ;  internal allocator (same routine used for the registry value buffer)
010024CD  |.  3BC3          cmp eax,ebx                                            ;  NULL check (ebx assumed 0 here)
010024CF  |.  A3 58400001   mov dword ptr ds:[0x1004058],eax                       ;  [0x1004058] = table base (stored even when NULL)
010024D4  |.  74 1C         je Xsvchost.010024F2                                   ;  allocation failed -> leave
010024D6  |.  8B35 B4400001 mov esi,dword ptr ds:[0x10040B4]                       ;  esi = start of the service-name multi-string
010024DC  |.  8BD8          mov ebx,eax                                            ;  ebx = current table entry
010024DE  |>  66:833E 00    /cmp word ptr ds:[esi],0x0                             ;  empty string => end of the list
010024E2  |.  74 0E         |je Xsvchost.010024F2
010024E4  |.  8933          |mov dword ptr ds:[ebx],esi                            ;  entry->name = esi (first field of the entry)
010024E6  |.  56            |push esi
010024E7  |.  83C3 14       |add ebx,0x14                                          ;  advance to the next entry (stride 0x14)
010024EA  |.  FFD7          |call edi                                              ;  eax = length of the name in wide chars
010024EC  |.  8D7446 02     |lea esi,dword ptr ds:[esi+eax*2+0x2]                  ;  esi += (len+1)*2: skip the string and its terminating NUL
010024F0  |.^ EB EC         \jmp Xsvchost.010024DE

; ----------------------------------------------------------------------
; OllyDbg listing, svchost.exe (32-bit): hand the service table to the SCM.
; Regs: esi = service-group record from the command-line parse; edi = the
; service table returned by 01002195 (NULL if none).
; ----------------------------------------------------------------------
01002563  |.  E8 2DFCFFFF   call svchost.01002195                                  ;  collect all services in the group and build the SERVICE_TABLE_ENTRY array
01002568  |.  8BF8          mov edi,eax                                            ;  edi = table (or NULL)
0100256A  |.  85FF          test edi,edi
0100256C  |.  74 06         je Xsvchost.01002574                                   ;  no table -> skip 01002592
0100256E  |.  56            push esi
0100256F  |.  E8 1E000000   call svchost.01002592                                  ;  internal; body not shown
01002574  |>  56            push esi
01002575  |.  E8 3CF3FFFF   call svchost.010018B6                                  ;  5) every service entry callback is the same fixed function inside svchost.exe
0100257A  |.  85FF          test edi,edi
0100257C  |.  74 07         je Xsvchost.01002585                                   ;  6) register the dispatch functions for these services, then wait for the SCM's start commands
0100257E  |.  57            push edi                                               ; /pServiceTable
0100257F  |.  FF15 34100001 call dword ptr ds:[<&ADVAPI32.StartServiceCtrlDispatch>; \StartServiceCtrlDispatcherW -- blocks until all services have stopped;
01002585  |>  6A 00         push 0x0                                               ; /ExitCode = 0   its BOOL result is not tested, so failure also exits with 0
01002587  \.  FF15 80100001 call dword ptr ds:[<&KERNEL32.ExitProcess>]            ; \ExitProcess  (also the jump target when the command line yields no group)














