OD直接加载svchost.exe -k rpcss 以命令行参数形式加载
1)svchost.exe加载到内存中
跟进函数 这里我发现 直接看regedit 看不到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost 下的服务,但是跟踪却能看到
(
1)svchost.exe加载到内存中
01002509 >/$ E8 EEFCFFFF call svchost.010021FC 0100250E |. 8BFF mov edi,edi 01002510 |. 56 push esi 01002511 |. 57 push edi 01002512 |. 68 A22E0001 push svchost.01002EA2 ; /pTopLevelFilter = svchost.01002EA2 01002517 |. FF15 94100001 call dword ptr ds:[<&KERNEL32.SetUnhandledExceptionFil>; \SetUnhandledExceptionFilter 0100251D |. 6A 01 push 0x1 ; /ErrorMode = SEM_FAILCRITICALERRORS 0100251F |. FF15 90100001 call dword ptr ds:[<&KERNEL32.SetErrorMode>] ; \SetErrorMode 01002525 |. FF15 8C100001 call dword ptr ds:[<&KERNEL32.GetProcessHeap>] ; [GetProcessHeap 0100252B |. 50 push eax 0100252C |. E8 61FAFFFF call svchost.01001F92 01002531 |. B8 68400001 mov eax,svchost.01004068 01002536 |. 68 40400001 push svchost.01004040 ; /pCriticalSection = svchost.01004040 0100253B |. A3 6C400001 mov dword ptr ds:[0x100406C],eax ; | 01002540 |. A3 68400001 mov dword ptr ds:[0x1004068],eax ; | 01002545 |. FF15 88100001 call dword ptr ds:[<&KERNEL32.InitializeCriticalSectio>; \InitializeCriticalSection 0100254B |. FF15 84100001 call dword ptr ds:[<&KERNEL32.GetCommandLineW>] ; [GetCommandLineW 01002551 |. 50 push eax 01002552 |. E8 5AFDFFFF call svchost.010022B1 ; 2)对命令行进行解析,获得启动的服务组netsvcs 01002557 |. 8BF0 mov esi,eax 01002559 |. 85F6 test esi,esi 0100255B |. 74 28 je Xsvchost.01002585 0100255D |. 56 push esi 0100255E |. E8 6BFEFFFF call svchost.010023CE ; 3)查询键值等
跟进函数 这里我发现 直接看regedit 看不到 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost 下的服务,但是跟踪却能看到
(
01001563 . 8938 mov dword ptr ds:[eax],edi 01001565 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4] 01001568 . 50 push eax ; /pBufSize 01001569 . 57 push edi ; |Buffer => NULL 0100156A . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8] ; | 0100156D . 50 push eax ; |pValueType 0100156E . 57 push edi ; |Reserved => NULL 0100156F . FF75 0C push dword ptr ss:[ebp+0xC] ; |ValueName 01001572 . 897D FC mov dword ptr ss:[ebp-0x4],edi ; | 01001575 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hKey 01001578 . FFD6 call esi ; \RegQueryValueExW 0100157A . 8BD8 mov ebx,eax ; 查询出该路径下子键名为netsvcs的键值 0100157C . 3BDF cmp ebx,edi ; 这里先获得大小 ············· 01001858 . 6A 0E push 0xE 0100185A . 5B pop ebx 0100185B . FF75 FC push dword ptr ss:[ebp-0x4] 0100185E . 57 push edi 0100185F . E8 4DFAFFFF call svchost.010012B1 ; 知道了键值大小就分配大小的内存给初始化键值 01001864 . 3BC7 cmp eax,edi 01001866 . 8945 10 mov dword ptr ss:[ebp+0x10],eax 01001869 .^ 0F84 15FDFFFF je svchost.01001584 0100186F . 8D4D FC lea ecx,dword ptr ss:[ebp-0x4] 01001872 . 51 push ecx 01001873 . 50 push eax 01001874 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8] 01001877 . 50 push eax 01001878 . 57 push edi 01001879 . FF75 0C push dword ptr ss:[ebp+0xC] 0100187C . FF75 08 push dword ptr ss:[ebp+0x8] ; 这里开始查询 查询出了大量服务 0100187F . FFD6 call esi ; ADVAPI32.RegQueryValueExW
查询 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs 的键值
01001FE3 . 50 push eax ; /pHandle 01001FE4 . 68 19000200 push 0x20019 ; |Access = KEY_READ 01001FE9 . 6A 00 push 0x0 ; |Reserved = 0 01001FEB . FF76 0C push dword ptr ds:[esi+0xC] ; |Subkey 01001FEE . FF75 08 push dword ptr ss:[ebp+0x8] ; |hKey 01001FF1 . FF15 30100001 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExW>] ; \RegOpenKeyExW 01001FF7 . 85C0 test eax,eax 01001FF9 . 0F85 A2000000 jnz svchost.010020A1 01001FFF . 8D45 08 lea eax,dword ptr ss:[ebp+0x8] ; 遍历几个键值能查询成功就存在键值 01002002 . 50 push eax 01002003 . 68 5C210001 push svchost.0100215C ; UNICODE "CoInitializeSecurityParam" 01002008 . FF75 0C push dword ptr ss:[ebp+0xC] 0100200B . E8 E1050000 call svchost.010025F1 01002010 . 85C0 test eax,eax 01002012 . 75 06 jnz Xsvchost.0100201A 01002014 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8] 01002017 . 8946 10 mov dword ptr ds:[esi+0x10],eax 0100201A > 837E 10 00 cmp dword ptr ds:[esi+0x10],0x0 0100201E . 74 5F je Xsvchost.0100207F 01002020 . 8D45 08 lea eax,dword ptr ss:[ebp+0x8] 01002023 . 50 push eax 01002024 . 68 34210001 push svchost.01002134 ; UNICODE "AuthenticationLevel" 01002029 . FF75 0C push dword ptr ss:[ebp+0xC] 0100202C . E8 C0050000 call svchost.010025F1 01002031 . 85C0 test eax,eax 01002033 . 0F84 CC090000 je svchost.01002A05 01002039 . C746 14 04000>mov dword ptr ds:[esi+0x14],0x4 01002040 > 8D45 08 lea eax,dword ptr ss:[ebp+0x8] 01002043 . 50 push eax 01002044 . 68 0C210001 push svchost.0100210C ; UNICODE "ImpersonationLevel" 01002049 . FF75 0C push dword ptr ss:[ebp+0xC] 0100204C . E8 A0050000 call svchost.010025F1 01002051 . 85C0 test eax,eax 01002053 . 0F84 B7090000 je svchost.01002A10 01002059 . C746 18 02000>mov dword ptr ds:[esi+0x18],0x2 01002060 > 8D45 08 lea eax,dword ptr ss:[ebp+0x8] 01002063 . 50 push eax 01002064 . 68 D4200001 push svchost.010020D4 ; UNICODE "AuthenticationCapabilities" 01002069 . FF75 0C push dword ptr ss:[ebp+0xC] 0100206C . E8 80050000 call svchost.010025F1 01002071 . 85C0 test eax,eax 01002073 . 0F85 CF080000 jnz svchost.01002948 01002079 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8] 0100207C . 8946 1C mov dword ptr ds:[esi+0x1C],eax 0100207F > 8D45 08 lea eax,dword ptr ss:[ebp+0x8] 01002082 . 50 push eax 01002083 . 68 AC200001 push svchost.010020AC ; UNICODE "DefaultRpcStackSize" 01002088 . FF75 0C push dword ptr ss:[ebp+0xC] 0100208B . E8 61050000 call svchost.010025F1 01002090 . 85C0 test eax,eax 01002092 . 0F84 C4080000 je svchost.0100295C 01002098 > FF75 0C push dword ptr ss:[ebp+0xC] ; /hKey 0100209B . FF15 2C100001 call dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey 010020A1 > 5E pop esi 010020A2 . 8BC3 mov eax,ebx 010020A4 . 5B pop ebx 010020A5 . 5D pop ebp 010020A6 . C2 0800 retn 0x84)创建一个SERVICE_TABLE_ENTRY 数组 元素个数就是该服务组服务的个数
010024BA |> \A1 60400001 mov eax,dword ptr ds:[0x1004060] 010024BF |. 8D0480 lea eax,dword ptr ds:[eax+eax*4] 010024C2 |. C1E0 02 shl eax,0x2 010024C5 |. 50 push eax 010024C6 |. 6A 08 push 0x8 010024C8 |. E8 E4EDFFFF call svchost.010012B1 010024CD |. 3BC3 cmp eax,ebx 010024CF |. A3 58400001 mov dword ptr ds:[0x1004058],eax 010024D4 |. 74 1C je Xsvchost.010024F2 010024D6 |. 8B35 B4400001 mov esi,dword ptr ds:[0x10040B4] 010024DC |. 8BD8 mov ebx,eax 010024DE |> 66:833E 00 /cmp word ptr ds:[esi],0x0 010024E2 |. 74 0E |je Xsvchost.010024F2 010024E4 |. 8933 |mov dword ptr ds:[ebx],esi 010024E6 |. 56 |push esi 010024E7 |. 83C3 14 |add ebx,0x14 010024EA |. FFD7 |call edi 010024EC |. 8D7446 02 |lea esi,dword ptr ds:[esi+eax*2+0x2] 010024F0 |.^ EB EC \jmp Xsvchost.010024DE
)
01002563 |. E8 2DFCFFFF call svchost.01002195 ; 得到服务组下所包含的所以服务,创建一个SERVICE_TABLE_ENTRY结构数组 01002568 |. 8BF8 mov edi,eax 0100256A |. 85FF test edi,edi 0100256C |. 74 06 je Xsvchost.01002574 0100256E |. 56 push esi 0100256F |. E8 1E000000 call svchost.01002592 01002574 |> 56 push esi 01002575 |. E8 3CF3FFFF call svchost.010018B6 //5)每个服务入口回调函数 都是Svchost.exe内部的同一个固定函数 0100257A |. 85FF test edi,edi 0100257C |. 74 07 je Xsvchost.01002585 ; 6)注册这些服务的调度函数 最后等待SCM启动服务命令 0100257E |. 57 push edi ; /pServiceTable 0100257F |. FF15 34100001 call dword ptr ds:[<&ADVAPI32.StartServiceCtrlDispatch>; \StartServiceCtrlDispatcherW 01002585 |> 6A 00 push 0x0 ; /ExitCode = 0 01002587 \. FF15 80100001 call dword ptr ds:[<&KERNEL32.ExitProcess>] ; \ExitProcess
