SVChost执行原理学习

OD直接加载svchost.exe  -k rpcss  以命令行参数形式加载
1）svchost.exe加载到内存中

01002509 >/$  E8 EEFCFFFF   call svchost.010021FC
0100250E  |.  8BFF          mov edi,edi
01002510  |.  56            push esi
01002511  |.  57            push edi
01002512  |.  68 A22E0001   push svchost.01002EA2                                  ; /pTopLevelFilter = svchost.01002EA2
01002517  |.  FF15 94100001 call dword ptr ds:[<&KERNEL32.SetUnhandledExceptionFil>; SetUnhandledExceptionFilter
0100251D  |.  6A 01         push 0x1                                               ; /ErrorMode = SEM_FAILCRITICALERRORS
0100251F  |.  FF15 90100001 call dword ptr ds:[<&KERNEL32.SetErrorMode>]           ; SetErrorMode
01002525  |.  FF15 8C100001 call dword ptr ds:[<&KERNEL32.GetProcessHeap>]         ; [GetProcessHeap
0100252B  |.  50            push eax
0100252C  |.  E8 61FAFFFF   call svchost.01001F92
01002531  |.  B8 68400001   mov eax,svchost.01004068
01002536  |.  68 40400001   push svchost.01004040                                  ; /pCriticalSection = svchost.01004040
0100253B  |.  A3 6C400001   mov dword ptr ds:[0x100406C],eax                       ; |
01002540  |.  A3 68400001   mov dword ptr ds:[0x1004068],eax                       ; |
01002545  |.  FF15 88100001 call dword ptr ds:[<&KERNEL32.InitializeCriticalSectio>; InitializeCriticalSection
0100254B  |.  FF15 84100001 call dword ptr ds:[<&KERNEL32.GetCommandLineW>]        ; [GetCommandLineW
01002551  |.  50            push eax
01002552  |.  E8 5AFDFFFF   call svchost.010022B1                                  ;  2）对命令行进行解析，获得启动的服务组netsvcs
01002557  |.  8BF0          mov esi,eax
01002559  |.  85F6          test esi,esi
0100255B  |.  74 28         je Xsvchost.01002585
0100255D  |.  56            push esi
0100255E  |.  E8 6BFEFFFF   call svchost.010023CE                                  ;  3）查询键值等

跟进函数   这里我发现  直接看regedit 看不到 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost 下的服务，但是跟踪却能看到
（

01001563   .  8938          mov dword ptr ds:[eax],edi
01001565   .  8D45 FC       lea eax,dword ptr ss:[ebp-0x4]
01001568   .  50            push eax                                               ; /pBufSize
01001569   .  57            push edi                                               ; |Buffer => NULL
0100156A   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]                         ; |
0100156D   .  50            push eax                                               ; |pValueType
0100156E   .  57            push edi                                               ; |Reserved => NULL
0100156F   .  FF75 0C       push dword ptr ss:[ebp+0xC]                            ; |ValueName
01001572   .  897D FC       mov dword ptr ss:[ebp-0x4],edi                         ; |
01001575   .  FF75 08       push dword ptr ss:[ebp+0x8]                            ; |hKey
01001578   .  FFD6          call esi                                               ; RegQueryValueExW
0100157A   .  8BD8          mov ebx,eax                                            ;  查询出该路径下子键名为netsvcs的键值
0100157C   .  3BDF          cmp ebx,edi                                            ;  这里先获得大小
·············
01001858   .  6A 0E         push 0xE
0100185A   .  5B            pop ebx
0100185B   .  FF75 FC       push dword ptr ss:[ebp-0x4]
0100185E   .  57            push edi
0100185F   .  E8 4DFAFFFF   call svchost.010012B1                                  ;  知道了键值大小就分配大小的内存给初始化键值
01001864   .  3BC7          cmp eax,edi
01001866   .  8945 10       mov dword ptr ss:[ebp+0x10],eax
01001869   .^ 0F84 15FDFFFF je svchost.01001584
0100186F   .  8D4D FC       lea ecx,dword ptr ss:[ebp-0x4]
01001872   .  51            push ecx
01001873   .  50            push eax
01001874   .  8D45 F8       lea eax,dword ptr ss:[ebp-0x8]
01001877   .  50            push eax
01001878   .  57            push edi
01001879   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100187C   .  FF75 08       push dword ptr ss:[ebp+0x8]                            ;  这里开始查询 查询出了大量服务
0100187F   .  FFD6          call esi                                               ;  ADVAPI32.RegQueryValueExW

查询 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost etsvcs  的键值

01001FE3   .  50            push eax                                            ; /pHandle
01001FE4   .  68 19000200   push 0x20019                                        ; |Access = KEY_READ
01001FE9   .  6A 00         push 0x0                                            ; |Reserved = 0
01001FEB   .  FF76 0C       push dword ptr ds:[esi+0xC]                         ; |Subkey
01001FEE   .  FF75 08       push dword ptr ss:[ebp+0x8]                         ; |hKey
01001FF1   .  FF15 30100001 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExW>]       ; RegOpenKeyExW
01001FF7   .  85C0          test eax,eax
01001FF9   .  0F85 A2000000 jnz svchost.010020A1
01001FFF   .  8D45 08       lea eax,dword ptr ss:[ebp+0x8]                      ;  遍历几个键值能查询成功就存在键值
01002002   .  50            push eax
01002003   .  68 5C210001   push svchost.0100215C                               ;  UNICODE "CoInitializeSecurityParam"
01002008   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100200B   .  E8 E1050000   call svchost.010025F1
01002010   .  85C0          test eax,eax
01002012   .  75 06         jnz Xsvchost.0100201A
01002014   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
01002017   .  8946 10       mov dword ptr ds:[esi+0x10],eax
0100201A   >  837E 10 00    cmp dword ptr ds:[esi+0x10],0x0
0100201E   .  74 5F         je Xsvchost.0100207F
01002020   .  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002023   .  50            push eax
01002024   .  68 34210001   push svchost.01002134                               ;  UNICODE "AuthenticationLevel"
01002029   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100202C   .  E8 C0050000   call svchost.010025F1
01002031   .  85C0          test eax,eax
01002033   .  0F84 CC090000 je svchost.01002A05
01002039   .  C746 14 04000>mov dword ptr ds:[esi+0x14],0x4
01002040   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002043   .  50            push eax
01002044   .  68 0C210001   push svchost.0100210C                               ;  UNICODE "ImpersonationLevel"
01002049   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100204C   .  E8 A0050000   call svchost.010025F1
01002051   .  85C0          test eax,eax
01002053   .  0F84 B7090000 je svchost.01002A10
01002059   .  C746 18 02000>mov dword ptr ds:[esi+0x18],0x2
01002060   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002063   .  50            push eax
01002064   .  68 D4200001   push svchost.010020D4                               ;  UNICODE "AuthenticationCapabilities"
01002069   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100206C   .  E8 80050000   call svchost.010025F1
01002071   .  85C0          test eax,eax
01002073   .  0F85 CF080000 jnz svchost.01002948
01002079   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
0100207C   .  8946 1C       mov dword ptr ds:[esi+0x1C],eax
0100207F   >  8D45 08       lea eax,dword ptr ss:[ebp+0x8]
01002082   .  50            push eax
01002083   .  68 AC200001   push svchost.010020AC                               ;  UNICODE "DefaultRpcStackSize"
01002088   .  FF75 0C       push dword ptr ss:[ebp+0xC]
0100208B   .  E8 61050000   call svchost.010025F1
01002090   .  85C0          test eax,eax
01002092   .  0F84 C4080000 je svchost.0100295C
01002098   >  FF75 0C       push dword ptr ss:[ebp+0xC]                         ; /hKey
0100209B   .  FF15 2C100001 call dword ptr ds:[<&ADVAPI32.RegCloseKey>]         ; RegCloseKey
010020A1   >  5E            pop esi
010020A2   .  8BC3          mov eax,ebx
010020A4   .  5B            pop ebx
010020A5   .  5D            pop ebp
010020A6   .  C2 0800       retn 0x8

4）创建一个SERVICE_TABLE_ENTRY 数组  元素个数就是该服务组服务的个数

010024BA  |> A1 60400001   mov eax,dword ptr ds:[0x1004060]
010024BF  |.  8D0480        lea eax,dword ptr ds:[eax+eax*4]
010024C2  |.  C1E0 02       shl eax,0x2
010024C5  |.  50            push eax
010024C6  |.  6A 08         push 0x8
010024C8  |.  E8 E4EDFFFF   call svchost.010012B1
010024CD  |.  3BC3          cmp eax,ebx
010024CF  |.  A3 58400001   mov dword ptr ds:[0x1004058],eax
010024D4  |.  74 1C         je Xsvchost.010024F2
010024D6  |.  8B35 B4400001 mov esi,dword ptr ds:[0x10040B4]
010024DC  |.  8BD8          mov ebx,eax
010024DE  |>  66:833E 00    /cmp word ptr ds:[esi],0x0
010024E2  |.  74 0E         |je Xsvchost.010024F2
010024E4  |.  8933          |mov dword ptr ds:[ebx],esi
010024E6  |.  56            |push esi
010024E7  |.  83C3 14       |add ebx,0x14
010024EA  |.  FFD7          |call edi
010024EC  |.  8D7446 02     |lea esi,dword ptr ds:[esi+eax*2+0x2]
010024F0  |.^ EB EC         jmp Xsvchost.010024DE

）

01002563  |.  E8 2DFCFFFF   call svchost.01002195                                  ;  得到服务组下所包含的所以服务，创建一个SERVICE_TABLE_ENTRY结构数组
01002568  |.  8BF8          mov edi,eax
0100256A  |.  85FF          test edi,edi
0100256C  |.  74 06         je Xsvchost.01002574
0100256E  |.  56            push esi
0100256F  |.  E8 1E000000   call svchost.01002592
01002574  |>  56            push esi
01002575  |.  E8 3CF3FFFF   call svchost.010018B6                                  //5）每个服务入口回调函数 都是Svchost.exe内部的同一个固定函数
0100257A  |.  85FF          test edi,edi
0100257C  |.  74 07         je Xsvchost.01002585                                   ;  6）注册这些服务的调度函数  最后等待SCM启动服务命令
0100257E  |.  57            push edi                                               ; /pServiceTable
0100257F  |.  FF15 34100001 call dword ptr ds:[<&ADVAPI32.StartServiceCtrlDispatch>; StartServiceCtrlDispatcherW
01002585  |>  6A 00         push 0x0                                               ; /ExitCode = 0
01002587  .  FF15 80100001 call dword ptr ds:[<&KERNEL32.ExitProcess>]            ; ExitProcess