Service Control Manager (SCM)

jack_jahan-2 · October 20, 2016, 5:53am

Hi,
I want to implement a driver that protect itself and another driver from “sc delete XXXX” and other command that perform this affect.
I wouldn’t filter registry for inhabit this command, because when driver is running these affects will be delayed until system restart. Then may by my driver is unloading and can’t block it. Also my user’s having Administrator privilege.

I would this mechanism for self-protections like anti-virus.

Is any way to filter OpenService | DeleteService in kernel mode?
such that when user enter sc delete return access deny.

thanks for any reply.

ashish_kohli · October 20, 2016, 6:25am

Can’t we do it in user mode.
I mean API hooking

OSR_Community_User · October 20, 2016, 12:02pm

This is easy, you just register for registry changes. Then you monitor your keys and deny anyone you don’t deleting them. There is an example in the Microsoft library on how to do this.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@chmail.ir
Sent: Thursday, October 20, 2016 5:53 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Service Control Manager (SCM)

Hi,
I want to implement a driver that protect itself and another driver from “sc delete XXXX” and other command that perform this affect.
I wouldn’t filter registry for inhabit this command, because when driver is running these affects will be delayed until system restart. Then may by my driver is unloading and can’t block it. Also my user’s having Administrator privilege.

I would this mechanism for self-protections like anti-virus.

Is any way to filter OpenService | DeleteService in kernel mode?
such that when user enter sc delete return access deny.

thanks for any reply.

NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

jack_jahan-2 · October 22, 2016, 1:27am

@ Tim Kelly
As i saied, "I wouldn’t filter registry for inhabit this command, because when driver is
running these affects will be delayed until system restart. Then may by my
driver is unloading and can’t block it. "
then i wanted a solution on filtering OpenService in Kernel space.

thanks for your suggestion.

Alex_Grig · October 22, 2016, 2:10pm

That’s a fools errand.