I’m looking for information on how to hook the Service management operations (Start/Stop/Pause etc.).
I guess it may even be an application-layer, not kernel-layer, solution, hooking services.exe via Detours or CreateRemoteThread().
But I’d very much appreciate any hint or reference.
Thanks for the help,
MichaelG.
Search the archives (or your favorite search engine) for info on hooking. It’s all been said before.
As always, if you can explain what you’re trying to accomplish, then maybe someone can give you a suggestion on how to better solve your problem than hooking.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Grabelkovsky, Michael
Sent: Thursday, September 14, 2006 7:41 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to hook Service management operations?
I’m looking for information on how to hook the Service management operations (Start/Stop/Pause etc.).
I guess it may even be an application-layer, not kernel-layer, solution, hooking services.exe via Detours or CreateRemoteThread().
But I’d very much appreciate any hint or reference.
Thanks for the help,
MichaelG.
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
> Subject: RE: How to hook Service management operations?
> From: Arlie Davis
> Date: Thu, 14 Sep 2006 07:53:23 -0700
> X-Message-Number: 18
>
> Search the archives (or your favorite search engine) for info on hooking. It’s all been said before.
>
> As always, if you can explain what you’re trying to accomplish, then maybe someone can give you a suggestion on how to better solve your problem than hooking.
Arlie,
Obviously I started by searching the archives and wrote the question when I did not find anything interesting…
I’ll try to describe my problem.
I need to hook Service Management operations (Start/Stop/Pause etc.) so as to be able to prevent (protect from) occasional operations.
Questions:
1. Which interfaces must be hooked?
2. I guess it is something inside services.exe. What must be intercepted?
The possible mechanisms are known: Detours or CreateRemoteThread(). I guess a driver isn’t needed, but probably…
I’d like any hint or reference about the subject…
Regards,
Michael.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Grabelkovsky, Michael
Sent: Thursday, September 14, 2006 7:41 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to hook Service management operations?
I’m looking for information on how to hook the Service management operations (Start/Stop/Pause etc.).
I guess it may even be an application-layer, not kernel-layer, solution, hooking services.exe via Detours or CreateRemoteThread().
But I’d very much appreciate any hint or reference.
Thanks for the help,
MichaelG.
> I need to hook Service Management operations (Start/Stop/Pause etc.)
> such as be able prevent (protect from) occasional operations.
Why? The administrator is the only user that can manipulate services.
If the admin wants to stop your service, you have NO right to code your software in a way to prevent that. What next, you’re going to add your service and driver to ‘safe mode’ boots?
m.
The point is moot… You’re still writing malware, be it malicious or malformed.
Your insistence that your service should never be shut down shows your level of arrogance.
If you build something like this, and release it commercially, expect to get sued. If you only release it in-house, expect all the system admins to look at you like you have a butt-hole on your forehead for the next couple of years after the first time some hidden bug manifests itself and not even you, the author of it, can shut it down. (That is, if you still have a job.)
m.
Matt,
The management logic of a huge enterprise is not the same as that of a small firm.

Example: the Administrator does NOT have rights to manipulate some critical services if that contradicts the commonly established management policy.
It is the logic of a firm with thousands (!) of servers, asking for “management over management”…
MM wrote:
> > I need to hook Service Management operations (Start/Stop/Pause etc.)
> > such as be able prevent (protect from) occasional operations.
>
> Why? The administrator is the only user that can manipulate services.
> If the admin wants to stop your service, you have NO right to code your software in a way to prevent that. What next, you’re going to add your service and driver to ‘safe mode’ boots?
> m.