how to protect service from being stopped or uninstalled?
For example, when a user tries to stop or uninstall the service, a password dialog box will pop up and ask for a password?
Or can I simply hide the service from the service list?
Hiding services is considered "evil" by anti virus companies, so I'd recommend to not even try that. However, you could hook the service APIs which stop/uninstall the services. See "ControlService(Ex)" and "DeleteService".
Please note that people could also just change some entries in the registry which would effectively result in your services being disabled after the next OS reboot. So you'd also have to monitor/block access to the registry key where your service is stored.
Re: how to protect service from being stopped or uninstalled
Hi:
I'm hooking ControlService, from ADVAPI32.DLL, to protect the service from being stopped.
I have a 32 bit service and a 64 bit service.
With the 32 bit service the hook works perfectly, but with the 64 bit service it does not work.
I searched for an ADVAPI64.DLL or similar in the system but I have not found anything.
Do you know what the substitute for ControlService is in a 64 bit service?
Thanks in advance!
Re: how to protect service from being stopped or uninstalled
There's a ControlServiceEx() API. Maybe that's called in x64? I don't know. You could do a disassembly of ControlService() to check whether it internally forwards to some other API.
Re: how to protect service from being stopped or uninstalled
Thank you Madshi, I will work on this....
Re: how to protect service from being stopped or uninstalled
Hi all:
It does not work!
I used API Monitor (http://www.rohitab.com/apimonitor) and, as I understand, it seems that ControlService is used to stop the service. So, the API I'm hooking seems to be the correct one.
I have read here http://www.codeproject.com/Articles/640 ... vices-2013 about Service Isolation. Could I be doing something incorrectly related to this? Maybe the hook is not affecting the service because of Service Isolation?
Thank you in advance!
Re: how to protect service from being stopped or uninstalled
Does your ControlService() hook get called at all? You do have both a 32bit and 64bit hook dll, correct?
Re: how to protect service from being stopped or uninstalled
No, my ControlService() hook is not getting called at all.
But I hook other functions like WSASend, WSASendTo, send and sendto and they work correctly, so I suppose it is working correctly.
And yes, I have a 32bit and a 64bit hook dll.
Re: how to protect service from being stopped or uninstalled
Try calling ControlService yourself, from a separate test program or so. Does it get hooked then?
Re: how to protect service from being stopped or uninstalled
I will try it tomorrow, at work. I'm at home now and my home PC is 32 bit. My work PC is 64 bit.
Thank you very much for your help.
Re: how to protect service from being stopped or uninstalled
I have created the program to call ControlService and yes, it is hooked.
I do not understand what is happening...
Re: how to protect service from being stopped or uninstalled
Have you tried hooking ControlServiceEx(), too?
I'm not sure if we can trust the "API Monitor" completely. I'm not sure how it works internally, so I can't really say.
Re: how to protect service from being stopped or uninstalled
Hi:
I have finally found the answer! I found this article http://www.nirsoft.net/articles/windows ... anges.html. As you can read:
"By looking in dependency walker utility, we can see that advapi32.dll, kernel32.dll, and other system dll files, are now statically linked to these empty api-ms-win-core files."
I don't understand why Microsoft does it, but I need to do this now in my code:
For Windows Vista and previous:
HookAPI("ADVAPI32.DLL", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);
For Windows 7:
HookAPI("api-ms-win-service-winsvc-l1-1-0.dll", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);
For Windows 8:
HookAPI("api-ms-win-service-winsvc-l1-2-0.dll", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);
Thank you very much for your help.
bye...
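Added example, not code from the thread or from the hooking library used in it: a small Python parser that lists the module name through which a PE file imports a given function, which is the detail the post above turned on (ADVAPI32.DLL versus an api-ms-win-service-winsvc DLL). The names build_sample, imports and providers are hypothetical, and the sample image is constructed inline so the block runs without a Windows binary.

```python
import struct

def build_sample(dll, func):
    """Constructed sample input: minimal PE32+ image with one named import."""
    va, raw = 0x1000, 0x200                      # section RVA / file offset
    hint_name = b"\0\0" + func.encode() + b"\0"
    body = struct.pack("<5I", va + 40, 0, 0, va + 56 + len(hint_name), va + 40)
    body += bytes(20) + struct.pack("<QQ", va + 56, 0) + hint_name + dll.encode() + b"\0"
    opt = struct.pack("<H110xQII", 0x20B, 0, va, 40).ljust(240, b"\0")  # import dir = entry 1
    coff = struct.pack("<HH12xHH", 0x8664, 1, len(opt), 0x22)
    sect = struct.pack("<8s4I", b".idata", len(body), va, len(body), raw).ljust(40, b"\0")
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(raw, b"\0") + body

def imports(pe):
    """Map each module name in the import table to the functions imported from it."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    width = 8 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 4   # PE32+ or PE32 thunks
    imp_rva = struct.unpack_from("<I", pe, opt + (120 if width == 8 else 104))[0]
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                # RVA -> file offset
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA outside all sections")
    def cstr(rva):
        o = off(rva)
        return pe[o:pe.index(b"\0", o)].decode("ascii")
    found, d = {}, off(imp_rva) if imp_rva else None
    while d is not None:
        oft, _, _, name, ft = struct.unpack_from("<5I", pe, d)
        if not (name or ft):                     # all-zero descriptor ends the table
            break
        funcs, t = found.setdefault(cstr(name).lower(), []), off(oft or ft)
        while thunk := int.from_bytes(pe[t:t + width], "little"):
            if not thunk >> (width * 8 - 1):     # high bit set = import by ordinal
                funcs.append(cstr((thunk & 0x7FFFFFFF) + 2))   # skip 2-byte hint
            t += width
        d += 20
    return found

def providers(pe, func):   # module names through which this binary imports `func`
    return [mod for mod, funcs in imports(pe).items() if func in funcs]

SAMPLE = build_sample("api-ms-win-service-winsvc-l1-1-0.dll", "ControlService")
```

To check a real file, pass its bytes instead of SAMPLE, for example providers(open(path, "rb").read(), "ControlService").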
Re: how to protect service from being stopped or uninstalled
Ouch. Well, this is good to know, thanks for the heads up!