how to protect service from being stopped or uninstalled?

c++ / delphi package - dll injection and api hooking
kevin2005
Posts: 4
Joined: Wed Sep 26, 2007 2:43 am

how to protect service from being stopped or uninstalled?

Post by kevin2005 »

How to protect a service from being stopped or uninstalled?

For example, when a user tries to stop or uninstall the service, a password dialog box will pop up and ask for a password?

Or can I simply hide the service from the service list?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Hiding services is considered "evil" by anti virus companies, so I'd recommend to not even try that. However, you could hook the service APIs which stop/uninstall the services. See "ControlService(Ex)" and "DeleteService".

Please note that people could also just change some entries in the registry which would effectively result in your services being disabled after the next OS reboot. So you'd also have to monitor/block access to the registry key where your service is stored.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

Hi:

I'm hooking ControlService from ADVAPI32.DLL to protect a service from being stopped.
I have a 32 bit service and a 64 bit service.
With the 32 bit service the hook works perfectly, but with the 64 bit service it does not work.
I searched for an ADVAPI64.DLL or similar in the system but I have not found anything.
Do you know what the substitute for ControlService is in a 64 bit service?

Thanks in advance!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to protect service from being stopped or uninstalled

Post by madshi »

There's a ControlServiceEx() API. Maybe that's called in x64? I don't know. You could do a disassembly of ControlService() to check whether it internally forwards to some other API.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

Thank you Madshi, I will work on this....
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

Hi all:

It does not work!
I used API Monitor (http://www.rohitab.com/apimonitor) and, as I understand, it seems that ControlService is used to stop the service. So, the API I'm hooking seems to be the correct one.

I have read here http://www.codeproject.com/Articles/640 ... vices-2013 about Service Isolation. Could I be doing something incorrectly related to this? Maybe the hook is not affecting the service because of Service Isolation?

Thank you in advance!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to protect service from being stopped or uninstalled

Post by madshi »

Does your ControlService() hook get called at all? You do have both a 32bit and 64bit hook dll, correct?
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

No, my ControlService() hook is not getting called at all.
But I hook other functions like WSASend, WSASendTo, send and sendto and they work correctly, so I suppose it is working correctly.
And yes, I have a 32bit and a 64bit hook dll.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to protect service from being stopped or uninstalled

Post by madshi »

Try calling ControlService yourself, from a separate test program or so. Does it get hooked then?
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

I will try it tomorrow, at work. I'm at home now and my home PC is 32 bit. My work PC is 64 bit.
Thank you very much for your help.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

I have created the program to call ControlService and yes, it is hooked.
I do not understand what is happening...
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to protect service from being stopped or uninstalled

Post by madshi »

Have you tried hooking ControlServiceEx(), too?

I'm not sure if we can trust the "API Monitor" completely. I'm not sure how it works internally, so I can't really say.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: how to protect service from being stopped or uninstalled

Post by nomen »

Hi:

I have finally found the answer! I found this article http://www.nirsoft.net/articles/windows ... anges.html. As you can read:

"By looking in dependency walker utility, we can see that advapi32.dll, kernel32.dll, and other system dll files, are now statically linked to these empty api-ms-win-core files."

I don't understand why Microsoft does it, but I need to do this now in my code:

For Windows Vista and previous:

    HookAPI("ADVAPI32.DLL", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);

For Windows 7:

    HookAPI("api-ms-win-service-winsvc-l1-1-0.dll", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);

For Windows 8:

    HookAPI("api-ms-win-service-winsvc-l1-2-0.dll", "ControlService", ControlServiceCallback, (PVOID*) &ControlServiceNext);

Thank you very much for your help.
bye...
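
Added example, not code from this thread: instead of guessing the module name per Windows version, the import table of the binary that issues the stop request can be read directly, which is the view Dependency Walker gives. The function name `importing_dlls` is hypothetical; it reads only the regular import directory (delay-load imports are not covered) and skips imports made by ordinal.

```python
import struct
import sys

def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def importing_dlls(data, func_name):
    """Return the DLL names a PE image imports func_name from (by name)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
    # Data directory entry 1 is the import table (RVA, size).
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)[0]
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]

    def off(rva):
        for vsize, vaddr, raw_size, raw_ptr in sections:
            if vaddr <= rva < vaddr + max(vsize, raw_size):
                return raw_ptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    width, fmt, by_ordinal = (8, "<Q", 1 << 63) if pe64 else (4, "<I", 1 << 31)
    hits = []
    desc = off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):
            break  # an all-zero descriptor terminates the table
        thunk = off(oft or ft)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            # Ordinal entries carry no name; the rest point at hint + name.
            if not entry & by_ordinal and _cstr(data, off(entry & 0x7FFFFFFF) + 2) == func_name:
                hits.append(_cstr(data, off(name_rva)))
            thunk += width
        desc += 20
    return hits

if __name__ == "__main__":
    # Usage: python imports.py <path-to-exe-or-dll> [function]
    name = sys.argv[2] if len(sys.argv) > 2 else "ControlService"
    with open(sys.argv[1], "rb") as fh:
        print(importing_dlls(fh.read(), name))
```

A result naming an `api-ms-win-service-winsvc-*` module rather than `ADVAPI32.dll` corresponds to the Windows 7 and Windows 8 cases in the post above.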
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to protect service from being stopped or uninstalled

Post by madshi »

Ouch. Well, this is good to know, thanks for the heads up!