We have SystemTools Hyena at work, and with that tool you can install VNC remote control on another computer. The installation is simple; Hyena just copies the VNC files to the other computer and then tells the Service Control Manager to install and start the VNC service. This is all nice when not used wrong. The problem is that VNC doesn't show anything to that remote computer's user, so the evil person can monitor what the other user is doing.

Because Hyena is, by default, copying the VNC files to the c:\winnt\system32\rc folder, one weak defense is to deny all access to that folder. This will stop some people, but then some will change the installation folder... and the installation rocks again.

So the thing I was wondering about is how to detect the installation of winvnc.exe, which is VNC's service. This way I can make my own service which gets loaded instead of winvnc.exe, and then it can start listening on port 5900, which the real VNC would listen on, and then respond with something interesting when the connection is made :) Of course I need to make sure the service is some incarnation of VNC and what the real port to listen on is, but that's stage two.

The thing is, how do you detect when another computer is installing a service on yours? It's quite easy if the service is installed locally... but that's no help in this case.

I'd be very happy (and more secure) if somebody could point me in the right direction on solving this case.

Happy easter,
Posted on 2003-04-19 06:09:21 by SamiP
Please, if somebody knows something, even an idea, I'd be very happy to hear it. I am completely lost about this. I have tried googling around, but without any luck, and trying to put breakpoints on different service-related APIs doesn't seem to help either.
Posted on 2003-04-21 10:43:07 by SamiP

Here is a "copy-paste" from one of my proggies that may help you:

; MASM32-style snippet; the include/includelib lines are what the calling
; program needs for the APIs used below
.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

ESS_MAX_SIZE EQU ((8 + (7 * 4)) * 700 )   ; room for 700 ENUM_SERVICE_STATUS entries

.data
enum_service_info db 0dh,0ah,0dh,0ah,"ServiceName : DisplayName",0dh,0ah,0dh,0ah,0
enum_service_info_len equ $ - OFFSET enum_service_info

.data?
hSCM      dd ?   ; handle returned by OpenSCManager
pESSalloc dd ?   ; buffer holding the ENUM_SERVICE_STATUS array
Needed    dd ?   ; bytes still needed if the buffer was too small

.code
EnumServices proc uses ebx
LOCAL ServicesReturned :DWORD
LOCAL ResumeHandle :DWORD
LOCAL localbuf[512] :BYTE      ; scratch buffer for building an output line

    and ResumeHandle, 0
    ; connect to the local Service Control Manager
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE
    test eax, eax
    jz @F
    mov hSCM, eax

    ; zero-filled buffer for the ENUM_SERVICE_STATUS array
    invoke VirtualAlloc, NULL, ESS_MAX_SIZE, MEM_COMMIT, PAGE_READWRITE
    test eax, eax
    jz @ErrEnumClosehSCM
    mov pESSalloc, eax

    ; enumerate every Win32 service, running or stopped
    invoke EnumServicesStatus, hSCM, SERVICE_WIN32, \
        SERVICE_STATE_ALL, pESSalloc, ESS_MAX_SIZE, addr Needed, \
        addr ServicesReturned, addr ResumeHandle
    test eax, eax
    jz @ErrEnumFree
    cmp ServicesReturned, 0
    jz @ErrEnumFree
    mov ebx, pESSalloc
    assume ebx : ptr ENUM_SERVICE_STATUS

EnumServNext:
    ; compare [ebx].lpServiceName with the name of your service
    ; ([ebx].lpDisplayName is the display name, [ebx].ServiceStatus the state)

    add ebx, sizeof ENUM_SERVICE_STATUS
    dec ServicesReturned       ; walk exactly the entries the SCM returned
    jnz EnumServNext
    assume ebx : nothing

@ErrEnumFree:
    invoke VirtualFree, pESSalloc, 0, MEM_RELEASE   ; MEM_RELEASE requires size 0
@ErrEnumClosehSCM:
    invoke CloseServiceHandle, hSCM
@@:
    ret
EnumServices endp

Also, don't forget to check MSDN :)
Posted on 2003-04-21 12:01:49 by Axial
Thanks Axial!

Sad to say, but it's not much help in this particular case. By enumerating services I can detect that the service is already installed, and by choice terminate it, but it still gets installed. The thing I did previously was checking which processes are running and then terminating WinVNC if it's running.

The thing is that if I install a service locally, my prog calls APIs like OpenSCManager, CreateService and so on... so I can detect the service installation by hooking the CreateService API. That way, when a prog is going to install a service and calls CreateService, my hook gets that call and I can check which service is going to be installed and do my actions... like install a fake VNC service which displays something like a "Don't monitor me!" message instead of my desktop.

But when another computer is installing a service on my computer, the CreateService API is called on that other computer, so my hook procedure on my computer never gets called. I have tried to put breakpoints on almost all service-related APIs and none of them gets called in this case on my computer. Still, the other computer installs the VNC service correctly on my PC, which I try to prevent.

So the still remaining question is: what really happens when computer A installs a service on computer B, and how to intercept that?

Posted on 2003-04-21 12:29:24 by SamiP
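The remote install the last post asks about is carried out by the Service Control Manager on the target machine, so there is no installer process on the target to hook; the target's own event log, however, records the install (System log event 7045, "A service was installed in the system", on current Windows versions) no matter where CreateService was called. The following Python is an added example, not code from this thread: it parses constructed messages in that event's format and flags installs whose image is winvnc.exe, whatever folder or service name the installer chose.

```python
import re

# Constructed samples in the shape of System log event 7045 ("A service was
# installed in the system"), which the target's own Service Control Manager
# logs whether CreateService came from a local process or over RPC.
SAMPLE_EVENTS = [
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  WinVNC\r\n"
    "Service File Name:  C:\\WINNT\\system32\\rc\\winvnc.exe -service\r\n"
    "Service Account:  LocalSystem\r\n",
    # renamed service, moved out of the default rc folder, quoted path
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  Print Helper\r\n"
    "Service File Name:  \"C:\\Program Files\\Tools\\WinVNC.EXE\" -service\r\n"
    "Service Account:  LocalSystem\r\n",
    # benign install that must not be flagged
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  wuauserv\r\n"
    "Service File Name:  C:\\WINNT\\system32\\svchost.exe -k netsvcs\r\n"
    "Service Account:  LocalSystem\r\n",
]

# Match on the executable: folder and service name are the installer's choice.
VNC_BINARIES = {"winvnc.exe"}

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Account):\s*(.*)$", re.M)

def parse_7045(message):
    """Return the event's 'Field: value' lines as a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def image_basename(file_name):
    """Executable name from a service image path, ignoring quotes and arguments."""
    path = file_name.strip()
    if path.startswith('"'):
        path = path[1:path.index('"', 1)]   # quoted path may contain spaces
    else:
        path = path.split(" ", 1)[0]        # unquoted: first token is the path
    return path.rsplit("\\", 1)[-1].lower()

def flagged_installs(messages):
    """Service names of installs whose image is a known VNC binary."""
    hits = []
    for msg in messages:
        fields = parse_7045(msg)
        if image_basename(fields.get("Service File Name", "")) in VNC_BINARIES:
            hits.append(fields["Service Name"])
    return hits
```

Feeding the same function the message text of live 7045 events (or the Security log's service-install audit events, where that audit policy is enabled) turns it into the detector the thread is after; the checks on image name rather than folder or display name are what survive the renaming tricks described above.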