Hi,
I searched the FAQ and this excellent board, and I did find one example of how to stop a service. The relevant fragment was like this:
;===========================
;Look for task scheduler
; - start it if it's stop
; - vice versa
; - Service Name = Schedule
;===========================
invoke lstrcmp, OFFSET buffer, OFFSET serviceSS
test eax, eax
jnz __next
invoke OpenService, g_hSCMngr, OFFSET serviceSS, SERVICE_ALL_ACCESS
mov g_hOpenSrv, eax
invoke StartService, eax, 0, NULL
test eax, eax
jnz __clean
invoke GetLastError
cmp eax, ERROR_SERVICE_ALREADY_RUNNING
jne __clean
invoke ControlService, g_hOpenSrv, SERVICE_CONTROL_STOP, OFFSET srvStat
__clean:
invoke CloseServiceHandle, g_hOpenSrv
__next:
The part I am interested in is SERVICE_CONTROL_STOP I guess... but I have been unable to get this code to work probably because g_hOpenSrv is doing something up higher in the code and I didn't use that correctly.
Could someone please post a complete asm that stops "service a" and "service b" without making exec calls to net.exe?
http://undocumented.ntinternals.net
NtLoadDriver
NTSYSAPI
NTSTATUS
NTAPI
NtLoadDriver(
IN PUNICODE_STRING DriverServiceName );
DriverServiceName
Registry path in system format. Path must begin with "\\registry\\machine\\SYSTEM\\CurrentControlSet\\Services\\..." where "..." is driver symbolic name.
Key must have at least 2 values:
"ImagePath" System path to file, in UNICODE format
"Type" Set to 1.
Requirements:
Library: ntdll.lib
Privilege: SeLoadDriverPrivilege
NtUnloadDriver
NTSYSAPI
NTSTATUS
NTAPI
NtUnloadDriver(
IN PUNICODE_STRING DriverServiceName );
DriverServiceName
Registry path in system format.
Requirements:
Library: ntdll.lib
Privilege: SeLoadDriverPrivilege
Originally posted by clean
;===========================
;Look for task scheduler
; - start it if it's stop
; - vice versa
; - Service Name = Schedule
;===========================
invoke lstrcmp, OFFSET buffer, OFFSET serviceSS
test eax, eax
jnz __next
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CONNECT
mov g_hSCMngr,eax
invoke OpenService, g_hSCMngr, OFFSET serviceSS, SERVICE_ALL_ACCESS
mov g_hOpenSrv, eax
invoke StartService, eax, 0, NULL
test eax, eax
jnz __clean
invoke GetLastError
cmp eax, ERROR_SERVICE_ALREADY_RUNNING
jne __clean
invoke ControlService, g_hOpenSrv, SERVICE_CONTROL_STOP, OFFSET srvStat
__clean:
invoke CloseServiceHandle, g_hOpenSrv
invoke CloseServiceHandle, g_hSCMngr
__next:
I'm at Win98 right now, so I cannot check it (I don't know if SC_MANAGER_CONNECT will suffice), but I'm quite positive this will work.
Hi
I wrote an OpenSCManager Controller tool kind of thing which enumerates all Win32 and Driver Services currently registered on a system and allows you to stop and start either type of service. The app returns each field with descriptive text of the two Service Control Manager structures, ENUM_SERVICE_STATUS_PROCESS and SERVICE_STATUS_PROCESS. These structures are used with EnumServicesStatusEx and QueryServiceStatusEx to get the name and information about a service, it was my purpose to clarify what each of the fields in the structures represented for further work and create a basic SCM controller.
The info is returned in 2 tabbed listviews, if you right click on any service (types SERVICE_DRIVER or SERVICE_WIN32) you can Stop/Start a service with the method you described. For some drivers the listview will update to show a SERVICE_START_PENDING or SERVICE_STOP_PENDING flag in the 'CurrentState' field after doing this, but can be refreshed to show the current running status.
The code includes the winsvc.h header file for the Service Control Manager and may serve as a mild introduction to the SCM, hope it helps.
Kayaker
Thanks. Though I'm still at the same place I started, all service killing code I see anywhere crashes when I compile it myself - the exe you provide works, and I can compile the code without errors, but the resulting exe from *my* compile crashes and never works. :/
Anyway the first person who posts a full, working, compilable in masm32, piece of code that kills "process a" and "process b", will get a beer on me. I don't want to list services or start them or anything else, just kill them. Though since I can't actually buy you a beer, I will instead buy you a book of your choice from amazon or wherever, or just donate some money to you via paypal.
The real thing I'm trying to do is kill a list of common trojans that install themselves as services (such as hacker defender) - I can already kill the processes, but I want to kill the services as well. Every attempt I've made to integrate the posted code into my own code compiles fine but then the EXE crashes when I actually try to run it.
So can anyone help me? I know my humble offering of reward isn't much, but hey for some of you coding gods it's an easy free book/donation/whatever you want in exchange :)
thanks!
minor correction, but i meant hypothetical "service a" and "service b" - processes weren't a problem, i'm just having trouble with services. thanks!
Originally posted by clean
The real thing I'm trying to do is kill a list of common trojans that install themselves as services (such as hacker defender) - I can already kill the processes, but I want to kill the services as well. Every attempt I've made to integrate the posted code into my own code compiles fine but then the EXE crashes when I actually try to run it.
What does it say when it crashes?
Have you tried to debug your application? WHERE exactly does it crash (on OpenService call, on ControlService call, somewhere else)?
---------------------------
z.exe - Application Error
---------------------------
The instruction at "0x77e7650d" referenced memory at "0x631af1ab". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------
ollydebug says "access violation in kernel32 ignored on request" and keeps flashing that and is stuck (when i did shift+f7, animate into).... though see the thing is I'm not a pro, or i would have had this working hours ago.
sorry, to clarify, my program is this:
; my test, should kill task scheduler ... just crashes :(
.386
.model flat, stdcall
option casemap:none
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\advapi32.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\shell32.lib
includelib C:\masm32\lib\advapi32.lib
includelib C:\masm32\lib\urlmon.lib
.CODE
serviceSS db "Schedule", 0
buffer db 256 dup(?)
g_hOpenSrv dd ?
g_hSCMngr dd ?
srvStat SERVICE_STATUS<>
start:
invoke lstrcmp, OFFSET buffer, OFFSET serviceSS
test eax, eax
jnz __next
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CONNECT
mov g_hSCMngr,eax
invoke OpenService, g_hSCMngr, OFFSET serviceSS, SERVICE_ALL_ACCESS
mov g_hOpenSrv, eax
;invoke StartService, eax, 0, NULL
;
;test eax, eax
;jnz __clean
;
;invoke GetLastError
;cmp eax, ERROR_SERVICE_ALREADY_RUNNING
;jne __clean
invoke ControlService, g_hOpenSrv, SERVICE_CONTROL_STOP, OFFSET srvStat
__clean:
invoke CloseServiceHandle, g_hOpenSrv
invoke CloseServiceHandle, g_hSCMngr
__next:
END start
it compiles great, but crashes with the error i gave above..
Originally posted by clean
ollydebug says "access violation in kernel32 ignored on request" and keeps flashing that and is stuck (when i did shift+f7, animate into)...
OK, but where does it cause the AV? On OpenService?
fyi, from the debugger, it looks like it's hanging up on this:
invoke lstrcmp, OFFSET buffer, OFFSET serviceSS
test eax, eax
jnz __next
it runs that once, then on the jnz, it jumps into the compare again...? maybe __next is pointing to the wrong thing or doesn't work in masm32... hm i'll try changing it to "foo:"
ok that wasn't it.
though i found the crash problem i think... i just added an exitprocess at the end and now it doesn't crash. however, it still doesn't kill the service :(
; kills the task scheduler service (except it doesnt work yet)
.386
.model flat, stdcall
option casemap:none
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\advapi32.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\shell32.lib
includelib C:\masm32\lib\advapi32.lib
includelib C:\masm32\lib\urlmon.lib
.CODE
serviceSS db "Schedule", 0
buffer db 256 dup(?)
g_hOpenSrv dd ?
g_hSCMngr dd ?
srvStat SERVICE_STATUS<>
start:
invoke lstrcmp, OFFSET buffer, OFFSET serviceSS
test eax, eax
jnz __next
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CONNECT
mov g_hSCMngr,eax
invoke OpenService, g_hSCMngr, OFFSET serviceSS, SERVICE_ALL_ACCESS
mov g_hOpenSrv, eax
invoke ControlService, g_hOpenSrv, SERVICE_CONTROL_STOP, OFFSET srvStat
__clean:
invoke CloseServiceHandle, g_hOpenSrv
invoke CloseServiceHandle, g_hSCMngr
__next:
quit:
invoke ExitProcess,NULL
END start
Make the following change and try again:
.DATA?
buffer db 256 dup(?)
g_hOpenSrv dd ?
g_hSCMngr dd ?
srvStat SERVICE_STATUS<>
.CODE
serviceSS db "Schedule", 0
start:
Originally posted by clean
though i found the crash problem i think... i just added an exitprocess at the end and now it doesn't crash. however, it still doesn't kill the service :(
Hmm, try to open SCManager with SC_MANAGER_ALL_ACCESS. Then, check every return value for error (call GetLastError when a service function returns NULL).
not sure i know what you mean, i tried
s/SC_MANAGER_CONNECT/SC_MANAGER_ALL_ACCESS/
and also tried
s/SERVICE_ALL_ACCESS/SC_MANAGER_ALL_ACCESS/
but neither change made a difference. hm. i don't get it.
Try to remove the lstrcmp/test/jnz block from the beginning of your program and try again.
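For reference, here is the same stop sequence the thread arrives at (OpenSCManager, OpenService, ControlService with SERVICE_CONTROL_STOP, CloseServiceHandle) written out as an added example; it is not code posted in the thread, and it reaches the same advapi32 calls through Python's ctypes rather than masm32. It adds the two things Morris asks for and the fragments lack: every return value is checked with GetLastError, and the service is opened with only SERVICE_STOP | SERVICE_QUERY_STATUS instead of SERVICE_ALL_ACCESS. It also waits for the service to reach SERVICE_STOPPED, because a successful ControlService only means the stop request was accepted; the service sits in SERVICE_STOP_PENDING for a while, as Kayaker's listview shows. Assumptions: Python 3 on Windows for the real call path, service names given on the command line (defaulting to "Schedule" as in the thread), and a caller that holds the SERVICE_STOP right, which normally means an elevated account.

```python
"""Stop a Windows service by name through the Service Control Manager API.

Added example, not code from the thread: the same advapi32 calls the masm32
fragments use, reached via ctypes. The polling logic is kept separate from the
Win32 calls so it can be exercised with a fake status source on any platform.
"""
import ctypes
import sys
import time

# Constants from winsvc.h / winerror.h (documented values).
SC_MANAGER_CONNECT = 0x0001
SERVICE_STOP = 0x0020
SERVICE_QUERY_STATUS = 0x0004
SERVICE_CONTROL_STOP = 0x00000001
SERVICE_STOPPED = 0x00000001
SERVICE_STOP_PENDING = 0x00000003
SERVICE_RUNNING = 0x00000004
ERROR_SERVICE_NOT_ACTIVE = 1062


class SERVICE_STATUS(ctypes.Structure):
    """Layout of winsvc.h SERVICE_STATUS: seven DWORDs, 28 bytes in total."""
    _fields_ = [("dwServiceType", ctypes.c_uint32),
                ("dwCurrentState", ctypes.c_uint32),
                ("dwControlsAccepted", ctypes.c_uint32),
                ("dwWin32ExitCode", ctypes.c_uint32),
                ("dwServiceSpecificExitCode", ctypes.c_uint32),
                ("dwCheckPoint", ctypes.c_uint32),
                ("dwWaitHint", ctypes.c_uint32)]


def wait_for_stopped(query_state, timeout_s=30.0, sleep=time.sleep, clock=time.monotonic):
    """Poll query_state() until it reports SERVICE_STOPPED or timeout_s elapses.

    query_state returns (dwCurrentState, dwWaitHint in ms). Between polls we
    sleep dwWaitHint/10, clamped to 1..10 s, which is the documented SCM advice.
    Returns True if the service reached SERVICE_STOPPED, False on timeout.
    """
    deadline = clock() + timeout_s
    while True:
        state, wait_hint_ms = query_state()
        if state == SERVICE_STOPPED:
            return True
        if clock() >= deadline:
            return False
        sleep(min(max(wait_hint_ms / 1000.0 / 10.0, 1.0), 10.0))


def stop_service(name, timeout_s=30.0):
    """Send SERVICE_CONTROL_STOP to service `name` and wait until it is stopped.

    Opens the SCM and the service with only the rights needed, checks every
    return value, and always closes both handles. Raises OSError carrying the
    Win32 error code on failure. Windows only (advapi32 via ctypes).
    """
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    adv.OpenSCManagerW.restype = ctypes.c_void_p
    adv.OpenSCManagerW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    adv.OpenServiceW.restype = ctypes.c_void_p
    adv.OpenServiceW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32]
    adv.ControlService.restype = ctypes.c_int
    adv.ControlService.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(SERVICE_STATUS)]
    adv.QueryServiceStatus.restype = ctypes.c_int
    adv.QueryServiceStatus.argtypes = [ctypes.c_void_p, ctypes.POINTER(SERVICE_STATUS)]
    adv.CloseServiceHandle.restype = ctypes.c_int
    adv.CloseServiceHandle.argtypes = [ctypes.c_void_p]

    def fail(what):
        err = ctypes.get_last_error()  # the GetLastError value for the failing call
        raise OSError(err, f"{what} failed with Win32 error {err}")

    scm = adv.OpenSCManagerW(None, None, SC_MANAGER_CONNECT)
    if not scm:
        fail("OpenSCManager")
    try:
        # Least privilege: stop + query only, never SERVICE_ALL_ACCESS.
        svc = adv.OpenServiceW(scm, name, SERVICE_STOP | SERVICE_QUERY_STATUS)
        if not svc:
            fail("OpenService")
        try:
            status = SERVICE_STATUS()
            if not adv.ControlService(svc, SERVICE_CONTROL_STOP, ctypes.byref(status)):
                # An already-stopped service is not an error for our purpose.
                if ctypes.get_last_error() != ERROR_SERVICE_NOT_ACTIVE:
                    fail("ControlService")

            def query():
                if not adv.QueryServiceStatus(svc, ctypes.byref(status)):
                    fail("QueryServiceStatus")
                return status.dwCurrentState, status.dwWaitHint

            return wait_for_stopped(query, timeout_s)
        finally:
            adv.CloseServiceHandle(svc)
    finally:
        adv.CloseServiceHandle(scm)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("this program needs the Windows Service Control Manager")
    for svc_name in sys.argv[1:] or ["Schedule"]:
        ok = stop_service(svc_name)
        print(f"{svc_name}: {'stopped' if ok else 'still not stopped after timeout'}")
```

Run as `python stopsvc.py "service a" "service b"` from an elevated prompt; each name goes through the same open/stop/wait/close sequence. Two points carry back to the masm32 version: the handles and the SERVICE_STATUS buffer belong in `.DATA?` as Morris shows, because a `mov g_hSCMngr, eax` into a variable placed in `.CODE` writes into the non-writable code section; and the `lstrcmp` on an uninitialized `buffer` could never match "Schedule", so the `jnz __next` skipped every SCM call, which is why nothing happened until that block was removed.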
YES! THAT WAS IT!!! Thanks Morris!!
I love this place. So many good coders here.
Yeah I even saw the debugger choking on that but didn't realize it wasn't needed. I'm not even sure why that was in there, I just copied it from one of the examples.
Awesome! So hey pm or email me or post here if you want, something you might want, a book from amazon, a gadget from thinkgeek.com, or whatever.. or your email address if you prefer a "gift certificate".. something under $50 would totally fit what I can afford to offer :) I am very grateful for your help - thanks :)