..------------------------------------..
..    w0rk in svchost.exe context     ..
..____________________________________..


1. introduction

   Services, as they look in the latest Microsoft releases (2000, XP), take
   our development to a new level. Coding resident apps has become easy.
   You no longer need to know lots of details about how the current OS is
   built, or write complicated programs and debug them the hard way. Now
   you write a few lines of code and your new virus is done. Yeah man, it's
   that boring ;)

   Microsoft makes life easier whether you are a user, a coder, or just a
   virus maker.

   There is a lot of information about coding services on the web. Ask
   uncle Google and he'll give you about 1k links. Good people can also be
   found on rsdn.ru and the like.

   But all the info I found was only about coding services that run as a
   separate process. Yet the system has this nice file svchost.exe, which
   works as a container for almost all system services. So why can't we
   plug into it? MSDN keeps quiet, Microsoft too. That's no good, so this
   article is about using svchost "for phun and profit" ;)


2. about svchost.exe

   There is nothing difficult about writing a program like this. All the
   information about running and stopped services always lives in the
   registry under HKLM\System\CurrentControlSet\Services. If you look
   there carefully, you'll see that the ImagePath value of some sub-keys
   holds a string like "%SystemRoot%\system32\svchost.exe -k netsvcs".
   This is exactly the info we need. That command line means the service
   is a member of the group netsvcs and gets loaded into an svchost
   process; the -k argument names the group. The module that really
   implements the service is stored in the sub-key Parameters, value
   ServiceDll (normally a REG_EXPAND_SZ, since it usually starts with
   %SystemRoot%). So this is the main difference between normal services
   and this kind: they must be DLLs and export a function named
   ServiceMain, which svchost looks up by name and calls on a thread of
   its own.

   Information about the boot groups of services is in this key:
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost.

   It holds a number of REG_MULTI_SZ values, one per group, each storing
   the names of the services in that group. Every group is loaded in a
   separate process named 'svchost.exe'. That is why you see several
   svchost processes in task manager on ctrl-alt-del.

   REG_MULTI_SZ is a string-like type. Every string in it ends with '\0',
   and the whole list ends with one more '\0', so the buffer always ends
   with '\0\0'. Tiny example:

   "hello\0mother\0fucker\0\0"
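   The format matters because later on we have to append our service name
   to one of these values and write it back, and the P.S. asks for the
   reverse operation. The following helpers are an added example written
   for this edit, not code from the original article or its includes dir.
   They are portable C working on the in-memory layout the registry API
   hands you, so they can be tested away from Windows; the group value is
   a constructed stand-in, not a real netsvcs list, and ExampleSvc is a
   hypothetical service name. Lengths are in wchar_t units including the
   final terminator, so cbData for RegSetValueEx is the result multiplied
   by sizeof(WCHAR).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed stand-in for a group value such as HKLM\...\SvcHost\netsvcs.
   The wide literal supplies the extra final NUL, so the layout is
   "Browser\0Schedule\0\0" with the rest of the buffer zeroed. */
wchar_t g_group[64] = L"Browser\0Schedule\0";

/* Service names are case-insensitive, so membership tests are too. */
static int ieq(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; a++, b++)
        if (towlower(*a) != towlower(*b)) return 0;
    return *a == *b;
}

/* Length in wchar_t units including the list-ending NUL (which sits at
   index len - 1). An empty value is just L"" and has length 1. */
size_t multisz_len(const wchar_t *ms)
{
    const wchar_t *p = ms;
    while (*p) p += wcslen(p) + 1;
    return (size_t)(p - ms) + 1;
}

size_t multisz_count(const wchar_t *ms)
{
    size_t n = 0;
    const wchar_t *p;
    for (p = ms; *p; p += wcslen(p) + 1) n++;
    return n;
}

int multisz_contains(const wchar_t *ms, const wchar_t *name)
{
    const wchar_t *p;
    for (p = ms; *p; p += wcslen(p) + 1)
        if (ieq(p, name)) return 1;
    return 0;
}

/* Append name unless it is already there; returns the new length, or 0 if
   the buffer (cap wchar_t units) cannot hold it. Running it twice is a
   no-op, which is what a loader that may be re-run wants. */
size_t multisz_append(wchar_t *buf, size_t cap, const wchar_t *name)
{
    size_t len = multisz_len(buf), nl = wcslen(name);
    if (multisz_contains(buf, name)) return len;
    if (len + nl + 1 > cap) return 0;
    /* overwrite the old list-ending NUL with "name\0", then re-terminate */
    memcpy(buf + len - 1, name, (nl + 1) * sizeof(wchar_t));
    buf[len + nl] = L'\0';
    return len + nl + 1;
}

/* Remove every entry equal to name (the core of the P.S. homework);
   returns the new length. */
size_t multisz_remove(wchar_t *buf, const wchar_t *name)
{
    wchar_t *src = buf, *dst = buf;
    while (*src) {
        size_t n = wcslen(src) + 1;
        if (!ieq(src, name)) {
            memmove(dst, src, n * sizeof(wchar_t));
            dst += n;
        }
        src += n;
    }
    *dst = L'\0';
    return (size_t)(dst - buf) + 1;
}

int main(void)
{
    const wchar_t *p;
    multisz_append(g_group, 64, L"ExampleSvc");   /* hypothetical service name */
    for (p = g_group; *p; p += wcslen(p) + 1)
        printf("%ls\n", p);
    /* cbData for RegSetValueEx: length times sizeof(WCHAR), which is 2 on Windows */
    printf("cbData = %u bytes\n", (unsigned)(multisz_len(g_group) * 2));
    return 0;
}
```

   The only subtle point is the last NUL: you write the new name over it
   and then put the terminator back, and you hand the registry the length
   with that terminator counted in, otherwise the next reader walks off
   the end of the value.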


3. example of code.

   Now let's look at the code structure of the service. As I said above,
   it must be a DLL that exports a function named ServiceMain. On success
   our code starts listening on tcp port 9000 and sends the string
   "hello\n" on every connect.

   I don't paste the pieces of code here, because they are easy (anyway,
   you can find them in the includes dir). Just a few remarks. First, when
   you fill in the SERVICE_STATUS structure, the field dwServiceType must
   be SERVICE_WIN32_SHARE_PROCESS. Second, dwControlsAccepted decides which
   control codes the SCM will deliver to your handler: set it to
   SERVICE_ACCEPT_STOP if "net stop" should be able to shut the service
   down; leave that bit clear, and ignore whatever controls still arrive,
   if the service should not be stoppable that way. Third, watch the
   export name: on x86 MSVC decorates a __stdcall export as
   _ServiceMain@8, while svchost looks for the plain name, so export it
   through a .def file (EXPORTS ServiceMain).
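   To make those remarks concrete, here is a complete minimal service DLL.
   It is an added example written for this edit, not the code from the
   includes dir. It assumes the hypothetical service name ExampleSvc,
   links against advapi32 and ws2_32, and is built as a DLL (cl /LD) with
   a .def file that exports ServiceMain undecorated. It does exactly what
   the text describes: report SERVICE_WIN32_SHARE_PROCESS, listen on tcp
   9000, answer "hello\n", and honour a stop request.

```c
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "ws2_32.lib")

static SERVICE_STATUS_HANDLE g_hStatus;
static SERVICE_STATUS        g_status;  /* zero-init: exit codes, checkpoint, wait hint */
static HANDLE                g_hStop;   /* set by Handler on SERVICE_CONTROL_STOP */

static void Report(DWORD state)
{
    g_status.dwCurrentState     = state;
    /* Advertise STOP only while running. With the bit clear the SCM refuses
       "net stop" with ERROR_INVALID_SERVICE_CONTROL and never calls Handler. */
    g_status.dwControlsAccepted = (state == SERVICE_RUNNING) ? SERVICE_ACCEPT_STOP : 0;
    SetServiceStatus(g_hStatus, &g_status);
}

static DWORD WINAPI Handler(DWORD ctrl, DWORD evType, LPVOID evData, LPVOID ctx)
{
    (void)evType; (void)evData; (void)ctx;
    switch (ctrl) {
    case SERVICE_CONTROL_STOP:
        Report(SERVICE_STOP_PENDING);
        SetEvent(g_hStop);
        return NO_ERROR;
    case SERVICE_CONTROL_INTERROGATE:
        return NO_ERROR;
    default:
        return ERROR_CALL_NOT_IMPLEMENTED;
    }
}

/* Accept loop: answer "hello\n" and hang up. accept() fails once ServiceMain
   closes the listener, which is how the worker learns it is time to go. */
static DWORD WINAPI Worker(LPVOID arg)
{
    SOCKET ls = (SOCKET)(ULONG_PTR)arg;
    for (;;) {
        SOCKET c = accept(ls, NULL, NULL);
        if (c == INVALID_SOCKET) return 0;
        send(c, "hello\n", 6, 0);
        closesocket(c);
    }
}

/* svchost resolves this export by name and runs it on a thread of its own;
   argv[0] is the service name. It must not return until the service stopped. */
__declspec(dllexport) VOID WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
{
    WSADATA wsa;
    struct sockaddr_in sa;
    SOCKET ls = INVALID_SOCKET;
    HANDLE th;
    (void)argc;

    g_hStatus = RegisterServiceCtrlHandlerExW(argv[0], Handler, NULL);
    if (!g_hStatus) return;
    g_status.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;  /* we live inside svchost.exe */
    Report(SERVICE_START_PENDING);

    g_hStop = CreateEventW(NULL, TRUE, FALSE, NULL);
    if (!g_hStop || WSAStartup(MAKEWORD(2, 2), &wsa) != 0) goto fail;

    ZeroMemory(&sa, sizeof sa);
    sa.sin_family      = AF_INET;
    sa.sin_port        = htons(9000);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ls == INVALID_SOCKET || bind(ls, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(ls, 5) != 0)
        goto fail;

    th = CreateThread(NULL, 0, Worker, (LPVOID)(ULONG_PTR)ls, 0, NULL);
    if (!th) goto fail;
    Report(SERVICE_RUNNING);

    WaitForSingleObject(g_hStop, INFINITE);   /* block until Handler saw STOP */
    closesocket(ls);                          /* breaks accept(), Worker exits */
    WaitForSingleObject(th, 5000);
    CloseHandle(th);
    WSACleanup();
    Report(SERVICE_STOPPED);
    return;

fail:
    /* WSAGetLastError() shares the thread's last-error slot, so it covers
       both the Win32 and the Winsock failures above. */
    g_status.dwWin32ExitCode           = ERROR_SERVICE_SPECIFIC_ERROR;
    g_status.dwServiceSpecificExitCode = (DWORD)WSAGetLastError();
    if (ls != INVALID_SOCKET) closesocket(ls);
    Report(SERVICE_STOPPED);
}
```

   If you want the "not stoppable" variant from the remark above, make
   Report() leave dwControlsAccepted at 0 in every state; the SCM then
   never delivers SERVICE_CONTROL_STOP and the worker loop simply keeps
   running.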

   Now let's look at the loader code. When we create the service we
   specify SERVICE_WIN32_SHARE_PROCESS, SERVICE_AUTO_START and
   SERVICE_ERROR_IGNORE. That tells the system not to run our service in a
   separate process, to load it into memory on every boot, and not even to
   log startup errors. The executable name in the registry (ImagePath)
   must be "%SystemRoot%\\System32\\svchost.exe -k netsvcs", because we
   want to be loaded by the netsvcs group.

   So now there is a key for our service in the registry:
   HKLM\System\CurrentControlSet\Services\OUR_SERVICE_NAME_HERE (creating
   the service makes it). Here we create a value "Description" - that is
   simpler than a call to ChangeServiceConfig2.

   Next, as I already said, under the sub-key Parameters we must write the
   real file name of our service DLL: in the value ServiceDll we give the
   full path to it. In my example it is this string:
   "%SystemRoot%\\System32\\Services.dll".

   And the last step - adding our new system service to a boot group. Go
   to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost and
   add our service to the group we named after the '-k' argument of the
   executable name; the two group names must match exactly. And don't
   forget the REG_MULTI_SZ format: append the name in place of the final
   '\0', put the double terminator back, and write the whole value back.
   All of this writes to HKLM, so the loader needs administrator rights.

   Well, that's all :)
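   The whole procedure in one loader, as an added example for this edit
   and not the article's own loader from the includes dir. The service
   name ExampleSvc, the display name and the description text are
   hypothetical; the DLL path and the group are the ones used above. It
   needs administrator rights and can be re-run safely, because the group
   step checks for an existing entry before appending.

```c
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "advapi32.lib")

#define SVC_NAME    L"ExampleSvc"                               /* hypothetical */
#define SVC_GROUP   L"netsvcs"
#define SVC_DLL     L"%SystemRoot%\\System32\\Services.dll"     /* the article's path */
#define SVC_IMAGE   L"%SystemRoot%\\System32\\svchost.exe -k " SVC_GROUP
#define SVCHOST_KEY L"Software\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost"
#define SVC_KEY     L"System\\CurrentControlSet\\Services\\" SVC_NAME

static int SetStringValue(const WCHAR *sub, const WCHAR *name, DWORD type, const WCHAR *val)
{
    HKEY h; LONG rc;
    rc = RegCreateKeyExW(HKEY_LOCAL_MACHINE, sub, 0, NULL, 0, KEY_SET_VALUE, NULL, &h, NULL);
    if (rc != ERROR_SUCCESS) return 0;
    rc = RegSetValueExW(h, name, 0, type, (const BYTE *)val,
                        (DWORD)((wcslen(val) + 1) * sizeof(WCHAR)));
    RegCloseKey(h);
    return rc == ERROR_SUCCESS;
}

/* Last step: put SVC_NAME into the group's REG_MULTI_SZ, once. Read the
   value, walk it to the list-ending NUL, write the new entry over that NUL
   and re-terminate. The zeroed slack from calloc guarantees the walk stops
   even if the stored value lacks its double terminator. */
static int AddToGroup(void)
{
    HKEY h; DWORD type = 0, cb = 0; WCHAR *buf, *p; LONG rc;
    size_t extra = (wcslen(SVC_NAME) + 2) * sizeof(WCHAR);

    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, SVCHOST_KEY, 0,
                      KEY_QUERY_VALUE | KEY_SET_VALUE, &h) != ERROR_SUCCESS)
        return 0;
    RegQueryValueExW(h, SVC_GROUP, NULL, &type, NULL, &cb);  /* size only; 0 if absent */
    buf = (WCHAR *)calloc(cb + extra, 1);
    if (cb && (RegQueryValueExW(h, SVC_GROUP, NULL, &type, (BYTE *)buf, &cb) != ERROR_SUCCESS
               || type != REG_MULTI_SZ)) {
        free(buf); RegCloseKey(h); return 0;
    }
    for (p = buf; *p; p += wcslen(p) + 1)
        if (_wcsicmp(p, SVC_NAME) == 0) { free(buf); RegCloseKey(h); return 1; }
    wcscpy(p, SVC_NAME);
    p += wcslen(SVC_NAME) + 1;
    *p = L'\0';
    rc = RegSetValueExW(h, SVC_GROUP, 0, REG_MULTI_SZ, (const BYTE *)buf,
                        (DWORD)((p - buf + 1) * sizeof(WCHAR)));
    free(buf); RegCloseKey(h);
    return rc == ERROR_SUCCESS;
}

int main(void)
{
    SC_HANDLE scm, svc;
    scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (!scm) { printf("OpenSCManager: %lu (run as admin)\n", GetLastError()); return 1; }

    /* Shared process, auto start, startup errors not even logged, hosted by
       the netsvcs svchost. NULL account means LocalSystem, like the rest of
       netsvcs. This call also creates the Services\ExampleSvc key. */
    svc = CreateServiceW(scm, SVC_NAME, L"Example Service", SERVICE_ALL_ACCESS,
                         SERVICE_WIN32_SHARE_PROCESS, SERVICE_AUTO_START,
                         SERVICE_ERROR_IGNORE, SVC_IMAGE,
                         NULL, NULL, NULL, NULL, NULL);
    if (!svc && GetLastError() != ERROR_SERVICE_EXISTS) {
        printf("CreateService: %lu\n", GetLastError()); CloseServiceHandle(scm); return 1;
    }
    if (svc) CloseServiceHandle(svc);
    CloseServiceHandle(scm);

    /* Description straight into the service key; ServiceDll under Parameters
       as REG_EXPAND_SZ so %SystemRoot% gets expanded at load time. */
    if (!SetStringValue(SVC_KEY, L"Description", REG_SZ, L"Example shared-process service") ||
        !SetStringValue(SVC_KEY L"\\Parameters", L"ServiceDll", REG_EXPAND_SZ, SVC_DLL) ||
        !AddToGroup()) {
        printf("registry setup failed: %lu\n", GetLastError());
        return 1;
    }
    puts("installed; the netsvcs svchost picks it up after a reboot");
    return 0;
}
```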


4. testing

   First we must reboot the box. svchost builds its table of services from
   the group value when it starts, so a "net start" of the new service
   while the old netsvcs process is still running fails with error 1083
   (ERROR_SERVICE_NOT_IN_EXE). After the reboot check the System event
   log: if there are no errors from the Service Control Manager,
   everything loaded fine.

   Now we can check that our example service works in two ways:
     - type 'tasklist /svc' in a shell and find our service name listed
       next to one of the svchost.exe processes;
     - connect to localhost on port 9000 and expect "hello\n".
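   A third check, just as useful from the other side of the fence, is to
   read back what section 2 described: walk the SvcHost key and print
   each group with the ServiceDll every member points at. This is an
   added example for this edit, not code from the original article. It
   prints the values raw, so an unexpanded %SystemRoot% shows as stored
   and a DLL that does not live under System32 stands out at a glance.

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "advapi32.lib")

/* Print one service's ServiceDll (raw, unexpanded) or say what is missing. */
static void PrintServiceDll(const WCHAR *svc)
{
    WCHAR key[300], dll[MAX_PATH * 2];
    DWORD cb = sizeof dll, type = 0;
    HKEY h;

    wcscpy(key, L"System\\CurrentControlSet\\Services\\");
    wcsncat(key, svc, 200);
    wcscat(key, L"\\Parameters");
    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, key, 0, KEY_QUERY_VALUE, &h) != ERROR_SUCCESS) {
        wprintf(L"    %-28s (no Parameters key)\n", svc);
        return;
    }
    if (RegQueryValueExW(h, L"ServiceDll", NULL, &type, (BYTE *)dll, &cb) == ERROR_SUCCESS
        && cb >= sizeof(WCHAR)) {
        dll[cb / sizeof(WCHAR) - 1] = L'\0';   /* tolerate a value stored without its NUL */
        wprintf(L"    %-28s %s\n", svc, dll);
    } else {
        wprintf(L"    %-28s (no readable ServiceDll value)\n", svc);
    }
    RegCloseKey(h);
}

int main(void)
{
    HKEY h; DWORD i;
    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                      L"Software\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost",
                      0, KEY_QUERY_VALUE, &h) != ERROR_SUCCESS)
        return 1;
    for (i = 0;; i++) {
        WCHAR group[256]; DWORD nameLen = 256, type = 0, cb = 0;
        BYTE *data; const WCHAR *p;
        /* first call: size only; second call: the REG_MULTI_SZ itself */
        if (RegEnumValueW(h, i, group, &nameLen, NULL, &type, NULL, &cb) != ERROR_SUCCESS) break;
        if (type != REG_MULTI_SZ) continue;             /* only groups are multi-sz here */
        data = (BYTE *)calloc(cb + 2 * sizeof(WCHAR), 1); /* zero slack ends a malformed list */
        nameLen = 256;
        if (RegEnumValueW(h, i, group, &nameLen, NULL, &type, data, &cb) == ERROR_SUCCESS) {
            wprintf(L"%s\n", group);
            for (p = (const WCHAR *)data; *p; p += wcslen(p) + 1)
                PrintServiceDll(p);
        }
        free(data);
    }
    RegCloseKey(h);
    return 0;
}
```

   Run it after the reboot and the new name should appear under netsvcs
   with the path from the Parameters key next to it; run it on a box you
   are investigating and every line is a DLL that gets loaded as part of
   a system process at boot.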


5. outroduction

   It's strange that Microsoft doesn't tell us how to write services like
   this.. There is nothing difficult in it. Sure, system "security"
   suffers, because all the services in a group share one process, one
   address space and one token (for netsvcs that is LocalSystem): our
   buggy code can corrupt the other services running in our context, and
   a crash in our DLL takes the whole svchost process, and every service
   in it, down with it. For the same reason the two spots we touched above,
   the ServiceDll values and the SvcHost group lists, are exactly what
   anyone auditing a box looks at first.

   How can you use this now? Uh.. just use your fantasy, because there are
   lots of things to do with it.

   P.S. Write a function which removes services like this as your home
   task ;)

   P.P.S. All code was written in MSVC++ 6.0.
