How can I register a Windows service but keep it from being listed in the Services console?

时间:2014-09-09 03:29:24

标签: c++ delphi winapi windows-7

I know of a legitimate Windows application, a parental control software, that installs itself as a service, but that service is not listed in the services list, the one you see in services.msc.

It is listed in Task Manager, though, but not in the services list.

I know it is a service because it has in the Registry section everything all the other services have; however, the services.msc console does not list it.

I've been researching this for a few days without an answer.

I found similar questions, but in the answers they suggest complicated routes, such as writing a device driver: How to hide windows service from task manager in windows desktop

However, these guys did it with a service. How did they do it?

This is the registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00
"DisplayName"="Some display name"
"ObjectName"="LocalSystem"
"Description"="Some description"
"FailureActions"=hex:00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv\Security]
"Security"=hex:01,00

Some binary content has been truncated for readability.

This is on Windows 7 32-bit.

Following Harry Johnston's suggestion:

**sc sdshow "ThatTrickySoftware"**
    D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

So, OK, I guess this is expected: although it is not listed as a service, it runs as a service, since Windows starts it automatically, but there is no clue as to how Windows is able to run this application.

Also, note that the executable is listed in Task Manager's Processes tab; however, it is unkillable. I can't kill it: if I try to kill the process, nothing happens.

2 Answers:

Answer 0 (score: 16)

OK, I can reproduce this behaviour: by giving a service the same permissions as the mysterious service, I can make it disappear from the list in services.msc.

sc sdset myservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

So it's all about the permissions.

OK, let's unpack that security descriptor string. This is a bit tricky, because the mapping between the SDDL permissions and the equivalent Service Manager permissions doesn't seem to be documented in detail in MSDN or the SDK headers; fortunately, Wayne Martin has done the heavy lifting for us and posted the results in his blog post Service Control Manager Security for non-admins.

D: - this part is the DACL, the permissions on the service.

The deny entries always come first, which also means they take precedence over the allow entries:

(D;;DCLCWPDTSD;;;IU) - deny (D) interactive users (IU) the following rights:
  DC - SERVICE_CHANGE_CONFIG (the right to change the service configuration)
  LC - SERVICE_QUERY_STATUS (the right to query the service status)
  WP - SERVICE_STOP (the right to stop the service)
  DT - SERVICE_PAUSE_CONTINUE (the right to pause and continue the service)
  SD - DELETE (the right to delete the service)
(D;;DCLCWPDTSD;;;SU) - deny services (SU) the same set of rights as above
(D;;DCLCWPDTSD;;;BA) - deny the Administrators group (BA) the same as above

The allow entries are the same as the default permissions. (They are in a different order, but the order of the allow entries doesn't matter.)

(A;;CCLCSWLOCRRC;;;IU) - allow the interactive user the following rights:
  CC - SERVICE_QUERY_CONFIG (the right to query the service configuration)
  LC - overridden by the deny entry
  SW - SERVICE_ENUMERATE_DEPENDENTS (the right to see service dependencies)
  LO - SERVICE_INTERROGATE (the right to send SERVICE_CONTROL_INTERROGATE)
  CR - SERVICE_USER_DEFINED_CONTROL (the right to send a user defined control)
  RC - READ_CONTROL (the right to see the permissions)
(A;;CCLCSWLOCRRC;;;SU) - allow services the following rights:
   same as for the interactive user
(A;;CCLCSWRPWPDTLOCRRC;;;SY) - allow local system the following rights:
   same as for the interactive user, plus:       
   RP - SERVICE_START (the right to start the service)
   WP - overridden by the deny entry for BA
   DT - overridden by the deny entry for BA
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) - allow the Administrators group:
   same as for local system, plus:
   DC - overridden by the deny entry
   LC - overridden by the deny entry
   SW - overridden by the deny entry
   SD - overridden by the deny entry
   WD - WRITE_DAC (permission to change the permissions)
   WO - WRITE_OWNER (permission to take ownership)

Finally, we have the SACL. This is the same as the default for a service.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  S: - indicates that this is a SACL
  AU - indicates that this is an audit entry
  FA - indicates that failed attempts to access the object should be audited
  WD - controls whose failed attempts should be audited; the Everyone SID
  CCDCLCSWRPWPDTLOCRSDRCWDWO - the kinds of access attempts to audit
    - appears to include every right that applies to services

So basically it just says "audit all failed attempts to access this service".

It should be possible to simplify these permissions considerably, e.g., by removing all the allow permissions that are overridden by deny permissions. In fact, the only access rights you might really need are probably SERVICE_START and SERVICE_QUERY for local system, and perhaps not even those. :-)

On the other hand, the complexity of the permissions doesn't really matter, so it may not be worth the bother of testing the changes.


PS: to restore the default permissions, you can say:

sc sdset myservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
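The decoding above carried out in code, as an added example that is not part of either answer: a small Python parser for the service SDDL that maps each two-letter right onto the SERVICE_* bit from winsvc.h (or the standard-right bit from winnt.h), applies the Windows rule that ACEs are evaluated in order with deny bits removed before allow bits are granted, and reports whether a given caller would still hold SERVICE_QUERY_STATUS, the right the SCM's enumeration (which services.msc uses to fill its list) requires before it will return a service at all. The two descriptors are the ones from this answer; the three caller group sets are constructed simplifications (a real token carries many more SIDs, and under UAC a non-elevated administrator's Administrators SID is deny-only).

```python
import re

# SDDL two-letter access codes -> (name, bit). The service-specific bits are
# from winsvc.h, the standard rights from winnt.h; the SDDL codes line up with
# these values exactly as the table in the answer above lays out.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
SERVICE_QUERY_STATUS = SERVICE_RIGHTS["LC"][1]

# The two descriptors from this answer: the one that hides the service, and the default.
HIDDEN_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed, simplified token group sets: only the SID abbreviations these ACEs
# name. A real token carries many more SIDs, and under UAC a non-elevated admin
# holds BA as a deny-only SID (it matches deny ACEs but not allow ACEs).
INTERACTIVE_USER = frozenset({"IU", "WD"})         # ordinary console user
INTERACTIVE_ADMIN = frozenset({"IU", "BA", "WD"})  # elevated admin at the console
LOCAL_SYSTEM = frozenset({"SY", "BA", "WD"})       # LocalSystem's token also holds Administrators

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as [(ace_type, sid, mask), ...] in ACE order."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):            # SDDL may also carry a raw hex mask
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SERVICE_RIGHTS[rights[i:i + 2]][1]
        aces.append((ace_type, sid, mask))
    return aces


def effective_access(sddl, token_sids):
    """Maximum access for a token holding token_sids, using the Windows rule:
    ACEs are walked in order, a deny ACE removes bits not yet granted and an
    allow ACE grants bits not yet denied. Denies come first in a canonical
    DACL, which is why an allow bit 'overridden by the deny entry' never lands."""
    granted = denied = 0
    for ace_type, sid, mask in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "D":
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return granted


def right_names(mask):
    """Sorted names of the rights set in mask."""
    return sorted(name for name, bit in SERVICE_RIGHTS.values() if mask & bit)


def listed_in_services_msc(sddl, token_sids):
    """services.msc fills its list from the SCM's enumeration, which skips every
    service whose status the caller is not allowed to query, so visibility
    comes down to a single bit: SERVICE_QUERY_STATUS (LC)."""
    return bool(effective_access(sddl, token_sids) & SERVICE_QUERY_STATUS)


if __name__ == "__main__":
    callers = [("interactive user", INTERACTIVE_USER),
               ("elevated admin", INTERACTIVE_ADMIN),
               ("LocalSystem", LOCAL_SYSTEM)]
    for label, sddl in (("hidden", HIDDEN_SDDL), ("default", DEFAULT_SDDL)):
        for who, sids in callers:
            mask = effective_access(sddl, sids)
            print(f"{label:7} {who:17} listed={listed_in_services_msc(sddl, sids)!s:5} "
                  f"{', '.join(right_names(mask))}")
```

Running it shows that with the hidden descriptor neither an ordinary user nor an elevated administrator (nor LocalSystem, because its token also carries the Administrators group) ends up with SERVICE_QUERY_STATUS, while the default descriptor grants it to everyone. It also shows what the deny entries leave untouched: an administrator keeps READ_CONTROL and WRITE_DAC, which is why sc sdshow worked for the asker and why the sc sdset command above can always put the defaults back.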

Answer 1 (score: 1)

Assuming serviceName (std::wstring) holds the name of the service and hService (HANDLE) is a handle to the service, the following code hides the service:

    #include <windows.h>
    #include <sddl.h>
    #include <string>
    #include <cstdio>

    // Replaces the service's DACL with one that denies SERVICE_CHANGE_CONFIG,
    // SERVICE_STOP, SERVICE_PAUSE_CONTINUE and DELETE to interactive users,
    // services and Administrators, and never grants SERVICE_QUERY_STATUS (LC),
    // which is what keeps the service out of services.msc.
    // hService must come from OpenService() with at least WRITE_DAC access;
    // SetServiceObjectSecurity takes an SC_HANDLE, not a plain HANDLE.
    bool HideService(SC_HANDLE hService, const std::wstring& serviceName)
    {
        bool ret = false;
        PSECURITY_DESCRIPTOR secDescPtr = NULL;
        ULONG secDescSize = 0;
        if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
                L"D:(D;;DCWPDTSD;;;IU)(D;;DCWPDTSD;;;SU)(D;;DCWPDTSD;;;BA)(A;;CCSWLOCRRC;;;IU)(A;;CCSWLOCRRC;;;SU)(A;;CCSWRPWPDTLOCRRC;;;SY)(A;;CCDCSWRPWPDTLOCRSDRCWDWO;;;BA)",
                SDDL_REVISION_1,
                &secDescPtr,
                &secDescSize))
        {
            wprintf(L"Security Descriptor conversion ok\n");
            if (SetServiceObjectSecurity(hService, DACL_SECURITY_INFORMATION, secDescPtr))
            {
                // %s in wprintf expects a wchar_t*, so pass c_str(), not the std::wstring itself
                wprintf(L"Service %s hidden\n", serviceName.c_str());
                ret = true;
            }
            else
            {
                DWORD err = GetLastError();
                switch (err)
                {
                case ERROR_ACCESS_DENIED:
                    wprintf(L"Service Security setup failed - Access Denied\n");
                    break;
                case ERROR_INVALID_HANDLE:
                    wprintf(L"Service Security setup failed - Invalid Handle\n");
                    break;
                case ERROR_INVALID_PARAMETER:
                    wprintf(L"Service Security setup failed - Invalid Parameter\n");
                    break;
                case ERROR_SERVICE_MARKED_FOR_DELETE:
                    wprintf(L"Service Security setup failed - Service Marked For Delete\n");
                    break;
                default:
                    wprintf(L"Service Security setup failed - error %lu\n", err);
                    break;
                }
            }
            // The descriptor is allocated with LocalAlloc by
            // ConvertStringSecurityDescriptorToSecurityDescriptor and must be freed by the caller.
            LocalFree(secDescPtr);
        }
        else
        {
            wprintf(L"Security Descriptor conversion failed\n");
        }
        return ret;
    }