OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Friday, September 3 2010 17:14.26 CDT

Modified: Friday, September 3 2010 17:20.07 CDT

Printer Friendly ...

svchost from A to Zinc

Author: waleedassar

# Views: 2695

I will be using olly debugger for the purpose of reversing svchost.

Starting with the main function ,it does the following
1)Parsing svchost commandline using a function called BuildCommandOptions.
which returns a pointer to a structure of type INSTANCE_PARAMS.
struct INSTANCE_PARAMS
{
wchar_t* cmdline;
wchar_t* cmdline2;
bool gpFound;
wchar_t* svc_gp;
unsigned long CoInitia;
unsigned long Authentica;
unsigned long Impersona;
unsigned long AuthenticaCapa;
unsigned long RpcStack;
};
2)calling function BuildServiceArray ,this function takes the pointer returned by BuildCommandOptions as an argument and creates an array of structures of type _SERVICE_ARRAY_ELEMENT
struct _SERVICE_ARRAY_ELEMENT
{
wchar_t* srv_name;
_SRV_DLL_INFO* srv_dll_info;
char* SvcMainName;
unsigned long Count;
FUNCPTR d;
};
Original post herehttp://waleedassar.blogspot.com/2010/09/svchost-from-to-zinc.html

There are 29,954 total registered users.

Recently Created Topics
Disassembling Motoro...	Jun/13
ida plugin writing f...	Jun/02
New version of RE-Go...	May/29
Decompiling raw bina...	May/22
Incorrect bitness wh...	May/20
PaiMei stalker modul...	May/19
Attach to program us...	May/13
IDA PRO how to make ...	May/12
FACT: OpenRCE is dead.	May/08
Int 3 anti debug?	May/05

Recent Forum Posts
Good Binary Code Pro...	alton
Int 3 anti debug?	SteveIRQL
Attach to program us...	SteveIRQL
Ollydbg 2.0 - Plugin...	openrce...
IDA PRO how to make ...	codeinject
FACT: OpenRCE is dead.	codeinject
IDA Resource Viewer ...	r2x64
FACT: OpenRCE is dead.	djnemo
FACT: OpenRCE is dead.	codeinject
FACT: OpenRCE is dead.	pedram

Recent Blog Entries
	lowpriority	Apr/13
OllyMigrate Plugin for Olly...
	everdox	Mar/08
2 anti-trace mechanisms spe...
	everdox	Mar/07
Advanced debugging techniques
	everdox	Mar/06
Branch tracing and LBR acce...
	everdox	Mar/05
Using pre-paged in virtual ...
More ...

Recent Blog Comments
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
	newlulu on:	Jun/10
Branch tracing and LBR acce...
	newlulu on:	Jun/10
Advanced debugging techniques
	newlulu on:	Jun/10
2 anti-trace mechanisms spe...
	newlulu on:	Jun/10
OllyMigrate Plugin for Olly...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit