svchost from A to Zinc
 Walied (waleedassar) <waliedassar gmail com> |
Friday, September 3 2010 17:14.26 CDT |
I will be using olly debugger for the purpose of reversing svchost.
Starting with the main function ,it does the following
1)Parsing svchost commandline using a function called BuildCommandOptions.
which returns a pointer to a structure of type INSTANCE_PARAMS.
struct INSTANCE_PARAMS
{
wchar_t* cmdline;
wchar_t* cmdline2;
bool gpFound;
wchar_t* svc_gp;
unsigned long CoInitia;
unsigned long Authentica;
unsigned long Impersona;
unsigned long AuthenticaCapa;
unsigned long RpcStack;
};
2)calling function BuildServiceArray ,this function takes the pointer returned by BuildCommandOptions as an argument and creates an array of structures of type _SERVICE_ARRAY_ELEMENT
struct _SERVICE_ARRAY_ELEMENT
{
wchar_t* srv_name;
_SRV_DLL_INFO* srv_dll_info;
char* SvcMainName;
unsigned long Count;
FUNCPTR d;
};
Original post herehttp://waleedassar.blogspot.com/2010/09/svchost-from-to-zinc.html
Comments
| Posted: Wednesday, December 31 1969 18:00.00 CST | |