Getting information on the undocumented APIs called by StartServiceCtrlDispatcher

reverse-engineering, windows, windbg, call-stack
2021-06-29 09:16:13

I am trying to understand StartServiceCtrlDispatcher. Specifically, I am trying to figure out how it determines whether it was invoked by the SCM. So I wrote a simple service in C# and ran it as a console application. I launched it from WinDbg and set a breakpoint on ADVAPI32!StartServiceCtrlDispatcherWStub. I then stepped into a few calls until I got the following stack trace:

0:000> kP
Child-SP          RetAddr           Call Site
00000000`0037e578 00007ffa`101a52be RPCRT4!RpcStringBindingComposeW+0xff
00000000`0037e580 00007ffa`101abedf sechost!ScClientBindToServer+0x76
00000000`0037e690 00007ffa`101a8751 sechost!ScOpenServiceChannelHandle+0x1f
00000000`0037e6d0 00007ffa`009796f0 sechost!StartServiceCtrlDispatcherW+0x3c
00000000`0037e710 00007ffa`0097c0af System_ServiceProcess_ni+0x296f0
00000000`0037e7e0 00007ff9`a0730104 System_ServiceProcess_ni+0x2c0af
00000000`0037e880 00007ff9`ffe84113 0x00007ff9`a0730104
00000000`0037e8d0 00007ff9`ffe83fde clr!CallDescrWorkerInternal+0x83
00000000`0037e910 00007ff9`ffe889a3 clr!CallDescrWorkerWithHandler+0x4a
00000000`0037e950 00007ff9`fff591aa clr!MethodDescCallSite::CallTargetWorker+0x251
00000000`0037eb00 00007ff9`fff5999a clr!RunMain+0x1e7
00000000`0037ece0 00007ff9`fff59893 clr!Assembly::ExecuteMainMethod+0xb6
00000000`0037efd0 00007ff9`fff59372 clr!SystemDomain::ExecuteMainMethod+0x506
00000000`0037f5e0 00007ff9`fff592c6 clr!ExecuteEXE+0x3f
00000000`0037f650 00007ff9`fff59d84 clr!_CorExeMainInternal+0xae
00000000`0037f6e0 00007ffa`011e7ced clr!CorExeMain+0x14
00000000`0037f720 00007ffa`0128ea5b mscoreei!CorExeMain+0xe0
00000000`0037f770 00007ffa`107115cd MSCOREE!CorExeMain_Exported+0xcb
00000000`0037f7a0 00007ffa`10a343d1 KERNEL32!BaseThreadInitThunk+0xd
00000000`0037f7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:000> !clrstack
OS Thread Id: 0x2ae4 (0)
        Child SP               IP Call Site
000000000037e738 00007ffa100795b3 [InlinedCallFrame: 000000000037e738] System.ServiceProcess.NativeMethods.StartServiceCtrlDispatcher(IntPtr)
000000000037e738 00007ffa009796f0 [InlinedCallFrame: 000000000037e738] System.ServiceProcess.NativeMethods.StartServiceCtrlDispatcher(IntPtr)
000000000037e710 00007ffa009796f0 DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr)
000000000037e7e0 00007ffa0097c0af System.ServiceProcess.ServiceBase.Run(System.ServiceProcess.ServiceBase[])
000000000037e880 00007ff9a0730104 ConsoleAndSCMPatternDemo.Program.Main(System.String[]) [c:\Users\Justin\Documents\Visual Studio 2013\Projects\ConsoleAndSCMPatternDemo\ConsoleAndSCMPatternDemo\Program.cs @ 21]
000000000037ebb0 00007ff9ffe84113 [GCFrame: 000000000037ebb0] 

I have two questions:

  1. What is this sechost.dll that seems to contain AdvApi32 functionality?
  2. Where can I find documentation for the following API calls:
    • ScClientBindToServer
    • ScOpenServiceChannelHandle

Google does not turn up much useful information either.

0 answers
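The stack trace above already shows the first half of the picture: ADVAPI32!StartServiceCtrlDispatcherWStub is only a forwarding stub, and the real implementation lives in sechost!StartServiceCtrlDispatcherW, which opens an RPC binding to the SCM. The part that is documented, and the part a console-and-SCM pattern can rely on, is the observable result: when the process was not started by the Service Control Manager, StartServiceCtrlDispatcherW returns FALSE and GetLastError() is ERROR_FAILED_SERVICE_CONTROLLER_CONNECT (1063). The following is an added example, not code from the original post; it calls the Win32 API directly through P/Invoke instead of System.ServiceProcess.ServiceBase so that this error code is visible, and falls back to running interactively when it is returned. The service name and the DoWork body are assumptions; the name must match whatever the binary is registered under with sc create.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;

// Added example (not from the original post). Distinguishes "started by the SCM" from
// "started from a console" using the documented failure of StartServiceCtrlDispatcherW.
static class ConsoleOrScmDemo
{
    const int  ERROR_FAILED_SERVICE_CONTROLLER_CONNECT = 1063; // not started by the SCM
    const uint SERVICE_WIN32_OWN_PROCESS = 0x10;
    const uint SERVICE_STOPPED = 1, SERVICE_STOP_PENDING = 3, SERVICE_RUNNING = 4;
    const uint SERVICE_ACCEPT_STOP = 1;
    const uint SERVICE_CONTROL_STOP = 1, SERVICE_CONTROL_INTERROGATE = 4;
    const uint NO_ERROR = 0, ERROR_CALL_NOT_IMPLEMENTED = 120;

    // Assumed name; must match the name used with `sc create`.
    const string ServiceName = "ConsoleOrScmDemo";

    [StructLayout(LayoutKind.Sequential)]
    struct SERVICE_TABLE_ENTRY { public IntPtr lpServiceName; public IntPtr lpServiceProc; }

    [StructLayout(LayoutKind.Sequential)]
    struct SERVICE_STATUS
    {
        public uint dwServiceType, dwCurrentState, dwControlsAccepted, dwWin32ExitCode,
                    dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint;
    }

    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate void ServiceMainFn(uint argc, IntPtr argv);
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate uint HandlerExFn(uint control, uint eventType, IntPtr eventData, IntPtr context);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool StartServiceCtrlDispatcherW([In] SERVICE_TABLE_ENTRY[] table);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr RegisterServiceCtrlHandlerExW(string name, HandlerExFn handler, IntPtr ctx);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetServiceStatus(IntPtr hStatus, ref SERVICE_STATUS status);

    // Native code holds raw function pointers, not GC roots: keep the delegates alive.
    static readonly ServiceMainFn s_serviceMain = ServiceMain;
    static readonly HandlerExFn s_handler = HandlerEx;
    static readonly ManualResetEvent s_stop = new ManualResetEvent(false);
    static IntPtr s_statusHandle;

    static int Main()
    {
        var table = new[]
        {
            new SERVICE_TABLE_ENTRY
            {
                lpServiceName = Marshal.StringToHGlobalUni(ServiceName),
                lpServiceProc = Marshal.GetFunctionPointerForDelegate(s_serviceMain)
            },
            new SERVICE_TABLE_ENTRY() // {NULL, NULL} terminator required by the API
        };

        // When the SCM started us this blocks until every service in the table has stopped.
        if (StartServiceCtrlDispatcherW(table))
            return 0;

        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_FAILED_SERVICE_CONTROLLER_CONNECT)
        {
            // Not started by the SCM: run the same work interactively instead.
            Console.WriteLine("Error 1063: not started by the SCM, running as a console app. Press Enter to stop.");
            DoWork();
            Console.ReadLine();
            s_stop.Set();
            return 0;
        }
        Console.Error.WriteLine("StartServiceCtrlDispatcherW failed, Win32 error " + err);
        return err;
    }

    static void ServiceMain(uint argc, IntPtr argv)
    {
        s_statusHandle = RegisterServiceCtrlHandlerExW(ServiceName, s_handler, IntPtr.Zero);
        if (s_statusHandle == IntPtr.Zero) return;
        Report(SERVICE_RUNNING, SERVICE_ACCEPT_STOP);
        DoWork();
        s_stop.WaitOne(); // block until HandlerEx sees SERVICE_CONTROL_STOP
        Report(SERVICE_STOPPED, 0);
    }

    static uint HandlerEx(uint control, uint eventType, IntPtr eventData, IntPtr context)
    {
        switch (control)
        {
            case SERVICE_CONTROL_STOP:        Report(SERVICE_STOP_PENDING, 0); s_stop.Set(); return NO_ERROR;
            case SERVICE_CONTROL_INTERROGATE: return NO_ERROR;
            default:                          return ERROR_CALL_NOT_IMPLEMENTED;
        }
    }

    static void Report(uint state, uint accepted)
    {
        var st = new SERVICE_STATUS
        { dwServiceType = SERVICE_WIN32_OWN_PROCESS, dwCurrentState = state, dwControlsAccepted = accepted };
        SetServiceStatus(s_statusHandle, ref st);
    }

    // Placeholder for the service's real work (constructed for this example).
    static void DoWork() { Console.WriteLine("Service body started."); }
}
```

Launching this binary directly under WinDbg, as in the post, takes the error-1063 branch: the RPC bind in sechost succeeds or fails depending on whether the SCM is expecting a connection from this process, and the dispatcher reports that outcome only through the return value and last-error code, which is why the internal ScClientBindToServer and ScOpenServiceChannelHandle functions carry no public documentation. To exercise the SCM branch, register the same executable with `sc create ConsoleOrScmDemo binPath= "<full path>"` and start it with `sc start ConsoleOrScmDemo`, then attach WinDbg to the running process.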