can i hide service?

Question

can i hide service?

oiramario opened this issue 3 years ago · 2 comments

thanks for your great work!
at this moment, i cannot find the interface of hide service.

Answer 1 · 2022-06-23T21:05:59.000Z

// CServiceRecord structure.
struct record_t
{
    ptr_t a0;
    ptr_t a1;
    ptr_t a2;
    ptr_t next;
    ptr_t a3;
    ptr_t a4;
    ptr_t a5;
    ptr_t name;
};

// Windows 10 20H2 signature.
static const std::vector<uint8_t> srv_db_pattern{
    0x48, 0x8B, 0x1D, 0x00, 0x00, 0x00, 0x00,   // mov     rbx, qword ptr cs:g_ServicesDB
    0x48, 0x85, 0xDB,                           // test    rbx, rbx
    0x74, 0x00,                                 // jz      short loc_7FF78BAE1E61
    0x48, 0x8B, 0x4B, 0x38,                     // mov     rcx, [rbx+38h]  ; String1
    0x48, 0x8B, 0xD7,                           // mov     rdx, rdi        ; String2
    0x48, 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00    // call    cs:__imp__wcsicmp
};

I tested it and it worked.
I think you could add this feature to hidden because i love it.

reference: https://github.com/archercreat/srvhide

Answer 2 · 2022-06-25T07:17:23.000Z

Hi,

Unfortunately right now there is no such ability to hide a service from SCM, I implemented years ago similar technique but didn't merge it yet, but who knows maybe will do it in the future. But thank you for the reference

JK