March 7th, 2005, 12:08 AM
#1
Interactive services scanner and the registry
Hi
Motivation
The security issue is older and known (Win NT, Win 2000, Win XP,
Win XP SP1, ~SP2), but anyway, my motivation is two-fold:
First, I wanted to look a bit closer how to deal with the registry
using c/c++, because of this thread[1]. I wanted to apply this in
some security context:
Interactive Services[2].
Typically, services are console applications that are designed
to run unattended without a graphical user interface. However,
some services may require occasional interaction with a user.
This does lead to security implications, e.g. [3] (Note: that one is
older).
Current State
There are ways to restrict interactive services[4] on Windows 2000/XP
systems. In addition, SP2 partly rewrote services not to be interactive
anymore[5].
A simple (remote) scanner
This might not be the cleverest way to scan for interactive services
(I could think of an "active" approach, like "Is the task scheduler there?",
or, more generally, what I will call here "IPC fingerprinting"), but I
wanted to apply some registry scans to something "useful".
All we need to know is given here[6].
The idea is simple: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services,
I check all the "[Service]Type" REG_DWORDs assigned to a service. If they
match the SERVICE_INTERACTIVE_PROCESS criterion, I print it out.
In addition, I check the "StartType" value in order to determine whether the
service is configured to be started automatically or not.
Code:
#include <windows.h>
#include <stdio.h>

int main() {
    HKEY phkResult;                 // address of buffer for main key (Services)
    HKEY psubkey;                   // address of buffer for sub keys (under Services)
    DWORD subkey_Index;             // index of the subkey
    char Name[1024];                // buffer for subkey name
    DWORD cbName = sizeof(Name);    // size of subkey buffer
    FILETIME ftLastWriteTime;       // address for time key last written to
    DWORD Type;                     // ServiceType
    DWORD cbType = sizeof Type;     // size of Type
    char DisplayName[1024];         // DisplayName
    DWORD Start;                    // StartType
    char StartType[5][1024]={{"SERVICE_BOOT_START"},{"SERVICE_SYSTEM_START"},
        {"SERVICE_AUTO_START"},{"SERVICE_DEMAND_START"},{"SERVICE_DISABLED"}};

    // connect to local registry at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    if( RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services",0,KEY_ENUMERATE_SUB_KEYS,&phkResult)
        != ERROR_SUCCESS) return 1; // return if not successful.

    // enumerate all subkeys, which correspond to all available services
    subkey_Index=0;
    while(1==1){
        // check for existing subkeys
        if( RegEnumKeyEx(phkResult, subkey_Index, Name, &cbName, 0, NULL, NULL, &ftLastWriteTime) != ERROR_SUCCESS) break;
        cbName = sizeof(Name); // reset size of Name

        // if there are still some, create a connection to the next subkey
        if( RegOpenKeyEx(phkResult, Name, 0, KEY_QUERY_VALUE, &psubkey)!= ERROR_SUCCESS) break;

        // get the "Type" value: if SERVICE_INTERACTIVE_PROCESS is set, we have found an interactive service
        if( RegQueryValueEx(psubkey, "Type", 0, NULL, (BYTE*)&Type, &cbType) == ERROR_SUCCESS)
            if (Type && SERVICE_INTERACTIVE_PROCESS) {
                // gather information about this service
                if (RegQueryValueEx(psubkey, "DisplayName", 0, NULL, (BYTE*)DisplayName, &cbName)!= ERROR_SUCCESS) break;
                if (RegQueryValueEx(psubkey, "Start", 0, NULL, (BYTE*)&Start, &cbType)!= ERROR_SUCCESS) break;
                printf("%s\t%s\n",StartType[Start],DisplayName);
            }

        if( RegCloseKey(psubkey)!= ERROR_SUCCESS) return 1; // return if not successfully disconnected
        subkey_Index++;
    } // while enumeration: break set within loop

    // disconnect from local registry
    if( RegCloseKey(phkResult)!= ERROR_SUCCESS) return 1; // return if not successfully disconnected
    return 0;
}
First remark: I added a small script kiddie protection to the code.
Second remark: I also have a version of a remote scanner, which works
if, if and if
PM me, if you would like to have a compiled version and/or the remote
scanner.
Typical output:
Code:
SERVICE_DISABLED NetMeeting Remote Desktop Sharing
SERVICE_DEMAND_START Windows Installer
SERVICE_DEMAND_START Network Connections
SERVICE_DEMAND_START Protected Storage
SERVICE_DISABLED Task Scheduler
SERVICE_DISABLED Secondary Logon
SERVICE_AUTO_START SmartLinkService
SERVICE_AUTO_START Print Spooler
Some questions
How relevant do you think are security issues related to interactive
services (..., Task scheduler, ...) on different platforms?
Do you know of scanners that are based on different methods than the one
I presented?
Do you think this particular scanner presented here has any use?
Cheers
[1] http://www.antionline.com/showthread...&postid=827016
[2] http://msdn.microsoft.com/library/de...e_services.asp
[3] http://msdn.microsoft.com/library/de...re08192002.asp
[4] http://www.winguides.com/registry/display.php/1132
[5] http://www.microsoft.com/technet/pro.../sp2maint.mspx
[6] http://msdn.microsoft.com/library/de...cification.asp
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
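Added example, not part of the original post and not the poster's code: a portable sketch of the decision the post describes, decoding a service's "Type" and "Start" DWORDs once they have been read from the registry. The SVC_* names, the "UNKNOWN_START" label, the needs_review rule and the sample records are assumptions made for this illustration; the numeric values are those of the Windows SDK constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values of the Windows SDK constants, redefined so this builds anywhere. */
#define SVC_INTERACTIVE_PROCESS 0x00000100u
#define SVC_DISABLED            4u

static const char *const START_NAMES[] = {
    "SERVICE_BOOT_START", "SERVICE_SYSTEM_START", "SERVICE_AUTO_START",
    "SERVICE_DEMAND_START", "SERVICE_DISABLED"
};

/* "Type" is a bit field, so the flag is tested with a bitwise AND. */
int is_interactive(uint32_t type) {
    return (type & SVC_INTERACTIVE_PROCESS) != 0;
}

/* Registry data is untrusted input: bound "Start" before indexing. */
const char *start_name(uint32_t start) {
    return start <= SVC_DISABLED ? START_NAMES[start] : "UNKNOWN_START";
}

/* Assumed audit rule: interactive and not disabled means "look at it". */
int needs_review(uint32_t type, uint32_t start) {
    return is_interactive(type) && start != SVC_DISABLED;
}

struct svc { const char *display; uint32_t type, start; };

/* Constructed sample records, not read from a real machine. */
static const struct svc SAMPLE[] = {
    {"Example Spooler", 0x110, 2}, {"Example Scheduler", 0x120, 4},
    {"Example Driver",  0x001, 1}, {"Example Odd Start", 0x110, 9},
};

size_t count_for_review(const struct svc *s, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (needs_review(s[i].type, s[i].start)) hits++;
    return hits;
}

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (is_interactive(SAMPLE[i].type))
            printf("%s\t%s\n", start_name(SAMPLE[i].start), SAMPLE[i].display);
    printf("for review: %zu\n", count_for_review(SAMPLE, 4));
    return 0;
}
```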