Data Security: Resource

START SPYWARE FROM WINDOWS SERVICE

 Search Resources
Hot Words
Key Words
In Field



 By Chris Gudy
Start Spyware from Windows Service
Rigorously speaking, service is also a normal way to start programs. We emphasis it, because, at first, this method is so complicated that few common users understand, and secondly, it can start all types of binary executables in Windows. As we know, spyware is usually favor in technology that is new, unknown by most people, and difficult to learn. Although service as a terminology appeared accompanied with Windows 98, in Windows 2K/XP it is actually defined again, gains new or more complete explanation, and is used as an important mechanism in construction of operation system. So, as a matter of fact, service is an inseparable technology in Windows 2K/XP. Many crucial functionalities of operating system, including kernel driver, are loaded with service mechanism. As a new and core technology, it does not disappear in near future. If you are a programmer of Windows application, even though you never care spyware, to research service is deserved. Otherwise, you might miss many functionalities and features of operating system.

The causes that make developers of spyware choose service as way of automatic starting in Windows 2K/XP is different in various projects. Up to sum, the followings might be considered usually.
  • Service is activated before other automatic starting ways. If you want to run a program before your competitors, for example, an anti-spyware, to utilize service is definitely a correct choice. The items in service might be activated on order with their settings or priorities, but there is no other mechanism to offer a quicker starting that service. In general, you can start your programs before user logging without particular technique if you put them in service. In other words, before users see the logon dialog, your programs probably have been done.
  • Common users lack knowledge about service. Spyware should avoid using general technology. So, in all methods of normal automatic starting, service is an ideal candidate. Common users and even common developers never use service to start their projects. Instead of it, they prefer sub-key Run of registry, or other similar more understanding places. For most of them, to foresee a program of spyware is started from service, to analyze how it works, and to identify what it is seem impossible, because they have little experience and knowledge about service.
  • Service is a resource of operating system. Like other automatic starting ways, theoretically, the settings of service will be discovered at last despite that it might take longer time. However, because service is absolutely a mechanism to start routines of operating system, namely, most of its entries are in relation to operating system, any operations to change an item in service, either modification or dropping, will be radical dangerous. Except for professional persons, users are never recommended to operate the settings about service in registry manually. That is, even if your settings of automatic starting are doubted, because they are a part of service, or say, neighbor of system information, they still have chance to survive, because it might confront more severe conclusion to try to cancel unknowing objects in service.
  • Service is a new technology together with Windows 2K/XP. In contrast with other ways of automatic starting, it not only is more helpful to disguise, but also has longer expected lifetime. Some old automatic starting methods is facing to be thrown off, for example, after Windows 2K traditional autoexec.bat and config.sys are already ignored. If you are designing how to start automatically, you surely want your method to work for a long time. Of course, all application developers cannot know the detail specifications of operating system about next generation, but they should effort to observe the trend of software development If you make a mistake in direction unfortunately, for example, you insist on starting your programs from a Win.ini file but never research other substituting ways, your users will decrease dramatically when a new version that completely ignores this autostart file is becoming popular. For this reason, developers who do not want to give up the market of future have to pay attention on service.

Before developers utilize service to start program automatically, it is necessary to go through the fundamental knowledge of service. Basically, in Windows 2K/XP, there is a software component that is called Service Control Manager (SCM). It works like a server and manages all the services in the Windows registry. By this definition, we get two points: the first is all services is managed by a server, namely SCM; the second is all information of service is stored in registry. Maybe you need more definition of service itself. As its name, service is the name for all programs that can run as a server. In other words, service is a type of program that can response the request from client. In the view of SCM, service is a program that can be managed, no matter whether it offers service to client. Because this mechanism is designed to manager service, namely server program, any program under control of SCM is dealt with service in operating system, even if it is not a server.

In general, service is a binary executable. Many types of programs can play the role of service. A service program may contain executable code for one or more services. The common types are as followings.
  • SERVICE_FILE_SYSTEM_DRIVER: File system driver service.
  • SERVICE_KERNEL_DRIVER: Driver service.
  • SERVICE_WIN32_OWN_PROCESS: Service that runs in its own process.
  • SERVICE_WIN32_SHARE_PROCESS: Service that shares a process with one or more other services.

Now you surely agree that service mechanism provides a wide supporting for you to choose a flexible file type. Do not worry that it cannot implement your file type. Moreover, you maybe doubt whether it offer a bunch of options for time of starting. Indeed, automatic starting is the real destination for spyware to employ the service mechanism. Based on different file type, developers have different options to decide when file launches. To start automatically, the usual cases are as followings.
  • SERVICE_AUTO_START: A service started automatically by the service control manager during system startup.
  • SERVICE_BOOT_START: A device driver started by the system loader. This value is valid only for driver services.
  • SERVICE_DEMAND_START: A service started by the service control manager when a process calls the StartService function.
  • SERVICE_DISABLED: A service that cannot be started. Attempts to start the service result in the error code ERROR_SERVICE_DISABLED.
  • SERVICE_SYSTEM_START: A device driver started by the IoInitSystem function. This value is valid only for driver services.

Obviously, there are two kinds of way to activate a service. One is to start automatically at booting; another is to use Win32 API function, such as StartService or IoInitSystem. Do not forget why we research service here. Spyware needs a purely automatic starting. It is impossible to imagine that spyware is activated through functions like StartService or IoInitSystem in others programs. Therefore, if developers decide to start their spyware with service, they have to set it as SERVICE_AUTO_START or SERVICE_BOOT_START.

Windows 2K/XP offer an interface of management for service, by which users can view or control the relative settings. For example, to control the services startup, you may employ the Computer Management application at Control Panel\Administration Tools\Computer Management. You can use it to check all services.

In addition, from the description of SCM we know that all information about service is saved in registry. Namely, only if we can get the exact position of service data, it is possible to add, modify, and delete service data directly on registry. Comparing with using software tools, to operate service data on registry directly is more complex and more dangerous, and needs more knowledge. But, some merits prove it is deserved. For example, registry offers more space than Win32 API functions for service data. Many anti-spyware use this way to delete startup settings of spyware.