Process Hacker and Windows discussion

 
rammerlabs
Member
Posts: 4
Joined: 04 Jan 2019 17:22

Default Services Filter Issue

06 Apr 2021 12:34

There is an issue with the new filtering ability from commit 24c83ff.
Some services running in shared processes on certain versions of Windows (for example 8.1, 1607) are not covered by the filter.
The reason is in the mechanism for obtaining the executable module filename (ServiceDLL) of the service - for example, the EventLog service in the above versions of Windows does not store the name of its executable module in HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Parameters\ and of course PH cannot obtain "VerifySignerName" and cannot get information about the file signature.
However, the path to the file name of the executable module of such services can be obtained in another way, a little more time consuming.
You need to get to LDR_DDAG_NODE (LDR_DATA_TABLE_ENTRY.DdagNode) when enumerating process modules, then enumerate all service tags through the LDR_DDAG_NODE.ServiceTagList field for all modules in the process of interest, and then compare the ServiceTag value to find the module corresponding to the requested service. Of course, you can simplify the task and carry out this entire procedure only for individual services.
The disadvantage of this method is the mandatory presence of administrator rights, but it is still better than nothing.
PS: I don't have a GitHub account, so I cannot create an issue or pull request.
 
dmex
Admin
Posts: 1640
Joined: 17 Jan 2011 05:43

Re: Default Services Filter Issue

06 Apr 2021 16:55

rammerlabs wrote: 06 Apr 2021 12:34
You need to get to LDR_DDAG_NODE (LDR_DATA_TABLE_ENTRY.DdagNode) when enumerating process modules, then enumerate all services tags through LDR_DDAG_NODE.ServiceTagList field for all modules in the process of interest, and then comparing the ServiceTag value to find the module corresponding to the requested service.
If we wanted to go this route, the I_QueryTagInformation function would return the information. It is, however, using information copied via ReadProcessMemory from the process' TEB, which can be easily hidden and isn't as reliable as using the registry, since those modifications are logged and monitored.
rammerlabs wrote: 06 Apr 2021 12:34
the EventLog service in the above versions of Windows does not store the name of its executable module in HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Parameters\ and of course PH cannot obtain "VerifySignerName" and cannot get information about the file signature.
The name on Windows 8 is located in the root key, so I've fixed the lookup in the latest nightly :thumbup:
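The registry-based lookup the two posts discuss (ServiceDll under the Parameters subkey, with the root-key location that dmex mentions for EventLog on Windows 8.x / 1607) can be reproduced from an elevated PowerShell prompt to check which services a signer-based filter would actually resolve. The script below is an added example written for this thread, not Process Hacker code and not the function behind "VerifySignerName"; the function name Get-ServiceModuleSignature and the ImagePath fallback for services hosted in their own executable are my own choices. It reads the module path, expands environment variables, strips quotes and arguments, and reports the Authenticode status and signer so that unresolved or unsigned service modules stand out.

```powershell
# Added example (not Process Hacker's code): resolve a service's executable module
# the same way the thread describes and report its Authenticode signer.
function Get-ServiceModuleSignature {
    param([Parameter(Mandatory)][string]$ServiceName)

    $root = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $root)) { throw "Service key not found: $root" }

    $path = $null
    $source = $null

    # Preferred location: ...\Services\<name>\Parameters\ServiceDll
    $params = Join-Path $root 'Parameters'
    if (Test-Path $params) {
        $path = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($path) { $source = 'Parameters\ServiceDll' }
    }

    # Fallback: some services (EventLog on 8.1 / 1607, per the thread) keep ServiceDll in the root key
    if (-not $path) {
        $path = (Get-ItemProperty -Path $root -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($path) { $source = 'ServiceDll (root key)' }
    }

    # Last resort (assumption of this example): a service hosted in its own executable has only ImagePath
    if (-not $path) {
        $path = (Get-ItemProperty -Path $root -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($path) { $source = 'ImagePath' }
    }

    if (-not $path) {
        # Nothing to verify: a filter keyed on the signer cannot cover this service
        return [pscustomobject]@{ Service = $ServiceName; Source = 'none'; Path = $null; Status = 'Unresolved'; Signer = $null }
    }

    # Expand %SystemRoot% and friends, then strip surrounding quotes or trailing arguments
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path.StartsWith('"')) {
        $path = $path.Substring(1, $path.IndexOf('"', 1) - 1)
    } elseif ($path -match '^(.+?\.(exe|dll))(\s.*)?$') {
        $path = $Matches[1]
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service = $ServiceName
        Source  = $source
        Path    = $path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Single service, e.g. the one from the report
Get-ServiceModuleSignature -ServiceName EventLog

# Whole system: list every service whose module is unresolved or not validly signed
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { try { Get-ServiceModuleSignature -ServiceName $_.PSChildName } catch { } } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Service, Source, Status, Path -AutoSize
```

Running the whole-system pass on the affected Windows builds before and after the nightly fix shows which services moved from "Unresolved" to a signed module; services that still resolve only through ImagePath or not at all are the ones a signer-based default filter will keep showing, regardless of the ServiceTag approach proposed above.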