https://github.com/archercreat/srvhide
Simple tool to dump/hide services in services.exe process.
- Host: GitHub
- URL: https://github.com/archercreat/srvhide
- Owner: archercreat
- License: unlicense
- Created: 2022-01-20T14:45:21.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-04-22T09:28:05.000Z (almost 4 years ago)
- Last Synced: 2025-05-07T21:46:21.464Z (11 months ago)
- Topics: cmkr, cpp, reverse-engineering
- Language: CMake
- Homepage:
- Size: 18.6 KB
- Stars: 14
- Watchers: 3
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SrvHide
Simple tool to dump/hide services in the `services.exe` process. Once hidden, the service no longer shows up in `services.msc`. The tool is based on [this](https://www.codeproject.com/Articles/46670/Service-Hiding) blog post.
## Results
```
C:\Users\john-vm\Desktop\srvhide>srvhide.exe -d
[+] Services.exe PID: 664
[+] Check driver loaded: Success
[+] Protect current process: Success
[*] Services.exe - 0x7ff68a3f0000 - 0xb0000
[+] g_ServicesDB location - 0x7ff68a4905b8
[+] g_ServicesDB - 0x2325260ec70
[*] 0x2325260ec70 - 1394ohci
[*] 0x2325260f030 - 3ware
[*] 0x2325260f4b0 - AarSvc
[*] 0x2325260f690 - ACPI
[*] 0x2325260f8d0 - AcpiDev
...
[*] 0x232528fa420 - UserDataSvc_80c26
[*] 0x232528fa9f0 - WpnUserService_80c26
[*] 0x232528f65b0 - MpKslb488759d
```
```
C:\Users\john-vm\Desktop\srvhide>srvhide.exe -s 3ware
[+] Services.exe PID: 648
[+] Check driver loaded: Success
[+] Protect current process: Success
[*] Services.exe - 0x7ff7ecb70000 - 0xb0000
[+] g_ServicesDB location - 0x7ff7ecc105b8
[+] g_ServicesDB - 0x1f87a40e830
[+] Match found. Removing..
```
## Disclaimer
This tool is just a proof of concept developed while learning how Windows stores service information.
`services.exe` runs as a protected process (`PPL`) and cannot simply be tampered with from usermode. `SrvHide` uses the `BlackBone` driver for reading/writing the target process memory.
## Build
```
git clone --recurse-submodules https://github.com/archercreat/srvhide.git
cd srvhide
cmake -B build
cmake --build build
```
Once built, copy `BlackBoneDrv10.sys` to `srvhide.exe` directory.
## Usage
```
.\build\Debug\srvhide.exe
Usage: SrvHide: Hide service in services.exe [options]
Optional arguments:
-h --help shows help message and exits
-v --version prints version information and exits
-s --service Service name to hide [default: ""]
-d --dump Dump services database [default: false]
```