Malware often installs itself as a service on the running system.
We can list the services hosted by each process with the command:
c:\Tools>tasklist /svc
Image Name PID Services
========================= ======== =======
System Idle Process 0 N/A
System 4 N/A
smss.exe 380 N/A
csrss.exe 456 N/A
wininit.exe 500 N/A
services.exe 584 N/A
lsass.exe 600 ProtectedStorage, SamSs
lsm.exe 608 N/A
svchost.exe 764 DcomLaunch, PlugPlay
VBoxService.exe 808 VBoxService
svchost.exe 856 RpcSs
svchost.exe 892 WinDefend
svchost.exe 1012 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe 1056 AudioEndpointBuilder, EMDMgmt, Netman,
PcaSvc, SysMain, TabletInputService,
TrkWks, UxSms, WdiSystemHost, WPDBusEnum,
wudfsvc
svchost.exe 1072 AeLookupSvc, Appinfo, BITS, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
audiodg.exe 1136 N/A
svchost.exe 1160 gpsvc
SLsvc.exe 1180 slsvc
svchost.exe 1208 EventSystem, FDResPub, LanmanWorkstation,
netprofm, nsi, SLUINotify, SSDPSRV,
SstpSvc, upnphost, W32Time, WebClient
svchost.exe 1364 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
TermService
spoolsv.exe 1496 Spooler
svchost.exe 1520 BFE, DPS, MpsSvc
svchost.exe 280 PolicyAgent
taskeng.exe 288 N/A
svchost.exe 648 WerSvc
SearchIndexer.exe 1888 WSearch
csrss.exe 2500 N/A
winlogon.exe 2532 N/A
taskeng.exe 2884 N/A
dwm.exe 3868 N/A
explorer.exe 3904 N/A
MSASCui.exe 3996 N/A
VBoxTray.exe 4004 N/A
sidebar.exe 4012 N/A
wuauclt.exe 3328 N/A
cmd.exe 3464 N/A
tasklist.exe 3704 N/A
WmiPrvSE.exe 2828 N/A
c:\Tools>
We can get the full set of details for every service from PsService.exe (Sysinternals):
http://technet.microsoft.com/en-us/sysinternals/bb897542.aspx
c:\Tools>PsService.exe
PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience
Processes application compatibility cache requests for applications as they are launched
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0 ms
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0 ms
We can also use ServiWin from http://www.nirsoft.net/utils/serviwin.html to get all the details about services.
We can also use ServiceList from http://www.pathsolutions.com/support/tools.asp:
c:\Tools>ServiceList.exe -t \\bala-pc
Service Name Display Name State Win Own Process Win Shared Process Kernel Device Driver
File System Driver Desktop Interactive Process Start Stop Pause Continue System
Shutdown
AeLookupSvc Application Experience Running X X X
ALG Application Layer Gateway Service Stopped X
Appinfo Application Information Running X X X
We can also use a native utility such as net start:
c:\Tools>net start
These Windows services are started:
Application Experience
Application Information
Background Intelligent Transfer Service
Base Filtering Engine
COM+ Event System
We can also use another tool called SvcUtil:
http://www.joeware.net/freetools/tools/svcutil/index.htm
c:\Tools>svcutil.exe "Application Experience"
SvcUtil V02.04.00cpp Joe Richards (joe@joeware.net) June 2005
SERVICE_NAME: AeLookupSvc
DISPLAY NAME: Application Experience
TYPE : 32 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
c:\Tools>
Note that PsService prints the TYPE value in hex (20) while SvcUtil prints it in decimal (32); both are SERVICE_WIN32_SHARE_PROCESS. We can find details about common services and their functions at these links:
http://msdn2.microsoft.com/en-us/library/ms681921
http://www.theeldergeek.com/services_guide.htm#Services
http://msdn2.microsoft.com/en-us/library/ms685942
Drivers
We can see the drivers on the system with the help of DriverView from http://www.nirsoft.net/utils/driverview.html
Here all non-Microsoft drivers are highlighted.
The drivers.exe tool does the same thing from the command line:
http://download.microsoft.com/download/win2000platform/drivers/1.0/NT5/EN-US/drivers.exe
c:\Tools>drivers.exe
ModuleName Code Data Bss Paged Init LinkDate
------------------------------------------------------------------------------
ntoskrnl.exe 942080 290816 0 1966080 262144 Thu Oct 14 20:08:16 2010
hal.dll 73728 16384 0 36864 16384 Sat Jan 19 10:57:20 2008
kdcom.dll 4096 4096 0 4096 4096 Sat Jan 19 13:01:53 2008
mcupdate_GenuineIntel.dll 4096 4096 0 364544 4096 Sat Jan 19 12:59:43 2008
PSHED.dll 12288 12288 0 8192 8192 Sat Jan 19 13:01:21 2008
BOOTVID.dll 8192 4096 0 0 4096 Sat Jan 19 12:57:15 2008
CLFS.SYS 77824 12288 0 131072 8192 Sat Jan 19 10:58:01 2008
CI.dll 520192 303104 0 61440 4096 Fri Feb 22 10:30:56 2008
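The tools above each give one view: tasklist /svc shows which services share a host process, PsService/SvcUtil show configuration, and DriverView highlights non-Microsoft drivers. The following PowerShell script is an added example, not part of the original post or of any of the tools it mentions. It reproduces the tasklist /svc grouping, lists every service with the binary it actually runs, and lists every kernel driver, flagging binaries that are not Microsoft-signed or that live outside %SystemRoot%. It assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt; the Win32_Service and Win32_SystemDriver CIM classes and Get-AuthenticodeSignature are built in, the function names are my own.

```powershell
# Added example (not from the original post): service and driver inventory with
# Authenticode checks, using only built-in cmdlets and the documented
# Win32_Service / Win32_SystemDriver CIM classes. Run from an elevated prompt.

# Normalise the image path forms found in service/driver configuration:
#   \??\C:\x.sys                        -> C:\x.sys
#   \SystemRoot\System32\drivers\x.sys  -> C:\Windows\System32\drivers\x.sys
#   System32\drivers\x.sys              -> C:\Windows\System32\drivers\x.sys
function Resolve-ImagePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $p = $Path.Trim() -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Win32_Service.PathName carries quotes and arguments
# ("C:\Windows\system32\svchost.exe -k netsvcs"); keep only the executable.
function Get-BinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

# Authenticode check: a valid signature whose subject is Microsoft Corporation.
function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = $null; Microsoft = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Status    = $sig.Status.ToString()
        Signer    = $subject
        Microsoft = ($sig.Status -eq 'Valid' -and $subject -like '*O=Microsoft Corporation*')
    }
}

# (1) The "tasklist /svc" view: services grouped by the PID that hosts them.
function Get-ServicesByProcess {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID      = [int]$_.Name
                Image    = if ($proc) { $proc.ProcessName + '.exe' } else { '?' }
                Services = (($_.Group | Select-Object -ExpandProperty Name | Sort-Object) -join ', ')
            }
        }
}

# (2) Every service with its real binary and signer, plus the two flags a
# reviewer wants: not Microsoft-signed, or running from outside %SystemRoot%.
function Get-ServiceInventory {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Resolve-ImagePath (Get-BinaryPath $_.PathName)
        $sig = Get-SignerInfo $bin
        [pscustomobject]@{
            Name              = $_.Name
            State             = $_.State
            StartMode         = $_.StartMode
            PID               = $_.ProcessId
            Binary            = $bin
            SigStatus         = $sig.Status
            Signer            = $sig.Signer
            NonMicrosoft      = -not $sig.Microsoft
            OutsideWindowsDir = [bool]($bin -and $bin -notlike "$env:SystemRoot\*")
        }
    }
}

# (3) Every kernel / file-system driver with the same signer check
# (the command-line equivalent of DriverView's non-Microsoft highlight).
function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $bin = Resolve-ImagePath $_.PathName
        $sig = Get-SignerInfo $bin
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Binary       = $bin
            SigStatus    = $sig.Status
            Signer       = $sig.Signer
            NonMicrosoft = -not $sig.Microsoft
        }
    }
}

# Usage: the grouped view, then only the services and drivers worth a closer look.
Get-ServicesByProcess | Sort-Object PID | Format-Table -AutoSize
Get-ServiceInventory | Where-Object { $_.NonMicrosoft -or $_.OutsideWindowsDir } |
    Format-Table Name, State, PID, Binary, SigStatus, Signer -AutoSize
Get-DriverInventory | Where-Object { $_.NonMicrosoft } |
    Format-Table Name, State, StartMode, Binary, SigStatus, Signer -AutoSize
```

Two caveats when reading the output. On older systems such as the Vista machine in the listings above, most Microsoft binaries are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature there reports them as NotSigned; treat NotSigned inside %SystemRoot% as a prompt to confirm with a catalog-aware checker (Sysinternals sigcheck, for example) rather than as a finding. And a third-party service such as VBoxService is expected to show as NonMicrosoft; the flag separates what needs a look from what does not, it is not a verdict.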