How to accurately find out fake System Processes

Source: Internet
Author: User

No virus or Trojan can run in a system without a process, so it can never be completely separated from the process list. Even when hiding techniques are used, clues can still be found among the processes. Viewing the active processes in the system is therefore the most direct way to detect viruses and Trojans. However, many processes run at the same time: which are normal system processes, which are Trojan processes, and how can we pick out the counterfeit system processes? Let's take a look.

1. Three Methods for hiding virus processes

When we are sure that there is a virus in the system, yet see no unfamiliar process when viewing the processes through the "Task Manager", the virus has taken some hiding measures. These can be summarised in three methods:

1.1 Look-alike names

The normal processes in the system include svchost.exe, explorer.exe, iexplore.exe, winlogon.exe and so on. You may have seen processes such as svch0st.exe, a misspelt explorer.exe, iexplorer.exe or winlogin.exe in your system. What is the difference? This is a common trick viruses use to fool the user's eyes: they take the name of a normal system process and change the letter o to the digit 0, the letter l to a capital I, or i to j, and use the result as their own process name. The difference is a single character, but the meaning is completely different. A name with one letter more or one letter less, for example explorer.exe and iexplorer.exe, is just as easy to mix up, and with iexplore.exe also present it becomes even more confusing. An inattentive user will simply overlook it, and the virus process escapes.
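The character swaps described above can be caught mechanically. The following script is an added example, not code from the original article: it compares every name in a process list against a small list of legitimate Windows process names using optimal string alignment (OSA) distance, so that one substituted, added, dropped or transposed character is enough to flag a name. The legitimate list and the sample process names are constructed for the example; on a real system the legitimate list would be extended to the processes expected on that build.

```python
"""Detect look-alike process names (added example; not from the original article).

Each name in a process list is compared with a small list of legitimate
Windows process names using optimal string alignment (OSA) distance, which
counts insertions, deletions, substitutions and adjacent transpositions as
one edit each. A name that is not legitimate but within MAX_DISTANCE edits
of a legitimate one (svch0st.exe, scvhost.exe, winlogin.exe, ...) is flagged.
"""
from typing import List, Tuple

# Legitimate names taken from the article; on a real system extend this
# with the full list of processes you expect on your build.
LEGITIMATE = {"svchost.exe", "explorer.exe", "iexplore.exe", "winlogon.exe"}

# Two edits catch single-character swaps (o->0, l->I), one letter added or
# dropped, and transposed pairs; larger values start producing false alarms.
MAX_DISTANCE = 2


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def classify(name: str) -> Tuple[str, str, int]:
    """Return (verdict, closest legitimate name, distance).

    verdict is "ok" for an exact legitimate name, "lookalike" for a name
    within MAX_DISTANCE edits of one, and "unknown" otherwise.
    """
    candidate = name.lower()
    if candidate in LEGITIMATE:
        return ("ok", candidate, 0)
    closest = min(sorted(LEGITIMATE), key=lambda legit: osa_distance(candidate, legit))
    dist = osa_distance(candidate, closest)
    if dist <= MAX_DISTANCE:
        return ("lookalike", closest, dist)
    return ("unknown", closest, dist)


def scan_names(names: List[str]) -> List[Tuple[str, str, int]]:
    """Return (name, closest legitimate name, distance) for every look-alike."""
    return [(n, closest, dist) for n in names
            for verdict, closest, dist in [classify(n)] if verdict == "lookalike"]


# Constructed process list mixing genuine names with the article's fakes.
SAMPLE_PROCESSES = [
    "svchost.exe", "explorer.exe", "winlogon.exe", "notepad.exe",
    "svch0st.exe", "scvhost.exe", "iexplorer.exe", "winlogin.exe", "expiorer.exe",
]

if __name__ == "__main__":
    for name, closest, dist in scan_names(SAMPLE_PROCESSES):
        print(f"suspicious: {name} (looks like {closest}, {dist} edit(s) away)")
```

An "unknown" verdict only means no rule matched; it is not a clean bill of health, since a virus can also pick a name that resembles nothing. Names that are within distance of two legitimate names (iexplorer.exe sits one edit from both explorer.exe and iexplore.exe) are still flagged; the closest name reported is just the first match.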

1.2 Substitution

If the user is more careful, the trick above is useless and the virus will be caught. So viruses learned to be smarter and switched to substitution: using the genuine name. If a process is named svchost.exe, exactly like the normal system process, is it safe? In fact this exploits a weakness of the "Task Manager": it cannot show the executable file behind a process. We know that the executable of the svchost.exe process is located in the "C:\WINDOWS\system32" directory ("C:\WINNT\system32" on Windows 2000). If the virus copies itself to a different directory, for example "C: …", under the name svchost.exe and runs from there, it appears in the process list side by side with the normal system processes. Can you tell which process is the virus?

1.3 Borrowed bodies (DLL injection)

Besides the two methods above, viruses also have an ultimate trick. The so-called borrowed body means the virus uses process injection to insert the DLL files it needs into a normal system process. On the surface nothing looks suspicious, but in essence the system process has been taken over by the virus. Unless professional process inspection tools are used, it is very difficult to find a virus hidden this way.



2. Understanding the system processes

Several system processes were mentioned above. What do they do and how do they work? Next we explain these system processes one by one. Once familiar with them, we should be able to see through the virus's "look-alike name" and "substitution" tricks.

2.1 svchost.exe

Process names often used by viruses to impersonate it: svch0st.exe, schvost.exe, scvhost.exe. As the number of Windows system services grew, the svchost.exe process was introduced so that many services can share one host process and save system resources. System services are implemented as dynamic link libraries (DLLs); their executable program is pointed at svchost.exe, and svchost.exe loads the DLL of the corresponding service to start it. Open "Control Panel" > "Administrative Tools" > "Services", double-click the "ClipBook" service, and in its property panel you will find that the path to its executable is "C:\WINDOWS\system32\clipsrv.exe". Double-click the "Alerter" service and the path is "C:\WINDOWS\system32\svchost.exe -k LocalService"; for the "Server" service it is "C:\WINDOWS\system32\svchost.exe -k netsvcs". This arrangement saves system resources, and it is the reason several svchost.exe instances appear in the system: they are actually system services.

There are generally two svchost.exe processes on a Windows 2000 system. One is the RPCSS (Remote Procedure Call) service process, and the other is the service process shared by the remaining services. The executable of the svchost.exe process should be in the "C:\WINDOWS\system32" directory; if it is outside that directory, it can be judged to be a virus.
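The rule from sections 1.2 and 2.1, that a system process name running from the wrong directory is suspect, can be applied to a process listing rather than by eye. The script below is an added example, not code from the original article. It checks a constructed snapshot of process records (pid, name, executable path, command line) in the shape a tool such as `tasklist /FO CSV /V` or psutil would report on a live Windows machine; the system root, the expected directory of explorer.exe, and all pids and paths in the sample are assumptions for the example.

```python
"""Executable-path check for impersonated system processes (added example;
not from the original article).

The article's rule: svchost.exe must run from C:\\WINDOWS\\system32, and a
copy running from anywhere else is a virus. The snapshot below is constructed
in the shape a live listing (for example `tasklist /FO CSV /V` or psutil on
Windows) would give; the pids and paths are made up for the example.
"""
import ntpath
from typing import Dict, List

# Assumed system root; the article notes it is C:\WINNT on Windows 2000.
SYSTEM_ROOT = r"C:\WINDOWS"

# Expected directory of each system process named in the article. The
# explorer.exe location is general Windows knowledge, not from the article.
EXPECTED_DIR = {
    "svchost.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "winlogon.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "explorer.exe": SYSTEM_ROOT,
}


def _same_dir(a: str, b: str) -> bool:
    """Compare Windows paths case-insensitively, tolerating / separators."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def check_process(proc: Dict[str, str]) -> List[str]:
    """Return the findings for one process record (empty list when clean)."""
    findings = []
    name = proc["name"].lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return findings  # no rule for this name; this is not a "clean" verdict
    actual_dir = ntpath.dirname(proc["path"])
    if not _same_dir(actual_dir, expected):
        findings.append(f"{name} pid {proc['pid']} runs from {proc['path']}, expected {expected}")
    # Every genuine svchost.exe is started with a "-k <group>" argument
    # (the article shows "-k LocalService" and "-k netsvcs").
    if name == "svchost.exe" and "-k" not in proc["cmdline"].split():
        findings.append(f"svchost.exe pid {proc['pid']} has no -k service group: {proc['cmdline']}")
    return findings


def scan_paths(snapshot: List[Dict[str, str]]) -> List[str]:
    """Run check_process over a whole snapshot and collect every finding."""
    return [f for proc in snapshot for f in check_process(proc)]


# Constructed snapshot: genuine processes plus one substituted svchost.exe.
SAMPLE_SNAPSHOT = [
    {"pid": "1040", "name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    # Mixed case and forward slashes, as some tools report them: still genuine.
    {"pid": "1104", "name": "svchost.exe", "path": r"c:/Windows/System32/svchost.exe",
     "cmdline": r"c:/Windows/System32/svchost.exe -k LocalService"},
    {"pid": "560", "name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe",
     "cmdline": "winlogon.exe"},
    {"pid": "1612", "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe",
     "cmdline": r"C:\WINDOWS\explorer.exe"},
    # The substitution trick: same name, wrong directory, no service group.
    {"pid": "2288", "name": "svchost.exe", "path": r"C:\WINDOWS\svchost.exe",
     "cmdline": r"C:\WINDOWS\svchost.exe"},
    {"pid": "3120", "name": "notepad.exe", "path": r"C:\WINDOWS\system32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan_paths(SAMPLE_SNAPSHOT):
        print("suspicious:", finding)
```

The path comparison is normalised before comparing because Windows paths are case-insensitive and different tools report separators differently; a check that compared the raw strings would raise a false alarm on the second genuine svchost.exe above. The `-k` check is a secondary signal: a genuine service host always carries its service group on the command line, so its absence on an svchost.exe process is worth a look even when the path is right.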

2.2 explorer.exe

Process names often used by viruses to impersonate it: icycler.exe, expiorer.exe, police.exe. explorer.exe is the frequently used "Resource Manager" (Windows Explorer). If it is ended, the desktop and taskbar disappear; run it again and the lost items come back. The role of the explorer.exe process is to let us manage the resources in the computer.
