Clearing Trojan backdoors that load through the SVCHOST.EXE process

Source: Internet
Author: User

(From http://hi.baidu.com/reyman/blog/item/0fd9815124e1ca19377abed9.html)

Svchost.exe is a core file of the Windows NT family and is indispensable on Windows 2000/XP. It is a generic host process: services that are implemented as DLLs rather than as standalone executables run inside it, and several such services normally share one svchost.exe instance. Services hosted this way include Logical Disk Manager, Remote Procedure Call (RPC), DHCP Client, Automatic Updates, Background Intelligent Transfer Service, COM+ Event System, Internet Connection Sharing, Network Connections, Portable Media Serial Number Service, Remote Access Auto Connection Manager, Remote Access Connection Manager, Removable Storage, Routing and Remote Access, System Event Notification, Telephony, Wireless Configuration and so on.

To see how a service is loaded through svchost.exe, open the Services console, pick one of the services listed above, right-click it and choose Properties. For the Automatic Updates service, for example, the "Path to executable" field shows svchost.exe followed by a -k argument; the DLL that actually implements the service is not shown there, which is what the registry lookup further down is for. The same method works for any other svchost-hosted service you want to examine.

The attentive reader will by now see how important svchost.exe is to the system, and that importance is exactly why viruses and Trojans try to hide behind it, counting on its familiar name to infect, intrude and do damage unnoticed. How do we tell a malicious process from the real thing? The genuine svchost.exe lives in C:\WINDOWS\System32 (C:\WINNT\system32 on Windows 2000); be suspicious of a copy anywhere else. Attackers who want to pass their program off as svchost.exe also use confusable names, for instance swapping the letter O for the digit 0 so that the program is called svch0st.exe, which easily escapes a casual glance. One more check that the name and path alone do not give you: every legitimate svchost.exe is started by the Service Control Manager, so its parent process is services.exe.

A general way to check the svchost.exe instances running on a machine is to look at the path each one was started from. Computer Management > System Tools > System Information > Software Environment > Running Tasks lists the image path of every running task.

Here is just one example. Suppose a Windows XP machine is infected with W32.Welchia.Worm. The genuine svchost.exe is in C:\WINDOWS\System32; the worm's copy, also named svchost.exe, sits in C:\WINDOWS\system32\wins. Using the method above you can list the image path of every svchost process, and any path that deviates from the system directory should be investigated and dealt with at once.

That leaves one question: the Services console shows svchost.exe, but not which DLL a given service actually loads. Where is that recorded? Windows itself has to know what to load, and it keeps all system and application configuration in the registry, so that is where to look.

Take the Remote Procedure Call (RPC) service as an example of how the svchost process loads a service DLL. In Windows, open the Services console and then the Properties dialog of "Remote Procedure Call (RPC)". The path to the executable is "C:\winnt\system32\svchost -k rpcss": the service relies on svchost.exe, and the "-k rpcss" argument names a service group whose details are stored in the registry. Enter regedit.exe in the Run dialog, press Enter, and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS. Its ImagePath value (type REG_EXPAND_SZ) is "%SystemRoot%\system32\svchost -k rpcss", the same start command shown in the Services console, and its Parameters subkey holds a ServiceDll value of "%SystemRoot%\system32\rpcss.dll". rpcss.dll is the DLL that implements the Remote Procedure Call (RPC) service. When svchost.exe starts with "-k rpcss", it reads the list of services that belong to that group from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and, for each member, loads the DLL named in that service's Parameters\ServiceDll value. This is how the svchost process starts a service from the registry information of the "RPCSS" entry.

The same applies to anything a tester (or an attacker) has set up to start through svchost.exe, such as a Trojan built as a service DLL: its Parameters\ServiceDll value gives away the DLL's path. To see how many services each svchost process hosts, run "tlist -s" at a Command Prompt on Windows 2000; the command comes with the Windows 2000 Support Tools. It shows the same information as the Services console, only in a console window. Tip: on Windows XP, "tasklist /svc" gives the same result.
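The checks described so far (image path and spelling of each svchost process, its parent, and the group and ServiceDll behind every svchost-hosted service) can be run in one go from PowerShell. The script below is an added example and is not code from the original article or from any tool it mentions. It assumes PowerShell 3.0 or later on a host where the Services key and the Svchost group list are readable (on a Windows XP-era host substitute Get-WmiObject for Get-CimInstance); the function names are my own.

```powershell
# Added example, not part of the original article: audit svchost.exe processes and
# svchost-hosted services on a live Windows host. Run from an elevated PowerShell.
# Assumptions: PowerShell 3.0 or later (on a Windows XP-era host replace
# Get-CimInstance with Get-WmiObject); registry keys under Services and Svchost readable.

$System32 = Join-Path $env:SystemRoot 'System32'

function Get-SvchostProcessAudit {
    # Flag processes whose name resembles svchost.exe (svch0st, scvhost, svhost ...),
    # whose image is outside System32, or whose parent is not services.exe. The real
    # svchost.exe is always started by the Service Control Manager (services.exe).
    Get-CimInstance Win32_Process | Where-Object { $_.Name -match '^s[vc]{1,2}h?[o0]st' } | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $issues = @()
        if ($_.Name -ne 'svchost.exe') { $issues += "lookalike name $($_.Name)" }
        if (-not $_.ExecutablePath) { $issues += 'image path not readable (run elevated)' }
        elseif ((Split-Path $_.ExecutablePath -Parent) -ne $System32) { $issues += "image outside System32: $($_.ExecutablePath)" }
        if (-not $parent -or $parent.Name -ne 'services.exe') { $issues += "parent is '$($parent.Name)' (pid $($_.ParentProcessId)), not services.exe" }
        [pscustomobject]@{
            PID         = $_.ProcessId
            CommandLine = $_.CommandLine
            Issues      = $issues -join '; '
        }
    }
}

function Get-SvchostServiceAudit {
    # For every service whose ImagePath is svchost.exe, resolve the -k group and the
    # Parameters\ServiceDll value, then flag what a DLL backdoor typically gets wrong:
    # no ServiceDll, a DLL outside System32, a missing or unsigned DLL, or a service
    # name that is not in its group's list (svchost would not load it at all).
    $groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $name  = $_.PSChildName
        $image = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -notmatch 'svchost(\.exe)?\s+-k\s+(\S+)') { return }
        $group  = $Matches[2]
        $dll    = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $issues = @()
        if (-not $dll) {
            $issues += 'no Parameters\ServiceDll'
        } else {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ((Split-Path $dll -Parent) -ne $System32) { $issues += "DLL outside System32: $dll" }
            if (-not (Test-Path $dll)) { $issues += 'DLL missing on disk' }
            elseif ((Get-AuthenticodeSignature $dll).Status -ne 'Valid') { $issues += 'DLL signature not valid' }
        }
        if ($groups.$group -notcontains $name) { $issues += "'$name' not listed in group $group" }
        [pscustomobject]@{ Service = $name; Group = $group; ServiceDll = $dll; Issues = $issues -join '; ' }
    }
}

# Report only the entries with findings.
Get-SvchostProcessAudit | Where-Object Issues | Format-Table -AutoSize
Get-SvchostServiceAudit | Where-Object Issues | Format-Table -AutoSize
```

Treat the output as leads rather than verdicts: some legitimate third-party services keep their DLL outside System32, and on older Windows versions Microsoft's own DLLs are signed through catalog files, so Get-AuthenticodeSignature may report them as NotSigned. The signature check matters for the opposite reason too: a backdoor that copies the stock pattern exactly (DLL in System32, a service name already in its group) passes every path test, and only the unsigned DLL and a before/after comparison of the registry will give it away.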

Next we will start a Trojan through svchost.exe. I chose PortLess Backdoor v1.2 for the demonstration. It is a backdoor that is started by svchost.exe and normally does not open a port of its own; it can also work with a reverse connection (the same class of backdoor as Xiao Rong's BITS). To find out how it arranges for svchost.exe to start it, we take a snapshot of the registry before running the software. I used Regshot 1.61e5 final and saved the initial snapshot as 1.hiv. Then copy portlessinst.exe and svchostdll.dll (do not rename them) into the system directory (%SystemRoot%\system32).

Next, open a command prompt and install it with "portlessinst.exe -install activestring password". The activestring is the verification string sent after connecting to a port the system already has open, and password is the password you enter when connecting to the backdoor over that port. For example, "portlessinst.exe -install Smiler wind_003" installs the tool. Now look at what changed in the registry: load 1.hiv as the 1st shot in Regshot, take the 2nd shot from the current registry, and click Compare. The comparison result is as follows:

Values added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\portless\fdsnqbtsuni': "tjnkbu"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\portless\wfttphuc: "tofixdo"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Security\Security:
01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1c
00 01 00 00 00 02 80 14 00 FF 01 0f 00 01 01 00 00 00 00 01 00 00 00
00 00 02 00 70 00 04 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00
00 00 05 12 00 00 00 63 00 6f 00 00 00 1C 00 FF 01 0f 00 01 02 00 00
00 00 00 05 20 00 00 00 20 02 00 00 00 6D 00 00 00 00 18 00 8d 01 02
00 01 01 00 00 00 00 05 0b 00 00 20 02 00 00 00 00 1C 00 FD 01
02 00 01 02 00 00 00 00 00 05 20 00 00 23 02 00 00 6D 00 00 00 01
01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Parameters\ServiceDll: "C:\winnt\system32\svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Parameters\Program: "svchostdll.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\ImagePath: "%SystemRoot%\system32\svchost.exe -K netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\DisplayName: "Intranet services"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iprip\ObjectName: "LocalSystem"

Regshot lists the same values a second time under CurrentControlSet. CurrentControlSet is a link to ControlSet001, so these are the same keys seen through a second path, not a second copy of the backdoor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Security\Security: (same binary security descriptor as above)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Parameters\ServiceDll: "C:\winnt\system32\svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Parameters\Program: "svchostdll.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\ImagePath: "%SystemRoot%\system32\svchost.exe -K netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\DisplayName: "Intranet services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iprip\ObjectName: "LocalSystem"

As the comparison shows, PortLess Backdoor v1.2 registers itself as a service named iprip with the start command "%SystemRoot%\system32\svchost.exe -K netsvcs" and a ServiceDll of "C:\winnt\system32\svchostdll.dll". The values tell the whole story: Type 0x20 is a share-process service (one that runs as a DLL inside svchost.exe), Start 2 means automatic start at boot, and ObjectName LocalSystem means the DLL runs with SYSTEM privileges. The choice of name is deliberate: iprip belongs to the legitimate RIP Listener service and is already a member of the netsvcs group on a stock installation (check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs on your own system), which is why the comparison shows no change to the group list and why "svchost.exe -k netsvcs" loads the DLL at the next boot without any further setup. Having found it, removal is straightforward: stop and disable the iprip service, delete the service entry, delete svchostdll.dll, and delete the leftover keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\portless. PortLess is gone in no time, and the same steps clear any backdoor that is loaded through svchost.
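The before/after comparison performed above with Regshot can be reproduced from PowerShell for the keys that matter to svchost persistence (the Services tree and the svchost group list), which is enough to catch a new service, a changed ServiceDll or a new group member. This is an added example, not code from the original article or from Regshot; it assumes PowerShell 3.0 or later in an elevated session, and the snapshot file names and the function names are hypothetical.

```powershell
# Added example, not part of the original article: the same before/after registry
# comparison the article does with Regshot, limited to the keys relevant to svchost
# persistence. Assumptions: PowerShell 3.0 or later, elevated; file names are hypothetical.

function Get-ServicesSnapshot {
    # Flatten every value under the Services key and the svchost group list into one
    # "KEY\Value = data" line each (binary data as hex, REG_EXPAND_SZ left unexpanded),
    # the same shape as a Regshot report, so two snapshots can be compared line by line.
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($root in $roots) {
        # Get-Item adds the root key itself; its own values (the group lists) matter too.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
                '{0}\{1} = {2}' -f $key.Name, $valueName, ($data -join ' ')
            }
        }
    }
}

function Compare-ServicesSnapshot {
    # Lines only in the second snapshot are additions (a new service, a changed
    # ServiceDll, a new group member); lines only in the first were removed or changed.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    Compare-Object -ReferenceObject (Get-Content $Before) -DifferenceObject (Get-Content $After) |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$tag $($_.InputObject)"
        }
}

# Usage (file names are hypothetical):
#   Get-ServicesSnapshot | Set-Content C:\snap\before.txt   # before running the suspect program
#   Get-ServicesSnapshot | Set-Content C:\snap\after.txt    # after it has installed itself
#   Compare-ServicesSnapshot C:\snap\before.txt C:\snap\after.txt |
#       Where-Object { $_ -match 'ImagePath|ServiceDll|Svchost\\' }
```

For the PortLess install shown above the filtered output would contain the iprip ImagePath and ServiceDll lines as ADDED and nothing under the Svchost key, the same picture the Regshot report gives. A changed value shows up as a REMOVED line followed by an ADDED line, which is how a Trojan that swaps the ServiceDll of an existing service (rather than adding a new one) would appear.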
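The removal steps just listed (stop and disable the service, delete its entry, delete the DLL, remove the leftover keys) are collected below in one function, with the two details that trip people up handled explicitly: the DLL stays mapped into the shared svchost.exe until that process exits, and the netsvcs process must not simply be killed because it hosts the other services of the group. This is an added example, not code from the original article or from PortLess; it assumes PowerShell 3.0 or later in an elevated session, reads the DLL path from the registry rather than hard-coding it, and uses a hypothetical C:\quarantine folder for the evidence copy.

```powershell
# Added example, not part of the original article: remove a svchost-hosted backdoor
# once the registry comparison has named its service, such as the iprip entry PortLess
# creates. Assumptions: PowerShell 3.0 or later, elevated; the service name and extra
# keys come from your own comparison; C:\quarantine is a hypothetical folder.

function Remove-SvchostBackdoor {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string[]]$ExtraKeys = @(),               # leftover keys the comparison showed
        [string]$Quarantine = 'C:\quarantine'     # hypothetical evidence folder
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "service '$ServiceName' not found" }
    $image = (Get-ItemProperty $key).ImagePath
    if ($image -notmatch 'svchost(\.exe)?\s+-k\s+(\S+)') { throw "'$ServiceName' is not hosted by svchost.exe: $image" }
    $group = $Matches[2]
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    # 1. Stop the service. Do not kill the svchost.exe process instead: it hosts every
    #    other service of the same group.
    Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # 2. Keep a copy of the DLL for analysis before anything is destroyed.
    if ($dll -and (Test-Path $dll)) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        Copy-Item -Path $dll -Destination (Join-Path $Quarantine (Split-Path $dll -Leaf))
    }

    # 3. Disable (Start=4) and unregister the service. sc.exe delete removes the
    #    Services\<name> key, or marks it for deletion until the last handle closes;
    #    the disabled start type keeps it from coming back if deletion is deferred.
    Set-ItemProperty -Path $key -Name Start -Value 4
    & sc.exe delete $ServiceName | Out-Null

    # 4. Delete the DLL. A DLL still mapped into the running svchost.exe cannot be
    #    deleted, but it can be renamed, which stops it from loading again; delete the
    #    renamed file after a reboot.
    $result = 'no DLL on disk'
    if ($dll -and (Test-Path $dll)) {
        try { Remove-Item -Path $dll -Force -ErrorAction Stop; $result = "deleted $dll" }
        catch {
            Rename-Item -Path $dll -NewName ((Split-Path $dll -Leaf) + '.quarantined')
            $result = "still mapped in svchost.exe; renamed to $dll.quarantined, delete after reboot"
        }
    }

    # 5. Drop the extra keys the backdoor left behind.
    foreach ($extra in $ExtraKeys) { Remove-Item -Path $extra -Recurse -Force -ErrorAction SilentlyContinue }

    # The group list is left untouched on purpose: PortLess reuses the stock name iprip,
    # and removing a stock member from netsvcs would break the service that owns it.
    [pscustomobject]@{ Service = $ServiceName; Group = $group; ServiceDll = $dll; Result = $result }
}

# Usage for the article's example:
#   Remove-SvchostBackdoor -ServiceName iprip -ExtraKeys 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\portless'
```

After a reboot, run the audit again and confirm that no svchost-hosted service still points at the quarantined DLL, then delete the renamed file. If the comparison had shown the backdoor adding its own name to a group list, that entry would have to be removed as well; the function deliberately does not touch the group lists because the PortLess case reuses a name that belongs there.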
The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud. If anything on the page is confusing, write to us by email and we will handle the problem within 5 days of receiving it.