The function of the SVCHOST.EXE process and related knowledge (repost)

xiaoxiao2021-03-06  21

SVCHOST.EXE process features and related knowledge (Document category: C) 2004-10-8

Svchost.exe is a very important process in the NT-kernel family of Windows operating systems. Many viruses and Trojans that stay resident in a system are closely tied to this process, so understanding it in depth is necessary. This article mainly introduces the function of the SVCHOST process and the knowledge related to it.

SVCHOST Process Overview

Microsoft's definition of the SVCHOST process is: svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The SVCHOST.EXE file is located in the "%SystemRoot%\System32" folder. When the system starts, SVCHOST checks the services section of the registry to build the list of services it needs to load.

Multiple instances of SVCHOST can run at the same time. Each SVCHOST session can contain a group of services, so that different services run in different instances depending on the start-up mode and location of the SVCHOST group; this gives better control and makes debugging more convenient.

The SVCHOST groups are identified by the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]. Each value under this key represents a separate SVCHOST group, which appears as a separate instance when we view the running processes. The values here are of type REG_MULTI_SZ, and each one contains the names of the services included in that SVCHOST group (as shown in Figure 1).

Figure 1 SVCHOST in the registry

In fact, SVCHOST is only a host; it does not implement any function itself. To have SVCHOST start a service that is implemented as a DLL, the service's loader entry is pointed at SVCHOST, and SVCHOST calls the service's DLL when the service is started. Which DLL file a SVCHOST-hosted service uses is determined by parameters in the registry: under the registry key of the service to be started there is a "Parameters" subkey, whose "ServiceDll" value names the DLL file responsible for that service. This DLL file must export a ServiceMain() function that handles the service's tasks.

Tip: Different versions of Windows have different numbers of SVCHOST processes. In general, Windows 2000 has two SVCHOST processes, while Windows XP has four or more.

SVCHOST Process Instance Explained

To view the list of services running inside SVCHOST, enter the "tasklist /svc" command in the Windows XP command prompt window and press Enter (on Windows 2000, use the TLIST tool provided by the Support Tools; the command is "tlist -s"). The tasklist command displays the list of active processes, and the /svc switch lists the services hosted in each process. As the figure shows, the SVCHOST process starts many system services, such as RPCSS (Remote Procedure Call), DHCP (DHCP Client) and Netman (Network Connections) (Figure 2).

Figure 2 Service list of SVCHOST

Here we use the RPCSS service as an example to understand the relationship between the SVCHOST process and services in detail. Run regedit to open the Registry Editor and select the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS] branch. Its "Parameters" subkey contains a value named "ServiceDll" whose data is "%SystemRoot%\System32\rpcss.dll". This indicates that the rpcss.dll dynamic-link library in the "%SystemRoot%\System32" directory is called when the system starts the RPCSS service. Next, open Administrative Tools → Services from the Control Panel to open the service console. Double-click the "Remote Procedure Call (RPC)" service in the right pane to open its Properties dialog; there you can see that the path of the RPCSS service is "C:\Windows\System32\svchost -k rpcss". This shows that the RPCSS service is started by SVCHOST, and "-k rpcss" means that the service belongs to the rpcss service group of SVCHOST.

SVCHOST Trojan Analysis

From the previous introduction we already know that the registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] holds the SVCHOST groups and the many services started within them. Many Trojans and viruses use exactly this to get loaded automatically. Their usual methods are:

· Add a new group, and add a service name to that group;
· Add a service name to an existing group, or reuse a service listed in an existing group that is not installed;
· Modify a service in an existing group, pointing its ServiceDll to the attacker's own DLL file.

For example, PortLess Backdoor is a typical backdoor tool that is loaded through the SVCHOST process. So how do we detect and remove Trojans and viruses like PortLess Backdoor? Taking Windows XP as an example, we can first use a process tool such as "Process Spy" to view the module information of the SVCHOST process (Figure 3). Comparing it with the previous module information, a suspicious DLL file, "SVCHOSTDLL.DLL", appears in the SVCHOST process. At the same time, a new service, "Intranet Services", appears in the Administrative Tools → Services list. Its service name is iPrip, it is started by svchost, and "-k netsvcs" means that the service belongs to the netsvcs service group.

Tip: In Windows 2000, the system's own IPRIP service listens for route update information sent by routers using Routing Information Protocol version 1 (RIPv1), and it appears in the service list under the name "RIP Listener".
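The registry checks walked through above for RPCSS, applied to every SVCHOST group as a defender's audit, as an added example that is not part of the original article. It assumes a current Windows host with PowerShell and read access to HKLM; the key layout is the one the article describes, and the "outside System32" test is a heuristic to review by hand, since some legitimate third-party services keep their ServiceDll elsewhere.

```powershell
# Added example: audit SVCHOST groups for the three hijack patterns described above.
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sys32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

$groups = Get-Item $groupKey
# Pattern 1 (new group added): print the group list so it can be diffed against a
# known-good export taken from a clean machine of the same Windows version.
"Groups present: " + (($groups.GetValueNames() | Sort-Object) -join ', ')

foreach ($group in $groups.GetValueNames()) {
    $members = $groups.GetValue($group)          # REG_MULTI_SZ -> string[]
    if ($members -isnot [string[]]) { continue }  # not a service-name list, skip
    foreach ($svc in $members) {
        $svcKey = Join-Path $svcRoot $svc
        if (-not (Test-Path $svcKey)) {
            # Pattern 2: a name listed in the group with no installed service is a
            # free slot a dropper can register a service under.
            "[$group] $svc : listed in group but not installed (free slot)"
            continue
        }
        $image = [string](Get-ItemProperty $svcKey).ImagePath
        # A genuine hosted service is started as 'svchost.exe -k <group>', and the
        # group named on the command line should be the group that lists it.
        if ($image -match '(?i)svchost\.exe\s+-k\s+(\S+)') {
            if ($matches[1] -ine $group) {
                "[$group] $svc : ImagePath names group '$($matches[1])' instead of '$group'"
            }
        } else {
            "[$group] $svc : ImagePath is not svchost ($image)"
            continue
        }
        $paramKey = Join-Path $svcKey 'Parameters'
        $dll = ''
        if (Test-Path $paramKey) { $dll = [string](Get-ItemProperty $paramKey).ServiceDll }
        if (-not $dll) { "[$group] $svc : no ServiceDll under Parameters"; continue }
        # Pattern 3: ServiceDll redirected to a DLL outside %SystemRoot%\System32
        # (e.g. the SVCHOSTDLL.DLL case described above); review such entries by hand.
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).ToLowerInvariant()
        if (-not $expanded.StartsWith($sys32)) {
            "[$group] $svc : ServiceDll outside System32 -> $dll"
        }
    }
}
```

Run it from an elevated prompt on a known-clean machine first and keep that output as the baseline; later runs are compared against it rather than read in isolation.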

Please cite the original URL when reposting: https://www.9cbs.com/read-39648.html
