Now that some code exist to hide a service directly from the service manager (see this), here's some code to detect many of the other hiding method.

Hidden service detector (hsd) will try to get a service list from five different sources: the startard service manager (EnumServicesStatus), from the registry (RegOpenKey and RegSaveKeyA), by calling EnumServicesStatus from a mapped-view of advapi32.dll and finally by reading directly the ServiceDatabase doubly linked list the memory of services.exe. After getting the lists, hsd will compare them and display any hidden services.



EnumServicesStatus is the stadard way to enumerate the services list, and is usually hooked by rootkits. hsd is able to detect when hxdef is hooking this function because at this time the return value no longer comply with what MSDN says.

RegOpenKey is the standard way to read registry keys, and is usually hooked by rootkits. hsd will tell you if the 'SubKeys' returned by RegQueryInfoKey is really the number of sub keys that can be read in HKLM\SYSTEM\CurrentControlSet\Services. Many rootkit does not hook the latest function, so the real number of subkeys is returned by a call to RegQueryInfoKey but less keys can be accessed if a rootkit is hiding some.

RegSaveKeyA is a way to save a key hive to a file. The format of this file is not officialy documented but I included the headers to be able to read it. This function is not often hooked by rootkits but some codes are avaliable to do so (https://www.rootkit.com/newsread.php?newsid=272 see this> and more recently this). For those who are not sure if they must add such code into thier rootkit, do it, you won't loose your time.

hsd will map a copy of advapi32.dll via MapViewOfFile and call EnumServicesStatus from there. No rootkit that I know is actually fixing the images when it is read from the disk to reflect the memory image, and I really want to see it when one will do! This method is used by IceSword to detect hidden services, I actually took the idea from there so thanks to whoever the idea is from. An alternative way to do almost the same thing would be to read the file via ReadFile instead of mapping it, in one piece or byte per byte, and I believe then it would be really hard to fixup.

Walking the ServiceDatabase is not really easy since it is not exported, but with some determination I managed to find a pretty unique byte pattern to locate it. Any service that is running on the system will be referenced in this list - untill a rootkit unlink it. Unlinked services won't be detected by hsd, so this is why you should do this instead of any lame hooking :)

I could have added much more things in hsd but I think that will do the job until some new, more powerfull rootkits is released :)

Until I can upload it somewhere else, I will host hsd.rar on lycos, sorry for the 4 kb/s speed ;)

EiNSTeiN_

read comments (1) / write comment

recent comments:

'+ ''+ ''+ ''+ ''+ ''; document.write(s); } hsd.rar

i.m.weasel

12.Jan:22:26

views: 5511   printer-friendly version