OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: April 1, 2011 13:50 CDT by charlie .

Hi all,
I was investigating a malware , it injects into svchost.exe but i'm not able to find which svchost.exe its injecting into as the machine has several svchost threads.
I'm using sys internal process explorer , but i can only search on dllname and handle, which i wouldn't be knowing in this case.
Any other tools,tricks or easy ways to do this ?

thanks in advance
Charlie

prot0man		April 2, 2011 13:29.53 CDT
Assuming it's not injecting code to run a DLL (which would make this easy since you can look at the loaded dll's for each process using sysinternals), you have two options (that I know of): 1) When you're running this malware in a debugger, set a breakpoint near OpenProcess--this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. 2) Use a tool that facilitates searching process memory or debugger (like windbg) to scan each instance of svchost for a sequence of bytes that are being injected.

computergeek01		April 11, 2011 15:30.49 CDT
Forgive me if this is a bonehead statement, I'm new to this forum and don't really know how things are around here. I wanted to point out to the OP that svchost.exe is, as the name implies, a host for services. "Injecting" into svchost is as simple as "svchost.exe -progsvc". This argument can be seen under properties in Process Explorer -> Image Tab -> Command Line. Finding malware starts with getting some piece of information to work off of, this could be an .exe that crashed, a dll that failed to load, a file that your AV scanner spotted etc ad infinum. Depending on what that piece of information is, you may be headed in the wrong direction right from the start. So the question is what do you have to work off of? EDIT: prot0mans points are all valid by the way, so don't discount his post.

charlie		April 13, 2011 14:05.36 CDT
my work is to kill malware thread or process in memory while it is injected in svchost, while keeping the svchost as it is. Thats my final goal . To begin with i need to find out how easy is to find the injected process manually.

palaniyappan		April 19, 2011 07:05.12 CDT
You can use process explorer to simply view the list of dlls loaded into the address space of a particular process's address space.. You can also use process explorer to view the process into which the code was being injected by looking at the handles provided the injecting process must live in memory for some time with out closing the handle of the process which it opened for injection.

tnagareshwar		April 19, 2011 13:14.30 CDT
You can use SpyDllRemover which makes it easy to detect such DLLs ! http://securityxploded.com/spydllremover.php

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit