
Is it possible if, per se, you installed an "evil_service", to use svchost to run it? Will it run any service?

0siris



Yes, it's possible, and there are known attacks based on the svchost.exe file/service.

Windows processes are essential for the usual operation of the OS. Some processes require special privileges or resources, which a regular user may not have. This is exactly what malware writers are looking for. The following are processes commonly used by malware (Source: https://blog.checkpoint.com/2016/04/26/how-ransomware-and-malware-use-microsoft-windows-known-binaries/):

svchost.exe – A system process that hosts multiple Windows services in the Windows NT family of operating systems. Svchost is essential in implementing shared service processes, where a number of services can share a process to reduce resource consumption.

explorer.exe – Previously known as Windows Explorer, this is a file manager application, included in releases of the Microsoft Windows OS from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the OS that presents many user interface items on the monitor, such as the taskbar and desktop.

Sdbinst.exe – This process is part of the Microsoft Desktop Optimization Pack (MDOP), which contains Application Virtualization (App-V). MDOP enables the user to make applications available for customers without installing them directly on their computers. App-V transforms applications into centrally managed services that are never installed and do not conflict with other applications.

Sdbinst.exe allows the creator of the application to push updates via .sdb files. The process manages this behavior by serving as middleware between the application and the OS. For this purpose, sdbinst.exe runs code received from the creator with admin privileges.

Further, you may refer to the site below to see how an attacker hides himself behind a legitimate Windows process: https://safe-cyberdefense.com/load-inject-malicious-dll-using-microsoft-tools/

Sayan

Thank you, I appreciate those links you posted as well. They were very informative and definitely help me make sense of the process. – 0siris Jun 22 '18 at 16:16
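Since the answer above explains that a real svchost.exe is a service host started by the Service Control Manager with a `-k <ServiceGroup>` argument, the defender's counterpart is to flag processes that carry the svchost name but break that pattern. The following is an added example, not code from the question, the answer, or the linked posts; the baseline paths, the `-k` heuristic, the look-alike threshold and the sample process records are all assumptions constructed for illustration.

```python
import difflib
import re
from dataclasses import dataclass

# Assumed baseline for a stock Windows install; adjust to the environment.
LEGIT_IMAGE = r"c:\windows\system32\svchost.exe"
SERVICES_EXE = r"c:\windows\system32\services.exe"
KGROUP = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)

@dataclass
class Proc:  # minimal process record, e.g. from a Sysmon event or tasklist
    pid: int
    image: str
    cmdline: str
    parent_image: str

def svchost_findings(proc):
    """Reasons a process that is (or pretends to be) svchost looks anomalous:
    image must be the real System32 binary, parent should be services.exe
    (the SCM starts service hosts), command line should carry -k <group>."""
    name = proc.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name != "svchost.exe":
        if difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            return [f"look-alike process name: {name}"]  # e.g. svch0st.exe
        return []
    findings = []
    if proc.image.lower() != LEGIT_IMAGE:
        findings.append(f"unexpected image path: {proc.image}")
    if proc.parent_image.lower() != SERVICES_EXE:
        findings.append(f"unexpected parent: {proc.parent_image}")
    if not KGROUP.search(proc.cmdline):
        findings.append("no -k <ServiceGroup> argument on the command line")
    return findings

def scan(procs):
    """Map pid -> findings for every process that raised at least one."""
    return {p.pid: f for p in procs if (f := svchost_findings(p))}

# Constructed sample records (not captured from a real host).
SAMPLE = [
    Proc(804, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
    Proc(4412, r"C:\Users\Public\svchost.exe", "svchost.exe", r"C:\Windows\explorer.exe"),
    Proc(5120, r"C:\Windows\System32\svch0st.exe", "svch0st.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

On a real host the same checks apply to records pulled from Sysmon process-creation events or an EDR; legitimate exceptions (some svchost instances started by other system processes) should be added to the baseline rather than ignored.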