What can a service do on Windows?

10

What kind of malware/spyware could someone put into a service that doesn't have its own process on Windows? I mean services that use svchost.exe for example, like this:

Could a service spy on my keyboard input? Take screenshots? Send/receive data over the internet? Infect other processes or files? Delete files? Kill processes?

Forivin

Posted 2014-05-20T21:45:39.663

Reputation: 464

5

Anything it's programmed to do. A service could do all the things you mention if it's programmed to do so. – Ramhound – 2014-05-20T22:23:39.593

Answers

18

What is a service?

A service is an application, no more, no less. The advantage is that a service can run without a user session. This allows things like databases, backups, the ability to log in, etc., to run when needed and without a user logged in.

What is svchost?

According to Microsoft: “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can’t launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

So, essentially a service which uses svchost is just calling a .dll and can do pretty much anything with the right credentials and/or permissions.

If I remember correctly, there are viruses and other malware that do hide behind the svchost process, or name the executable svchost.exe to avoid detection.

Keltari

Posted 2014-05-20T21:45:39.663

Reputation: 57 019

1

To take it one step further, if you use Process Explorer and you hover over the svchost instance it will tell you what services it is hosting.

– Scott Chamberlain – 2014-05-21T05:07:33.387

@ScottChamberlain You can also just right click and Go to Service(s) in the built-in task manager on any recent version of Windows (Vista+). – Bob – 2014-05-21T12:22:09.787

1

The Windows 8 Task Manager makes it even easier: http://250kb.de/u/140522/p/ZFP0uJMz2yVJ.png

– Forivin – 2014-05-22T18:28:47.140

@Forivin I'm curious how you managed to get a PNG to load in an upwards direction. And how you managed to get that to 1.5 MB - a PNG of mostly flat colours like that should be a couple hundred kB, max. – Bob – 2014-06-15T09:29:18.107

@Bob You're actually not the first one to ask me that. :p
I'm too lazy to find out why, but I created this screenshot by using AltGr+Print (loads a bitmap screenshot of the current window in the clipboard) and then pasted into an empty png file using Paint, so it's likely that it still is a bitmap (with a wrong extension). That would explain the size and maybe also the upwards loading. ;)
– Forivin – 2014-06-18T12:45:25.597

If you really wanna know, open the file with a notepad and check the first 4 bytes, if they are not ‰PNG, then it's not a png. – Forivin – 2014-06-18T12:50:57.173

1

One of the easiest ways to determine what processes are running under svchost is to use:

Tweaking.com - svchost.exe Lookup Tool V1.5.0

http://www.tweaking.com/content/page/tweaking_com_svchost_exe_lookup_tool.html

Works well.

Wayne De Rick

Posted 2014-05-20T21:45:39.663

Reputation: 11
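The lookup that the answers above do with Process Explorer, Task Manager or a third-party tool can also be scripted. The following is an added example, not code from any of the posts: it maps each running svchost.exe instance to the services it hosts and the DLL each service loads, and marks the two cases mentioned above (a process merely named svchost.exe, or one running from an unexpected path) for review. It assumes an elevated PowerShell 3.0+ prompt and the standard `Win32_Process`/`Win32_Service` CIM classes and `Parameters\ServiceDll` registry value; the variable names are illustrative.

```powershell
# Added example: inventory of svchost.exe instances, hosted services and service DLLs.
# Run elevated; without elevation ExecutablePath is empty for some processes
# and those rows will show HostPathOK = False.
$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$svcRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Index every process named svchost.exe by PID.
$hosts = @{}
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { $hosts[[int]$_.ProcessId] = $_ }

$seen = @{}   # PIDs that host at least one running service
$report = foreach ($svc in Get-CimInstance Win32_Service -Filter "State = 'Running'") {
    $proc = $hosts[[int]$svc.ProcessId]
    if (-not $proc) { continue }          # service runs in its own .exe
    $seen[[int]$svc.ProcessId] = $true

    # svchost-hosted services name their DLL in Parameters\ServiceDll
    # (REG_EXPAND_SZ; the registry provider expands %SystemRoot% for us).
    $dll = (Get-ItemProperty -Path "$svcRoot\$($svc.Name)\Parameters" `
                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

    [pscustomobject]@{
        PID        = $svc.ProcessId
        Service    = $svc.Name
        Account    = $svc.StartName       # credentials the service runs with
        ServiceDll = $dll
        HostPathOK = ($proc.ExecutablePath -ieq $expectedHost)
        DllInWinDir = [bool]($dll -and
            $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase))
    }
}
$report | Sort-Object PID, Service | Format-Table -AutoSize

# Processes called svchost.exe that host no running service at all.
$orphans = $hosts.Values | Where-Object { -not $seen[[int]$_.ProcessId] }
$orphans | Select-Object ProcessId, ExecutablePath, CommandLine | Format-List

# Rows worth a closer look. Third-party services can legitimately load a DLL
# from outside the Windows directory, so this is a review list, not a verdict.
$report | Where-Object { -not $_.HostPathOK -or -not $_.DllInWinDir } |
    Format-Table -AutoSize
```

The `Account` column shows why the hosting process matters less than the identity: a service DLL running as LocalSystem can do far more than one running as LocalService.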