Monday, March 05, 2007

Getting service information during IR

During his BlackHat DC presentation last week, Kevin Mandia said that the persistence method used by many malware authors seems to have shifted to Windows Services. During the presentation, he mentioned using psservice.exe from MS/SysInternals to get information about the services on a system, and said that psservice.exe doesn't show the executable image used by the service, and that you'd have to get that information from the Registry.

Well, maybe not. Kevin's a really bright guy, and very busy. There are ways to get the executable image path...using WMI for example. Writing a quick Perl script (and then compiling using Perl2Exe so that it can be used easily with the FRUC/FSP), one can get the following:

Name : wltrysvc
Display : Dell Wireless WLAN Tray Service
Start : LocalSystem
Desc : Provides automatic configuration for the 802.11 adapter using the Broadcom supplicant.
PID : 716
Path : C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe
Mode : Auto
State : Running
Status : OK
Type : Own Process

Pretty cool, eh? Path the executable image, PID, start mode and state. Of course, CSV output is easier to parse...and yes, this program does come included on the DVD accompanying my book.

3 comments:

leadZERO said...

You should take a look at the "sc" (Service Control) utility included with every version of Windows based on Windows NT.

List all active services: sc query
List service configuration (including image path): sc qc
List all services and drivers: sc query state= all

H. Carvey said...

Ryan,

Thanks for the comment.

I'm on XP SP2 and running the commands you provided:

sc query - no path information; pretty much the same thing as psservice.exe

sc qc - returns path information, but you must enter a service name; you'd have to enumerate a list of services first, and then iterate through each one with the "sc qc name" command; also, the results do not include a PI

sc query state= all - no path information

Sc.exe is indeed a useful tool, but keep in mind that most IR occurs under duress, so making the information collection (and analysis) process as easy as possible is also desirable.

hogfly said...

Harlan,
Will your script get the command line options of the process?

i.e, nc -l -p 3000