
Hidden Service Detector

Author: EiNSTeiN_  EiNSTeiN@g3nius.org
Created: Between September 2005 and January 2006

Hidden service detector (hsd) will try to get a service list from five different sources: the standard service manager API (EnumServicesStatus), the registry (RegOpenKey and RegSaveKeyA), a call to EnumServicesStatus made from a mapped view of advapi32.dll, and finally a direct read of the ServiceDatabase doubly-linked list in the memory of services.exe. After getting the lists, hsd will compare them and display any hidden services.

1. A call to EnumServicesStatus is the standard way to get a list of services, so this function is commonly hooked by rootkits to hide services. Additionally, hsd is able to detect if hxdef is hooking this function, because this particular rootkit changes the return value of the function in a way that does not comply with the MSDN specification. Note that the author of hxdef was contacted about this misbehavior, so more recent versions of hxdef may have fixed it.

2. The function RegOpenKey is the standard way to read registry keys, and may be hooked by rootkits to hide any service entry under HKLM\SYSTEM\CurrentControlSet\Services. Hsd will open this registry key and retrieve a list of services. Additionally, hsd is able to detect whether the 'SubKeys' field returned by RegQueryInfoKey is really the number of keys that can be read in HKLM\SYSTEM\CurrentControlSet\Services. Rootkits usually do not hook RegQueryInfoKey, so this function may return the real number of keys in the registry whereas enumerating the keys will not show the hidden ones; the difference gives the number of hidden keys.

3. Calling RegSaveKeyA is a way to save a registry hive to a file. The format of this file is not officially documented, but headers are included with hsd to be able to interpret it. Hsd will save the contents of HKLM\SYSTEM\CurrentControlSet\Services to a file, then parse the file to retrieve a list of services.

4. Hsd will map a copy of advapi32.dll via a call to MapViewOfFile and will call EnumServicesStatus from the mapped copy. No rootkit known at the time of this writing actually patches the image of an executable when it is read from disk to match the hooked in-memory image, so hsd can call the function directly from the mapped view to avoid potential inline hooking. This method is used by IceSword to detect hidden services; the idea was taken from it.

5. Hsd will read the ServiceDatabase to retrieve a list of services; this is usually the most reliable list of services. The ServiceDatabase is a doubly-linked list located in the memory of services.exe; it contains information on all services installed on the system. Walking the ServiceDatabase is not really easy since it is not exported, but it can be found by searching for a unique byte pattern. Any service that is running on the system will be referenced in this list unless a rootkit unlinks it, in which case hsd will not detect it.
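The following PowerShell script is an added example, not part of hsd, that reproduces the cross-check behind methods 1 and 2 on a live host: the SCM API list against the registry list, plus the RegQueryInfoKey subkey count against what enumeration actually returns. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; since the Services key also holds kernel drivers, registry entries are filtered to SERVICE_WIN32 types (Type bits 0x10/0x20) so the two lists are comparable.

```powershell
# Added example (not hsd's own code). Assumes an elevated PowerShell session on Windows.
$svcPath = 'SYSTEM\CurrentControlSet\Services'

# Method 1: the service control manager API (Get-Service wraps EnumServicesStatus*).
$fromApi = @(Get-Service | Select-Object -ExpandProperty Name)

# Method 2: the registry. Open the key once so both checks use the same handle.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($svcPath)
$reported   = $key.SubKeyCount          # RegQueryInfoKey: subkey count the kernel reports
$enumerated = @($key.GetSubKeyNames())  # RegEnumKeyEx: names an enumerating caller gets back

# Keep only Win32 services (not drivers) so the registry list matches the API's scope.
$fromReg = @(foreach ($name in $enumerated) {
    $sub = $key.OpenSubKey($name)
    if ($null -eq $sub) { continue }
    $type = $sub.GetValue('Type')
    $sub.Close()
    if ($null -ne $type -and (([int]$type) -band 0x30) -ne 0) { $name }
})
$key.Close()

# Check A: reported subkey count versus what enumeration yielded (hsd's hidden-key count).
$hiddenKeys = $reported - $enumerated.Count
if ($hiddenKeys -gt 0) {
    Write-Warning "$hiddenKeys subkey(s) under HKLM\$svcPath are reported but not enumerable"
}

# Check B: services present in one source but missing from the other.
$cmp = @(Compare-Object -ReferenceObject $fromApi -DifferenceObject $fromReg)
foreach ($d in $cmp) {
    if ($d.SideIndicator -eq '=>') {
        Write-Warning "In registry but not returned by the SCM API: $($d.InputObject)"
    } else {
        Write-Warning "Returned by the SCM API but not in the registry: $($d.InputObject)"
    }
}
if ($cmp.Count -eq 0 -and $hiddenKeys -le 0) {
    'No discrepancies between the SCM API and the registry.'
}
```

Legitimate differences (a malformed entry the SCM refuses to load, or a service installed since the SCM last read the key) also appear here, so treat the output as leads to triage against hsd's other sources rather than as verdicts.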

2007-2011, g3nius.org | support at g3nius dot org