
Hidden Service Detector

Two tests should be enough to detect whether a rootkit has infected a system:

> hsd.exe -cmi
> hsd.exe -gs

You should not mix registry-related detection (the -g and -s methods, the -gs switch) with service manager-related detection (the -c, -m and -i methods, the -cmi switch): registry-related detection will always retrieve some service entries that the service manager seems to ignore, and comparing the two families would report those entries as hidden. To avoid such false positives, limit your tests to the two commands above.

Here's the console output:
C:\>hsd

Hidden Services Detector
	Coded by EiNSTeiN_

  usage: hsd -a -cgsmi -qv -wd

	-q: Quiet, display infos only about hidden things
	-v: Verbose, print extended infomation when scanning
		NOTE: Both quiet and verbose switches can't be set at the same time

	-a: Scan for hidden services with [a]ll possible method

	-c: Get services from the servi[c]e manager
	-g: Get services from the re[g]istry
	-s: Get services with Reg[S]aveKey() method
	-m: Get services with [M]apViewOfFile() method
	-i: Get services from serv[i]ces.exe memory

	-f: Display [f]ull services list
		NOTE: Hidden service and device driver are always displayed

Service Manager:
  Get the service list from a standard call to EnumServicesStatus.

Registry:
  Get the service list by reading HKLM\SYSTEM\CurrentControlSet\Services
  in the registry.

RegSaveKey:
  Get the service list by dumping the HKLM\SYSTEM\CurrentControlSet\Services
  hive to a file with a call to RegSaveKeyA.

MapViewOfFile:
  Get the service list by calling EnumServicesStatus from a mapped view of
  advapi32.dll

Services.exe's list:
  List services by reading the internal list of services in services.exe.

C:\>
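The cross-view comparison behind the two recommended runs, and the reason the usage text tells you not to mix the -gs and -cmi families, can be modelled with plain set differences. The following is an added example and not hsd's own code: the service names and the five per-method snapshots are constructed, and they assume a rootkit that filters its own entry from the API-based views (the service manager call and the registry walk) but not from the lower-level views (the fresh advapi32 mapping, the services.exe list and the raw RegSaveKey hive dump). Within each family, a name seen by a deeper view but missing from the family's baseline is reported as hidden; comparing registry views against the service manager baseline additionally reports the registry-only leftover entry, which is the false positive the text warns about.

```python
"""Cross-view service comparison modelled on hsd's -cmi / -gs grouping.

All names below are constructed sample data, not output of hsd.exe.
"""
from typing import Dict, List, Set, Tuple

# One snapshot per collection method. Key prefix = hsd switch letter.
# "EvilSvc" models a rootkit service hidden from the two API-based views;
# "OldDriverStub" models a registry key the service manager ignores.
SNAPSHOTS: Dict[str, Set[str]] = {
    # -c: EnumServicesStatus from the scanner's own process (hooked)
    "c_service_manager": {"Dhcp", "EventLog", "LanmanServer", "Spooler"},
    # -m: EnumServicesStatus from a freshly mapped advapi32.dll (bypasses inline hooks)
    "m_mapviewoffile": {"Dhcp", "EventLog", "LanmanServer", "Spooler", "EvilSvc"},
    # -i: the internal list inside services.exe
    "i_services_exe": {"Dhcp", "EventLog", "LanmanServer", "Spooler", "EvilSvc"},
    # -g: registry walk of ...\Services through the registry API (hooked)
    "g_registry": {"Dhcp", "EventLog", "LanmanServer", "Spooler", "OldDriverStub"},
    # -s: raw hive dump via RegSaveKeyA, then parsed
    "s_regsavekey": {"Dhcp", "EventLog", "LanmanServer", "Spooler", "OldDriverStub", "EvilSvc"},
}

# The two families from the usage text: (baseline view, deeper views to compare against it).
GROUPS: Dict[str, Tuple[str, List[str]]] = {
    "cmi": ("c_service_manager", ["m_mapviewoffile", "i_services_exe"]),
    "gs": ("g_registry", ["s_regsavekey"]),
}


def hidden_in_group(snapshots: Dict[str, Set[str]], baseline: str,
                    deeper_views: List[str]) -> Dict[str, List[str]]:
    """Names present in a deeper view but absent from the baseline view.

    Returns {service_name: [views that saw it]} so a hit seen by every
    deeper view stands out from one seen by a single view.
    """
    base = snapshots[baseline]
    found: Dict[str, List[str]] = {}
    for view in deeper_views:
        for name in sorted(snapshots[view] - base):
            found.setdefault(name, []).append(view)
    return found


def scan(snapshots: Dict[str, Set[str]],
         groups: Dict[str, Tuple[str, List[str]]]) -> Dict[str, Dict[str, List[str]]]:
    """Run each family separately, as 'hsd -cmi' and 'hsd -gs' do."""
    return {
        group: hidden_in_group(snapshots, baseline, deeper)
        for group, (baseline, deeper) in groups.items()
    }


def mixed_comparison(snapshots: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare the registry views against the service manager baseline.

    This is the mix the usage text advises against: the registry-only
    entry shows up next to the genuinely hidden service.
    """
    return hidden_in_group(snapshots, "c_service_manager", ["g_registry", "s_regsavekey"])


if __name__ == "__main__":
    for group, hits in scan(SNAPSHOTS, GROUPS).items():
        print(f"-{group}: {hits}")
    print(f"mixed:  {mixed_comparison(SNAPSHOTS)}")
```

Within each family only EvilSvc is reported, in both cases; the mixed comparison reports OldDriverStub as well, although it is simply a registry key that the service manager never loaded.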
2007-2011, g3nius.org | support at g3nius dot org