Hidden Service Detector
Two tests should be enough to detect whether a rootkit has infected a system:
> hsd.exe -cmi
> hsd.exe -gs
Do not mix registry-related detection (the -gs switches) with service-manager-related detection (the -cmi switches). The registry always contains some service entries that the service manager does not report, so comparing the two sources directly produces false positives. To avoid them, limit your tests to the two commands above.
Here's the console output:
Hidden Services Detector
Coded by EiNSTeiN_
usage: hsd -a -cgsmi -qv -wd
-q: Quiet, display infos only about hidden things
-v: Verbose, print extended infomation when scanning
NOTE: Both quiet and verbose switches can't be set at the same time
-a: Scan for hidden services with [a]ll possible method
-c: Get services from the servi[c]e manager
-g: Get services from the re[g]istry
-s: Get services with Reg[S]aveKey() method
-m: Get services with [M]apViewOfFile() method
-i: Get services from serv[i]ces.exe memory
-f: Display [f]ull services list
NOTE: Hidden service and device driver are always displayed
-c: Get the service list from a standard call to EnumServicesStatus.
-g: Get the service list by reading HKLM\SYSTEM\CurrentControlSet\Services in the registry.
-s: Get the service list by dumping the HKLM\SYSTEM\CurrentControlSet\Services hive to a file with a call to RegSaveKeyA.
-m: Get the service list by calling EnumServicesStatus from a mapped view of
-i: List services by reading the internal list of services in services.exe.
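The detection logic behind these switches is a cross-view comparison: each method enumerates the same services through a different path, and a name that one path reports but another path misses is a candidate for something deliberately hidden. The Python below is an added example, not hsd's own code, that models this comparison over constructed snapshots; every service name, the hypothetical hidden service "evilsvc" and the "OrphanKey" entries are made up for illustration. It runs the -cmi and -gs groups separately, as the usage text recommends, and also shows why comparing -g directly against -c is misleading.

```python
"""Cross-view comparison of Windows service lists, modelled on the way hsd
pairs its -cmi and -gs tests.  Added example, not hsd's own code.  Every
service name and snapshot below is constructed for illustration."""
from __future__ import annotations

# Constructed snapshots: the service names each enumeration method returned.
# "evilsvc" stands for a service that a hypothetical rootkit hides from the
# standard service-manager and registry-enumeration paths.  "OrphanKey1/2"
# stand for registry keys under Services that the service manager never
# reports, which is what makes a registry-vs-service-manager comparison noisy.
BASELINE = {"Dnscache", "EventLog", "Spooler", "wuauserv"}
SNAPSHOTS: dict[str, set[str]] = {
    "c": set(BASELINE),                                       # EnumServicesStatus
    "m": BASELINE | {"evilsvc"},                              # MapViewOfFile path
    "i": BASELINE | {"evilsvc"},                              # services.exe memory
    "g": BASELINE | {"OrphanKey1", "OrphanKey2"},             # registry enumeration
    "s": BASELINE | {"evilsvc", "OrphanKey1", "OrphanKey2"},  # RegSaveKey hive dump
}

# The two switch groups the usage text says are safe to combine.
RECOMMENDED_TESTS = {"cmi": ("c", "m", "i"), "gs": ("g", "s")}


def cross_view_diff(views: dict[str, set[str]]) -> dict[str, list[str]]:
    """Flag every service that at least one method reported but another missed.

    Returns {service_name: [methods that did not report it]}, so a rootkit
    hooking one enumeration path shows up as a name missing from that path.
    """
    union: set[str] = set().union(*views.values())
    findings: dict[str, list[str]] = {}
    for name in sorted(union):
        missing = sorted(m for m, names in views.items() if name not in names)
        if missing:
            findings[name] = missing
    return findings


def run_recommended_tests(snapshots: dict[str, set[str]]) -> dict[str, dict[str, list[str]]]:
    """Run the -cmi and -gs comparisons separately, as the page recommends."""
    return {
        label: cross_view_diff({m: snapshots[m] for m in methods})
        for label, methods in RECOMMENDED_TESTS.items()
    }


def run_mixed_test(snapshots: dict[str, set[str]], methods=("c", "g")) -> dict[str, list[str]]:
    """Compare registry enumeration directly against the service manager.

    This is the combination the page warns against: the extra registry keys
    are flagged although nothing hides them, and the genuinely hidden service
    is not flagged at all because both of these paths miss it.
    """
    return cross_view_diff({m: snapshots[m] for m in methods})


if __name__ == "__main__":
    for label, findings in run_recommended_tests(SNAPSHOTS).items():
        print(f"-{label}: hidden = {findings}")
    print(f"-cg (not recommended): flagged = {run_mixed_test(SNAPSHOTS)}")
```

With the constructed snapshots, the -cmi group flags "evilsvc" as missing from the service-manager view and the -gs group flags it as missing from registry enumeration, while the mixed -cg comparison flags only the two orphan registry keys and misses the hidden service entirely. The same function works for real output if you feed it the per-method name sets; the value is in the pairing, not in any single method.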