Wednesday, October 23, 2013

Daily Blog #122: Question regarding Persistence via Svchost

Hello Reader,
              Harlan Carvey had a question from this week's answer:
"I have a question about the description of the SvcHost key, particularly when compared to what's listed here:

I'm not sure that the SvcHost is, in itself, a persistence mechanism, as without the service existing beneath the Services key, the entry is just a placeholder."

The description in the winning entry for this key was:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
This registry key contains a list of processes that should be run as services under the svchost.exe program.  These will be automatically loaded by the operating system so this is a prime target for malware executables."

The description from the MSDN documentation states:
"The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

From looking at the key on my system, it would appear that the service is added to a group that is stored as a key value under Svchost. What I don't know, and what I want to test, is whether you can add an item to the grouping list without also defining it as a service separately, or whether it will execute whatever is named that in the local path. I will test this and let you know tomorrow!
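A defender-side check for the question above, as an added example that is not part of the original post: it walks the Svchost key on a live system and reports every group member that has no matching Services subkey (a placeholder, in Harlan's sense) or no Parameters\ServiceDLL value. The function name and output fields are my own; the registry paths are the ones quoted on this page.

```powershell
# Added example (not from the original post). Cross-checks each service name
# listed in an Svchost group against the Services key so an analyst can see
# which group entries are backed by a real service definition and which are not.
function Get-SvchostGroupAudit {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    $groups = Get-Item -Path $svchostKey
    foreach ($group in $groups.GetValueNames()) {
        # Only REG_MULTI_SZ values are service groups; skip anything else.
        if ($groups.GetValueKind($group) -ne 'MultiString') { continue }

        foreach ($svc in $groups.GetValue($group)) {
            if ([string]::IsNullOrWhiteSpace($svc)) { continue }

            $svcPath = Join-Path $servicesKey $svc
            $dll     = $null
            $status  = 'ok'

            if (-not (Test-Path -Path $svcPath)) {
                # Named in the group but no service definition exists.
                $status = 'no Services subkey (placeholder)'
            } else {
                $params = Get-ItemProperty -Path (Join-Path $svcPath 'Parameters') -ErrorAction SilentlyContinue
                $dll = $params.ServiceDLL
                if (-not $dll) {
                    $status = 'no Parameters\ServiceDLL'
                } elseif (-not (Test-Path -Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
                    # Service is defined but its DLL is not where the registry says.
                    $status = 'ServiceDLL path missing on disk'
                }
            }

            [pscustomobject]@{
                Group      = $group
                Service    = $svc
                ServiceDLL = $dll
                Status     = $status
            }
        }
    }
}

# Show only the entries that deserve a closer look during triage.
Get-SvchostGroupAudit | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

Run it from an elevated prompt so every Services subkey is readable; an empty result means every group member resolves to a defined service with a ServiceDLL present on disk.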