RE FORUM

[REVERSE ENGINEERING] => General Discussion => Topic started by: Z!L0G80 on February 09, 2015, 07:47:18 PM

Title: malware register as service
Post by: Z!L0G80 on February 09, 2015, 07:47:18 PM

cau mam tu takovou sracku(TrojLydra-U) co se registruje jako service
 [MACHINE\SYSTEM\CurrentControlSet\Services\msorcvp]
  "DependOnGroup" = ""
  "DependOnService" = "RpcSs"
  "Description" = "This service manages TCP/IP packets at Internet"
  "DisplayName" = "TCPIP route manager"
  "Group" = "PlugPlay"
  "ObjectName" = "LocalSystem"
  "ImagePath" = "c:\windows\msorcvp.exe"
  "ErrorControl" = 0x00000001 (1)
  "PlugPlayServiceType" = 0x00000003 (3)
  "Start" = 0x00000002 (2)
  "Type" = 0x00000120 (288)

a zajimalo byme kcemu slouzi to "PlugPlayServiceType" = 0x00000003 (3) jestli to ma nejaky ucel a kcemu se to da vyuzit ?
jinak tenhle servicetype v systemu ma pouze eventlog ,ze by nejaka forma pluginuu ??
googlim a nic :/
tak trebe jesli nekdo nevi nebo odkazy :)

Title: Re: malware register as service
Post by: pr0p4g4nd4 on February 13, 2015, 12:17:57 PM

to co hladas sa nikde nevyskytuje, ziadny popis, skratka nic. jedine miesto kde som take nieco nasiel, bolo vo "WindowsResearchKernel-WRK" (v casti "WindowsResearchKernel-WRK\WRK-v1.2\public\internal\base\inc\pnpmgr.h") - bohuzial neviem odkial to mam, takze neviem ani, ze ci neexistuje nejaka rozsirena verzia toho, kde by mozno nejaky popis bol.

Title: Re: malware register as service
Post by: Z!L0G80 on February 14, 2015, 01:03:31 PM

jo wrk sem nasel tez ,takze asi tak bud jeto nanic nebo to slouzi ktomu aby sluzba bezela jako sitova tj. v me pripadne umoznuje enumovat network resources a scanuje lan shares