Saved Bookmarks
Solve : Find_Suspicious_SVCHOST_Paths.bat?
Answer» Hi

```batch
REM First release on 01/03/2017 04:45
REM Updated on 07/03/2017 04:05
Set "ProcessName=SVCHOST"
Set "Tmp_Services=%Tmp%\%~n0.txt"
If Exist "%Tmp_Services%" Del "%Tmp_Services%"
Set "ProcessLog=%Tmp%\%ProcessName%.log"
If Exist "%ProcessLog%" Del "%ProcessLog%"
Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
REM The only image path treated as legitimate; every other path is reported as suspicious
Set "Legit_Location=%windir%\system32\svchost.exe"
Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
If Exist "%LogFile%" Del "%LogFile%"
Set /A Counter=0
setlocal enableDelayedExpansion
REM Enumerate the command line of every process whose name contains SVCHOST.
REM With the default "tokens=1" only the first space-delimited token (the image
REM path, as long as it contains no spaces) is kept; the inner FOR strips the
REM trailing CR that WMIC appends to each line.
for /F "skip=1" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
    for /F "delims=" %%b in ("%%a") do (
        Color 0A
        set /A Counter+=1
        set "p=%%b"
        REM Echo to the console only the instances whose command line contains the legitimate path
        for /f %%f in ('echo !p! ^|Findstr /LI "%Legit_Location%"') do (
            echo [!Counter!] : !p!
        )
        REM Every instance, legitimate or not, goes to the process list file
        (echo "!p!")>>"%LogFile%"
    )
)
REM Full process list (including ExecutablePath) kept in %Tmp% for reference
Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii
TYPE "%ProcessLog%" | find /i "%Legit_Location%" > "%Tmp_Services%"
(
    echo(
    echo Those are legitimate services of "%ProcessName%.exe"
    Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>con
(
    echo(
    echo Those are legitimate services of "%ProcessName%.exe"
    Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>> "%Tmp_Services%"
CMD /U /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
echo(
Echo All instances of "%ProcessName%" in this path "%Legit_Location%" are legitimate services
echo(
echo Hit any KEY to look for SUSPICIOUS "%ProcessName%" paths
REM Every logged command line that does NOT contain the legitimate path
Findstr /LVI "%Legit_Location%" "%LogFile%" > "%Suspicious_LogFile%"
PAUSE>nul
Start "" "%Suspicious_LogFile%"
Start "" "%Legits_Services_SVCHOST%" & exit
::*********************************************************************************************
```

Squashman (March 07, 2017, 07:29:49 AM): Do you have a question?
Quote from: Squashman on March 07, 2017, 07:29:49 AM
    Do you have a question?

Yes! I have just tested this script under Windows 7 (32-bit)! I wonder if there is another legit location of svchost.exe on 64-bit machines? For example, should I check it in the SysWOW64 location or not? Thank you!
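The batch script above decides "legitimate" by running Findstr /LI over the command line, which matches the string anywhere in the line: a process started as, say, C:\Users\x\svchost.exe with C:\Windows\system32\svchost.exe as an argument (a hypothetical example) would be echoed as legitimate. The following PowerShell script is an added example, not Hackoo's code or anything from the thread, written to demonstrate the same check done on Win32_Process.ExecutablePath instead, with the parent process as a second indicator. It also takes the SysWOW64 question into account: on 64-bit Windows a 32-bit copy of svchost.exe exists at %windir%\SysWOW64\svchost.exe, and the script whitelists it only when that file is present. The whitelist itself (System32 and SysWOW64 only) and the rule that a genuine svchost.exe is started by services.exe are assumptions of this example, labelled as such in the comments.

```powershell
# Added example, not Hackoo's script: whitelist every running svchost.exe by its real
# image path (Win32_Process.ExecutablePath) instead of substring-matching CommandLine,
# and check who spawned it. Needs PowerShell 3.0+ (Get-CimInstance, [pscustomobject]);
# run it elevated, otherwise ExecutablePath is $null for SYSTEM-owned processes.
#
# Assumptions (labelled as such): the only legitimate image paths are
# %windir%\System32\svchost.exe and, on 64-bit Windows, the 32-bit copy at
# %windir%\SysWOW64\svchost.exe; and a genuine instance is started by services.exe.

$windir     = $env:windir
$legitPaths = @("$windir\System32\svchost.exe")
# The SysWOW64 copy only exists on 64-bit Windows, so whitelist it only when present.
if (Test-Path -LiteralPath "$windir\SysWOW64\svchost.exe") {
    $legitPaths += "$windir\SysWOW64\svchost.exe"
}

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }   # PID -> process, to resolve parents

$results = foreach ($p in ($procs | Where-Object { $_.Name -like '*svchost*' })) {
    $path   = $p.ExecutablePath                 # $null when we lack access to the process
    $parent = $byPid[[int]$p.ParentProcessId]   # $null if the parent exited (PID may be reused)

    # -contains compares with -eq, which is case-insensitive for strings, so
    # C:\WINDOWS\system32\svchost.exe and C:\Windows\System32\svchost.exe both match.
    $pathOk   = ($null -ne $path) -and ($legitPaths -contains $path)
    $parentOk = ($null -ne $parent) -and ($parent.Name -ieq 'services.exe')

    # Reported but not scored: on Windows 7 catalog-signed OS binaries show as NotSigned.
    $sig = 'Unknown'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }

    $verdict = if (-not $path)          { 'UNKNOWN (no access, run elevated)' }
               elseif (-not $pathOk)    { 'SUSPICIOUS PATH' }
               elseif (-not $parentOk)  { 'SUSPICIOUS PARENT' }
               else                     { 'OK' }
    $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $path
        Parent      = $parentText
        CommandLine = $p.CommandLine
        Signature   = $sig
        Verdict     = $verdict
    }
}

$results | Sort-Object Verdict, PID | Format-Table -AutoSize

# Same convention as the batch script: one per-machine file next to the script
# (or in the current directory when pasted into a console), non-OK rows only.
$outDir  = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$outFile = Join-Path $outDir "$($env:COMPUTERNAME)_SVCHOST_Suspicious_Paths.csv"
$results | Where-Object { $_.Verdict -ne 'OK' } | Export-Csv -NoTypeInformation -Path $outFile
"Non-OK instances (if any) exported to $outFile"
```

Two practical notes. A binary that really is %windir%\System32\svchost.exe but was launched by something other than services.exe (a cmd.exe, a dropper, a scheduled task) gets 'SUSPICIOUS PARENT' rather than 'OK', which is the case the path-only check in the batch script cannot see; treat it as an indicator to investigate, not proof. On 64-bit Windows run the 64-bit PowerShell: a 32-bit host is subject to file-system redirection, so Test-Path and Get-AuthenticodeSignature on a ...\System32\... path would silently look at the SysWOW64 copy, while the ExecutablePath comparison itself is a plain string match and is not affected.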