Using Volatility to scan for mutexes and hidden services; a hidden service is essentially the same thing as a hidden process
A hidden service is essentially no different from a hidden process: its record still exists in memory, it has only been unlinked from the list that the operating system walks when it enumerates services.
How svcscan works:
The service control manager (services.exe) keeps a record for every registered service, and tools such as sc query simply ask the SCM to enumerate that list. A rootkit can hide a service by unlinking its record from that list, exactly as DKOM hides a process by unlinking it from the process list. svcscan does not ask the operating system; it scans the memory of the services.exe process for service record structures, so records that were unlinked (or, note, records of services that were legitimately deleted but whose memory has not been reused) are still found.
Therefore, to find hidden services, run svcscan against the memory image and compare its output with the services visible to the live system through sc query: any service that svcscan reports but sc query does not is a candidate hidden service. Capture the live list with "sc query type= all state= all", because a bare sc query lists only running Win32 services and would make every driver and stopped service look hidden.
PS D:\Application\volatility3-stable\moddmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\17\6\be2.vmem\be2.vmem" svcscan >service.result.txt
Volatility Foundation Volatility Framework 2.6
PS D:\Application\volatility3-stable\moddmp_out> notepad.exe .\service.result.txt
The result looks like this (one record per service, nine fields each, separated by a blank line):
Offset: 0x6e1e90
Order: 1
Start: SERVICE_DISABLED
Process ID: -
Service Name: Abiosdsk
Display Name: Abiosdsk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1f20
Order: 2
Start: SERVICE_DISABLED
Process ID: -
Service Name: abp480n5
Display Name: abp480n5
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1fb0
Order: 3
Start: SERVICE_BOOT_START
Process ID: -
Service Name: ACPI
Display Name: Microsoft ACPI Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \Driver\ACPI
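The comparison described above, written out as an added example; this is not code from the original post or from the Volatility project. It assumes the svcscan output was saved as plain text in the record layout shown above, and that the visible-service list was captured on the same machine with "sc query type= all state= all". Both inputs embedded in the script are constructed samples, and the hiddensvc record (offset, PID, path) is hypothetical.

```python
"""Compare Volatility 2.6 svcscan output with a live `sc query` listing.

Added example: not code from the original post or from the Volatility
project. Assumptions: (a) svcscan output is plain text in the layout shown
in the post; (b) the visible-service list comes from
`sc query type= all state= all`, which, unlike a bare `sc query`, also
lists drivers and stopped services. Both inputs below are constructed
samples; the `hiddensvc` record is hypothetical.
"""
import re

# Constructed svcscan excerpt (same field layout as the real output above).
SVCSCAN_OUTPUT = """\
Offset: 0x6e1e90
Order: 1
Start: SERVICE_DISABLED
Process ID: -
Service Name: Abiosdsk
Display Name: Abiosdsk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1fb0
Order: 3
Start: SERVICE_BOOT_START
Process ID: -
Service Name: ACPI
Display Name: Microsoft ACPI Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \\Driver\\ACPI

Offset: 0x6e2040
Order: 4
Start: SERVICE_AUTO_START
Process ID: 1234
Service Name: hiddensvc
Display Name: hiddensvc
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\\WINDOWS\\system32\\hidden.exe
"""

# Constructed `sc query type= all state= all` excerpt: only the first two
# services above are visible to the live operating system.
SC_QUERY_OUTPUT = """\
SERVICE_NAME: Abiosdsk
DISPLAY_NAME: Abiosdsk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED

SERVICE_NAME: ACPI
DISPLAY_NAME: Microsoft ACPI Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
"""


def parse_svcscan(text):
    """Turn svcscan's blank-line separated 'Key: Value' records into dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # split at the first colon only,
        if sep:                                 # so 'C:\...' paths stay intact
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


SC_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(.+?)\s*$", re.MULTILINE)


def parse_sc_query(text):
    """Set of service names reported by sc query, lower-cased because
    Windows service names are case-insensitive."""
    return {m.group(1).lower() for m in SC_NAME_RE.finditer(text)}


def find_hidden_services(svcscan_text, sc_text):
    """Records found in services.exe memory but missing from the live list.
    Each hit is a lead, not proof: svcscan can also carve stale records of
    services that were legitimately deleted."""
    visible = parse_sc_query(sc_text)
    return [rec for rec in parse_svcscan(svcscan_text)
            if rec.get("Service Name", "").lower() not in visible]


if __name__ == "__main__":
    for rec in find_hidden_services(SVCSCAN_OUTPUT, SC_QUERY_OUTPUT):
        print("HIDDEN? {Service Name} pid={Process ID} state={Service State} "
              "path={Binary Path}".format(**rec))
```

In practice replace the two embedded strings with the contents of service.result.txt and the saved sc query output; the Process ID and Binary Path of each hit are the fields to pivot on next (pslist/psscan for the PID, the binary path for the file on disk).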
Finally, a note on mutex scanning with mutantscan. This is only a scan: it lists every mutant object it can carve from the image, and whether any of them is malicious still has to be judged separately. Named mutexes are worth attention because malware commonly creates a fixed-name mutex as a "single instance" marker, so an unfamiliar name is a lead; the CID column (pid:tid of the owning thread) lets you tie a held mutex back to a process in pslist. Usage:
PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem mutantscan -s
Volatility Foundation Volatility Framework 2.6
Offset(P)          #Ptr     #Hnd     Signal Thread     CID       Name
------------------ -------- -------- ------ ---------- --------- ----
0x00000000000962c0        1        1      1 0x00000000
0x00000000007c0840        1        1      1 0x00000000
0x00000000009d86e0        1        1      1 0x00000000
0x00000000009d90d8        1        1      1 0x00000000
0x0000000000eda878        1        1      1 0x00000000
0x0000000000edae88        1        1      1 0x00000000
0x000000000105a278        1        1      1 0x00000000
0x000000000105a2e8        1        1      1 0x00000000
0x000000000105aa38        7        6      1 0x00000000           _!MSFTHISTORY!_
0x000000000105acf0        2        1      0 0xff3ba880 888:912   wscntfy_mtx
0x000000000105e900        1        1      1 0x00000000
0x0000000001061fe0        2        1      1 0x00000000           542B5ABE01CB391B000003A82
0x00000000010633b8        2        1      1 0x00000000           msgina: InteractiveLogonRequestMutex
0x0000000001066480        2        1      1 0x00000000           PerfOS_Perf_Library_Lock_PID_684
0x00000000010669d0        2        1      1 0x00000000           winlogon: Logon UserProfileMapping Mutex
0x0000000001066bd0        2        1      1 0x00000000           PerfProc_Perf_Library_Lock_PID_684
0x00000000010676d8        2        1      1 0x00000000           RemoteAccess_Perf_Library_Lock_PID_684
0x0000000001067d60        1        1      1 0x00000000
0x0000000001069fa8        2        1      1 0x00000000           WmiApRpl_Perf_Library_Lock_PID_684
0x000000000106fb60        3        2      1 0x00000000           WininetProxyRegistryMutex
0x0000000001070380        2        1      1 0x00000000           Spooler_Perf_Library_Lock_PID_684
0x00000000010719b0        2        1      1 0x00000000           ContentFilter_Perf_Library_Lock_PID_684
0x0000000001071e40        1        1      1 0x00000000