Author Topic: Check commandline parameters of processes with CmdLine.........  (Read 6556 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34051
  • malware fighter
Check commandline parameters of processes with CmdLine.........
« on: December 01, 2009, 10:42:04 PM »
Hi malware fighters,

With multiple svchost.exe processes running, one wonders if all these processes are genuine and secure.
For instance this is a good one:
SVCHOST.EXE -K HTTPFILTER - At your option
svchost.exe -k httpfilter
    HTTP SSL service provided by Microsoft.
    Internal Name: HTTPFilter
    HTTP SSL - HTTPFilter is described by Microsoft:
    "HTTP SSL service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service,
     using the Secure Socket Layer (SSL).
     If this service is disabled, any services that explicitly depend on it will fail to start."
    Default start mode: Manual
    The command to launch HTTP SSL - HTTPFilter:
    svchost -k HTTPFilter
    Suggestion: do not change the start mode of HTTP SSL - HTTPFilter service.

We can use the following unique tool to check on this and other commandline parameters of this and other
processes: CmdLine

This program is FREEWARE. Get it from here: http://diamondcs.com.au/consoletools/cmdline.php

CmdLine is the only tool of its kind - it is actually able to read the commandline parameters of processes.
This can reveal important information about how processes are started.
The ID and full path of each process is also shown.

CmdLine also serves as a unique security tool. See this article for more information:
http://diamondcs.com.au/consoletools/parameteranalysis.php

An example:
SVCHOST.EXE
SvcHost (Service Host) hosts all the services on your system (and there are quite a lot).
These are usually DLLs that are loaded into the memory space of svchost.exe processes,
and it's not at all uncommon to have several svchost.exe processes running.

CmdLine reveals that svchost.exe is being sent the "-k" switch, and also the name of a service:
C:\WINDOWS\System32\svchost.exe [1948]
  C:\WINDOWS\System32\svchost.exe -k HTTPFilter

SvcHost is almost always started this way ("-k" followed by a service name),
so if you find an instance of svchost.exe running with unusual parameters
then there's reason for further investigation of that process. 

We can find more information about this service by going to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter

SvcHost can easily be used by attackers,
and the fact that it's not uncommon to have multiple svchost.exe processes running
provides an easy hiding place for malicious processes.
SvcHost trojans are generally one of two forms - a trojan service
(CmdLine might show something like "svchost.exe -k trojanservicename"),
or a trojan process masquerading as svchost.exe
(CmdLine might show something like "c:\windows\svchost.exe" instead of "c:\windows\system32\svchost.exe").
Running as a service can also offer other advantages to the attacker
due to the elevated security privileges of SvcHost.exe.

Just wanted to present this information to you all,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
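As an added illustration of the two svchost checks described in the post above (wrong path, unusual "-k" argument), this small Python script parses CmdLine-style output and flags the instances that deviate from the norm. It is example code, not part of the original post or of the CmdLine tool; the Windows root, the partial list of service groups and the three sample records are assumptions constructed for the demonstration.

```python
import re

# Assumed Windows install root; on a real host read %SystemRoot%.
SYSTEM_ROOT = r"C:\WINDOWS"
LEGIT_SVCHOST = (SYSTEM_ROOT + r"\System32\svchost.exe").lower()

# Partial, illustrative set of svchost service groups (assumption, not from the post).
KNOWN_GROUPS = {"httpfilter", "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch"}

# CmdLine prints two lines per process: "<path> [<pid>]" then the full command line.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \[(?P<pid>\d+)\]\n[ \t]+(?P<cmd>.+)$", re.M)

# Constructed sample output: one normal instance, one started from the wrong
# directory, and one hosting an unknown service group (both cases named in the post).
SAMPLE = r"""
C:\WINDOWS\System32\svchost.exe [1948]
  C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\svchost.exe [2210]
  C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe [2304]
  C:\WINDOWS\System32\svchost.exe -k trojanservicename
"""

def parse_cmdline_output(text):
    """Return (pid, path, command line) tuples from CmdLine-style output."""
    return [(int(m["pid"]), m["path"], m["cmd"].strip())
            for m in ENTRY_RE.finditer(text)]

def check_svchost(path, cmd):
    """Return the reasons an svchost.exe instance looks suspicious (empty list = normal)."""
    if not path.lower().endswith("svchost.exe"):
        return []                        # other processes are out of scope here
    reasons = []
    if path.lower() != LEGIT_SVCHOST:
        reasons.append("unexpected path " + path)
    args = cmd.split()[1:]               # drop the image path (no spaces in the sample paths)
    if len(args) != 2 or args[0].lower() != "-k":
        reasons.append("unusual arguments %r" % " ".join(args))
    elif args[1].lower() not in KNOWN_GROUPS:
        reasons.append("unknown service group " + args[1])
    return reasons

def triage(text):
    """Map pid -> reasons for every svchost instance that deviates from the norm."""
    return {pid: reasons for pid, path, cmd in parse_cmdline_output(text)
            if (reasons := check_svchost(path, cmd))}
```

On a live system, redirect CmdLine's console output to a file (as a later reply suggests) and feed that text to triage() instead of SAMPLE.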

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Check commandline parameters of processes with CmdLine.........
« Reply #1 on: December 02, 2009, 05:04:03 AM »
thanks sir pol.

bookmarked.

nmb

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Check commandline parameters of processes with CmdLine.........
« Reply #2 on: December 02, 2009, 06:02:21 AM »
+1  :)
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Alan Baxter

  • Guest
Re: Check commandline parameters of processes with CmdLine.........
« Reply #3 on: December 02, 2009, 05:36:57 PM »
Thank you, polonus.  If I recall correctly, some of my malware scanning programs may report this information too, but cmdline.exe from Diamond Computer Systems of Australia is a much more lightweight and quicker alternative.  A cursory test of it shows that it seems to work well, and, since it runs in a command window, its output can be redirected to a text file easily.  There's also a trojan named cmdline.exe, http://www.softwaretipsandtricks.com/dangerous_files/2531-cmdLineexe.html, so make sure you get it from a legit site. (of course!)

I'll probably continue to get that information from Process Explorer like I usually do, but it's nice to know about this convenient alternative.