
Author Topic: Find_Suspicious_SVCHOST_Paths.bat  (Read 1031 times)


Hackoo

    Topic Starter


    Beginner
  • Thanked: 11
  • Experience: Expert
  • OS: Windows 10
Find_Suspicious_SVCHOST_Paths.bat
« on: March 06, 2017, 09:10:03 PM »
Hi  ;)
I made this batch script in order to identify whether there is a virus or trojan using the svchost.exe name
  • svchost.exe is good and functions like a container for relevant services
  • svchost.exe is only a virus if it's living outside C:\Windows\System32
Code:
@echo off
REM First release on 01/03/2017 @ 04:45
REM Updated on 07/03/2017 @ 04:05
REM Lists every running SVCHOST instance, logs its command line, and splits the
REM list into instances launched from the expected System32 path and all others.
Set "ProcessName=SVCHOST"
Set "Tmp_Services=%Tmp%\%~n0.txt"
If Exist "%Tmp_Services%" Del "%Tmp_Services%"
Set "ProcessLog=%Tmp%\%ProcessName%.log"
If Exist "%ProcessLog%" Del "%ProcessLog%"
Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
Set "Legit_Location=%windir%\system32\svchost.exe"
Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
If Exist "%LogFile%" Del "%LogFile%"
Set /A Counter=0
Color 0A
setlocal enableDelayedExpansion
REM "delims=" keeps the whole command line (paths with spaces included); the inner
REM loop strips the trailing carriage return that WMIC appends to every output line.
for /F "skip=1 delims=" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
    for /F "delims=" %%b in ("%%a") do (
        set "p=%%b"
        REM Skip the whitespace-only line WMIC prints after the last result
        if not "!p: =!"=="" (
            set /A Counter+=1
            REM Show on screen only the instances running from the expected path
            echo !p! | Findstr /LI /C:"%Legit_Location%" >nul && echo [!Counter!] : !p!
            ( echo "!p!" )>>"%LogFile%"
        )
    )
)

REM -Width stops Out-File from truncating long command lines at the default 80 columns
Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii -Width 4096
Type "%ProcessLog%" | find /i "%Legit_Location%" > "%Tmp_Services%"

(
echo(
echo These are the legitimate services hosted by "%ProcessName%.exe"
Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>con

(
echo(
echo These are the legitimate services hosted by "%ProcessName%.exe"
Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>> "%Tmp_Services%"
REM CMD /U re-types the file so the saved copy is written as Unicode (UTF-16)
CMD /U /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
echo(
Echo All instances of "%ProcessName%" in the path "%Legit_Location%" are legitimate services
echo(
echo Press any key to list the suspicious "%ProcessName%" paths
REM /V keeps only the logged command lines that do NOT contain the legitimate path
Findstr /LVI /C:"%Legit_Location%" "%LogFile%" > "%Suspicious_LogFile%"
pause>nul
Start "" "%Suspicious_LogFile%"
Start "" "%Legits_Services_SVCHOST%" & exit
::*********************************************************************************************

Squashman



    Specialist
  • Thanked: 117
  • Experience: Experienced
  • OS: Other
Re: Find_Suspicious_SVCHOST_Paths.bat
« Reply #1 on: March 07, 2017, 07:29:49 AM »
Do you have a question?

Hackoo

    Topic Starter


    Beginner
  • Thanked: 11
  • Experience: Expert
  • OS: Windows 10
Re: Find_Suspicious_SVCHOST_Paths.bat
« Reply #2 on: March 07, 2017, 11:10:11 AM »
Do you have a question?
Yes! I have just tested this script under Windows 7 (32-bit)!
I wonder if there is another legit location of svchost.exe on 64-bit machines?
For example, should I check the SysWOW64 location or not?
Thank you!
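An added example, not code from this thread or from Hackoo's script, covering both the check the batch file performs and the 64-bit question above. It assumes Windows PowerShell 3.0 or later with the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets, and writes its CSV to %TEMP% (an assumed output location). Two points it makes that the batch file does not: a process can set its own command line to anything, so the match should be done on the on-disk image (ExecutablePath) rather than on CommandLine; and on 64-bit Windows a second Windows-owned copy, %windir%\SysWOW64\svchost.exe, hosts 32-bit services, so a System32-only allow-list flags legitimate instances. It also records the Authenticode status of the image and whether services.exe is the parent, which is what starts legitimate service hosts.

```powershell
# Added example (not the script from the thread). Lists every running svchost.exe
# and flags an instance when any of three checks fails:
#   1. the image on disk lives in %windir%\System32 or, on 64-bit Windows, %windir%\SysWOW64;
#   2. the image carries a valid Authenticode signature;
#   3. the parent process is services.exe.
# Run from an elevated prompt: without it, ExecutablePath is unreadable for many
# processes and they show up as "NoPath", which then only means insufficient rights.

$legitDirs = @(
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64')    # 32-bit service host on 64-bit Windows
)

# One snapshot of all processes, indexed by PID, so parent lookups need no extra queries.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[uint32]$_.ProcessId] = $_ }

$report = foreach ($p in ($byPid.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $exe = $p.ExecutablePath              # real image path, not the spoofable CommandLine
    $dir = if ($exe) { Split-Path -Parent $exe } else { '' }
    $inLegitDir = [bool]($legitDirs | Where-Object { $dir -ieq $_ })

    $sigStatus = 'NoPath'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sigStatus = [string](Get-AuthenticodeSignature -FilePath $exe).Status
    }

    # PIDs are reused, so a parent that exited before the snapshot reports as Unknown.
    $parent = $byPid[[uint32]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { 'Unknown' }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $exe
        InLegitDir = $inLegitDir
        Signature  = $sigStatus
        Parent     = $parentName
        Suspicious = (-not $inLegitDir) -or ($sigStatus -ne 'Valid') -or ($parentName -ine 'services.exe')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Persist only the flagged rows; the file name mirrors the batch script's naming.
# Assumed output location: the user's TEMP directory.
$out = Join-Path $env:TEMP "$($env:COMPUTERNAME)_svchost_suspicious.csv"
$report | Where-Object Suspicious | Export-Csv -NoTypeInformation -Path $out
```

A row that fails only the signature check on a freshly patched machine usually deserves a second look at the file rather than an immediate verdict, and a row with an "Unknown" parent is often just a race with process exit; the combination of a non-Windows directory, no valid signature and a parent other than services.exe is the pattern worth escalating.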