One of the common things an attacker may do once they are inside your machine is to rename the process they are running. In many cases they will imitate, or get very close to, normal system process names. One commonly spoofed process is svchost.
What is svchost?
Microsoft states that “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. So when a piece of software starts a service from a DLL, it will be found connected to an svchost instance.
So what?
Well, if that is the case, then we can rest assured that any svchost process will also have some services running under it. The following command will show us the svchost instances and which services are running under each of them:
C:\> tasklist /SVC
If we then notice any svchost.exe instance running without any services under it, then it is most likely another process that has renamed itself to look like svchost.
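To automate the check described above, here is an added example (not part of the original post) that parses the CSV form of the same command, tasklist /SVC /FO CSV, and lists svchost.exe instances that host no services. It assumes English-locale output, where the columns are "Image Name", "PID" and "Services" and an empty service list is shown as N/A; the sample rows are constructed.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /SVC /FO CSV` output (English locale).
# PIDs and service groupings are made up for illustration.
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","892","DcomLaunch,PlugPlay,Power"
"svchost.exe","1044","RpcEptMapper,RpcSs"
"SVCHOST.EXE","6120","N/A"
"explorer.exe","4312","N/A"
'''

# Values in the Services column that mean "nothing hosted" (assumption: English locale).
NO_SERVICES = {"", "n/a"}


def parse_tasklist_svc(csv_text):
    """Return a list of (image, pid, [services]) from tasklist /SVC /FO CSV text."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("Services") or "").strip()
        if raw.lower() in NO_SERVICES:
            services = []
        else:
            services = [s.strip() for s in raw.split(",") if s.strip()]
        rows.append((rec["Image Name"].strip(), int(rec["PID"]), services))
    return rows


def svchost_without_services(rows):
    """PIDs of processes named svchost.exe (any letter case) hosting no services."""
    return [pid for image, pid, services in rows
            if image.lower() == "svchost.exe" and not services]


def live_tasklist():
    """Collect real output on a Windows host."""
    result = subprocess.run(["tasklist", "/SVC", "/FO", "CSV"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Use live data on Windows, the constructed sample elsewhere.
    text = live_tasklist() if sys.platform == "win32" else SAMPLE
    for pid in svchost_without_services(parse_tasklist_svc(text)):
        print(f"svchost.exe PID {pid} hosts no services - investigate")
```

The name comparison ignores case because Windows image names are case-insensitive, so a renamed SVCHOST.EXE is caught as well.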