DaS 2.1 - Manual

Download DaS from here PCIHTDL

1. Why DaS 2.1 ?

This tool gives you an overview of the Services and Processes that are running.

It also checks the presence of the file referenced by the ImagePath value under:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xxxxxx
"ImagePath" = "path to the file"

If the file is not present there and it is a .sys file, DaS also looks for it in the drivers folder, both the 32-bit and the 64-bit (SysWOW64) one.
If the file still isn't found, a [x] is shown at the end of the line.

The following extensions are logged:

  • .exe
  • .dll
  • .sys

Example 1:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d926dfd5
"ImagePath" = "C:\WINDOWS\system32\rundll32.exe" "c:\progra~1\ws-ena~1\AssistantSvc.dll,service"

In this case, DaS checks for the presence of AssistantSvc.dll (the DLL passed to rundll32.exe) and reports back with [x] at the end of the line if it isn't present.

Example 2:

DaS 2.1 output of a Zero Access infection:

S2 - [‮etadpug] - Google Update Service (gupdate) - c:\program files\google\desktop\install\{734e8dfb-afbc-44f4-4bb6-7e628d1cd909}\ \...\‮ﯹ
๛\{734e8dfb-afbc-44f4-4bb6-7e628d1cd909}\googleupdate.exe [x]
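The check described above (Example 1, plus the driver folder fallback for .sys files) as an added Python example; it is not part of DaS or this manual. It assumes SystemRoot is C:\Windows, takes the "drivers map" to mean the system32 and SysWOW64 driver folders, and takes a path -> bool predicate for 'exists' so it runs offline; has_bidi_override is an extra check prompted by the ZeroAccess path in Example 2, not a DaS feature.

```python
import ntpath
import re

# Assumptions, not from the manual: SystemRoot is C:\Windows, and the "drivers map" DaS
# falls back to for .sys files is taken to mean the 32-bit and 64-bit (SysWOW64) driver folders.
SYSTEM_ROOT = r"C:\Windows"
DRIVER_DIRS = (SYSTEM_ROOT + r"\system32\drivers", SYSTEM_ROOT + r"\SysWOW64\drivers")
LOGGED_EXTENSIONS = (".exe", ".dll", ".sys")
# A quoted path is taken whole; an unquoted one is cut at the first .exe/.dll/.sys.
_PATH_RE = re.compile(r'"([^"]+)"|([^\s"].*?\.(?:exe|dll|sys))(?=[\s,]|$)', re.I)

def extract_target(image_path):
    """File the ImagePath value really points at: for a rundll32.exe host that is the DLL
    argument (Example 1), minus any ',EntryPoint' suffix; None if not .exe/.dll/.sys."""
    tokens = [q or u for q, u in _PATH_RE.findall(image_path.strip())]
    target = tokens[0] if tokens else ""
    if ntpath.basename(target).lower() == "rundll32.exe" and len(tokens) > 1:
        target = tokens[1]
    target = target.split(",")[0].strip()
    return target if target.lower().endswith(LOGGED_EXTENSIONS) else None

def normalize(path):
    r"""Expand the short forms seen in ImagePath values: \??\, \SystemRoot, system32\..."""
    p = path[4:] if path.startswith("\\??\\") else path
    p = re.sub(r"^(?:\\SystemRoot|%SystemRoot%)", lambda m: SYSTEM_ROOT, p, flags=re.I)
    if not re.match(r"^[A-Za-z]:\\", p):  # relative to SystemRoot, e.g. system32\drivers\x.sys
        p = ntpath.join(SYSTEM_ROOT, p.lstrip("\\"))
    return p

def locate(target, exists):
    """Path where the file was found, or None; a missing .sys is also searched for in the driver folders."""
    full = normalize(target)
    candidates = [full]
    if full.lower().endswith(".sys"):
        candidates += [ntpath.join(d, ntpath.basename(full)) for d in DRIVER_DIRS]
    return next((c for c in candidates if exists(c)), None)

def log_line(prefix, name, display, image_path, exists):
    """DaS style line 'R0 - [name] - display - path', with [x] appended when the file is missing."""
    target = extract_target(image_path)
    if target is None:  # not an .exe/.dll/.sys: not logged
        return None
    found = locate(target, exists)
    line = f"{prefix} - [{name}] - {display} - {found or normalize(target)}"
    return line if found else line + " [x]"

def has_bidi_override(path):
    """Added check (not a DaS feature): flag the U+202A..U+202E bidi controls, such as the
    right-to-left override that hides the real folder name in Example 2's ZeroAccess path."""
    return any("\u202a" <= ch <= "\u202e" for ch in path)
```

On a real machine, pass os.path.exists as the predicate and read the ImagePath values with the winreg module; the "R0"/"S2" prefix is passed in as given, since the manual does not spell out how it is derived.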

2. General Information

  • Adapter: A service for a hardware device that requires its own driver.
  • FileSystemDriver: A file system driver, which is also a Kernel device driver.
  • InteractiveProcess: A service that can communicate with the desktop.
  • KernelDriver: A Kernel device driver such as a hard disk or other low-level hardware device driver.
  • RecognizerDriver: A file system driver used during startup to determine the file systems present on the system.
  • Win32OwnProcess: A Win32 program that can be started by the Service Controller and that obeys the service control protocol. (This type of Win32 service runs in a process by itself.)
  • Win32ShareProcess: A Win32 service that can share a process with other Win32 services.

You can find more info here.

3. The Screen output (help screen)


Screen 1

Running the tool without any switch shows the help screen.
The command "DaS_21 /f" writes a log file to the same folder the tool was run from.
(Mind the space before the '/'.)

4. The log output (example with the /dw switch)


*** File System Driver ***
R0 - [FileInfo] - File Information FS MiniFilter - C:\Windows\system32\drivers\fileinfo.sys
R0 - [FltMgr] - FltMgr - C:\Windows\system32\drivers\fltmgr.sys
R0 - [Mup] - Mup - C:\Windows\system32\drivers\mup.sys
R1 - [NetBIOS] - NetBIOS Interface - C:\Windows\system32\drivers\netbios.sys
R3 - [srv] - srv - C:\Windows\system32\drivers\srv.sys
R3 - [srv2] - srv2 - C:\Windows\system32\drivers\srv2.sys
*** Kernel Driver ***
R0 - [ACPI] - Microsoft ACPI Driver - C:\Windows\system32\drivers\acpi.sys
R0 - [atapi] - IDE-kanaal - C:\Windows\system32\drivers\atapi.sys
R0 - [CLFS] - Common Log (CLFS) - C:\Windows\system32\clfs.sys
R0 - [crcdisk] - Crcdisk Filter Driver - C:\Windows\system32\drivers\crcdisk.sys
R0 - [disk] - Stuurprogramma voor schijfstations - C:\Windows\system32\drivers\disk.sys
R0 - [Ecache] - ReadyBoost Caching Driver - C:\Windows\system32\drivers\ecache.sys
R0 - [intelide] - intelide - C:\Windows\system32\drivers\intelide.sys
R0 - [KSecDD] - KSecDD - C:\Windows\system32\drivers\ksecdd.sys
R0 - [MountMgr] - Mount Point Manager - C:\Windows\system32\drivers\mountmgr.sys
R0 - [msisadrv] - ISA/EISA Class Driver - C:\Windows\system32\drivers\msisadrv.sys
R0 - [NDIS] - NDIS System Driver - C:\Windows\system32\drivers\ndis.sys
R0 - [partmgr] - Partition Manager - C:\Windows\system32\drivers\partmgr.sys
R0 - [pci] - PCI Bus Driver - C:\Windows\system32\drivers\pci.sys
R0 - [snapman] - Acronis Snapshots Manager - C:\Windows\system32\drivers\snapman.sys
R0 - [spldr] - Security Processor Loader Driver - C:\Windows\system32\Drivers\spldr.sys
R0 - [Tcpip] - Stuurprogramma voor TCP/IP-protocol - C:\Windows\system32\drivers\tcpip.sys
R0 - [tdrpman251] - Acronis Try&Decide and Restore Points filter (build 251) - C:\Windows\system32\drivers\tdrpm251.sys
R0 - [timounter] - Acronis Backup Archive Explorer - C:\Windows\system32\drivers\timntr.sys
R0 - [vmci] - VMware VMCI Bus Driver - C:\Windows\system32\drivers\vmci.sys
R0 - [volmgr] - Stuurprogramma voor Volumebeheer - C:\Windows\system32\drivers\volmgr.sys
R0 - [volmgrx] - Dynamic Volume Manager - C:\Windows\system32\drivers\volmgrx.sys
R0 - [volsnap] - Opslagvolumes - C:\Windows\system32\drivers\volsnap.sys
R0 - [vsock] - vSockets Driver - C:\Windows\system32\drivers\vsock.sys
R0 - [Wdf01000] - Kernel Mode Driver Frameworks service - C:\Windows\system32\drivers\wdf01000.sys
R1 - [Beep] - Beep - C:\Windows\system32\Drivers\Beep.sys
R1 - [netbt] - netbt - C:\Windows\system32\drivers\netbt.sys
R1 - [tdx] - Stuurprogramma voor ondersteuning van NetIO Legacy TDI - C:\Windows\system32\drivers\tdx.sys
R2 - [tcpipreg] - TCP/IP Registry Compatibility - C:\Windows\system32\drivers\tcpipreg.sys
Rx - [AFD] - AFD - C:\Windows\system32\drivers\afd.sys
S3 - [Tcpip6] - Microsoft IPv6 Protocol Driver - C:\Windows\system32\drivers\tcpip.sys

5. The Black List (/list)

All R0 entries are logged...
=== File System Driver Black List ===
NetBIOS
srv
srv2
=== Kernel Driver Black List ===
atapi
NDIS
pci
Tcpip
volsnap
AFD
Beep
netbt
tdx
tcpipreg
Tcpip6


6. Copyright Disclaimer

You may use all our tools.
You may NOT vend, duplicate, alter or host them.
I would appreciate a link to E Dev or a mention of my name (Emphyrio) :)

7. Thanks

A thank you to the beta testers: abbs, PeterJ

Special thanks towards Maxstar and Smeenk for their support.