In Chapter 7, Malware Functionalities and Persistence, we looked at how an attacker can persist on the system by installing a new service or modifying an existing one. In this section, we will focus on how to investigate services from the memory image. To list the services from the memory image along with their details, such as display name, service type, and startup type, you can use the svcscan plugin. In the following example, the malware creates a service of type WIN32_OWN_PROCESS whose display name and service name are both svchost. From the binary path, you can tell that this svchost.exe is malicious because it is running from the non-standard path C:\Windows instead of C:\Windows\System32:
$ python vol.py -f svc.vmem ...
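The check described above, that a well-known system binary such as svchost.exe should only ever be launched from System32, is easy to automate over svcscan output. The following is an added example, not code from the book or from the Volatility project: it parses text in the layout that Volatility 2's svcscan plugin prints (blank-line separated records of `Key: value` lines; that layout and the sample records below are constructed for this example) and flags services whose image is a known system executable living outside System32/SysWOW64, plus the extra heuristic that a legitimate svchost.exe is always started with a `-k <group>` argument. The `SYSTEM_BINARIES` and `TRUSTED_DIRS` sets are the example's own assumptions and should be extended to suit the image being examined.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of Volatility 2's svcscan output.
# The second record mirrors the malicious service discussed in the text:
# an OWN_PROCESS service named svchost running from C:\Windows.
SAMPLE_SVCSCAN = r"""
Offset: 0x3b1478
Order: 1
Start: SERVICE_AUTO_START
Process ID: 820
Service Name: Wmi
Display Name: Windows Management Instrumentation
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs

Offset: 0x3b15a0
Order: 2
Start: SERVICE_AUTO_START
Process ID: 1492
Service Name: svchost
Display Name: svchost
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\svchost.exe

Offset: 0x3b16c8
Order: 3
Start: SERVICE_DEMAND_START
Process ID: -
Service Name: Spooler
Display Name: Print Spooler
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_STOPPED
Binary Path: C:\Windows\System32\spoolsv.exe
"""

# Assumed lists for this example: executables that a stock Windows install only
# runs from the system directories, and the directories they belong in.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                   "winlogon.exe", "spoolsv.exe", "smss.exe", "wininit.exe"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_svcscan(text):
    """Split svcscan text into a list of {field: value} dicts, one per service."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep their "C:"
            if sep:
                record[key.strip()] = value.strip()
        if record:
            services.append(record)
    return services


def image_path(binary_path):
    """Return just the executable from a Binary Path, dropping quotes and arguments."""
    match = re.match(r'^"?([^"]*?\.exe)', binary_path.strip(), re.IGNORECASE)
    return match.group(1) if match else ""


def suspicious_services(services):
    """Return [(service name, [reasons])] for services that fail the path heuristics."""
    findings = []
    for svc in services:
        raw = svc.get("Binary Path", "")
        path = image_path(raw)
        if not path:
            continue
        win = PureWindowsPath(path)
        exe = win.name.lower()
        parent = str(win.parent).lower()
        reasons = []
        # Heuristic 1: a known system binary outside System32/SysWOW64 (the book's check).
        if exe in SYSTEM_BINARIES and parent not in TRUSTED_DIRS:
            reasons.append(f"{exe} running from non-standard directory {win.parent}")
        # Heuristic 2: the real svchost.exe is always launched as "svchost.exe -k <group>".
        if exe == "svchost.exe" and "-k" not in raw.lower().split():
            reasons.append("svchost.exe started without a -k service group")
        if reasons:
            findings.append((svc.get("Service Name", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_services(parse_svcscan(SAMPLE_SVCSCAN)):
        print(f"[!] service {name}:")
        for reason in reasons:
            print(f"      - {reason}")
```

Against the sample, only the second record is reported: `svchost` running from `C:\Windows` trips both heuristics, while the genuine Wmi service (System32, `-k netsvcs`) and Print Spooler pass. To run it on a real image, pipe the output of `vol.py ... svcscan` into `parse_svcscan` instead of the constructed sample.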