This autorun idea is buggy, but I got something strange.
People always search for autorun registry keys and services and check the startup methods, then sometimes successfully delete them all, then the client couldn't connect and says "shit i lost my victim". Does this have a solution?
This has many solutions, u can for example add a registry key to open a file when explorer.exe or any other exe starts..
My stupid solution is: maybe with dll injection, u can delete the registry key on start when the computer starts, then create it again when the computer shuts down (still a problem when a computer unexpectedly shuts down), but i think this may help.
i dunno how to do a command when windows is shutting down, but i think it's possible, anyone interested may help.
mrBob
Feb 17 2004, 07:35 PM
for that you can better just use the RunOnce key. RunOnce keys will be deleted automatically after windows has started the program, so then you only have to implement some code that, when the app shuts down, adds the key to the RunOnce thingie. but i dunno if this all works perfectly and stuff, i've played with it a few years ago, didn't get it to work like i wanted, but my programming skills weren't very good either at that time (still aren't... )
have fun & good luck
Wodan4Life
Feb 18 2004, 07:47 AM
hmmmm, both ideas are interesting, i'll look into this, nice forum by the way!
boshcash
Feb 18 2004, 11:52 AM
yea, it's a good thing to add a RunOnce value on reboot, so after reboot it would be deleted. the only problem is when a user switches the power off (forced shutdown), this way would fail.
Maybe another way is, when someone opens a program like regedit.exe or any other known registry editor or startup detector, the program deletes the key and after the program is closed puts it back again. also another solution is using rootkits to hide the registry, but i'm not familiar with them, and u have to do some work to get them undetected...
tibbar
Feb 18 2004, 12:27 PM
i gave up reg startup keys a long time ago. Why not run hidden services? they are more reliable, and can be set to auto restart upon close.
Sparkles
Feb 18 2004, 01:04 PM
well there are better places to whack your stuff... the following is an extract from Int_13h's paper @ TLSecurity.com (doesn't seem to be up anymore)
now while keeping with the registry... it's worth noting that if you check out your local security policy for windows XP, look @ remotely accessible registry keys, pipes, and shares... makes you think. as for dll injection... maybe you should have a look at the smart stuff that's been created and implemented in haxdef (esp the latest version). to sum up haxdef, it's the ultimate windows rootkit. it injects about 6 of the core windows dll's and provides some wicked abilities.
Sparkles
Sparkles
Feb 18 2004, 01:07 PM
i decided that it's a waste to only show a section of this discussion so here's the whole thing, i suggest saving the text for closer inspection.
This Autostart Directory is saved in:
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
Often used by setup programs. When the file exists it is run ONCE and then is deleted by windows. Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth.
7. Autoexec.bat
Starts every time at DOS level.
8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed. Known as the Unknown Starting Method and currently used by Subseven.
9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the APPS which are executed IF ICQNET detects an Internet Connection.
10. Explorer start-up
Windows 95,98,ME: Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.
Windows NT/2000: The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.
The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:
* Search the current directory.
* If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
* If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info: http://www.microsoft.com/technet/security/bulletin/fq00-052.asp
Patch: http://www.microsoft.com/technet/support/kb.asp?ID=269049
General: If a trojan installs itself as c:\explorer.exe, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all windows versions as of today.
The NeverShowExt key has the function to HIDE the real extension of the file (here SHS). This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer. Your registry should be full of NeverShowExt keys; simply delete the key to get the real extension to show up.
Int_13h http://www.TLSecurity.net
Sparkles
nubela
Feb 18 2004, 02:09 PM
oh man that's sweet, thanks a lot
dr0zaxx
Feb 18 2004, 03:44 PM
nice information! well detailed. thanks for sharing. i have seen lots of this, but not as detailed as yours. into my portfolio it goes!
oYost
Feb 18 2004, 04:29 PM
Hum, u want the program to run at startup?
So install it like a service with firedaemon or srvany, there aren't any keys in the Run key. I hope i am not off-topic
Dr00py
Feb 19 2004, 10:47 AM
very useful, thanks
DiJiTooL
Feb 19 2004, 10:52 AM
big thanks man, it's very interesting!
o0oKARo0o
Feb 20 2004, 01:42 AM
great post, thanks 4 sharing the info
--Elite--
Feb 20 2004, 07:58 AM
Have u ever heard of "Rootkit"?!! install one and hide ur specific reg-key!!
and for those who never heard of rootkits: windows has a shutdown-scripting ability, meaning there is a script file which windows executes whenever u shut down the system. Go find it and try to mix ur creativity with the "echo" command and the "regedit" tool. DO NOT ask me where it is located or how u can add/modify it. ask your own windows help
Sparkles
Feb 20 2004, 10:35 AM
QUOTE (oYost @ Feb 18 2004, 04:29 PM)
Hum, u want the program to run at startup?
So install it like a service with firedaemon or srvany, there aren't any keys in the Run key. I hope i am not off-topic
lol @ firedaemon... no offence buddy, seriously. the problem is that firedaemon has been around for a while now... and sysadmins can find it too easily.. and firedaemon has restrictions.
like elite said, get yourself a rootkit and go the whole hog and increase the life of your hacks..
Sparkles
boshcash
Feb 20 2004, 02:03 PM
QUOTE (--Elite-- @ Feb 20 2004, 07:58 AM)
Have u ever heard of "Rootkit"?!! install one and hide ur specific reg-key!!
and for those who never heard of rootkits: windows has a shutdown-scripting ability, meaning there is a script file which windows executes whenever u shut down the system. Go find it and try to mix ur creativity with the "echo" command and the "regedit" tool. DO NOT ask me where it is located or how u can add/modify it. ask your own windows help
u didn't finish reading my post cause i mentioned rootkits. second thing, don't just say windows has shutdown scripts, tell us where they are (i know u just saw the lame xp gui saying "running shutdown scripts" before u shut down), so if u wanna post something useful tell us the location of the scripts and more info..
oYost
Feb 20 2004, 03:42 PM
QUOTE
lol @ firedaemon... no offence buddy, seriously. the problem is that firedaemon has been around for a while now... and sysadmins can find it too easily.. and firedaemon has restrictions.
like elite said, get yourself a rootkit and go the whole hog and increase the life of your hacks..
Sparkles
Read..
QUOTE
Hum, u want the program to run at startup?
So install it like a service with firedaemon or srvany, there aren't any keys in the Run key. I hope i am not off-topic
If u used srvany, u'd know that u have to write to the registry to make it work. i quoted firedaemon for the noobs... Me, i use a servu modif and a backdoor modif, so.. they have an integrated installer. But rootkit seems to be good too
--Elite--
Feb 20 2004, 06:54 PM
Mate, I'm definitely not new to MS OSes. if i were, i couldn't have got my MCSE. and also, i've never liked arguing...
yes u r right, i didn't read ALL of the comments completely, just a glance, this is why i didn't see "rootkit" there, and about the shutdown script, seems u didn't read my short post carefully either!
QUOTE
DO NOT ask me where it is located or how u can add/modify it. ask your own windows help
wasn't that clear?! if ppl r so lazy that they can't even type a few words to find the answer, it's better no one answers them!
If u know windows policies, u should be familiar with Login/Logout scripts, which u can define for making things easy for users. here u can abuse them.
and finally, dunno if it's good or bad, i do not like to help ppl directly. this way u let their creativity act! and this way they NEVER forget what they have learned.
didn't try them yet, if someone tries them tell me..
vnet576
Feb 21 2004, 03:09 AM
There is one more method that nobody has mentioned. I was surprised to discover that windows allows you to modify services...even crucial system services! For example let's take the service "Server"..an important but not crucial system service...specifically known as lanmanserver. So let's open it up in the registry:
The things that draw my attention are ErrorControl (DWORD) and ImagePath (SZ). I hope some of you are beginning to see where I'm going with this..we're gonna take over that service. So let's remove the default image path
CODE
%SystemRoot%\System32\svchost.exe -k netsvcs
and change it for our own: (note u can name svchost.exe anything u want..i just think it's a better name than l33ttrojan.exe.)
CODE
%SystemRoot%\System32\MYHACK\svchost.exe
Now as u might expect, if u reboot windows is going to give u a lot of ugly error messages such as "service path invalid"....etc...etc...etc. So we're gonna change the ErrorControl to "0"..meaning no errors.
Basically the service will attempt to start when the host boots his machine...the service will run your trojan..the service will crash..the service will NOT create an error message. The whole process repeats every time the host boots his machine. The scary thing is that you can do this with any system service, which just goes to show how insecure windows really is..u can technically do this with the RPC service, but u would get a lot of undesirable side effects..so just find a rarely used but default service like Wireless Zero Configuration and take it over.
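The locations named in this thread (the shell\open\command handlers and Winlogon Shell from Int_13h's extract, NeverShowExt, and the service ImagePath / ErrorControl values from the post above) are all plain registry values, so the quickest way to audit a box for them is to parse a regedit export offline and compare each one against its expected default. The script below is an added example written for this thread, not code from the thread, from Int_13h's paper or from any tool named here. It handles the subset of the .reg format that regedit /e writes (string values, dword, and backslash-continued hex(2) REG_EXPAND_SZ data), and the sample export it runs on is constructed: the MYHACK path, the comfile handler and the ShellScrap key were made up to trigger the checks. ErrorControl 0 (SERVICE_ERROR_IGNORE) is legitimate for some services, so that check is only a hint to be read together with the ImagePath one.

```python
"""Offline audit of a regedit export against the autostart locations named in
this thread.  Added example, not from the thread or Int_13h's paper."""
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]


def to_hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2): plus
    comma-separated UTF-16LE bytes, wrapped with a trailing backslash."""
    hexbytes = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    lines = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


# Constructed sample (assumed path, not from a real host) used to build the export.
HIJACKED_IMAGE_PATH = r"%SystemRoot%\System32\MYHACK\svchost.exe"

# Constructed regedit /e style export; the comfile handler, the ShellScrap key and
# the lanmanserver values are made up to exercise the checks.
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"ErrorControl"=dword:00000000
"ImagePath"={to_hex2(HIJACKED_IMAGE_PATH)}
'''


def decode_value(data: str) -> RegValue:
    """Decode one exported value: "string" (undo \\ and \" escapes), dword:, hex(2):."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):
        raw = bytes.fromhex(data[7:].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> RegTree:
    """Parse [key] sections and name=data lines; key and value names are lower-cased,
    the default value (@) is stored under the empty name."""
    tree: RegTree = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]  # hex data continues on the next line
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree[current] = {}
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"').lower()
        tree[current][name] = decode_value(data)
    return tree


SHELL_OPEN_DEFAULT = '"%1" %*'  # expected default for exe/com/bat/hta/pif handlers
HANDLER_KEY = re.compile(
    r"^(hkey_classes_root|hkey_local_machine\\software\\classes)\\"
    r"(exefile|comfile|batfile|htafile|piffile)\\shell\\open\\command$")
SERVICE_KEY = re.compile(r"^hkey_local_machine\\system\\currentcontrolset\\services\\([^\\]+)$")
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def executable_of(image: str) -> str:
    """Return the executable part of an ImagePath, honouring a quoted path."""
    if image.startswith('"'):
        return image[1:].split('"', 1)[0]
    return image.split()[0] if image else ""


def audit(tree: RegTree) -> List[str]:
    """Return one finding per deviation from the defaults discussed in the thread."""
    findings: List[str] = []
    for key, values in tree.items():
        m = HANDLER_KEY.match(key)
        if m and values.get("") != SHELL_OPEN_DEFAULT:
            findings.append(f"{m.group(2)} handler changed: {values.get('')!r}")
        m = SERVICE_KEY.match(key)
        if m:
            image = str(values.get("imagepath", ""))
            folder, _, base = executable_of(image).rpartition("\\")
            if base.lower() == "svchost.exe" and folder.lower() != r"%systemroot%\system32":
                findings.append(f"service {m.group(1)}: svchost.exe outside System32: {image}")
            if values.get("errorcontrol") == 0:
                findings.append(f"service {m.group(1)}: ErrorControl 0, start failures are not reported")
        if "nevershowext" in values:
            findings.append(f"{key}: NeverShowExt hides the real extension")
    shell = str(tree.get(WINLOGON_KEY, {}).get("shell", "explorer.exe"))
    if shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, not Explorer.exe")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run against the sample it reports the comfile handler, the ShellScrap NeverShowExt value, and two findings for lanmanserver (svchost.exe under a subfolder of System32, and ErrorControl 0); the txtfile handler is left alone because only the executable-type classes are compared against "%1" %*. On a real export the same checks apply unchanged; the NeverShowExt rule will also list legitimate classes such as shortcuts, so it is a review list rather than a verdict.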
LittleHacker
Feb 21 2004, 10:22 AM
One more method is still left: this method is for Special Trojans! This special Trojan will accept a command and its parameters as a switch! Consider the command "Trojan.exe notepad.exe %1": it will run the trojan and the trojan will open %1 with notepad. ok. Now just edit the registry and define trojan.exe as the default program for opening text files (*.txt). Now each click on any *.txt file will run our trojan. The only point is not to define EXEFILE as Trojan.exe, because running trojan.exe will cause it to run again and after a few seconds the system will not have any memory to run anything and it will hang. By the way, if you have not written your own trojan you can use a .js or .vbs to do the same. Sorry if I explained it badly. not a good teacher.
vnet576
Feb 21 2004, 04:50 PM
QUOTE (LittleHacker @ Feb 21 2004, 05:22 AM)
One more method is still left: this method is for Special Trojans! This special Trojan will accept a command and its parameters as a switch! Consider the command "Trojan.exe notepad.exe %1": it will run the trojan and the trojan will open %1 with notepad. ok. Now just edit the registry and define trojan.exe as the default program for opening text files (*.txt). Now each click on any *.txt file will run our trojan. The only point is not to define EXEFILE as Trojan.exe, because running trojan.exe will cause it to run again and after a few seconds the system will not have any memory to run anything and it will hang. By the way, if you have not written your own trojan you can use a .js or .vbs to do the same. Sorry if I explained it badly. not a good teacher.
That's true...except in ur trojan u can add several APIs to make it check if the exe is already running. So it'll be safe to set it to start when u open exes. But that's a great idea, I'm gonna incorporate it into my functions.
dongfangshuo
Feb 21 2004, 05:34 PM
hehe let me try
boshcash
Feb 23 2004, 05:48 PM
QUOTE (vnet576 @ Feb 21 2004, 03:09 AM)
There is one more method that nobody has mentioned. I was surprised to discover that windows allows you to modify services...even crucial system services! For example let's take the service "Server"..an important but not crucial system service...specifically known as lanmanserver. So let's open it up in the registry:
The things that draw my attention are ErrorControl (DWORD) and ImagePath (SZ). I hope some of you are beginning to see where I'm going with this..we're gonna take over that service. So let's remove the default image path
CODE
%SystemRoot%\System32\svchost.exe -k netsvcs
and change it for our own: (note u can name svchost.exe anything u want..i just think it's a better name than l33ttrojan.exe.)
CODE
%SystemRoot%\System32\MYHACK\svchost.exe
Now as u might expect, if u reboot windows is going to give u a lot of ugly error messages such as "service path invalid"....etc...etc...etc. So we're gonna change the ErrorControl to "0"..meaning no errors.
Basically the service will attempt to start when the host boots his machine...the service will run your trojan..the service will crash..the service will NOT create an error message. The whole process repeats every time the host boots his machine. The scary thing is that you can do this with any system service, which just goes to show how insecure windows really is..u can technically do this with the RPC service, but u would get a lot of undesirable side effects..so just find a rarely used but default service like Wireless Zero Configuration and take it over.
nice method, i like those ways, they are real ways that are considered as backdoor startups!, maybe someone can configure a service to run cmd.exe /c net user Administrator newpass & servicexe.exe, so that will change the admin pass every startup, also i think it will keep the service running