Government Security
Network Security Resources


All Ways To Auto Start An Exe !

48 replies to this topic

#1 Guest_Axl_*

Guest_Axl_*
  • Guests

Posted 08 December 2003 - 01:05 PM

All Known and Unknown Autostart Methods from TLSecurity.net

1. Autostart folder
Everything in here will restart.
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
This Autostart Directory is saved in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"
'So it could be easily changed by any program.

2. Win.ini
[windows]
load=file.exe
run=file.exe

3. System.ini [boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
'Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts
every time.

5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

6. c:\windows\wininit.ini
'Often used by setup programs; when the file exists it is run ONCE and then is deleted by Windows.
Example: (content of wininit.ini)
[Rename]
NUL=c:\windows\picture.exe
'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
requires no interactivity with the user and runs totally stealth.

7. Autoexec.bat
Starts every time at DOS level.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*",
server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.
Known as the Unknown Starting Method and is currently used by SubSeven.

9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

10. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

The NeverShowExt key has the function to HIDE the real extension of the file (here SHS).
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs,
including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real
extension to show up.

taken from illmob's site !!!

10x man !!!
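A defender-side check for several locations in the list above (sections 2, 3, 5 and 8), added here as an example; it is not part of the original post or of TLSecurity.net's material. It works on exported text (win.ini and system.ini contents plus a Regedit .reg export) rather than the live registry, so it runs on any system; the inputs below are constructed samples, and the name "(Default)" for a key's @ value is this example's own convention.

```python
import configparser
import re

EXPECTED_SPAWN = '"%1" %*'  # default open command for exe/com/bat/pif/hta (section 8)
SPAWN_CLASSES = ("exefile", "comfile", "batfile", "piffile", "htafile")
RUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")  # section 5, lower-cased
# Constructed sample inputs, not captured from a real machine.
WIN_INI = "[windows]\nload=\nrun=c:\\windows\\server.exe\n"
SYSTEM_INI = "[boot]\nShell=Explorer.exe file.exe\n"
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\\windows\\server.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"
'''

def audit_ini(name, text):
    """Flag win.ini load=/run= (section 2) and a system.ini Shell= with extra tokens (section 3)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    findings = [f"{name}: [windows] {k}={cp.get('windows', k).strip()}" for k in ("load", "run")
                if (cp.get("windows", k, fallback="") or "").strip()]
    shell = (cp.get("boot", "shell", fallback="") or "").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(f"{name}: [boot] Shell={shell}")
    return findings

def _unquote(s):
    s = s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s
    return re.sub(r'\\(.)', r'\1', s)  # undo the .reg escapes \\ and \"

def parse_reg(text):
    """Minimal Regedit-export parser: {key path: {value name: data}}."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            cur["(Default)" if m.group(1) == "@" else _unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def audit_registry(keys):
    """Yield every Run* value and any shell-spawning open command that is not the default."""
    for path, values in keys.items():
        low = path.lower().split("\\")
        if low[-1] in RUN_KEYS and "currentversion" in low:
            yield from (f"{path}: {n}={d}" for n, d in values.items())
        if len(low) > 3 and low[-4] in SPAWN_CLASSES and low[-3:] == ["shell", "open", "command"]:
            if values.get("(Default)") != EXPECTED_SPAWN:
                yield f"{path}: open command hijacked: {values.get('(Default)')!r}"
```

Feed the same functions the real win.ini, system.ini and a .reg export of the keys in sections 5 and 8 to get a finding per entry; the Shell Folders Startup path, wininit.ini and the ICQ Agent\Apps key are not covered here.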

#2 Barvaz88

Barvaz88

    Private First Class

  • Members
  • 81 posts

Posted 08 December 2003 - 03:40 PM

10x man nice thing :)

#3 Travis

Travis

    Specialist

  • Sergeant Major
  • 2,101 posts

Posted 08 December 2003 - 04:55 PM

Putting a Trojan as C:\explorer.exe will execute it every time the computer restarts.

#4 Guest_biboupoki_*

Guest_biboupoki_*
  • Guests

Posted 08 December 2003 - 04:57 PM

very nice thanx

#5 Kynroxes

Kynroxes

    Staff Sergeant

  • Members
  • 263 posts

Posted 08 December 2003 - 10:00 PM

tks Axl for the list in order to help
tks dissolutions I will test it later!

#6 SlippyG

SlippyG

    Specialist

  • Members
  • 121 posts

Posted 08 December 2003 - 10:24 PM

All Known and Unknown Autostart Methods from TLSecurity.net

Does anyone else find it rather strange that any of these methods are
considered 'unknown'? It is not exactly a very exhaustive list.

Perhaps they mean that these are all the techniques 'known' to be in use
by existing malware examined by TLSecurity (rather than all the methods
available) Oh, + a few that they haven't seen used in malware but are
common sense.


I notice simple techniques such as exebinding to (or chain-executing of)
legitimate common executables and a whole heap of other registry locations
are missing from the list. Similarly, all of the techniques seem to be aimed at
running an ARBITRARY binary without writing any additional code... obviously,
code DESIGNED to autorun could use still more methods.

Maybe this should have been billed as 'Top 10 simplest methods of autorunning
any binary' rather than 'All ways to run auto-start an exe' which it so obviously
isn't.

Sorry if I seem a bit picky. Misinformation is a dangerous thing. I'd hate for
any fellow members to wrongly sound the 'all clear' simply because they had
checked all the startup methods in this short list.


SG

#7 gman24

gman24

    Specialist

  • Sergeant Major
  • 643 posts

Posted 08 December 2003 - 10:52 PM

Edit:

This is different from dissolutions' post of c:\explorer.exe. If you patch it or replace this with a modified version it cannot be deleted. If it is deleted using the same methods to replace it, the user interface will fail to start. This is a modification to the interface, not just a file starting up.

The one I am talking about is located at %systemroot%\explorer.exe; commonly the system root is C:\WINDOWS.



I notice simple techniques such as exebinding to (or chain-executing of)
legitimate common executables and a whole heap of other registry locations


That just reminded me of something.

If you file bind to explorer.exe, use a "patch" program that after patching gets deleted, or just straight up replace it; it will start up every time. Explorer.exe is your user interface for Windows; if you want to play with it in assembly as I have, create a copy and have it replace the original before boot (be sure to back up as well in case you mess something up). You can't modify explorer.exe while Windows is running (you can inject the process with code though), so what you need to do is have it replaced on bootup. Play with autoexec.bat and config.sys :).

You can also replace it manually by booting up in safe mode with command prompt and replacing the files.

There are also keys to load items with Internet Explorer or other browsers; since this is usually run within the day on most computers connected to the internet, it's sort of an autostart method.

Then there are always the programs that start up automatically that the keys are in places you would never expect.

#8 PiXeL

PiXeL

    Private First Class

  • Members
  • 22 posts

Posted 09 December 2003 - 02:48 AM

Very good tute!!!
Thxxxxx

#9 neoragexxx

neoragexxx

    Private First Class

  • Members
  • 56 posts

Posted 09 December 2003 - 08:39 AM

thx for the useful info axl ;)

#10 Guest_batigoooal_*

Guest_batigoooal_*
  • Guests

Posted 10 December 2003 - 02:18 AM

good tutz thks for pasting this info from illmob website!

#11 boshcash

boshcash

    Staff Sergeant

  • Sergeant Major
  • 461 posts

Posted 10 December 2003 - 04:08 AM

guys there are other startup methods, like the RunAs service and the Active Setup startup method used by the Beast trojan, and the policies way also used by the Beast trojan, and also putting a hex-edited version of explorer.exe and editing the registry to point to it as the default Windows shell

#12 Guest_saendler_*

Guest_saendler_*
  • Guests

Posted 10 December 2003 - 08:58 AM

very useful this info

big thx

#13 LoCaliSe

LoCaliSe

    Private First Class

  • Members
  • 39 posts

Posted 10 December 2003 - 09:22 AM

good tutz thks :D

#14 krackatoa

krackatoa

    Corporal

  • Members
  • 194 posts

Posted 10 December 2003 - 07:49 PM

Try this program for viewing autostart information. I've used it regularly to track down trojan start methods without manually having to check each location:

I unleash just about every executable I find on boards like this to my sacrificial machine. It's always interesting to see who is trying to infect who.

Auto-start viewer:

http://www.diamondcs...ds/asviewer.zip

Also take a look at sysinternals, they have a similar free tool

They are not all inclusive, but have a good amount of known start methods.

#15 Helloman

Helloman

    Private First Class

  • Members
  • 57 posts

Posted 11 December 2003 - 02:57 AM

Woooow,

this is even more than "interesting" or "useful".

This is awesome, not just the silly autostart folder or common methods.

Many ways not every admin will notice.




