i8igmac Posted May 10, 2016

#infect normal operations mode
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\run
#infect normal operations mode
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
#infect SAFE BOOT NETWORK MODE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Spooler]
@="Service"

Years ago I spent some time making rootkits for Windows machines... this was a lot of fun learning the ways to better infect a machine and keep a reverse shell running 100% of the time... I would deploy my rootkit from a meterpreter shell, upload and execute functions and make a few registry entries in an automated fashion...

I hope to get some feedback on all locations to infect. A very basic infection could be as simple as placing your exe in the startup folder (below):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Every time the machine reboots, your application will start up... I hope you guys can share more simple and advanced examples such as:
Safe mode registry locations
Current user locations
All user locations
Local machine locations
Scheduled tasks
Etc...

I will attempt to recover a machine tonight and hope to get your feedback.
i8igmac (Author) Posted May 11, 2016

1) StartUp
C:\windows\start menu\programs\startup
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
"Anything over here executes when you start up your computer"

2) Windows Scheduler: Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) "Autoexec.bat"

6) These reg keys will basically spawn your programs; as you can see this is very dangerous because these keys are heavily used by viruses and Trojans.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.

7) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one that you see all the time but don't realize is there; if you go to your task manager you can see it. You can even kill it and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so there is a clue of how a small difference can have an effect on your computer. Here is the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
If a Trojan changes that to the path of another "infected explorer.exe" file, your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8) "Active-X Component"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe
This key is great because it starts the program in its path BEFORE the explorer.exe file and any other program starts on your computer, so if you wonder why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.
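An added example, not from the thread or the Symantec article: a small Python audit that parses a .reg export of the locations listed above (the exefile/comfile/batfile/htafile/piffile open commands from item 6, the Run/RunOnce/RunServices keys from item 4, and the SafeBoot key from the first post) and flags any file-type handler that is no longer the stock "%1" %* while listing every autorun and SafeBoot entry for review. The sample export is constructed inline so the check runs offline; on a real machine you would feed it the output of reg export.

```python
import re

# Constructed sample .reg export (not from the thread): one hijacked exefile handler,
# one stock batfile handler, two Run entries and the SafeBoot key from the first post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\upd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Spooler]
@="Service"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HANDLER_RE = re.compile(r'\\(exe|com|bat|hta|pif)file\\shell\\open\\command$', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once|OnceEx|Services|ServicesOnce)?$', re.I)
SAFEBOOT_RE = re.compile(r'\\Control\\SafeBoot\\(Minimal|Network)\\', re.I)
EXPECTED_HANDLER = '"%1" %*'  # stock open command for exe/com/bat/hta/pif

def unquote(s):
    """Undo .reg string quoting: strip the outer quotes, then the \\ and \" escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s  # hex:/dword: data is left as written

def parse_reg(text):
    """Return {key_path: {value_name: data}}; the '@' default value is stored as '(Default)'."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) == '@' else unquote(m.group(1))
            keys[current][name] = unquote(m.group(2))
    return keys

def audit(keys):
    """Findings as (level, key, detail): HIGH for a non-stock file handler, REVIEW for autorun/SafeBoot entries."""
    findings = []
    for key, values in keys.items():
        default = values.get('(Default)', '')
        if HANDLER_RE.search(key) and default != EXPECTED_HANDLER:
            findings.append(('HIGH', key, default))
        elif RUN_RE.search(key):
            findings.extend(('REVIEW', key, f'{n} -> {d}') for n, d in values.items())
        elif SAFEBOOT_RE.search(key):
            findings.append(('REVIEW', key, default))
    return findings
```

Compare the REVIEW lines against a known-good export of the same machine; the HIGH line is the handler hijack that item 6 describes.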
i8igmac (Author) Posted May 11, 2016

http://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue

I found this article (content posted above). Some useful information for manual removal of registry locations... they are missing the SafeBoot location, which I think Symantec should have included in their article... Anyone think of other techniques?
i8igmac (Author) Posted May 11, 2016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
i8igmac (Author) Posted May 11, 2016

https://malwaretips.com/threads/most-important-areas-in-registry-to-check-for-viruses.38778/

More useful
fugu Posted May 11, 2016

I didn't know about RunServices, I never thought of trying that entry. I always would just play about with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to get stuff to start when Windows starts.
i8igmac (Author) Posted May 11, 2016

https://www.raymond.cc/blog/how-to-edit-windows-registry-key-values-without-booting-in-windows/

This is a good looking article, shows how to boot up from a live USB stick and modify the registry... the problem you may run into is these nasty rootkits are almost unstoppable in many ways... can't kill the process and you can't overwrite their registry keys... they always respawn and rewrite the keys... I figure a live OS boot stick should do the trick...
i8igmac (Author) Posted May 11, 2016 (edited)

http://securityxploded.com/backtrackregistry.php

And here is a tutorial showing how to boot up Kali live USB and edit the Windows registry... Run ClamAV when you have Kali running on the Windows hard drive via command line... it's possible the AV will capture tools on the Kali HD and lock them up...

Edited May 11, 2016 by i8igmac
fugu Posted May 15, 2016

http://securityxploded.com/backtrackregistry.php
And here is a tutorial showing how to boot up Kali live USB and edit the Windows registry... Run ClamAV when you have Kali running on the Windows hard drive via command line... it's possible the AV will capture tools on the Kali HD and lock them up...

That's a great find! Thank you for the share!