Jump to content

windows safe boot infection... please share registry locations


i8igmac
 Share

Recommended Posts

#infect normal operations mode

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\run

#infect normal operations mode

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

#infect SAFE BOOT NETWORK MODE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Spooler]

@="Service"

years ago I have spent some time making rootkits for windows machines... this was a lot of fun learning the ways to better infect a machine and keep a reverse shell running 100% of the time... I would deploy my rootkit from a meterpreter shell, upload and execute functions and make a few registry entry in a automated fashion...

I hope to get some feed back on all locations to infect, a very basic infection could be as simple as placing your exe in the startup folder (below)

C:\ProramData\Micsoft\Windows\Start Menu\Programs\Startup

Every time the machine reboots, then your application will startup... I hope you guys can share more simple and advanced examples such as

Safe mode registry locations

Current user locations

all user locations

Local machine locations

scheduled tasks

Etc...

I will attempt to recover a machine tonight and hope to get your feedback.

Link to comment
Share on other sites

1) StartUp

C:\windows\start menu\programs\startup

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]

"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]

"Common Startup"="C:\windows\start menu\programs\startup"

"Anything over here execute when you start up your computer"

2) Windows Scheduler:

Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat

'It basically behaves like a normal batch file, then only difference is that it can be used to delete files when you start up your computer

4) Registry :

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

"Whatever"="c:\runfolder\program.exe"

5) "Autoexec.bat"

6) These reg keys will basically spawn your programs, as you can see this is very dangerous because these keys are very used by viruses and Trojans.

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*", the

server.exe will be executed EVERYTIME an exe/pif/com/bat/hta is executed.

7) Explorer start-up

The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer, that file is basically the one that you see all the time but dont realize it is there , if you go to your taskmaganer you can see it, you can even kill it and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc, but your desktop will be gone.

As you can see this is dangerous because it also means that if somebody modify your explorer.exe file then your computer will be corrupted. In fact, to change the name of the start bottom, has to be done by modifying the explorer.exe file, so there is a clue of a small difference that can have an effect in your computer.

here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

if a Trojan changes that to a path of another "infected explorer.exe file" your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8)"Active-X Component"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]

StubPath=C:\PathToFile\Filename.exe

This key is great because it starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer, so if you can understand why your antivirus can't detect the virus when you boot up, it is maybe because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up

Link to comment
Share on other sites

http://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue

I found this article (content posted above). some useful information for manual removal of registry locations... they are missing the safeboot location witch I think symatec should have included in there article...

Any one think of othere techniques?

Link to comment
Share on other sites

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Link to comment
Share on other sites

I didn't know about RunServices, I never thought of trying that entry. I always would just play about with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to get stuff to start when windows starts

Link to comment
Share on other sites

https://www.raymond.cc/blog/how-to-edit-windows-registry-key-values-without-booting-in-windows/

This is a good looking artical, shows how to bootup from a live usb stick and modify the registry...

the problem you may run into is these nasty rootkits are almost unstoppable in many ways... cant kill the process and you cant over write there regestry keys... they always respawn and rewrite the keys...

I i figure a live os boot stick should do the trick...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...