Gray Hat: Add Your Program To Autorun On Windows XP and 7

Saturday 23 August 2014

Add Your Program To Autorun On Windows XP and 7

Intro. What Are Autoruns?

For those who don't know, autoruns are the programs which are automatically run every time Windows starts or boots. Most of the time they are background applications and services, which means that the user (we) is not even aware of them running in the background.


Wouldn't it be great if we could add our hacking tool to the list of programs which are run automatically, so that we won't have to run it manually every time on our target computer? While most hack tools come with an autorun entry built in (that is, most hacking software contains the code to make itself autorun), this is not the case with all of them. Plus, with the security features of Windows getting stricter and stricter, it is not as easy as before to add an entry to the system registry.


A List Of Autostart Methods On Windows Machines

Now, before I tell you about my method (which is an easy little innovation), you would probably like to know about the commonly known and not-so-known methods of autorun on a Windows machine.


1. Autostart folder
Everything in here will start with Windows.
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
The location of this Autostart directory is saved in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders as Startup="C:\windows\start menu\programs\startup", so it can easily be changed by any program.


2. Win.ini
[windows]
load=file.exe
run=file.exe


3. System.ini [boot]
Shell=Explorer.exe file.exe


4. c:\windows\winstart.bat
Note: behaves like a usual BAT file. Used for copying or deleting specific files. Autostarts every time.


5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]


6. c:\windows\wininit.ini
Often used by setup programs: when the file exists it is run ONCE and then deleted by Windows.
Example: (content of wininit.ini)
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interactivity with the user and runs totally stealthily.


7. Autoexec.bat
Starts every time at DOS level.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @=""%1" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @=""%1" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @=""%1" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @=""%1" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @=""%1" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @=""%1" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @=""%1" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @=""%1" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @=""%1" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @=""%1" %*"

The key should have a value of "%1" %*; if this is changed to "server.exe %1 %*", then server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is executed.
Known as the Unknown Starting Method and currently used by SubSeven.


9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.


10. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

The NeverShowExt value has the function of HIDING the real extension of the file (here SHS). This means that if you rename a file to "Girl.jpg.shs", it displays as "Girl.jpg" in all programs, including Explorer.
Your registry will be full of NeverShowExt values; simply delete the value to get the real extension to show up.
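As an added example (not code from the original post), here is a PowerShell audit of the registry-based entries in this list that an administrator can run to see whether any of them have been changed from their Windows defaults. It assumes an elevated PowerShell 3.0 or later session, and it reads the Winlogon and per-user "Windows" keys, which are where NT-based Windows keeps the old system.ini Shell= and win.ini load=/run= settings.

```powershell
# Added example, not code from the original post: audit the registry hijack points
# named in the list above and report any value that differs from the Windows default.
# Assumes an elevated PowerShell 3.0+ session on the machine being checked.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Value, $Expected) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Expected = $Expected })
}

# 8. Shell spawning: the command that launches every exe/com/bat/pif file.
# The default is  "%1" %*  ; anything placed in front of it runs on every launch.
$expectedOpen = '"%1" %*'
foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    foreach ($cls in 'exefile', 'comfile', 'batfile', 'piffile', 'htafile') {
        $key = "$root\$cls\shell\open\command"
        if (-not (Test-Path $key)) { continue }
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        if ($cls -eq 'htafile') {
            # htafile legitimately points at mshta.exe, so it is listed for review, not compared.
            Add-Finding $key $cmd 'mshta.exe "%1" ... (review manually)'
        } elseif ($cmd -ne $expectedOpen) {
            Add-Finding $key $cmd $expectedOpen
        }
    }
}

# 3. system.ini [boot] Shell= : on NT-based Windows this value lives under Winlogon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -ne 'explorer.exe') { Add-Finding "$winlogon\Shell" $shell 'explorer.exe' }

# 2. win.ini [windows] load= / run= : mapped to the per-user "Windows" key; both values
# are normally absent or empty.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($name in 'Load', 'Run') {
    $v = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).$name
    if ($v) { Add-Finding "$winKey\$name" $v '<empty>' }
}

if ($findings.Count -eq 0) { 'No deviations from the defaults found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Anything reported for exefile/comfile/batfile/piffile, a Winlogon Shell other than explorer.exe, or a non-empty Load/Run value is worth tracing to the program it launches before deciding whether it is legitimate.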

My Little Innovation

 

Now, while this list provides you with a number of great options for adding an inconspicuous entry for your software, sometimes (mostly on Windows 7 and above) the operating system asks for admin access even for making registry changes, let alone editing system files such as user.ini and win.ini.

However, even under these high security conditions, it is easily possible to add our program to the list of autorun programs. Here's how. I will use my laptop as an example.

Step-1: Find at least one autorun program on the target computer.
This means you need to locate one program which is run at startup on the target computer. This should be easy. The autorun folder is the easiest option. Otherwise, open the registry editor and look at the list of programs in the HKEY_LOCAL_MACHINE (better) or HKEY_CURRENT_USER (for one user only) autorun keys.


Step-2: Go to the target location.
After you have located one autorun program on the target computer, go to the folder/directory which contains this program. For shortcuts in the autostart folder, you only need to right-click and select Open Containing Folder. For entries in the system registry, you would need to follow the path written there.


Step-3: Kill the target program

This does not mean deleting it. It means: open up the Task Manager, go to the Processes tab, find the target program in the list, right-click it and select Kill Process. Hit Yes if it asks you to confirm your selection.




Step-4: Replace target program with your program
Now you will need to rename the target program (deleting it is severely discouraged, as the target user will immediately learn something is wrong the next time Windows starts). However, if you find something as trivial as the utilities usually found on laptops, you can delete it right away. Then paste your program (the one you want to make autorun) in this location with the same name as the target file; for example, in my case I would rename my program to USB3MON.exe.

After this step, you are officially done with your task. The program already had an autorun entry; you have only replaced the target program. Now that's what they call diversion. While those pesky Windows security programmers concentrate on making it harder to add an autorun entry, we have achieved our purpose without having to breach their stupid protocols and procedures. Long live the hacking community!

Step-5 (Optional): Setup an execution for the renamed program
In case you renamed the target software, you will need to set up a method for its execution so that the target user does not find anything fishy with performance. I suggest, for this, that you add a "shell" call to your application for running the renamed app. There are several other options for it too, if you don't have access to the code of your hack tool, but they won't be discussed in detail here. Use your creativity.
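Because the swap in Step 4 leaves the autorun entry itself untouched and changes only the file behind it, the check an administrator wants is on the binaries, not the entries. The following PowerShell script is an added example (not the post's code) that resolves the Startup-folder and Run/RunOnce entries to their executables and reports Authenticode status, signer, SHA-256 and last write time; it assumes PowerShell 4.0 or later (for Get-FileHash), and Get-RunTarget is a small helper defined in the block, not a built-in cmdlet.

```powershell
# Added example, not code from the original post: list the executables that the
# Startup folders and the Run/RunOnce keys actually launch, with Authenticode
# status, SHA-256 and modification time, so a binary swapped in place (same name,
# different file, as in Step 4) stands out. Assumes PowerShell 4.0+ (Get-FileHash).

function Get-RunTarget([string]$CommandLine) {
    # Helper defined here: first token that ends in .exe, quoted or not; adequate for typical Run values.
    if ($CommandLine -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $null
}

$targets = New-Object System.Collections.Generic.List[object]

# 1. Startup folders (current user and all users); .lnk files are resolved to their target.
$wsh = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $path = if ($f.Extension -eq '.lnk') { $wsh.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $targets.Add([pscustomobject]@{ Source = "StartupFolder\$($f.Name)"; Path = $path })
    }
}

# 5. Run / RunOnce keys for the machine and the current user.
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not an entry
            $targets.Add([pscustomobject]@{ Source = "$key\$($p.Name)"; Path = (Get-RunTarget $p.Value) })
        }
    }
}

# Signature status, signer, hash and last write time for every target that exists on disk.
$report = foreach ($t in $targets) {
    if (-not $t.Path -or -not (Test-Path -LiteralPath $t.Path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $t.Path
    [pscustomobject]@{
        Source    = $t.Source
        Path      = $t.Path
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -LiteralPath $t.Path -Algorithm SHA256).Hash
        Modified  = (Get-Item -LiteralPath $t.Path).LastWriteTime
    }
}
$report | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

An entry whose file is unsigned (Signature of NotSigned) while sitting in a vendor directory, or whose Modified time is far newer than the files around it, is exactly what a replaced USB3MON.exe-style binary looks like; comparing the SHA256 column against a baseline taken from a clean machine confirms it.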

