Friday, April 08, 2005

Interesting stuff on Windows

I was working on a spreadsheet containing information about Registry AutoStart locations last night and ran across something pretty interesting that I thought I'd pass along...

One of the AutoStart locations used by malware is:

HKLM\Software\Classes\exefile\shell\open\command\

On a live system, this also maps to the HKEY_CLASSES_ROOT hive...

HKCR\exefile\shell\open\command

This entry specifies the command to be launched when an exefile (a file ending with the .exe extension) is run. The Default value for this key is "%1" %*. Some malware writes to this entry, ensuring that the malware is launched whenever an executable is run.

*Note: This same sort of thing applies to other types of executable files, such as cmdfile, comfile, scrfile, piffile, and batfile.

So I wanted to see what else could be done via these sorts of keys, so I navigated to:

HKCR\Drive\shell\cmd\command

I right-clicked on the Default value and chose Modify. The default entry is cmd.exe /k "cd %L", and I added && notepad.exe to the command, and clicked "OK". I then opened My Computer, right-clicked on the C:\ drive, and chose "Open Command Prompt here..." from the context menu. A command prompt AND Notepad opened!

So this adds yet another entry to one of the three classes of AutoStart locations (ie, System boot, User login, User activity). I haven't seen anything on the Internet (yet) about locations like this being used by malware or malicious users, but it does go to show what could be done.

7 comments:

spencer said...

Interesting info.

I'm using a perl script I wrote which lists startup
reg entries :


@LMKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" ,
"SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts" );

$lmskey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" ;

@CUKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" ,
"SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts");

@UKEY = ( ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" );


and startup folders items in a html report.

Of course I'll add these keys.

What other keys sould I add ?

Have a nice day !

P.S. The script is not on the web now, but if anybody is interested
lepetitalbert@gmail.com

Keydet89 said...

Spencer,

For probably the most comprehensive list of autostart locations available online today, go to SysInternals.com and check out AutoRuns.

I'm adding to a spreadsheet that I put together, consolidating this information and wealth of other resources...I'm trying to verify some information, and add references for others. Once I get this completed, it's been suggested that I move if from an Excel spreadsheet into something more manageable/useful.

Thanks,

Harlan

Anonymous said...

See also Silent Runners

spencer said...

Thanks anonymous, cool one.

Have a nice day !

spencer said...

Harlan,

In the original post you say :

"so I navigated to:

HKCR\Drive\shell\cmd\command"

Do you have those keys by default or do you create them ?

I don't have them (XP and 2k).

Have a nice day.

Keydet89 said...

Spencer,

I didn't see the key on my system at home, either...it was XP Home. I didn't try it on my XP Pro system.

Try this...go to HKLM\Software\Classes\Drive\shell

and see what subkeys you have; if you find '\cmd\command', then you should see a '(Default)' value with 'cmd.exe /k "cd %L"' as the data.

Harlan

pri said...

I neither have that key in WXP Pro nor WXP Home, just HKCR\Drive\shell\command

In W2K I cannot find it either, the closest I get is:
anonymous

Btw, I found that adding && notepad.exe to HKLM\Software\Classes\exefile\shell\open\command\ tries to add whatever it is in notepad.exe to the registry everytime regedit is opened. Playing a bit with it I found it was easy to add/delete whatever from the registry without confirmation. It could be used to delete stored keys when someone manually tries to search for something.

Btw, there's a nice list of startup items in this site:
silentrunners

Regards