Friday, April 08, 2005

Interesting stuff on Windows

I was working on a spreadsheet containing information about Registry AutoStart locations last night and ran across something pretty interesting that I thought I'd pass along...

One of the AutoStart locations used by malware is:

HKLM\Software\Classes\exefile\shell\open\command\

On a live system, the same key is also reachable through the HKEY_CLASSES_ROOT view (which merges HKLM\Software\Classes with the current user's classes):

HKCR\exefile\shell\open\command

This entry specifies the command to be launched when an exefile (a file ending with the .exe extension) is run. The Default value for this key is "%1" %*, where %1 is the path of the file being opened and %* passes along any remaining arguments. Some malware overwrites this value, ensuring that the malware is launched whenever an executable is run.

*Note: This same sort of thing applies to other types of executable files, such as cmdfile, comfile, scrfile, piffile, and batfile.

I wanted to see what else could be done via these sorts of keys, so I navigated to:

HKCR\Drive\shell\cmd\command

I right-clicked the Default value and chose Modify. The default data is cmd.exe /k "cd %L"; I appended && notepad.exe to that command and clicked "OK". I then opened My Computer, right-clicked the C:\ drive, and chose "Open Command Prompt here..." from the context menu. Both a command prompt AND Notepad opened!

So this adds yet another entry to one of the three classes of AutoStart locations (i.e., system boot, user login, and user activity). I haven't seen anything on the Internet (yet) about locations like this being used by malware or malicious users, but it does go to show what could be done.
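As an added defender's check (not code from the original post or its comments), the Python script below parses a .reg export of the shell command keys discussed above and flags any (Default) value that is missing or differs from the defaults the post quotes. It assumes the export has already been decoded from UTF-16 into text, only handles REG_SZ defaults, and runs against a constructed sample export.

```python
import re

# (Default) data the post quotes for two shell command keys; add cmdfile,
# comfile, scrfile, piffile and batfile from a known-good reference machine.
EXPECTED_DEFAULTS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command": '"%1" %*',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\cmd\command": 'cmd.exe /k "cd %L"',
}
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DEFAULT_RE = re.compile(r'^@="(?P<data>(?:[^"\\]|\\.)*)"$')  # REG_SZ only

def _unescape(data):
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", data)

def parse_reg_export(text):
    """Map each key (case-folded) in a decoded .reg export to its (Default)
    string, or None when the key has no REG_SZ default."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _KEY_RE.match(line)
        if m:  # registry key names are case-insensitive
            current = m.group("key").casefold()
            keys.setdefault(current, None)
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            keys[current] = _unescape(m.group("data"))
    return keys

def audit_shell_commands(text, expected=EXPECTED_DEFAULTS):
    """Return (key, found, expected) for every monitored key whose (Default)
    is missing or differs (case-insensitively) from the known-good value."""
    found = parse_reg_export(text)
    findings = []
    for key, good in expected.items():
        actual = found.get(key.casefold())
        if actual is None or actual.casefold() != good.casefold():
            findings.append((key, actual, good))
    return findings

# Constructed sample export: exefile carries the "&& notepad.exe" change from
# the post, while Drive\shell\cmd\command still holds its default.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %* && notepad.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\""
'''
```

Calling audit_shell_commands(SAMPLE_EXPORT) reports the exefile key only; running it against an export taken with reg export HKLM\SOFTWARE\Classes on a real system gives the same comparison for that machine.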

7 comments:

  1. Anonymous, 9:47 AM

    Interesting info.

    I'm using a perl script I wrote which lists startup reg entries:

    # Run-type keys checked under HKEY_LOCAL_MACHINE
    my @LMKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" ,
    "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts" );

    # Single HKLM key handled on its own
    my $lmskey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" ;

    # Run-type keys checked under HKEY_CURRENT_USER
    my @CUKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" ,
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" ,
    "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts");

    # Run keys checked under HKEY_USERS\.DEFAULT
    my @UKEY = ( ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
    ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" );

    and startup folder items in an HTML report.

    Of course I'll add these keys.

    What other keys should I add?

    Have a nice day!

    P.S. The script is not on the web now, but if anybody is interested: lepetitalbert@gmail.com

  2. Spencer,

    For probably the most comprehensive list of autostart locations available online today, go to SysInternals.com and check out AutoRuns.

    I'm adding to a spreadsheet that I put together, consolidating this information and a wealth of other resources...I'm trying to verify some information, and add references for others. Once I get this completed, it's been suggested that I move it from an Excel spreadsheet into something more manageable/useful.

    Thanks,

    Harlan

  3. Anonymous, 7:30 AM

    Thanks anonymous, cool one.

    Have a nice day!

  4. Anonymous, 9:04 AM

    Harlan,

    In the original post you say:

    "so I navigated to:

    HKCR\Drive\shell\cmd\command"

    Do you have those keys by default or do you create them?

    I don't have them (XP and 2k).

    Have a nice day.

  5. Spencer,

    I didn't see the key on my system at home, either...it was XP Home. I didn't try it on my XP Pro system.

    Try this...go to HKLM\Software\Classes\Drive\shell

    and see what subkeys you have; if you find '\cmd\command', then you should see a '(Default)' value with 'cmd.exe /k "cd %L"' as the data.

    Harlan

  6. Anonymous, 10:08 PM

    I have that key in neither WXP Pro nor WXP Home, just HKCR\Drive\shell\command

    In W2K I cannot find it either, the closest I get is:
    anonymous

    Btw, I found that adding && notepad.exe to HKLM\Software\Classes\exefile\shell\open\command\ tries to add whatever is in notepad.exe to the registry every time regedit is opened. Playing a bit with it I found it was easy to add/delete whatever from the registry without confirmation. It could be used to delete stored keys when someone manually tries to search for something.

    Btw, there's a nice list of startup items in this site:
    silentrunners

    Regards
