NOTES OF OFFENSIVE / DEFENSIVE SECURITY: WINDOWS STARTUP PROGRAM POINTS

Windows Boot Device Drivers 
Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services (subkeys with Start = 0 are loaded by the boot loader, Start = 1 during kernel initialisation)

Windows Auto-start Services & Drivers 
Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services (subkeys with Start = 2 are started by the Service Control Manager; ImagePath is the binary that runs)

RunServicesOnce (Windows 9x/ME only; NT-based Windows ignores these keys)
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

RunServices (Windows 9x/ME only)
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Winlogon Notify - 
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
DLLs registered under Notify are loaded into winlogon.exe and called on logon/logoff events (removed in Windows Vista and later).

Userinit Key - 
Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Comma-separated list of programs winlogon runs at logon. The default is C:\windows\system32\userinit.exe, and malware simply appends itself, e.g.
Userinit = C:\windows\system32\userinit.exe,c:\windows\virus.exe

Shell Value - 
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The default is explorer.exe; the HKCU value is normally absent and, when present, overrides the HKLM one for that user.

RunOnce Local Machine Key - 
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Run - 
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

All Users Startup Folder - 
Windows NT C:\winnt\Profiles\All Users\Start Menu\Programs\Startup
Windows 2000 / XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows Vista and later C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User Profile Startup Folder - 
Win 9X, ME c:\windows\start menu\programs\startup
Windows 2000 / XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup
Windows Vista and later C:\Users\LoginName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

RunOnce Current User Key - 
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Explorer Run - 
Registry Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Load Key - 
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
The "run" value in the same key is honoured too; both are the registry-mapped equivalents of the win.ini [windows] load= and run= lines.

AppInit_DLLs - 
Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (value AppInit_DLLs)
Every DLL listed here is loaded into every process that loads user32.dll. On Windows 7 and later the list is only used when LoadAppInit_DLLs = 1, and Windows 8 and later ignore it entirely when Secure Boot is enabled.

ShellServiceObjectDelayLoad - 
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

SharedTaskScheduler 
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

The following are files that programs can autostart from on bootup:
1. c:\autoexec.bat
2. c:\config.sys
3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted (Windows 9x/ME).
4. windir\winstart.bat
5. windir\win.ini - [windows] "load"
6. windir\win.ini - [windows] "run"
7. windir\system.ini - [boot] "shell"
8. windir\system.ini - [boot] "scrnsave.exe"
9. windir\dosstart.bat - Used in Win95 or 98
10. windir\system32\autoexec.nt - Run by NTVDM when a 16-bit program is started, not at boot
11. windir\system32\config.nt - As above
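The registry keys and folders listed above are what an auditor walks through by hand; the script below is an added example, not code from the original post, that walks them on a live Windows Vista-or-later box and flags values that differ from their defaults (Userinit and Shell deviations, a populated AppInit_DLLs, boot/system/auto services whose binary lives outside the Windows directory). It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session, and the "outside Windows" regex is a heuristic of mine, not a rule.

```powershell
# Added example (not from the original post): audit the autostart points listed
# above and flag values that differ from their Windows defaults. Assumes an
# elevated Windows PowerShell 5.1 / PowerShell 7 session on Vista or later;
# the "outside the Windows directory" regex is a heuristic, not a rule.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$Winlogon   = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WindowsKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-RunKeyEntries {
    # Every value under a Run-style key is a command line launched at boot/logon.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    }
}

function Get-WinlogonFindings {
    $wl = Get-ItemProperty "HKLM:\$Winlogon"
    # Default Userinit is "<SystemRoot>\system32\userinit.exe," (trailing comma);
    # malware appends a second entry after the comma, as in the Userinit example above.
    $expected = "$env:SystemRoot\system32\userinit.exe"
    if ($wl.Userinit -and $wl.Userinit.TrimEnd(',') -ne $expected) { "Userinit: $($wl.Userinit)" }
    # Default Shell is explorer.exe; a per-user Shell under HKCU is normally absent.
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { "Shell (HKLM): $($wl.Shell)" }
    $userShell = (Get-ItemProperty "HKCU:\$Winlogon" -ErrorAction SilentlyContinue).Shell
    if ($userShell) { "Shell (HKCU): $userShell" }
    # AppInit_DLLs is only loaded when LoadAppInit_DLLs = 1 (and never under Secure
    # Boot on Windows 8+), but any value at all deserves a look.
    $w = Get-ItemProperty "HKLM:\$WindowsKey"
    if ($w.AppInit_DLLs) { "AppInit_DLLs: $($w.AppInit_DLLs) (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))" }
    # 'load' and 'run' under HKCU\...\Windows are the registry form of win.ini [windows].
    $u = Get-ItemProperty "HKCU:\$WindowsKey" -ErrorAction SilentlyContinue
    if ($u.load) { "HKCU Windows\load: $($u.load)" }
    if ($u.run)  { "HKCU Windows\run: $($u.run)" }
}

function Get-StartupFolderEntries {
    # Vista-and-later equivalents of the XP/2000 startup folders listed above.
    foreach ($dir in @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                       "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File | ForEach-Object {
                [pscustomobject]@{ Folder = $dir; File = $_.Name; Modified = $_.LastWriteTime }
            }
        }
    }
}

function Get-AutoStartServices {
    # Start: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
    # Report boot/system/auto entries and whether the binary sits outside %SystemRoot%.
    Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $s.Start -and $s.Start -le 2 -and $s.ImagePath) {
            $inWindows = $s.ImagePath -match '^("?)(\\\?\?\\)?(\\SystemRoot|%SystemRoot%|%windir%|System32|C:\\Windows)'
            [pscustomobject]@{ Service = $_.PSChildName; Start = $s.Start
                               ImagePath = $s.ImagePath; OutsideWindows = (-not $inWindows) }
        }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-WinlogonFindings
Get-StartupFolderEntries | Format-Table -AutoSize
Get-AutoStartServices | Where-Object OutsideWindows | Format-Table -AutoSize
```

Run it once on a known-clean build and keep the output as a baseline; the interesting entries on a compromised host are the ones that are not in that baseline, not the absolute list.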

A very good graphical utility for working on these registry keys intuitively (the best, in my opinion) is Autoruns by Sysinternals, downloadable from Microsoft.com.

Otherwise there are many other ways, especially if you are a programmer (and probably an attacker rather than just a sysadmin); my favourite is WMI, which also works over RPC.
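The WMI route mentioned above is a permanent event subscription in the root\subscription namespace: a filter (a WQL event query), a consumer (what runs) and a binding that ties them. The block below is an added example, not code from the original post, that lists existing subscriptions the way a defender would and then plants and removes a harmless boot-triggered one the way an attacker would. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the subscription name DemoBootSub and its payload are arbitrary, and the function names are mine.

```powershell
# Added example (not from the original post): WMI permanent event subscriptions
# as a persistence route. Assumes an elevated PowerShell session on Windows;
# DemoBootSub, the payload and the function names are arbitrary.

$Ns = 'root\subscription'   # permanent subscriptions live here and survive reboots

function Get-WmiPersistence {
    # Walk the bindings; each one ties an __EventFilter to a consumer instance.
    Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $b = $_
        $filter = Get-CimInstance -Namespace $Ns -ClassName __EventFilter |
                  Where-Object { $_.Name -eq $b.Filter.Name }
        # The two consumer classes attackers use; others exist (log, SMTP) but run nothing.
        $consumer = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer') | ForEach-Object {
            Get-CimInstance -Namespace $Ns -ClassName $_ -ErrorAction SilentlyContinue
        } | Where-Object { $_.Name -eq $b.Consumer.Name }
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        [pscustomobject]@{ Filter = $filter.Name; Query = $filter.Query
                           Consumer = $consumer.Name; Payload = $payload }
    }
}

function New-WmiBootSubscription {
    param([string]$Name, [string]$CommandLine)
    # Classic "at boot" trigger: polled every 60 s, fires once when system uptime is
    # between 4 and 5 minutes and 25 seconds, i.e. after services have settled.
    $query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
             "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
             "AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
    $filter = New-CimInstance -Namespace $Ns -ClassName __EventFilter -Property @{
        Name = $Name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = $query }
    $consumer = New-CimInstance -Namespace $Ns -ClassName CommandLineEventConsumer -Property @{
        Name = $Name; CommandLineTemplate = $CommandLine }
    # [ref] turns the two instances into the object references the binding expects.
    New-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding -Property @{
        Filter = [ref]$filter; Consumer = [ref]$consumer }
}

function Remove-WmiBootSubscription {
    param([string]$Name)
    Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $Name } | Remove-CimInstance
    Get-CimInstance -Namespace $Ns -ClassName CommandLineEventConsumer |
        Where-Object Name -eq $Name | Remove-CimInstance
    Get-CimInstance -Namespace $Ns -ClassName __EventFilter |
        Where-Object Name -eq $Name | Remove-CimInstance
}

# Self-test: plant a harmless subscription, show it in the listing, remove it again.
# For the "over RPC" variant, add -CimSession (New-CimSession -ComputerName <host>
#   -SessionOption (New-CimSessionOption -Protocol Dcom)) to every CIM call above.
New-WmiBootSubscription -Name 'DemoBootSub' -CommandLine 'cmd.exe /c echo boot > C:\Windows\Temp\demo.txt' | Out-Null
Get-WmiPersistence | Format-List
Remove-WmiBootSubscription -Name 'DemoBootSub'
```

Nothing in this block touches the Run keys or startup folders above, which is exactly why it is popular: Autoruns does list WMI subscriptions (WMI tab), but older tooling and a manual registry review miss them entirely.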

NB: a Task Scheduler task set to launch a process at system boot does not prompt for UAC.
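The boot-time scheduled task mentioned in the note above, as an added example that is not part of the original post: one function registers a task with a boot trigger and the "highest" run level, which the Task Scheduler service launches without ever showing a UAC prompt, and a second lists every task on the box that has a boot trigger so a defender can find the same thing. It assumes an elevated Windows PowerShell session with the ScheduledTasks module (Windows 8 / Server 2012 or later); the task name DemoBootTask, its payload and the function names are mine.

```powershell
# Added example (not from the original post): a task that runs at system start
# with the highest run level, plus the listing that finds such tasks. Assumes an
# elevated PowerShell session on Windows 8 / Server 2012 or later; the task
# name, payload and function names are arbitrary.

function New-BootTask {
    param([string]$Name, [string]$Execute, [string]$Argument)
    $action  = New-ScheduledTaskAction -Execute $Execute -Argument $Argument
    $trigger = New-ScheduledTaskTrigger -AtStartup
    # The Task Scheduler service launches the task itself, so no UAC prompt is ever
    # shown; RunLevel Highest runs it with the registering user's full admin token.
    # S4U lets it run whether or not that user is logged on, without storing a password.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                                            -LogonType S4U -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger -Principal $principal -Force
}

function Get-BootTasks {
    # Boot triggers are MSFT_TaskBootTrigger instances (logon ones are MSFT_TaskLogonTrigger).
    Get-ScheduledTask | Where-Object {
        @($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }).Count -gt 0
    } | Select-Object TaskName, TaskPath,
        @{ n = 'RunAs';    e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
        @{ n = 'Action';   e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

# Self-test: register a harmless boot task, show it among the boot tasks, remove it.
New-BootTask -Name 'DemoBootTask' -Execute 'cmd.exe' -Argument '/c echo boot > C:\Windows\Temp\demo-task.txt' | Out-Null
Get-BootTasks | Format-Table -AutoSize
Unregister-ScheduledTask -TaskName 'DemoBootTask' -Confirm:$false
```

When reviewing the listing, the combination to look for is RunLevel = Highest with an Action outside the Windows directory or in a user-writable path; Microsoft's own boot tasks sit under \Microsoft\Windows\ and point into %SystemRoot%.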




