I'm working on a new utility to help systems guys fight spyware on their systems. I was quite frustrated trying to get one off my Mother's machine: random-named EXEs would keep appearing, even after safe mode boots and removal of hklm\software\microsoft\windows\run keys. I also tried 'pausing' the process using Process Explorer from Sysinternals, with limited success. So, now I'm writing a kernel mode driver to help combat this.
For starters, let's visit the short list of how all things can load on the system.
ShellExecute Hooks: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Shell Delay Load Objects: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
URL Search Hooks: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
App Init DLLs: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs
Download Manager: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, DownloadUI; HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, DownloadUI
Notification Packages: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Startup folders, Run keys, Winlogon values and INI entries:
User\Start Menu\Programs\Startup
All Users\Start Menu\Programs\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, VmApplet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, UIHost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, load
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, BootExecute
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects
win.ini, load
win.ini, run
system.ini, shell
They can also install themselves as services:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
All of these locations can be exploited.
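As an added example (not the blog's driver code), here is a read-only PowerShell sweep of the registry locations listed above: it prints every launch value and CLSID-style subkey so that an unexpected, random-named entry stands out. It assumes PowerShell's HKLM:/HKCU: drives; the startup folders and INI entries are left to the reader, and it needs an elevated prompt to read all HKLM keys.

```powershell
# Added example: enumerate the autostart locations from the list above.
# Read-only; run elevated. Pipe the output to Export-Csv or Format-Table.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\Software\Microsoft\Active Setup\Installed Components',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\System\CurrentControlSet\Control\Session Manager',
    'HKLM:\Software\Microsoft\Internet Explorer',
    'HKCU:\Software\Microsoft\Internet Explorer'
)
# In the mixed keys (Winlogon, Windows, Session Manager, Internet Explorer) only
# these named values decide what runs; in the pure Run-style keys every value does.
$launchValues = 'Shell','Userinit','System','UIHost','VmApplet',
                'AppInit_DLLs','load','run','BootExecute','DownloadUI'
$mixedKey = 'Winlogon$|\\Windows$|Session Manager$|Internet Explorer$'

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }          # key absent on this build
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if (($key -notmatch $mixedKey) -or ($launchValues -contains $name)) {
            # Keep %SystemRoot% unexpanded so the raw stored string is visible.
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{ Location = $key; Name = $name; Data = "$data" }
        }
    }
    # BHOs, Notify packages and Installed Components register as CLSID subkeys.
    foreach ($sub in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Location = $key; Name = $sub.PSChildName; Data = '(subkey)' }
    }
}
# Services: every ImagePath, so the analyst can compare against a known-good baseline.
Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath } |
    ForEach-Object { [pscustomobject]@{ Location = $_.PSPath; Name = 'ImagePath'; Data = $_.ImagePath } }
```

Diff two runs of this output (before and after a reboot, or against a clean machine) rather than reading it cold; a persisting infection shows up as an entry that keeps reappearing under a different name.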
Powered by: newtelligence dasBlog 1.8.5210.0
Disclaimer The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.
© Copyright 2009, Adam Tuliper