EvilZone


Title: Few Questions Win7
Post by: bubzuru on October 30, 2011, 05:54:20 PM
How is malware installing on Windows 7 systems?

Which files/folders are writable with default access (executed without using Run as administrator)?

I'm planning on creating a class that will allow you to install malware easily, but I need to make a few checks (where can I write files on Windows 7 that are discreet?).

I thought of just checking if I'm admin and windir is writable, then installing in XP mode... but then what if it's Windows XP and windir is unwritable? What to do??? The last question doesn't really matter because XP malware just installs without checks. Just thinking ahead.

All ideas welcome.
Title: Re: Few Questions Win7
Post by: ande on October 30, 2011, 08:07:57 PM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same with the Startup folder of the current user in the Start Menu, as far as I know.

When it comes to files/folders, Win7 is a bitch. Only (mostly) the folders in c:\users\USERNAME\ are writable. Preferably c:\users\USERNAME\appdata\, but Documents and My * are also writable, as well as the desktop :P
Title: Re: Few Questions Win7
Post by: Kulverstukas on October 30, 2011, 09:21:14 PM
I think everything becomes writable once you kill the UAC :(
Title: Re: Few Questions Win7
Post by: bubzuru on October 30, 2011, 09:31:54 PM
Quote from: ande
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same with the Startup folder of the current user in the Start Menu, as far as I know.

When it comes to files/folders, Win7 is a bitch. Only (mostly) the folders in c:\users\USERNAME\ are writable. Preferably c:\users\USERNAME\appdata\, but Documents and My * are also writable, as well as the desktop :P

I know those reg keys are writable, that's not what I'm asking.
I need a good place to install the malware if the app is running in restricted mode.
Are the folders you mentioned the only writable folders??

Also, if I start an app in unrestricted mode and then set the HKEY_LOCAL_MACHINE Run value, when it starts will it be running in unrestricted mode??

Quote from: Kulverstukas
I think everything becomes writable once you kill the UAC :(

Yes, but that's not what I want; I want to be silent.
Title: Re: Few Questions Win7
Post by: bubzuru on October 30, 2011, 09:42:11 PM
I know I could test before I post, but I'm lazy.
Gonna just write a simple app and see if it works.

Also, if a process is started by a process with full rights, does the child process have full rights??
Title: Re: Few Questions Win7
Post by: bubzuru on October 30, 2011, 10:18:06 PM
OK, just did a quick test.

I put my file in the root drive and set it to run on startup with the HKEY_LOCAL_MACHINE Run value; seems it still runs with fewer privileges.

Gonna try the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key to see if that helps.

Edit:
Nope, the app still runs with fewer privileges even though it's started by explorer.exe.
Title: Re: Few Questions Win7
Post by: bubzuru on October 30, 2011, 11:58:31 PM
Now I have made an app run on startup with full privileges..... 8)

It requires a stub file that needs UAC authentication...... BUT there is a twist: if you add it to the regular startup key then the desktop starts and it looks dodgy (not good).

Soooo I made a stub that executes before Explorer using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

The UAC dialog runs before the desktop is created (after you click login). If the user clicks "Don't allow" then the desktop won't show; if the user clicks "Allow" then everything works normally and the malware has full access to the file system :0

I've also thought of unmapping explorer.exe, adding UAC and making it so it needs to run with admin access, then running malware through that (not tested).

Will write a tut/tool soon.
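The locations named in this thread, ande's HKCU Run key and user-profile folders and the Winlogon key bubzuru uses for the pre-desktop stub, are also the first places a defender looks. (bubzuru's test result is the expected one: on Vista/7 with UAC on, anything Explorer launches inherits Explorer's filtered medium-integrity token, whichever Run key it came from, which is why the stub has to ask for elevation itself.) What follows is an added example, not code from the thread or from any of its posters: a small Python audit of a constructed .reg-style export that flags Winlogon Shell/Userinit values that differ from their stock defaults (explorer.exe, and C:\Windows\system32\userinit.exe with its trailing comma) and Run entries that launch a script host or reference a path under C:\Users. The sample export, the user name and the file names in it are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not from a real machine): a .reg-style export of the
# three autostart locations discussed in the thread. The Userinit and Updater
# entries mimic the shapes the thread describes; OneDrive stands in for a
# legitimate per-user application that also lives under AppData.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\stub.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="wscript.exe \"C:\\Users\\alice\\AppData\\Roaming\\upd.vbs\""
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock Vista/7 defaults, lower-cased for comparison. Userinit's trailing comma
# is part of the default value, and appending a second path after it is the
# classic way of running something before the shell comes up.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_PROFILE_PATH_RE = re.compile(r"[a-z]:\\users\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)


def _unescape(s):
    """Undo .reg escaping: \\ becomes \ and \" becomes \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, string_data) for every REG_SZ line in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries.append((key, _unescape(name), _unescape(data[1:-1])))
    return entries


def executable_from_command(cmd):
    """First token of a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit(entries):
    """One Finding per autostart entry that deserves a closer look."""
    findings = []
    for key, name, value in entries:
        reasons = []
        if key.lower() == WINLOGON_KEY.lower():
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default is not None and value.strip().lower() != default:
                reasons.append("Winlogon value differs from the stock default")
        elif RUN_KEY_RE.search(key):
            exe = executable_from_command(value).lower().rsplit("\\", 1)[-1]
            if exe in SCRIPT_HOSTS:
                reasons.append(f"autostart runs a script host ({exe})")
            if USER_PROFILE_PATH_RE.search(value):
                reasons.append("autostart references a user-writable profile path")
        if reasons:
            findings.append(Finding(key, name, value, reasons))
    return findings


def audit_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_REG):
        print(f"{f.key}\\{f.name} = {f.value}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample this reports Userinit (non-default), Updater (script host plus a path under the profile) and OneDrive (profile path only). The Winlogon comparison is a hard check, since those two values have exactly one stock default; the C:\Users test is a triage heuristic and will also catch legitimate per-user installs like the OneDrive line, so it sorts the worklist rather than delivering a verdict.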
Title: Re: Few Questions Win7
Post by: bubzuru on October 31, 2011, 01:47:09 AM
Tried unmapping Explorer......
Complete fuck up ???
I managed to replace it, but after restart it almost broke my sister's laptop, so that's a no go.

The single UAC still works, so hahaha fuck Microsoft.
Title: Re: Few Questions Win7
Post by: bubzuru on October 31, 2011, 01:51:46 AM
BTW, just so you know, this hack will allow a file/any file it starts in Windows 7/Vista to run with full access, not just the user's access :D
Title: Re: Few Questions Win7
Post by: bubzuru on October 31, 2011, 10:37:32 PM
Video of it working:
http://www.youtube.com/watch?v=V56PnsvqyuU

More info soon.
Title: Re: Few Questions Win7
Post by: xor on November 01, 2011, 12:10:36 PM
Doesn't help that it's a VBScript and prompts the user to run it. :/ Learn a real language.
Title: Re: Few Questions Win7
Post by: bubzuru on November 01, 2011, 12:30:54 PM
Quote from: xor
Doesn't help that it's a VBScript and prompts the user to run it. :/ Learn a real language.

Well, I wrote the stub in Delphi at first.
Obviously the user will see the prompt, but if they click no the desktop doesn't create
(not hard to solve, just Ctrl+Alt+Del and run Explorer, but the average user won't do that).

And I chose VBScript because the UAC box says "verified by Microsoft" (less suspicious, no?),
and even if you end the file you run, just start it again; it still has admin privs.
Title: Re: Few Questions Win7
Post by: techb on November 05, 2011, 10:12:18 AM
You could try the Task Scheduler exploit (http://www.exploit-db.com/exploits/15589/), partly written in VBS.