Author Topic: What are stealth ways of running software at start-up on windows without Admin


hppd
Hello evilzone,

Last time I got on here I got dissed for asking what the best crypter was. You told me to DIY or GTFO. So I took your advice and started coding my own FUD keylogger, everything works (except encryption, I'm a noob coder) but I'm still looking for a stealthy way to run my software at start-up without the need of accessing the registry. I'm not asking for snippets, just some pointing in the right direction. Target systems are WS2008 R2 and Windows 8.

Thanks in advance
~HppD

Kulverstukas
You won't get as stealthy as the registry. Using startup in the registry is the best way, and if you know how, you can hide it from others.
Windows scheduler is also an alternative way to do it...

hppd
Ok thx. But what ways are there to change the registry when it has been disabled by the admin. Or when the .exe isn't opened with "run as administrator"?

Snayler
Ok thx. But what ways are there to change the registry when it has been disabled by the admin. Or when the .exe isn't opened with "run as administrator"?
From StackOverflow:
Quote
You need administrative privileges to write to locations that are shared by multiple users.
In the filesystem, this means folders like \WINDOWS or \Program Files. In the registry, this means all of the hives which aren't per-user.

Therefore, you can only write to HKEY_CURRENT_USER.
Specifically, you should write to HKCU\Software\Your Company.
Simple google search...
« Last Edit: November 13, 2013, 07:46:13 pm by Snayler »
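The quoted StackOverflow answer is the reason defenders look at the per-user hives first: a process running without admin rights can still write under HKEY_CURRENT_USER, so HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce are exactly where unprivileged persistence ends up. As an added example (not code from this thread or from anyone in it), here is a small Python triage script that parses the output of `reg query` for those two keys and flags values worth reviewing. The sample output, the value names and paths in it, and the two heuristics (program launched from a user-writable location; a Windows system-binary name running outside System32) are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `reg query HKCU\...\Run` / `...\RunOnce` output
# (not taken from any real machine); the value names and paths are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater Service    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Example Tool    REG_EXPAND_SZ    %TEMP%\tool.exe -silent

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Setup    REG_SZ    "C:\Program Files\Vendor\setup.exe" /finish
"""

# One value line: indentation, name, >=2 spaces, REG_* type, >=2 spaces, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Locations an unprivileged user can write to; a Run value that launches
# something from here deserves a look (legitimate per-user apps live there too).
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "%temp%",
                 "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Names of Windows system binaries that never legitimately run from a profile directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe"}


@dataclass
class RunEntry:
    key: str
    name: str
    reg_type: str
    data: str
    flags: list = field(default_factory=list)


def executable_path(data: str) -> str:
    """Return the program part of a Run value (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def parse_reg_query(text: str) -> list:
    """Parse `reg query` output into RunEntry objects, tracking the current key."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m["name"], m["type"], m["data"]))
    return entries


def triage(entries: list) -> list:
    """Attach review flags to each entry and return only the flagged ones."""
    for e in entries:
        e.flags = []
        path = executable_path(e.data).lower()
        if any(marker in path for marker in USER_WRITABLE):
            e.flags.append("launches from a user-writable location")
        base = path.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in path:
            e.flags.append("system binary name outside System32")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    # On a real host, feed in the output of:
    #   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    #   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    for e in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{e.key}\n  {e.name!r} -> {executable_path(e.data)}\n  " + "; ".join(e.flags))
```

The first heuristic is deliberately noisy: OneDrive in the sample is flagged because it runs from AppData, which is where many legitimate per-user programs install. The point of the script is to shrink the list a person has to read, not to decide on its own; the same parser works on the HKLM Run keys and the user's Startup folder listing once those are added to the input.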

hppd
Whoop whoop! Thanks, somehow I was too retarded to find it ;D

Kulverstukas
Whoop whoop! Thanks, somehow I was too retarded to find it ;D
Common problem around here...

To add to Snayler's post, you can also implement a privilege escalation (admin bypass) exploit for Windows7 and up.
POC and description can be found here:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

hppd
The privilege escalation seems legit. Cookies have been given. And the keylogger works, yay. Now I'll just let my brain explode by trying to figure out how to encrypt the ftp traffic. Wish me luck 8)

EDIT: Would SSL be enough or is it easily cracked? I read somewhere SSL isn't safe, that's why I ask.
« Last Edit: November 14, 2013, 06:54:49 pm by hppd »

lucid
You told me to DIY or GTFO.
I love that that's a reoccurring phrase that people use now..

@OP - SSL isn't unsafe, that is, unless you are trying to hide from the NSA. SSL uses 1024 RSA, which has been discovered somewhat recently as being crackable by the NSA.
« Last Edit: November 14, 2013, 07:56:07 pm by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Kulverstukas
Another question is who would sniff keylogger traffic? if someone would be doing that, they would know where shit gets sent anyway, and if they really wanted to, they would decrypt SSL traffic too.
I'd say don't bother encrypting the keylogger traffic, it's not much use. Unless of course it's for learning purposes, then by all means, please do.

hppd
It is partially for learning purposes. But also because I don't want to send the password, username and server in cleartext. What's the point of sending someone a keylogger if they can use it to hack you and steal your logs?

I love that that's a reoccurring phrase that people use now..

@OP - SSL isn't unsafe, that is, unless you are trying to hide from the NSA. SSL uses 1024 RSA, which has been discovered somewhat recently as being crackable by the NSA.

Yeah but you probably need the phrase to keep the forum clean. And it motivated me to start coding myself.

Okay so the SSL uses RSA according to you. But on wikipedia it said nothing about this. It does say :
Quote
FTPS includes full support for the TLS and SSL cryptographic protocols, including the use of server-side public key authentication certificates and client-side authorization certificates. It also supports compatible ciphers, including AES, RC4, RC2, Triple DES, and DES. It further supports hash functions SHA, MD5, MD4, and MD2.
So you can choose which encryption it uses or what?
Anyways I appreciate the help from you guys cool community

Kulverstukas
lol you still trying to implement the old FTP method? haha.
Web backend is the thing of the future, man. No credentials, no passwords or anything - just a link to an ambiguous looking PHP and unpredictable POST requests.

Try it.

hppd
lol you still trying to implement the old FTP method? haha.
Web backend is the thing of the future, man. No credentials, no passwords or anything - just a link to an ambiguous looking PHP and unpredictable POST requests.

Try it.

So it's a hidden link that contains your logs if I'm not mistaken? How is that secure (if they trace your link). So no more messing around with stupid text files.. nice

lucid
It is partially for learning purposes. But also because I don't want to send the password, username and server in cleartext. What's the point of sending someone a keylogger if they can use it to hack you and steal your logs?

Yeah but you probably need the phrase to keep the forum clean. And it motivated me to start coding myself.

Okay so the SSL uses RSA according to you. But on wikipedia it said nothing about this. It does say : So you can choose which encryption it uses or what?
Anyways I appreciate the help from you guys cool community
My mistake, I was referring to TLS, which can use keys generated with RSA.
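The Wikipedia quote lists RC4, RC2, DES and MD5 next to AES and SHA because FTPS inherits whatever cipher suites the underlying TLS stack is allowed to negotiate; which of those are offered is a configuration choice on each end, and it is separate from the length of the RSA key in the certificate that lucid refers to. So the answer to "can you choose which encryption it uses" is yes, and the operator of the endpoint should. As an added example (not code from the thread), here is how that choice looks in Python's standard `ssl` module: a context restricted to TLS 1.2 and above with forward-secret AES-GCM/ChaCha20 suites, plus a check that lists what the context would still offer and whether any weak-algorithm names survive. The cipher string and the marker list are my choices, not anything from the thread.

```python
import ssl

# Algorithm markers from the quoted FTPS cipher list (and a few more) that a
# modern TLS endpoint should refuse to negotiate.
WEAK_MARKERS = ("RC4", "RC2", "DES", "MD5", "MD4", "MD2", "NULL", "EXPORT")


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Build an SSLContext limited to TLS 1.2+, ECDHE key exchange and AEAD ciphers.

    The same object serves either side: pass purpose=ssl.Purpose.CLIENT_AUTH
    when the context is for a server.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: allow only forward-secret AES-GCM / ChaCha20
    # suites; the '!' terms keep the exclusions explicit even if the positive
    # list is edited later.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list:
    """Names of every suite the context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names) -> list:
    """Return the suites whose name contains one of the weak-algorithm markers."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context accepts, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_context()
    print("minimum protocol:", minimum_version_name(ctx))
    for name in negotiable_suites(ctx):
        print("  ", name)
    print("weak suites offered:", weak_suites(negotiable_suites(ctx)) or "none")
```

Run it and the printed list contains only ECDHE suites and the TLS 1.3 `TLS_*` suites; `weak_suites` on that list is empty, while the same function run over a permissive list such as `["RC4-MD5", "DES-CBC3-SHA"]` returns both. Any standard-library TLS client or server object that takes a `context=` argument can be handed this context, so the same check applies to either end of an FTPS or HTTPS connection.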

Kulverstukas
So it's a hidden link that contains your logs if I'm not mistaken? How is that secure (if they trace your link). So no more messing around with stupid text files.. nice
Not quite...

You will need a webserver for this (free one will do). In there you put a PHP script which receives requests and writes them to a file.
Basically it goes like this: the keylogger fills the keystroke buffer and has to empty it out. Instead of connecting to FTP it connects to the PHP script and sends the keystroke buffer with a POST request (not GET). Done.
However I'm not sure how much data you can send through a POST request, but it's ok for small buffers.

This way you will not expose any FTP details, only a link to the script, which is most of the time useless to the one trying to trace you.

hppd
Okay thx, I think the limit is 2083 characters. And if they find out the link or someone else stumbles upon it, how do you protect the logs without a password?