Author Topic: Few Questions Win7 (Read 2075 times)

bubzuru · « **on:** October 30, 2011, 05:54:20 pm »

how is maleware installing on windows 7 systems

whitch files\folders are writeable with default acces (executed without using run as admin)

im planning on creating a class that will allow you to install malware easly, but i need to make a few checks (where can i write files on windows 7 that's descrete)

i thought of just checking if im admin and, windir is writeablle then installing in xp mode ,,, but then what if its windows xp and windir is unwriteble what too do??? , the last question doesnt realy matter because xp malware just installes without checks. just thinking ahead

all ideas welcome

ande · « **Reply #1 on:** October 30, 2011, 08:07:57 pm »

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same is startup folder on current user in start menu as far as I know.

When it comes to files/folders, win7 is a bitch. Only(mostly) the folders in c:\users\USERNAME\ are writable. Preferable c:\users\USERNAME\appdata\, but Documents and My * are also writable, aswell as the desktop

Kulverstukas · « **Reply #2 on:** October 30, 2011, 09:21:14 pm »

I think everything becomes writable once you kill the UAC

bubzuru · « **Reply #3 on:** October 30, 2011, 09:31:54 pm »

Quote from: ande on October 30, 2011, 08:07:57 pm

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same is startup folder on current user in start menu as far as I know.

When it comes to files/folders, win7 is a bitch. Only(mostly) the folders in c:\users\USERNAME\ are writable. Preferable c:\users\USERNAME\appdata\, but Documents and My * are also writable, aswell as the desktop

i know them reg keys are writeable , thats not what im asking
i need a good place to install the malware if the app is running retrected mode
are to folders you mentiond the only writeable folders ??

also if i start an app in unrestricted mode then set hkey_local_machine run value, when it starts will it be running in unrestricted mode ??

Quote from: Kulverstukas on October 30, 2011, 09:21:14 pm

I think everything becomes writable once you kill the UAC

yes but thats not what i want, i want to be silent

bubzuru · « **Reply #4 on:** October 30, 2011, 09:42:11 pm »

i know i could test before i post but im lazy
gunna just write a simple app n see if it works

also if a procsess is started by a process with full rights, does the child process have full rights ??

bubzuru · « **Reply #5 on:** October 30, 2011, 10:18:06 pm »

ok
just did a quick test

i put my file in the root drive and set it to run on startup with the hkey_local_machine run value, seems it still runs with less privaleges.

gunna try the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key to see it that helps

Edit:
nope app still runs with less priveligs even tho its started by explorer.exe

bubzuru · « **Reply #6 on:** October 30, 2011, 11:58:31 pm »

now i have made an app run on startup with full privileges .....

it requiers a stub file that needs UAC authentication ...... BUT
there is a twist, if you add to reguler startup key then the deskgop starts and it looks dodgey (not god)

soooo
i made a stub that executes before explorer using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the uac dialog runs before the desktop is created (after u click login) ,,, if the user clicks dont allow then the desktop wont show,,,, if the user clicks allow then everything works normal and the malware has full access to the file system :0

iv allso thought of unmaping explore.exe, addinu uac and making it so it needs to run with admin access then runing malware through that (not tested)

will write a tut\tool soon

bubzuru · « **Reply #7 on:** October 31, 2011, 01:47:09 am »

tryed unmaping explorer ......
complete fuck up

i managed to repace it but after restart it allmost broke my sisters laptop. so thats a no go

the single uac still works soo hahaha fuck microsoft

bubzuru · « **Reply #8 on:** October 31, 2011, 01:51:46 am »

btw
just you know this hack will alow a file\any file it starts in indows 7\vista to run with full access, not just the users access

bubzuru · « **Reply #9 on:** October 31, 2011, 10:37:32 pm »

video off it working
http://www.youtube.com/watch?v=V56PnsvqyuU

more info soon

xor · « **Reply #10 on:** November 01, 2011, 12:10:36 pm »

Doesn't help that it's a vbscript and prompts the user to run it. :/ Learn a real language.

bubzuru · « **Reply #11 on:** November 01, 2011, 12:30:54 pm »

Quote from: xor on November 01, 2011, 12:10:36 pm

Doesn't help that it's a vbscript and prompts the user to run it. :/ Learn a real language.

well i wrote the stub in delphi at first
oblsly the usr will see the prompt, but if if they click no the desktop doesnt create
(not hard to solve , just ctrl+alt del run explorer but the avarage user wont do that

and i chose vbscript because he uac box says verivied by microsoft (less suspicious no ?)
and even if you end the file you run the just start it again . it still has admin privs

techb · « **Reply #12 on:** November 05, 2011, 10:12:18 am »

You could try the Task Scheduler exploit, partly written in VBS.

EvilZone

News:

Author Topic: Few Questions Win7 (Read 2075 times)

bubzuru

Few Questions Win7

ande

Re: Few Questions Win7

Kulverstukas

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

xor

Re: Few Questions Win7

bubzuru

Re: Few Questions Win7

techb

Re: Few Questions Win7