-
June 30th, 2004, 04:03 AM
#1
Windows XP Startup locations
I checked out Malware: Fighting Malicious Code and found its section on starting backdoors automatically. I checked out its list of folders, files, and registry entries and I felt it would be a good idea to post it here, and see if anyone else knows of other locations a startup entry could be entered into. I think BHOs should be included in this list, but I'm not sure. So please, add directories or registry paths that can be exploited if you know of them. I plan on making a tool that will check them for changes. If it works well enough, I might post the source here. I just felt this would be valuable against viruses and hijacks, as well.
Autostart folders
Documents and settings\user\start menu\programs\startup
C:\windows\win.ini
c:\windows\system.ini
c:\windows\Wininit.ini
c:\Winstart.bat
c:\Autoexec.bat
c:\config.sys
Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Microsoft\Windows\System\Scripts
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesonce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
HKCU\Exefiles\Shell\Open\Command
Task Scheduler
------------------------------
Again, please add any that aren't listed. I'm about to google for more; I'll add them as I find them.
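The change check the first post plans, as an added example (not the poster's tool): it snapshots the values under a subset of the Run keys listed above with Python's `winreg` module and reports additions, removals and modifications against a saved baseline. The function names and the baseline file name are assumptions; reading the registry needs Windows, while the comparison runs anywhere.

```python
import json
import os

# Run-style keys taken from the list in the post above (a subset, not all of it).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

def snapshot():
    """Return {key path: {value name: data}}; a missing key maps to None. Windows only."""
    import winreg  # imported here so diff_snapshots() can be used on any platform
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, subkey in RUN_KEYS:
        path = hive + "\\" + subkey
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                count = winreg.QueryInfoKey(key)[1]  # number of values under the key
                values = (winreg.EnumValue(key, i) for i in range(count))
                snap[path] = {name: str(data) for name, data, _type in values}
        except OSError:
            snap[path] = None  # key does not exist (or cannot be read)
    return snap

def diff_snapshots(old, new):
    """List (change, key path, value name, old data, new data) between two snapshots."""
    changes = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path) or {}, new.get(path) or {}
        for name in sorted(set(before) | set(after)):
            if name not in before:
                changes.append(("added", path, name, None, after[name]))
            elif name not in after:
                changes.append(("removed", path, name, before[name], None))
            elif before[name] != after[name]:
                changes.append(("modified", path, name, before[name], after[name]))
    return changes

if __name__ == "__main__":
    baseline = "autostart_baseline.json"  # hypothetical baseline file name
    current = snapshot()
    if os.path.exists(baseline):  # later runs: report what changed since the baseline
        with open(baseline) as fh:
            for change in diff_snapshots(json.load(fh), current):
                print(*change, sep=" | ")
    else:  # first run: record the baseline
        with open(baseline, "w") as fh:
            json.dump(current, fh, indent=2)
```

Entries under RunOnce are deleted by Windows after they execute, so a "removed" result there is normal; a new or modified value under Run is the one to look at.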
-
June 30th, 2004, 06:47 AM
#2
Clearly the author of that book is not very familiar with 9x. C:\Documents and Settings\All Users\Start Menu\Programs\Startup.... sure, but in 9x it goes a little more like C:\Windows\Start Menu\Programs\Startup
What about ICQ? [HKEY_LOCAL_MACHINE] SOFTWARE\Mirabilis\ICQ\Agent\Apps\
-
June 30th, 2004, 07:06 AM
#3
Does that start with the box? Or only with ICQ...
I think I am going to extend the list with popular software as well. Might get pretty long :/
-
June 30th, 2004, 08:19 AM
#4
No, I just remember that you could make ICQ open files like that. You can also change file associations via the registry & I think you can even have all kinds of files hooked to open with specific files, not just file types. You can also modify shortcuts, but that's not really much of a startup method, but really you can reverse then inject, modify, & just generally trojanise virtually anything you want and then claim it as some type of execution/startup method.
-
June 30th, 2004, 10:47 AM
#5
<Cough>
Clearly the author of that book is not very familiar with 9x
The title of the thread is "Windows XP Startup Locations" and I'm pretty sure that Ed Skoudis could give you a little tour of Win9x anytime you like if you ask him nicely.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 30th, 2004, 02:43 PM
#6
I think you might also need to include
HKLM\system\currentcontrolset
This is where the starting of services and drivers are managed.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde (1854-1900)