Good afternoon HTS,
I recently came up with a simple concept. Imagine you wanted a certain program to run on a certain computer without having to edit the registry for fear of administrators or anti-hacker programs monitoring the registry run keys.
All the program really needs is to search through a list of existing run keys (ex: keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and choose one at random. The program will then find the location of the executable to be launched by that run key and then rename the executable with the same name but with a suffix (ex: winlogon.exe will become winlogon64.exe) and then insert into the same directory it's own executable under the previous executable's name (ex: in our example the executable will be named winlogon.exe). This new executable will now be launched by the run key instead of the previous executable without altering the registry. From there it can pass its arguments to the executable which it is masquerading as to make sure that the computer continues running as expected.
At that point, it can do whatever it wants. It can snoop around the computer, log keys, connect to C&C servers, and so forth. The basic idea is that it is too obvious to an investigator that a malicious run key has been added, so instead, your program masquerades as a program with a legitimate run key to look authentic. One query of the run keys is also a lot less suspicious then an addition to the run keys.
TL:DR; take a program that's run at startup, replace it with your own shady program under the same name so that it will also be launched at startup.
What do you guys think of this? Criticism, suggestions, problems, flaws are a welcome. I'm currently trying to implement this in batch, but batch is a terrible language for string manipulation...