Good afternoon HTS,
I recently came up with a simple concept. Imagine you wanted a certain program to run on a certain computer without having to edit the registry for fear of administrators or anti-hacker programs monitoring the registry run keys.
All the program really needs is to search through a list of existing run keys (ex: keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and choose one at random. The program will then find the location of the executable to be launched by that run key and then rename the executable with the same name but with a suffix (ex: winlogon.exe will become winlogon64.exe) and then insert into the same directory its own executable under the previous executable's name (ex: in our example the executable will be named winlogon.exe). This new executable will now be launched by the run key instead of the previous executable without altering the registry. From there it can pass its arguments to the executable which it is masquerading as to make sure that the computer continues running as expected.
At that point, it can do whatever it wants. It can snoop around the computer, log keys, connect to C&C servers, and so forth. The basic idea is that it is too obvious to an investigator that a malicious run key has been added, so instead, your program masquerades as a program with a legitimate run key to look authentic. One query of the run keys is also a lot less suspicious than an addition to the run keys.
TL;DR: take a program that's run at startup, replace it with your own shady program under the same name so that it will also be launched at startup.
What do you guys think of this? Criticism, suggestions, problems, flaws are all welcome. I'm currently trying to implement this in batch, but batch is a terrible language for string manipulation...
-WallShadow <3
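An added defender-side check, not part of the original post: this PowerShell audit walks the same Run keys the post talks about, resolves each launched executable, and reports its Authenticode status, creation time and any sibling file named like the original plus a numeric suffix (the winlogon.exe / winlogon64.exe pattern above). It assumes only built-in cmdlets; the numeric-suffix heuristic and the function names are my own.

```powershell
# Audit what the per-user and machine-wide Run keys actually launch.
function Get-RunEntryExecutable {
    # Pull the program path out of a Run value, quoted or unquoted.
    param([string]$CommandLine)
    $path = $null
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+\.exe)') { $path = $Matches[1] }
    if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
    return $null
}

function Get-RunKeyAudit {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties the registry provider adds.
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $names) {
            $cmd = $props.$name
            $exe = Get-RunEntryExecutable -CommandLine $cmd
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Key=$key; Name=$name; Exe=$cmd; Status='UNRESOLVED'; Created=$null; Siblings='' }
                continue
            }
            $item = Get-Item -LiteralPath $exe
            $sig  = Get-AuthenticodeSignature -FilePath $exe
            $base = [regex]::Escape($item.BaseName)
            # Same base name plus digits in the same directory (assumed heuristic),
            # e.g. winlogon64.exe sitting next to winlogon.exe.
            $siblings = Get-ChildItem -LiteralPath $item.DirectoryName -Filter '*.exe' |
                Where-Object { $_.BaseName -match ('^' + $base + '\d+$') } |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Exe      = $exe
                Status   = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Created  = $item.CreationTime  # a fresh binary for an old product stands out
                Siblings = ($siblings -join ', ')
            }
        }
    }
}

Get-RunKeyAudit | Format-Table -AutoSize
```

Anything reporting NotSigned or HashMismatch alongside a non-empty Siblings column is exactly the swap the post describes, and the registry itself would show nothing.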


