  1. #1
    Senior Member -silent-
    Join Date
    May 2005
    Posts
    1,374

    Startup (explorer.exe)

    I have been thinking about this, not sure if anybody uses it or if it would work.

    OK, explorer.exe starts every time, so as you know, if you call your server explorer.exe and have it in the Windows directory it will run at startup.

    But then explorer does not load on XP (not sure about the rest), so you have to kill it and then load explorer to run your desktop.

    So what about if you renamed explorer.exe to, say, explorerOLD.exe and then had your server call itself explorer.exe and then make your server run explorerOLD.exe!!

    Anybody know if that would work?

    Was just a thought, as I hate using the registry as lots of progs monitor that.

  2. #2
    ratws
    Guest
    I know what you mean... But it's not gonna be a good solution due to 2 main reasons (not going too deep on the subject):

    1. As soon as your server arrives at ?:\windows you'll get that very popular Confirm file replace dialog.
    2. You'll need to do some work to rename a running file (explorer.exe).

    Well, I'm not saying you can't do that though, a lot of effort will be required!

    An injection would be more appropriate!

  3. #3
    Retired Admin
    Join Date
    Feb 2005
    Location
    Norway
    Posts
    1,933
    Heyheyhey, this reminds me of something. I think Sub7 used a similar startup method.
    This might help you.

    out from sub7 removal guide (attached to post):
    In SYSTEM.INI, the Windows Shell is defined as EXPLORER.EXE. When Windows reads this at startup, it searches for EXPLORER.EXE in C:\ first, and then in C:\WINDOWS, which is the correct one. Normally, C:\WINDOWS\EXPLORER.EXE is thus used as shell, but if C:\EXPLORER.EXE is present, that file is mistaken for the shell file. This 'bug' has been in Windows since the first release of Windows 95.
    The Sub7 server as C:\EXPLORER.EXE probably runs C:\WINDOWS\EXPLORER.EXE too to prevent Windows from not functioning, but I wasn't able to check this since I didn't feel like rebooting.

  4. #4
    ratws
    Guest
    Oh well, I had something registry related in my head but, since he was discarding registry, I kept my mouth shut. I'll give this a try!

  5. #5
    Senior Member
    Join Date
    Apr 2005
    Posts
    140
    Bypassing file protection would get rid of the "replace file" dialog...

  6. #6
    Ma[x]eD
    Guest
    Well why not bind ur server to explorer.exe?..i know someone who did that

  7. #7
    Senior Member -silent-
    Join Date
    May 2005
    Posts
    1,374
    Yes, I had also thought about binding something with explorer.

    Then I thought Aphex released something called lace and I think that adds your server code to the end of any exe.

    So will look into that.

    When you say injection you still need an installer to start, don't you?

    If you inject a server into a process, does your original file then close that was used to inject?

  8. #8
    Retired Admin
    Join Date
    Feb 2005
    Location
    Norway
    Posts
    1,933
    Infecting a file that is in use could be troublesome.
    I think I've seen Postron/Niklaus make a file prepender that mass-infected exe files.
    Maybe it's this one http://www.virusexchange.org/positro...zaaPrepend.rar (www.positronvx.cjb.net)

    When you say injection you still need an installer to start, don't you?
    Yes

    If you inject a server into a process, does your original file then close that was used to inject?
    Yes you can if you want. Or you can leave it running.

  9. #9
    Senior Member Snma
    Join Date
    Feb 2005
    Posts
    549
    Why don't you put your explorer.exe in the system32 folder and use winlogon to launch it? Then, you will see 2 'explorers' in your ctrl+alt+del screen, but the user will think nothing of it usually. You could also name it svchost and have it in some other random folder and have that open since there are a few of those that run at any given time, and if you shut down the wrong one, it will shutdown your computer.
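
A defender-side check for the two tricks discussed in this thread: a copy of explorer.exe placed where the shell lookup finds it first (the drive root, per the Sub7 removal guide quoted above) and system binary names such as explorer.exe or svchost.exe sitting in folders they do not belong in. This is an added example, not code from any thread participant; the expected folders, the `boot_shell` and `audit` names and the sample inventory are assumptions constructed for illustration.

```python
import ntpath

# Assumed legitimate folders on a C:\Windows install (SysWOW64 holds the
# 32-bit copies on 64-bit systems). Adjust for the host being audited.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def boot_shell(system_ini_text):
    """Return the shell= value from the [boot] section of SYSTEM.INI, or None."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def audit(system_ini_text, paths):
    """Return (reason, path) findings for a file inventory and SYSTEM.INI text."""
    findings, shell = [], boot_shell(system_ini_text)
    bare = bool(shell) and not ntpath.isabs(shell)
    for p in paths:
        directory, name = ntpath.split(ntpath.normpath(p))
        directory = directory.lower().rstrip("\\")
        allowed = EXPECTED_DIRS.get(name.lower())
        if allowed is not None and directory not in allowed:
            findings.append(("system binary name outside its expected folder", p))
        # A bare shell name is resolved by search order, so a same-named
        # file in the drive root is picked up instead of the real shell.
        if bare and directory == "c:" and name.lower() == shell.lower():
            findings.append(("shadows the configured shell in the drive root", p))
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_PATHS = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Common\svchost.exe",
    r"C:\WINDOWS\system32\explorer.exe",
]

print(*audit(SAMPLE_INI, SAMPLE_PATHS), sep="\n")
```

Feed `audit` a real file or process-image listing and the host's SYSTEM.INI text in place of the samples; a shell value given as an absolute path suppresses the drive-root finding because no search order is involved.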

  10. #10
    Senior Member
    Join Date
    Apr 2011
    Posts
    203
    BUMP!! I like the thread, I already thought about this without seeing the thread.
    So on Win7 I tested this and it worked BUT you need admin rights and some code to apply for the file protection, and also it's easy to replace explorer.exe (I know a good method).
    BUT I tried on XP too, and on XP I saw it's replacing system files immediately from the cache or something... anyone tried on XP too?
