Friday 23 January 2009

Some useful registry keys

Vista:

Disable User Account Control (UAC):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
"EnableLUA" = "0"

Disable DEP:
Run: "bcdedit /set nx alwaysoff"

Enable RDP:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
"fDenyTSConnections" = "0"

XP:

Disable "Show Hidden Files and Folders":
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = "2"

Restore the Prompt to save passwords in IE:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"FormSuggest PW Ask" = "yes"

Enable Password Caching (IE):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"DisablePasswordCaching" = "0"

Disable "Shift Override":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"ShiftOveride" = "1"

Disable Password Caching in Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"DisablePasswordCaching" = "1"

Disable 'Control Panel' items:
HKEY_CURRENT_USER\Control Panel\don't load

Windows Firewall:
"firewall.cpl" = "No"

Windows LiveUpdate Control Panel Module:
"S32LUCP1.cpl" = "No"

Windows Security:
"wscui.cpl" = "No"

Windows Automatic Updates:
"wuaucpl.cpl" = "No"

Enable RDP:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
"fDenyTSConnections" = "0"

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
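Every key above weakens the machine in some way (UAC off, DEP off, RDP on, IE caching passwords, Control Panel applets hidden), so a defender wants the reverse: a quick way to read each of them back and see which ones are in the weakened state. The script below is an added example written for this page, not code from the original post. It assumes Windows PowerShell 3.0 or later, a standard registry layout, and that bcdedit is run from an elevated prompt (otherwise the DEP line reports unknown). It uses CurrentControlSet, the live alias of the ControlSet001 path the post shows, and only reads; it changes nothing.

```powershell
# Added audit script (not from the original post). Reads each setting the post
# lists and reports whether the machine is currently in the weakened state.
# Assumes Windows PowerShell 3.0+; read-only.

$Checks = @(
    @{ Name  = 'UAC disabled (EnableLUA=0)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Weak = 0 },
    @{ Name  = 'RDP enabled (fDenyTSConnections=0)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Weak = 0 },
    @{ Name  = 'IE password caching enabled (DisablePasswordCaching=0)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Value = 'DisablePasswordCaching'; Weak = 0 },
    @{ Name  = 'Hidden files not shown (Hidden=2)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'Hidden'; Weak = 2 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WeakenedSettings {
    foreach ($c in $Checks) {
        $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Value
        $isWeak = ($null -ne $actual) -and ([int]$actual -eq $c.Weak)
        $shown  = if ($null -eq $actual) { '<absent>' } else { $actual }
        [pscustomobject]@{ Check = $c.Name; Actual = $shown; Weak = $isWeak }
    }

    # Control Panel applets hidden through the "don't load" key: any value
    # present there (firewall.cpl, wscui.cpl, wuaucpl.cpl, ...) hides an applet.
    $dontLoad = 'HKCU:\Control Panel\don''t load'
    if (Test-Path $dontLoad) {
        foreach ($applet in (Get-Item $dontLoad).Property) {
            [pscustomobject]@{ Check = "Control Panel applet hidden: $applet"; Actual = 'present'; Weak = $true }
        }
    }

    # DEP: the post turned it off with bcdedit; read the nx policy back the same way.
    $m = & bcdedit /enum '{current}' 2>$null |
         Select-String -Pattern '^\s*nx\s+(\S+)' | Select-Object -First 1
    $nxValue = if ($m) { $m.Matches[0].Groups[1].Value } else { '<unknown>' }
    [pscustomobject]@{ Check = 'DEP (nx policy)'; Actual = $nxValue; Weak = ($nxValue -ieq 'AlwaysOff') }
}

Test-WeakenedSettings | Format-Table -AutoSize
```

Run it as the user whose HKCU you care about, since the IE, Explorer and "don't load" entries are per-user; the HKLM and bcdedit checks are machine-wide. A row with Weak = True is one of the post's tweaks in effect.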

DLL Malware

I have been having a play with DLLs recently and have realised the potential advantages over normal executables, here are a few thoughts:

From what I understand, depending on how you create your DLL you can either Inject the DLL into a process and/or load it using a Loader (such as 'rundll32').

Here's an example of what could be done...

Create a custom loader which contains a copy of the DLL as an encrypted resource file (easily done in VB6);

Check for the existence of Sandboxes etc; If found we quit, otherwise:
Detect if we have Admin rights:

If we do, decrypt and extract the DLL to eg: %windir%\*random-file-name*.dll
If not, decrypt and extract the DLL to eg: %temp%\*random-file-name*.dll

Check the file actually extracted (and wasn't blocked):
If not try extracting again to a different folder eg: %userprofile%\*random-file-name*.dll
If it still fails we quit, and melt into null.

Alternatively I believe we could extract the DLL into memory and not even write to disk.

The Loader then detects the PC's default browser from the Registry;
Then creates a Suspended copy of the Default Browser;
Injects the DLL into the Suspended Process, this way we bypass the Firewall*.

If injection fails, load the DLL using 'rundll32' and hope everything goes ok (alternatively we could try injecting into a different process, say MSN, Explorer.exe etc)

If injected we can then delete the DLL we extracted as it is now in memory.

Then exit the loader.

So based on the concept that we have injected the DLL, we now have no visible process running in Task Manager, and potentially have bypassed the Firewall without creating additional rules.

Startup methods?
Well we can either add an entry for the Loader again (which would allow injection) or load the DLL using say rundll32 or from a Service via SVCHOST.

* This is simple Firewall Bypass which probably doesn't work anymore, but you get the idea.
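The two startup methods named in the "Startup methods?" paragraph (a Run entry that launches a DLL through rundll32, and a DLL hosted by a service under svchost) are also the two places a defender can look for them. The script below is an added example written for this page from the detection side, not code from the original post. It assumes Windows PowerShell 3.0 or later and reads only the registry; the choice of "temp and user profile" as suspicious drop locations follows the post's own %temp% and %userprofile% suggestions, and the System32 rule for ServiceDll is my own assumption (legitimate third-party services occasionally host DLLs elsewhere, so treat hits as leads, not verdicts).

```powershell
# Added detection script (not from the original post). Lists Run/RunOnce entries
# that use rundll32 or point into user-writable folders, and svchost-hosted
# services whose ServiceDll lives outside System32. Read-only; PowerShell 3.0+.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop locations the post mentions (%temp%, %userprofile%), as regex fragments.
$UserWritable = @($env:TEMP, $env:USERPROFILE) | ForEach-Object { [regex]::Escape($_) }

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in (Get-Item $key).Property) {
            $cmd      = [string]$props.$name
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            $usesRundll = $expanded -imatch 'rundll32(\.exe)?'
            $inUserDir  = @($UserWritable | Where-Object { $expanded -imatch $_ }).Count -gt 0
            if (-not ($usesRundll -or $inUserDir)) { continue }
            $reason = if ($usesRundll -and $inUserDir) { 'rundll32 + user-writable path' }
                      elseif ($usesRundll)             { 'rundll32 loader' }
                      else                             { 'user-writable path' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Reason = $reason }
        }
    }
}

function Get-SuspiciousServiceDlls {
    # svchost-hosted services name their DLL in <service>\Parameters\ServiceDll.
    $sys32 = [regex]::Escape("$env:SystemRoot\System32")
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $params = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$dll)
        if ($expanded -inotmatch "^$sys32\\") {
            [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $dll }
        }
    }
}

'== Run / RunOnce entries =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
'== Service DLLs outside System32 =='
Get-SuspiciousServiceDlls | Format-Table -AutoSize
```

Run it elevated so the HKLM service keys are fully readable. A rundll32 Run entry whose DLL sits in the temp folder or user profile matches the post's design exactly; a ServiceDll outside System32 is the svchost variant and deserves a signature and hash check before anything else.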