Trojan brilliant idea: how Gray Pigeon registers itself as a system service - vulnerability warning - the black bar safety net

ID MYHACK58:62200610817
Type myhack58
Reporter Anonymous
Modified 2006-08-01T00:00:00


A few days ago I looked into the method Gray Pigeon uses to register itself as a system service. I do not have a copy of Gray Pigeon, but I found that it does it with rundll32 importing an .inf file. So are the usual countermeasures, adding a registry key that disables .reg scripts or disabling regedit, still effective against this? An example follows. To add a service:

    [Version]
    Signature="$WINDOWS NT$"

    [DefaultInstall.Services]
    AddService=inetsvr,,My_AddService_Name

    [My_AddService_Name]
    DisplayName="Windows Internet Service"
    Description="Provides support for Internet Information Services management."
    ServiceType=0x10
    StartType=2
    ErrorControl=0
    ServiceBinary=%11%\inetsvr.exe

Save this as inetsvr.inf, then run:

    rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\path\inetsvr.inf

This example adds a service named inetsvr. Doesn't it look very much like a service that ships with the system?

Some points to note:

1. The last four items are: the service type (0x10 for a service running in its own process, 0x20 for a service sharing a process, such as svchost); the start type (0 loaded at system boot, 1 loaded during OS initialization, 2 started automatically by the SCM, the Service Control Manager, 3 started manually, 4 disabled; note that 0 and 1 can only be used for drivers); the error control (0 ignore, 1 continue with a warning, 2 switch to the LastKnownGood configuration, 3 blue screen); and the location of the service binary (%11% stands for the system32 directory, %10% for the system directory, WINNT or Windows, and %12% for the driver directory system32\drivers; for other values see the DDK). You can also skip the variables and use a full path directly. This fourth item, ServiceBinary, is mandatory.

2. Besides the six items in the example there are others, such as LoadOrderGroup and Dependencies. They are not commonly used, so they are not covered here.

3. The two commas after inetsvr are there because the parameter between them, the rarely used flags field, has been omitted.

To delete a service:

    [Version]
    Signature="$WINDOWS NT$"

    [DefaultInstall.Services]
    DelService=inetsvr

Very simple, isn't it? Of course, you can also achieve the same thing by importing a registry file.
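As an added example that is not part of the original post, the following Python triage script parses an .inf file of the kind shown above, follows each AddService entry to its install section, expands the %10%/%11%/%12% directory IDs described in note 1, and reports the service name, start type and binary path of every service the file would add or delete. The C:\WINNT directory layout and the extra DelService entry (oldsvc) are constructed assumptions for the sample input.

```python
import re
# Directory IDs used by setupapi, as in note 1 above; the C:\WINNT layout is assumed.
DIRIDS = {"10": r"C:\WINNT", "11": r"C:\WINNT\system32", "12": r"C:\WINNT\system32\drivers"}
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Constructed sample based on the add/delete INFs shown above (the oldsvc entry is made up).
SAMPLE_INF = """[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name   ; empty flags field between the commas
DelService=oldsvc
[My_AddService_Name]
DisplayName="Windows Internet Service"
StartType=2
ServiceBinary=%11%\\inetsvr.exe
"""

def parse_inf(text):
    """Minimal INF parser -> {section (lowercase): [(key (lowercase), [values]), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None and "=" in line:
            key, _, val = line.partition("=")
            values = [v.strip().strip('"') for v in val.split(",")]
            sections[current].append((key.strip().lower(), values))
    return sections
def expand_dirid(path):
    """Expand %NN% directory IDs the way setupapi does; unknown IDs are left untouched."""
    return re.sub(r"%(\d+)%", lambda m: DIRIDS.get(m.group(1), m.group(0)), path)

def triage_services(text):
    """One finding per AddService/DelService directive in any *.Services section."""
    inf, findings = parse_inf(text), []
    for section, entries in inf.items():
        if not section.endswith(".services"):
            continue
        for key, values in entries:
            if key == "delservice":
                findings.append({"action": "delete", "name": values[0]})
            elif key == "addservice":
                name, _flags, install = (values + ["", ""])[:3]  # flags field may be empty
                props = {k: v[0] for k, v in inf.get(install.lower(), [])}
                findings.append({"action": "add", "name": name, "display": props.get("displayname", ""),
                                 "start": START_TYPES.get(props.get("starttype"), "unknown"),
                                 "binary": expand_dirid(props.get("servicebinary", ""))})
    return findings
```

Run triage_services over any .inf found next to a rundll32 setupapi invocation in process logs to see at a glance which services it registers and where their binaries live.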

But the .inf approach has its own advantages.

1. If you export the registry entry of a service that ships with the system, you will find that its execution path looks like this:

    ImagePath=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
      00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00

The readability is terrible. In fact it is just %SystemRoot%\system32\tlntsvr.exe, but with the data type REG_EXPAND_SZ. When adding a service by manually importing a registry file, defining ImagePath this way is obviously very inconvenient. With an .inf file this problem does not arise: ServiceBinary, which becomes ImagePath, automatically gets the type REG_EXPAND_SZ.

2. Most importantly, like SC and similar tools, the .inf file takes effect immediately, whereas after importing a .reg file a restart is required before the service takes effect.

3. The .inf file automatically adds a Security sub-key to the service's registry entry, so it looks even more like a service that ships with the system.

In addition, AddService and DelService, as well as AddReg and DelReg, can be used at the same time and repeatedly, so multiple services and registry entries can be added and deleted at once. That is how I registered Black Hole as a service by hand, heh.

Quiet added: nice... I used Black Hole's infection of a service-level file so that it starts along with the service.... The feature is hidden!~.. It has some self-protection, heh.. even if it is deleted, a restart regenerates it, because the infection is inside, so it does not affect the original file :)