
Author Topic: Few Questions Win7  (Read 2636 times)


bubzuru
Few Questions Win7
« on: October 30, 2011, 05:54:20 PM »
How is malware installing on Windows 7 systems?

Which files\folders are writable with default access (executed without using Run as admin)?

I'm planning on creating a class that will allow you to install malware easily, but I need to make a few checks (where can I write files on Windows 7 that's discreet?).

I thought of just checking if I'm admin and windir is writable, then installing in XP mode... but then what if it's Windows XP and windir is unwritable, what to do??? The last question doesn't really matter because XP malware just installs without checks. Just thinking ahead.

All ideas welcome.
Damm it feels good to be gangsta
http://bubzuru.comule.com

ande
Re: Few Questions Win7
« Reply #1 on: October 30, 2011, 08:07:57 PM »
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same with the Startup folder of the current user in the Start menu, as far as I know.

When it comes to files/folders, Win7 is a bitch. Only (mostly) the folders in c:\users\USERNAME\ are writable. Preferably c:\users\USERNAME\appdata\, but Documents and My * are also writable, as well as the desktop :P
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Kulverstukas
Re: Few Questions Win7
« Reply #2 on: October 30, 2011, 09:21:14 PM »
I think everything becomes writable once you kill the UAC :(

bubzuru
Re: Few Questions Win7
« Reply #3 on: October 30, 2011, 09:31:54 PM »
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable without any trouble. Same with the Startup folder of the current user in the Start menu, as far as I know.
>
> When it comes to files/folders, Win7 is a bitch. Only (mostly) the folders in c:\users\USERNAME\ are writable. Preferably c:\users\USERNAME\appdata\, but Documents and My * are also writable, as well as the desktop :P

I know them reg keys are writable, that's not what I'm asking.
I need a good place to install the malware if the app is running in restricted mode.
Are the folders you mentioned the only writable folders??

Also, if I start an app in unrestricted mode and then set the HKEY_LOCAL_MACHINE Run value, when it starts will it be running in unrestricted mode??

> I think everything becomes writable once you kill the UAC :(

Yes, but that's not what I want, I want to be silent.
« Last Edit: October 30, 2011, 09:33:18 PM by bubzuru »

bubzuru
Re: Few Questions Win7
« Reply #4 on: October 30, 2011, 09:42:11 PM »
I know I could test before I post, but I'm lazy.
Gonna just write a simple app and see if it works.

Also, if a process is started by a process with full rights, does the child process have full rights??

bubzuru
Re: Few Questions Win7
« Reply #5 on: October 30, 2011, 10:18:06 PM »
OK,
just did a quick test.

I put my file in the root drive and set it to run on startup with the HKEY_LOCAL_MACHINE Run value; seems it still runs with less privileges.

Gonna try the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key to see if that helps.

Edit:
Nope, app still runs with less privileges even though it's started by explorer.exe.
« Last Edit: October 30, 2011, 10:32:35 PM by bubzuru »

bubzuru
Re: Few Questions Win7
« Reply #6 on: October 30, 2011, 11:58:31 PM »
Now I have made an app run on startup with full privileges..... 8)

It requires a stub file that needs UAC authentication...... BUT
there is a twist: if you add it to the regular startup key then the desktop starts and it looks dodgy (not good).

Soooo
I made a stub that executes before explorer using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

The UAC dialog runs before the desktop is created (after you click login)... if the user clicks Don't Allow then the desktop won't show... if the user clicks Allow then everything works normally and the malware has full access to the file system :0

I've also thought of unmapping explorer.exe, adding UAC and making it so it needs to run with admin access, then running malware through that (not tested).

Will write a tut\tool soon.
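For the autostart locations ande lists in Reply #1 and the Winlogon key bubzuru tries in Replies #5 and #6, here is an added defensive check in PowerShell (not from the thread or any of its posters) that enumerates those entries and flags the ones pointing into user-writable paths or deviating from the stock Winlogon values. It assumes Windows 7 or later with PowerShell and an elevated prompt so HKLM and every profile are readable.

```powershell
# Added audit script, not from the thread: enumerates the autostart locations
# discussed above (Run keys, Winlogon Shell/Userinit) and flags entries that
# point into user-writable paths or deviate from the stock Winlogon values.
# Assumes Windows 7 or later; run elevated so HKLM and every profile are readable.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Roots a standard user can write to without a UAC prompt. An autostart entry
# living here is not proof of malware, but it is where a silent install would land.
$userWritable = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp")

function Test-UserWritablePath {
    param([string]$Command)
    # Extract the executable from a command line such as: "C:\dir\app.exe" /flag
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $userWritable) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not values
        $findings += New-Object PSObject -Property @{
            Location = $key; Name = $p.Name; Command = $p.Value
            Suspicious = Test-UserWritablePath $p.Value
        }
    }
}

# Stock values: Shell is "explorer.exe" and Userinit ends with "userinit.exe,"
# (trailing comma). Anything appended there runs before the desktop appears.
$wl = Get-ItemProperty -Path $winlogon
$stock = @{ Shell = 'explorer.exe'; Userinit = "$env:windir\system32\userinit.exe," }
foreach ($name in $stock.Keys) {
    $findings += New-Object PSObject -Property @{
        Location = $winlogon; Name = $name; Command = $wl.$name
        Suspicious = ($wl.$name -ne $stock[$name])
    }
}
$findings | Where-Object { $_.Suspicious } | Format-Table Location, Name, Command -AutoSize
```

Drop the `Where-Object` filter to see every entry rather than only the flagged ones; the per-user Startup folder ande mentions is a plain directory and can be listed with `Get-ChildItem` alongside this output.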

bubzuru
Re: Few Questions Win7
« Reply #7 on: October 31, 2011, 01:47:09 AM »
Tried unmapping explorer......
complete fuck up ???
I managed to replace it, but after restart it almost broke my sister's laptop, so that's a no go.

The single UAC still works, so hahaha fuck Microsoft.

bubzuru
Re: Few Questions Win7
« Reply #8 on: October 31, 2011, 01:51:46 AM »
BTW,
just so you know, this hack will allow a file\any file it starts in Windows 7\Vista to run with full access, not just the user's access :D

bubzuru
Re: Few Questions Win7
« Reply #9 on: October 31, 2011, 10:37:32 PM »
Video of it working:
http://www.youtube.com/watch?v=V56PnsvqyuU

more info soon

xor (Guest)
Re: Few Questions Win7
« Reply #10 on: November 01, 2011, 12:10:36 PM »
Doesn't help that it's a vbscript and prompts the user to run it. :/ Learn a real language.

bubzuru
Re: Few Questions Win7
« Reply #11 on: November 01, 2011, 12:30:54 PM »
> Doesn't help that it's a vbscript and prompts the user to run it. :/ Learn a real language.

Well, I wrote the stub in Delphi at first.
Obviously the user will see the prompt, but if they click No the desktop doesn't create
(not hard to solve, just Ctrl+Alt+Del and run explorer, but the average user won't do that).

And I chose VBScript because the UAC box says verified by Microsoft (less suspicious, no?),
and even if you end the file you run, they just start it again. It still has admin privs.
« Last Edit: November 01, 2011, 12:38:06 PM by bubzuru »

techb
Re: Few Questions Win7
« Reply #12 on: November 05, 2011, 10:12:18 AM »
You could try the Task Scheduler exploit, partly written in VBS.
>>>import this
-----------------------------

 


