Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: 7. Analyzing Malicious Windows Programs
Next: Networking APIs

The Registry Editor (regedit.exe) is a built-in Windows tool used to view and edit the registry. The pane on the left shows the open subkeys, and the pane on the right shows the value entries in the selected subkey. Each value entry has a name, a type, and data (its value). The full path of the subkey currently being viewed is shown at the bottom of the window.

The Run subkey (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) is a well-known way to set up software to run automatically. It is not a stealthy technique, since it is one of the first places an analyst looks, but malware uses it constantly to launch itself after a reboot.

The Autoruns tool (free from Microsoft, part of the Sysinternals suite) lists code that will run automatically when the OS starts. It lists executables that run, DLLs loaded into Internet Explorer and other programs, and drivers loaded into the kernel. Autoruns checks about 25 to 30 registry locations for code configured to run automatically, but it won't necessarily list all of them, so an empty Autoruns view is not proof that nothing is persisted.

The disassembly listing shows real malware code opening the Run key in the registry and adding a value so that the program runs each time Windows starts. The RegSetValueEx function, which takes six parameters (hKey, lpValueName, Reserved, dwType, lpData, and cbData), edits a registry value entry or creates a new one if it does not exist.

The listing contains comments at the end of most lines, after the semicolon. In most cases the comment is the name of the parameter being pushed onto the stack, taken from the Microsoft documentation for the function being called. For example, the first four lines carry the comments samDesired, ulOptions, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", and hKey; they appear in reverse order because the stdcall convention pushes arguments from right to left. These comments reveal the meaning of each value being pushed: samDesired is the access mask being requested (the kind of access the caller wants to the key), ulOptions is an unsigned long holding the options for the call (recall Hungarian notation: the ul prefix encodes the type), and hKey is the handle to the root key under which the subkey is opened.

The code calls RegOpenKeyEx with the parameters needed to open a handle to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The value name and the data are stored on the stack as parameters to RegSetValueEx, and the listing shows them with the labels IDA Pro assigned. The call to lstrlenW is needed to obtain the length of the data, which feeds the size parameter (cbData) of RegSetValueEx. Note that lstrlenW returns a count of wide characters, whereas cbData is a byte count that, for REG_SZ data, should include the terminating null, so correct code converts characters to bytes before the call.

A .reg file, the text format regedit imports and exports, is a second way to make the same change; the example .reg file discussed here has three parts.

The first line simply lists the version of the registry editor. "Windows Registry Editor Version 5.00" is the format introduced with Windows 2000 and used by every later version, including Windows XP (older files begin with REGEDIT4 instead). The key to be modified, [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], appears within brackets; in the file itself the hive must be spelled out as HKEY_LOCAL_MACHINE, because regedit does not accept the HKLM abbreviation when importing. The last line of the .reg file contains the value name and the data for that key. This listing adds the value name MaliciousValue with the data C:\Windows\evil.exe, so that program runs automatically each time the OS boots.
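As an added example (my code, not the book's), here is a Python triage helper that ties the two discussions above together: it parses a .reg file of the format just described, flags any value written under a Run or RunOnce key, and computes the byte count RegSetValueEx expects in cbData for REG_SZ data, which is the character-to-byte conversion the lstrlenW discussion calls for. The embedded .reg text is constructed to match the description (MaliciousValue pointing at C:\Windows\evil.exe). The function names, the hive-alias table and the short list of autostart subkeys are my assumptions for this example; Autoruns checks far more locations than the two listed here.

```python
"""Triage helper for .reg files (added example, not from the book)."""
import re

# regedit's importer needs the full hive name inside [ ... ]; the short forms
# are expanded here only so that keys copied from analyst notes compare equal.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Subkeys (relative to the hive, upper-cased) whose values run at boot/logon.
# Assumed list for this example; Autoruns checks many more locations.
AUTOSTART_SUBKEYS = {
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
}

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed .reg text matching the listing described in the chapter.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaliciousValue"="C:\\Windows\\evil.exe"
"""


def normalize_key(key):
    """Expand a hive abbreviation and upper-case the path for comparison."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive + ("\\" + rest.upper() if rest else "")


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw):
    """Map the right-hand side of a value line to (type, data)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw == "-":
        return "DELETE", None          # "name"=- removes the value
    return "REG_BINARY", raw           # hex:, hex(2):, ... left as written


def parse_reg(text):
    """Parse .reg text into {'version': header, 'entries': [value dicts]}."""
    lines, buf = [], ""
    for ln in text.lstrip("\ufeff").splitlines():
        ln = ln.strip()
        if ln.endswith("\\") and not ln.startswith("["):
            buf += ln[:-1]             # hex data continued on the next line
            continue
        lines.append(buf + ln)
        buf = ""
    version, key, entries = None, None, []
    for ln in lines:
        if not ln or ln.startswith(";"):
            continue
        if version is None:
            if ln not in HEADERS:
                raise ValueError("not a .reg file: %r" % ln)
            version = ln
            continue
        if ln.startswith("[") and ln.endswith("]"):
            key = normalize_key(ln[1:-1].lstrip("-"))  # [-key] deletes the key
            continue
        m = VALUE_RE.match(ln)
        if m is None or key is None:
            raise ValueError("unparsable line: %r" % ln)
        name = "" if m.group(2) else _unescape(m.group(1))
        vtype, data = _decode_data(m.group(3).strip())
        entries.append({"key": key, "name": name, "type": vtype, "data": data})
    return {"version": version, "entries": entries}


def autostart_entries(parsed):
    """Values the file writes under a Run/RunOnce key in any hive."""
    hits = []
    for e in parsed["entries"]:
        _, _, subkey = e["key"].partition("\\")
        if subkey in AUTOSTART_SUBKEYS and e["type"] != "DELETE":
            hits.append(e)
    return hits


def reg_sz_cbdata(text):
    """Bytes RegSetValueEx wants in cbData for REG_SZ data passed as UTF-16:
    lstrlenW yields the character count, so double it and add the 2-byte NUL."""
    return (len(text) + 1) * 2


if __name__ == "__main__":
    report = parse_reg(SAMPLE_REG)
    for hit in autostart_entries(report):
        print("autostart: %s\\%s -> %r (cbData %d)" % (
            hit["key"], hit["name"], hit["data"], reg_sz_cbdata(hit["data"])))
```

Run as a script it prints the one Run-key entry from the sample; pointing parse_reg at a .reg file recovered from a sample gives the same flat list of key/name/data triples, which is usually easier to diff against a clean baseline than the raw file.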


© RuTLib.com 2015-2018