Hi together,

In Windows 2000 / XP exist several (public known) methods to start a program automatically with windows.
One possibility is to use the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
is our example here below.

So, from where does windows know how to use this key? (good thought, he?)
I scanned several system files for the aforementioned key with no result.
After that i re-examined the system files that are loaded with windows and i stumbled over explorer.exe, that has indeed the key in it. It's just not that easy to find ;)

In version 5.0.3700.6690 of explorer.exe (Windows 2000 / SP4) the key is located from offset: 0000b560h to 0000b5a0h
and looks like: "S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.R.u.n." in ascii.
The same in hex: "53 00 6F 00 66 00 74 00 77 00 61 00 72 00 65 00 5C 00 4D..." etc.

1. Turn windows file protection off (ask google if you don't know how to).
2. Kill the running explorer.exe
3. Open the file in binary mode and search for the above string.
4. Replace the string by:

"S.y.s.t.e.m.\.H.i.d.d.e.n.A.u.t.o.r.u.n.\.Y.o.u.r.A.p.p.\.P.a.r.a.m.e.t.e.r.s.\.s.r.u.n.s." or something like that.
4.1 The string has to be the same length as the above one.
5. Save the file and restart explorer.exe

The user will just notice a crash of the explorer, as it happens twice a day *scnr* and the ensuing restart of it.
From the next reboot on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" is useless but in exchange you have a new one at "HKEY_LOCAL_MACHINE\System\HiddenAutorun\YourApp\Parameters\sruns".
To stay undetected it is essential to load alls apps located in the old registry key. Otherwise a user my notice the change.

regards,
nec

read comments (15) / write comment

recent comments:

Windows File Protection	claxus	04.May:15:54
junk	SubTen	29.Apr:22:55
WFP	admin	23.Apr:21:08
gj	akcom	23.Apr:21:01
Vice Results	bobp	23.Apr:18:57

printer-friendly version