| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Oct 3 23:43:08 2005 From: se_cur_ity at hotmail.com (Morning Wood) Subject: RE: Full-Disclosure Digest, Vol 8, Issue 3 >Can you give me an example of a trojan, worm, or another program which has added the last USB device installed in the >Windows Registry, yes, see below >or how about a program, worm, trojan - some ASM code... ( edited ) any_key1 db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0 another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0 invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL invoke wsprintf, addr senddata, addr some_value3, addr port invoke wsprintf, addr recvdata, addr another_value2, addr port invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax invoke RegCloseKey, hRegkey ( repeat for another_key2 ) easily done in .c too or c:\>regedt32 -s somebad.reg ( will silently install ANY key you want ) >which caused something to be added to the last typed URL? VNC ( or aformentioned key writes ) how do you think malware writes startup keys? I am confused by your statement... once a system has been compromised, ANYTHING can be written to the registry ( especialy is the attacker has SYSTEM privs ) my2bits, M.W
Powered by blists - more mailing lists