A Tale of Two Regeds: Registry editors

 



An interesting fact many people don't know about registry editors is that they can be used to launch DOS and batch files. This might not be a direct attack vector for malware, but it does mean that if you want to use a script under the current user's account, you must either store the file in an accessible folder or copy its command into an editor without a GUI. It also means that if your target is using one of these text-based programs, you may be able to carry out your attack using an interactive editor.

## What is it?
Registry editors are used by system administrators and power users alike to edit the Windows Registry manually when other methods are unavailable or ineffective. The registry is the central database of settings that affect the operating system, and it has held a lot of power in Windows since the dawn of Windows NT, when it was used to store information about the drivers that Windows needed to access hardware. Today, it controls major parts of how the operating system behaves, such as whether a program runs automatically when you log in or which programs start when you boot.
One way malicious code could use these editors would be to copy a batch file or other executable into the same folder where your selected editor is located, because then you could issue commands through the editor without ever opening it directly.
Another way would be to trick your target into opening the registry editor and then copying your command into the editor before closing it. This can be done by using a program like AutoIt or PowerShell, which will give you access to almost any executable through the command line. Or you could create a simple batch script that looks for the presence of a text editor in the same folder as your target and then runs it if present.
Additionally, some editors contain options that can be used to open and edit the registry directly via some other program, so they are not just useless programs with extra help files on them. Some debuggers even allow you to attach to running processes while they are being debugged, but always consult with your target's documentation before doing this because it may not work with all applications.
If your target is running Windows XP, then you can get their auto-run settings from the terminal. Double-click on "Computer" from the start menu and go to "Tools -> Folder Options". Type regedit in the address bar and press Enter, and then find `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`.
If you are using Windows 7 or later, an easier method to get this information is by using Sysinternals' Autoruns program, which can be downloaded here. You can then view some of the more useful registry keys in it, and there is a "Registry Editor" tab that lists all the auto-run settings.
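From the defender's side, the same Winlogon key and the Run keys can be exported with `reg export` and checked for entries that differ from a stock install. The following Python is an added example, not part of the original article: the sample export, the value names in it, and the assumption that Windows lives in `C:\Windows` are all constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form. Real exports are UTF-16:
# read them with open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Backup"="C:\\Program Files\\Example\\backup.exe"
"Updater"="cmd.exe /c \"C:\\Temp\\batfile.bat\""
'''

WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")
# Stock Winlogon values, assuming Windows is installed in C:\Windows.
DEFAULTS = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe,"}
# Script files or script hosts appearing in an autorun command line.
SCRIPTY = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b|"
                     r"\b(cmd|powershell|wscript|cscript|mshta)(\.exe)?\b", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, name, data) for every string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def audit(text):
    """Return (key, name, data, reason) for each autorun entry worth reviewing."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith(WINLOGON) and n in DEFAULTS and data.lower() != DEFAULTS[n]:
            findings.append((key, name, data, "differs from Windows default"))
        elif k.endswith(RUN_KEYS) and SCRIPTY.search(data):
            findings.append((key, name, data, "launches a script or script host"))
    return findings
```

Only `REG_SZ` string values are parsed; `hex(...)` and `dword` entries in an export are skipped, so an expandable-string autorun would need its own decoder.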
## How to do it
## 1. Create the file
You need to create a text file that can be edited by your target, and this means not just composing text. First, open Notepad (or some other editor) and go to File -> Save As... and save it in the same directory as your target application with a ".bat" extension.
Then add all of the commands you want your target to run into this file, like so:

```bat
REM This batch file launches regedit to allow for DOS commands
echo This batch file launches regedit to allow for DOS commands> batfile.txt
start /d "C:\Program Files\regedit.exe" /s "C:\"
REM This batch file launches regedit to allow for DOS commands
echo This batch file launches regedit to allow for DOS commands> batfile.txt
start /d "C:\Program Files\regedit.exe" /s "D:\batfile.txt"
```

It is important to note that the above line will not work if your target's Windows directory is on the D: drive, because when it runs in DOS mode it will look for the Windows folder on drive C: and so will launch the editor from both directories. You need to replace that line with a command that moves the program into its correct location, like this:

```bat
move d:\regedit.exe c:\
```

Now, if your target uses the editor you created to edit a file in their Windows directory and then closes the editor, this will cause the batch file to run.
After some time or when an error is encountered, Notepad will close, which will then run your batch file. This all happens after a delay so that they don't notice it happening right away. You could also leave Notepad running to hide what's going on more easily. An added bonus of this method is that it won't have any visible indicators that anything happened because there isn't a program shown in the taskbar or task manager. They would have to check their hard drive for new files if they wanted proof.
## 2. Configure your target to run the file
You may need your target's auto-run settings to be changed, and this can be done by double-clicking on "Computer" from the start menu and going to "Control Panels -> System." Open the "Users" tab in it and then open the "Group Policy Object Editor." Select a user from there and click edit, and then edit them.
Under "User Configuration," choose the Active Directory Users and Computers settings node.

## Conclusion
This is a very simple hack, but it is effective and extremely useful to have in your arsenal. It is not nearly as hard as hijacking your target's registry. It is quite easy to carry out, and you should be able to set it up on a computer of yours if you can't get at theirs. Either way, creating your own batch file or using AutoIt or PowerShell to obtain the necessary command line will work in most cases.
If you are looking for something more advanced, like hijacking the entire login process so that your target receives emails from the attacker, then read my guide on how I did that here.
Good luck! Feel free to ask any questions below. If this tutorial helped you please consider donating.
