首页 > 其他分享 >在涉及恶意软件的任何调查中,寻找持久性点(也称为“自动启动扩展点”或ASEP)是一项经常出现的任务。

在涉及恶意软件的任何调查中,寻找持久性点(也称为“自动启动扩展点”或ASEP)是一项经常出现的任务。

时间:2024-02-18 09:01:53浏览次数:39  
标签:HKLM Windows 恶意软件 ASEP CurrentVersion 持久性 HKCU Microsoft Software

Autostart categories

When you launch Autoruns for the first time, all autostart entries on the system are displayed in one long list on the Everything tab. As Figure 4-8 shows, the display includes up to 19 other tabs that break down the complete list into categories.

FIGURE 4-8

FIGURE 4-8 Autostart categories are displayed on up to 20 different tabs.

Logon

This tab lists the “standard” autostart entries that are processed when Windows starts up and a user logs on, and it includes the ASEPs that are probably the most commonly used by applications. They include the various Run and RunOnce keys in the registry, the Startup directories in the Start menu, computer startup and shutdown scripts, and logon and logoff scripts. It also lists the initial user session processes, such as the Userinit process and the desktop shell. These ASEPs include both per-user and systemwide locations, and entries designed for control through Group Policy. Finally, it lists the Active Setup\Installed Components keys, which although never publicly documented or supported for third-party use have been reverse-engineered and repurposed both for good and for ill.

The following lists the Logon ASEP locations that Autoruns inspects on a particular instance of an x64 version of Windows 10.

The Startup directory in the “all users” Start menu

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup

The Startup directory in the user’s Start menu

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Per-user ASEPs under HKCU\Software

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Per-user ASEPs under HKCU\Software—64-bit only

HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnc

Per-user ASEPs under HKCU\Software intended to be controlled through Group Policy

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff

Systemwide ASEPs in the registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Active Setup\Installed Components
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\IconServiceLib
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram

Systemwide ASEPs in the registry, intended to be controlled through Group Policy

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown

Systemwide ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components

Systemwide ActiveSync ASEPs in the registry

HKLM\Software\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect

Systemwide ActiveSync ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect

Explorer

The Explorer tab lists common autostart entries that hook directly into Windows Explorer3 and usually run in-process with Explorer.exe. Again, although most entries are systemwide, there are a number of per-user entries. Key entries on the Explorer tab include the following:

  • Shell extensions that add context menu items, modify property pages, and control column displays in folder windows

  • Namespace extensions such as the Desktop, Control Panel, and Recycle Bin, as well as third-party namespace extensions

  • Pluggable namespace handlers, which handle standard protocols such as http, ftp, and mailto, as well as Microsoft or third-party extensions such as about, mk, and res

  • Pluggable MIME filters

On 64-bit versions of Windows, in-process components such as DLLs can be loaded only into processes built for the same CPU architecture. For example, shell extensions implemented as 32-bit DLLs can be loaded only into the 32-bit version of Windows Explorer—and 64-bit Windows uses the 64-bit Explorer by default. Therefore, these extensions might not appear to work at all on 64-bit Windows.

The following lists the Explorer ASEP locations that Autoruns inspects on a particular instance of an x64 version of Windows 10.

Per-user ASEPs under HKCU\Software

HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers
HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Protocols\Filter
HKCU\Software\Classes\Protocols\Handler
HKCU\Software\Microsoft\Ctf\LangBarAddin
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Systemwide ASEPs in the registry

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Protocols\Filter
HKLM\Software\Classes\Protocols\Handler


HKLM\Software\Microsoft\Ctf\LangBarAddin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Systemwide ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Internet Explorer

Internet Explorer is designed for extensibility, with interfaces specifically exposed to enable Explorer bars such as the Favorites and History bars, toolbars, and custom menu items and toolbar buttons. And Browser Helper Objects (BHOs) enable almost limitless possibilities for extending the capabilities and user experiences for Internet Explorer.

However, because so much of users’ computer time is spent in a browser, and because much of the high-value information that users handle (such as passwords and credit card information) goes through the browser, it has become a primary target of attackers. The same programmatic interfaces that enable integration with third-party document readers and instant messaging have also been used by spyware, adware, and other malicious endeavors.

The following lists the Internet Explorer ASEP locations that Autoruns inspects on a particular instance of an x64 version of Windows 10.

Per-user ASEPs under HKCU\Software

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

Systemwide ASEPs in the registry

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Per-user and systemwide ASEPs in the registry—64-bit only

HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Scheduled Tasks

The Scheduled Tasks tab displays entries that are configured to be launched by the Windows Task Scheduler. The Task Scheduler allows programs to be launched on a fixed schedule or upon triggering events, such as a user logging on or the computer being idle for a period of time. Commands scheduled with At.exe also appear in the list. The Task Scheduler was greatly enhanced in Windows Vista, so Windows now makes heavy use of it, and the list on the Scheduled Tasks tab will generally be long unless you hide verified Windows entries.

Because tasks can actually be disabled in Windows (unlike Start menu items), clearing the check box next to a scheduled task in Autoruns disables the task rather than copying it to a backup location.4

If you select Jump To Entry from the Entry menu for a scheduled task entry, Autoruns displays the Task Scheduler user interface, but it does not try to navigate to the selected entry.

Services

Windows services run in noninteractive, user-mode processes that can be configured to start independently of any user logging on, and that are controlled through a standard interface with the Service Control Manager. Multiple services can be configured to share a single process. A common example of this can be seen in Svchost.exe (Host Process for Windows Services), which is specifically designed to host multiple services implemented in separate DLLs.

Services are configured in the subkeys of HKLM\System\CurrentControlSet\Services. The Start value within each subkey determines whether and how the service starts.

Autoruns’ Services tab lists services that are not disabled, unless they were disabled by Autoruns (indicated by the presence of an AutorunsDisabled value in the service’s registry key). The content for the Description column comes from the text or the resource identified by the Description value in the configuration key. The image path column displays the path to the service executable; for Svchost services, Autoruns displays the path to the target DLL identified by the ServiceDll value in the service’s key or its Parameters subkey. There are cases for some services in some versions of Windows where administrative rights are required to view the Parameters key; in these cases, Autoruns displays the path to Svchost.exe in the image path column.

Be certain you know what you are doing when disabling or deleting services. Missteps can leave your system with degraded performance, unstable, or unbootable. And again, note that disabling or deleting a service does not stop the service if it is already running.

One malware technique to watch for is a service that looks like it’s supposed to be part of Windows but isn’t, such as a file named svchost.exe in the Windows directory instead of in System32. Another technique is to make legitimate services dependent on a malware service; removing or disabling the service without fixing the dependency can result in an unbootable system. Autoruns’ Jump To Entry feature is handy for verifying whether the service’s configuration in the registry includes a DependOnService value that you can inspect for dependencies before making changes.

Drivers

Like services, drivers are also configured in the subkeys of HKLM\System\CurrentControlSet\Services, as well as in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers. Unlike services, drivers run in kernel mode, thus becoming part of the core of the operating system. Most are installed in System32\Drivers and have a .sys file extension. Drivers enable Windows to interact with various types of hardware, including displays, storage, smartcard readers, and human input devices. They are also used to monitor network traffic and file I/O by antivirus software (and by Sysinternals utilities such as Procmon and Procexp!). And, of course, they are also used by malware, particularly rootkits.

As with services, the Drivers tab displays drivers that are not marked as disabled, except those disabled through Autoruns. The Description value comes from the version resource of the driver file, and the image path points to the location of the driver file.

Most blue-screen crashes are caused by an illegal operation performed in kernel mode, and most of those are caused by a bug in a third-party driver. (Less common reasons for blue screens are faulty hardware, the termination of a system-critical process such as Csrss.exe, or an intentional crash triggered through the keyboard driver’s crash functionality, as described in Knowledge Base article 244139: http://support.microsoft.com/kb/244139.)

You can disable or delete a problematic driver with Autoruns. Doing so will usually take effect after a reboot. As with services, be absolutely certain you know what you are doing when disabling or deleting the configuration of drivers. Many are critical to the operating system, and any misconfiguration might prevent Windows from working at all.

Codecs

The Codecs category lists executable code that can be loaded by media playback applications. Buggy or misconfigured codecs have been known to cause system slowdowns and other problems, and these ASEPs have also been abused by malware. The following lists the keys that are shown on the Codecs tab.

Keys inspected under both HKLM and HKCU

\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
\Software\Classes\Filter
\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

Keys inspected under both HKLM and HKCU on 64-bit Windows

\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Boot Execute

The Boot Execute tab shows you Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot. BootExecute typically includes tasks, such as hard-drive verification and repair (Autochk.exe), that cannot be performed while Windows is running. The Execute, S0InitialCommand, and SetupExecute entries should never be populated after Windows has been installed. The following lists the keys that are displayed on the Boot Execute tab.

Keys that are displayed on the Boot Execute tab

HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Image hijacks

Image hijacks is the term I use for ASEPs that run a different program from the one you specify and expect to be running. The Image Hijacks tab displays four types of these redirections:

  • exefile Changes to the association of the .exe or .cmd file types with an executable command. The file-association user interfaces in Windows have never exposed a way to change the association of the .exe or .cmd file types, but they can be changed in the registry. Note that there are per-user and systemwide versions of these ASEPs.

  • htmlfile Changes to the association of the .htm or .html file types with an executable command. Some malware that hijacks these ASEPs can come into play when you open an HTML file. Verify that the executable command is a legitimate browser.

  • Command Processor\Autorun A command line that is executed whenever a new Cmd.exe instance is launched. The command runs within the context of the new Cmd.exe instance. There is a per-user and systemwide variant, as well as a separate version for the 32-bit Cmd.exe on 64-bit Windows.

  • Image File Execution Options (IFEO) Subkeys of this registry location (and its echo in the 64-bit versions of Windows) are used for a number of internal and undocumented purposes. One purpose for IFEO subkeys that has been documented is the ability to specify an alternate program to start whenever a particular application is launched. By creating a subkey named for the file name of the original program and a “Debugger” value within that key that specifies an executable path to an alternate program, the alternate program is started instead and receives the original program path and command line on its command line. The original purpose of this mechanism was for the alternate program to be a debugger and for the new process to be started by that debugger, rather than having a debugger attach to the process later, after its startup code had already run. However, there is no requirement that the alternate program actually be a debugger, nor that it even look at the command line passed to it. In fact, this mechanism is how Process Explorer (described in Chapter 3) replaces Task Manager.

The following list shows the registry keys corresponding to these ASEPS that are shown on the Image Hijacks tab.

Registry locations inspected for EXE file hijacks

HKCU\Software\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\Software\Classes\.exe
HKCU\Software\Classes\.cmd
HKLM\Software\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\Software\Classes\.exe
HKLM\Software\Classes\.cmd

Registry locations inspected for htmlfile hijacks

HKCU\Software\Classes\Htmlfile\Shell\Open\Command\(Default)
HKLM\Software\Classes\Htmlfile\Shell\Open\Command\(Default)

Command processor autorun keys

HKCU\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun

Keys inspected for Image File Execution Options hijacks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

AppInit

The idea behind AppInit DLLs surely seemed like a good idea to the software engineers who incorporated it into Windows NT 3.1. Specify one or more DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every process that loads User32.dll (that is, virtually all user-mode Windows processes). Well, what could go wrong with that?

  • The AppInit DLLs are loaded into the process during User32’s initialization—that is, while its DllMain function is executing. Developers are explicitly told not to load other DLLs within a DllMain. It can lead to deadlocks and out-of-order loads, which can lead to application crashes. And yet here, the AppInit DLL “feature” does exactly that. And yes, that has led to deadlock and application crashes.5

  • A DLL that automatically gets loaded into every process on the computer sounds like a winner if you are writing malware. Although AppInit has been used in legitimate (but misguided) software, it is frequently used by malware.

Because of these problems, AppInit DLLs are deprecated and disabled by default in Windows Vista and newer. For purposes of backward compatibility, it is possible to re-enable AppInit DLL functionality, but doing so is strongly discouraged. To ensure that AppInit DLLs have not been re-enabled, verify that the LoadAppInit_DLLs DWORD value is 0 in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and in HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.

Registry values inspected for AppInit Entries

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

KnownDLLs

KnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL.

The Autoruns KnownDLLs tab should contain only verifiable Windows DLLs. On 64-bit versions of Windows, the KnownDLLs tab lists one ASEP, but file entries are duplicated for both 32-bit and 64-bit versions of the DLLs, in directories specified by the DllDirectory and DllDirectory32 values in the registry key. Note that the Windows-On-Windows-64 (WOW64) support DLLs are present only in the System32 directory and Autoruns will report “file not found” for the corresponding SysWOW64 directory entries. This is normal.

To verify that malware hasn’t deleted an entry from this key so that it can load its own version of a system DLL, save the Autoruns results from the suspect system and compare it against the results from a known-good instance of the same operating system. See the “Saving and comparing results” section later in this chapter for more information.

Winlogon

The Winlogon tab displays entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface. Introduced in Windows Vista, the Credential Provider interface manages the user authentication interface. Today, Windows includes many credential providers that handle password, PIN, picture-password, smartcard, and biometric logon. Most of these are shown only if you disable the Hide Windows Entry option. Third parties can supply credential providers that further customize interactive user logons.

The Winlogon tab also includes the user’s configured screen saver, which is started by Winlogon.exe after inactivity, and registered Group Policy client-side extensions (CSEs), which are DLLs that the Group Policy engine loads. The Group Policy engine used to run in the Winlogon process, but now it runs in the Group Policy Client service.

The following list specifies the registry keys that are shown on the Winlogon tab.

Per-user specification of the screen saver

HKCU\Control Panel\Desktop\Scrnsave.exe

Per-user specification of the screen saver, controlled by Group Policy

HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe

Group Policy Client-Side Extensions (CSEs)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Credential provider ASEPs

HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers

Systemwide identification of a program to verify successful boot

HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath

ASEP for custom setup and deployment tasks

HKLM\System\Setup\CmdLine

Winsock providers

Windows Sockets (Winsock) is an extensible API on Windows because third parties can add a transport service provider that interfaces Winsock with other protocols or layers on top of existing protocols to provide functionality such as proxying. Third parties can also add a namespace service provider to augment Winsock’s name-resolution facilities. Service providers plug into Winsock by using the Winsock service provider interface (SPI). When a transport service provider is registered with Winsock, Winsock uses the transport service provider to implement socket functions, such as connect and accept, for the address types that the provider indicates it implements. There are no restrictions on how the transport service provider implements the functions, but the implementation usually involves communicating with a transport driver in kernel mode.

The Winsock tab lists the providers registered on the system, including those that are built into Windows. You can hide the latter group by enabling Hide Windows Entries and Verify Code Signatures to focus on the entries that are more likely to be causing problems.

Keys inspected for Winsock Provider Entries

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Print monitors

The entries listed on the Print Monitors tab are DLLs that are configured in the subkeys of HKLM\System\CurrentControlSet\Control\Print\Monitors. These DLLs are loaded into the Spooler service, which runs as Local System.

note.jpg Note

One of the most common problems that affects the print spooler is misbehaving or poorly coded third-party port monitors. A good first step in troubleshooting print spooler issues is to disable third-party port monitors to see whether the problem persists.

LSA providers

This category of autostarts comprises packages that define or extend user authentication for Windows, via the Local Security Authority (LSA). Unless you have installed third-party authentication packages or password filters, this list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.

The SecurityProviders ASEP that is also shown on this tab lists registered cryptographic providers. DLLs listed in this ASEP get loaded into many privileged and standard user processes, so this ASEP has been targeted as a malware persistence vector. (This ASEP isn’t truly related to the LSA, except that, like the LSA, it represents security-related functionality.)

Keys inspected for Authentication Providers

HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Keys inspected for Registered Cryptographic Providers

HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders

Network providers

The Network Providers tab lists the installed providers handling network communication, which are configured in HKLM\System\CurrentControlSet\Control\NetworkProvider\Order. On a Windows desktop operating system, for example, this tab includes the default providers that provide access to SMB (file and print) servers, Microsoft RDP (Terminal Services/Remote Desktop) servers, and access to WebDAV servers. Additional providers are often visible in this list if you have a more heterogeneous network or additional types of servers that Windows needs to connect to. All entries in this list should be verifiable.

WMI

The WMI tab lists registered WMI event consumers that can be configured to run arbitrary scripts or command lines when a particular event occurs. When you select an entry on the WMI tab, the lower panel reports information about the target file, the event consumer’s full command line, and the condition, such as a WQL query, that will trigger the event consumer to execute.

When you disable a WMI entry, Autoruns replaces the entry with a clone that has the same name but with “_disabled” appended. This breaks the binding to the event filter so that it won’t execute. By re-enabling, the original name and the event binding is reestablished.

These events and bindings are stored in the WMI repository in the ROOT\subscription namespace.

Sidebar gadgets

On Windows Vista and Windows 7, this tab lists the Sidebar Gadgets (called “Desktop Gadgets” on Windows 7) that are configured to appear on the user’s desktop. Although gadget software is often (but not always) installed in a systemwide location such as %ProgramFiles%, the configuration of which gadgets to run is in %LOCALAPPDATA%\Microsoft\Windows Sidebar\Settings.ini, which is per-user and nonroaming. Disabling or deleting gadgets with Autoruns manipulates entries in the Settings.ini file.

The image path usually points to an XML file. The gadgets that shipped with Windows Vista and Windows 7 are catalog signed and can be verified. Gadgets were discontinued after Windows 7.

Office

The Office tab lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word. On 64-bit Windows, Office add-ins can be registered to run in 32-bit or 64-bit Office versions. 32-bit add-ins are registered in Wow6432Node subkeys on 64-bit Windows.

Keys inspected under both HKLM and HKCU

\Software\Microsoft\Office\Access\Addins
\Software\Microsoft\Office\Excel\Addins
\Software\Microsoft\Office\Outlook\Addins
\Software\Microsoft\Office\PowerPoint\Addins
\Software\Microsoft\Office\Word\Addins

Keys inspected under both HKLM and HKCU on 64-bit Windows

\Software\Wow6432Node\Microsoft\Office\Access\Addins
\Software\Wow6432Node\Microsoft\Office\Excel\Addins
\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
\Software\Wow6432Node\Microsoft\Office\Word\Addins

ASEPs list

Software hive

  • Microsoft\Windows\CurrentVersion\Run,
  • Microsoft\Windows\CurrentVersion\RunOnce,
  • Microsoft\Windows\CurrentVersion\RunServices,
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
  • Wow6432Node\Microsoft\Windows\CurrentVersion\Run,
  • Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce,
  • Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
  • Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
  • Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce

NTUSER.DAT hives

  • Software\Microsoft\Windows\CurrentVersion\Run,
  • Software\Microsoft\Windows\CurrentVersion\RunOnce,
  • Software\Microsoft\Windows\CurrentVersion\RunServices,
  • Software\Microsoft\Windows\CurrentVersion\RunServicesOnce,
  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
  • Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
  • Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce,
  • Software\Microsoft\Windows NT\CurrentVersion\Run,
  • Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
  • Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Winlogon & AppInit

  • Microsoft\Windows NT\CurrentVersion\Winlogon (value AppInit_DLLs)
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
  • Microsoft\Windows NT\CurrentVersion\Winlogon\System

Services

  • CurrentControlSet\Services

Scheduled Tasks

  • C:\Windows\System32\Tasks\ (Windows Vista and onwards only)

Active Setup

  • Microsoft\Active Setup\Installed Components

Microsoft Fix-it

  • Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

 


Autopsy plugin that scans the Auto-Start Extensibility Points (ASEPs) and list out the potential persistences

Current Capabilities

  • System Registry Run keys

    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnceEx
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
    • HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
    • HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
    • HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
    • HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
    • HKLM/SYSTEM/Control/SafeBoot, 'AlternateShell'
    • HKLM/SYSTEM/Control/Terminal Server/wds/rdpwd, 'StartupPrograms'
    • HKLM/SYSTEM/Control/Terminal Server/WinStations/RDP-Tcp, 'InitialProgram'
  • User Registry Run Keys

    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServicesOnce
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Run
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Load
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Run
    • HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/Shell
    • HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logon
    • HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logoff
    • HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
    • HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
    • HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
    • HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
  • WinLogon

    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'TaskMan'
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Shell'
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Userinit'
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Notify'
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'System'
    • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'VmApplet'
  • Services

    • HKLM/SYSTEM/ControlSet*/Services/*
  • Active Setup

    • HKLM/SOFTWARE/Microsoft/Active Setup/Installed Components/*
  • Scheduled Tasks

    • C:/Windows/System32/Tasks
  • Startup Program

    • %APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup
    • %ALLUSERSPROFILE%/Microsoft/Windows/Start Menu/Programs/Startup

 

标签:HKLM,Windows,恶意软件,ASEP,CurrentVersion,持久性,HKCU,Microsoft,Software
From: https://www.cnblogs.com/suv789/p/18018730

相关文章

  • 【THM】Intro to Malware Analysis(恶意软件分析简介)-学习
    本文相关的TryHackMe实验房间链接:https://tryhackme.com/room/intromalwareanalysis本文相关内容:简单介绍一下遇到可疑的恶意软件应该怎么处理。简介当我们在担任SOC(安全运营中心)分析师时,有时会遇到一些可疑的内容(文件或流量),并且我们必须确定这些可疑内容是否为恶意的,为此......
  • 10个常用恶意软件检测分析平台(网工精选)
    你们好,我的网工朋友。我们往期的文章已经同步过很多的好用工具,毕竟,作为一个职场网工人,提升效率才是才能在单位时间内赚到更多的工资往期的好用工具收到了不少好的反响,今天更新一波新的工具安利,专注提升你的工作支线效率。今日文章阅读福利:《12个网络工程师必备工具下载地址》私信我......
  • 自己动手,从源码构建Aseprite!
    最近想试试这个很有名的像素画软件Aseprite,但是又囊中羞涩,没有钱去买Steam版。不过不要紧,Aseprite是开源软件,并且它的源文件是不需要花钱购买的。本着先上车再补票的原则,这篇文章就来尝试一下从源文件构建这个软件。构建的过程在官方的Github仓库里面描述得比较清楚了,本文记录一......
  • 爱好的持久性
    感觉入坑时懵懵懂懂,甚至刚成年,不知道这个东西的毒害。再加上没有老师以及学长的指引,就一条道走到黑了。现在回过头来,发现这真的是一条不归路,至少对于普通人是这样的。感觉每个人都会踩坑,固然有自己固执的因素,但是如果有贵人相助(老师、学长合理规劝),一定能减少亏损,但这都过去了,要说......
  • SpringCloudGateway网关整合swagger3+Knife4j3,basePath丢失请求404问题
    很多人都是照着别人的文章粘代码,我也是粘的,但是这样粘也会有问题,我搞这个Knife4j3的时候遇到两个问题,这里记录一下:第一个是basePath丢失,第二个解决basePath丢失完又引发了会引起application/json数据类型参数示例的问题。在集成SpringCloudGateway网关的时候,会出现没有basePat......
  • CKAD考试实操指南(八)---永恒记忆:状态持久性实践技巧
    状态持久性在这份CKAD考试实操指南中,我将为你详细介绍如何利用CKAD-exercises项目和知十平台进行CKAD考试的准备和复习。通过CKAD-exercises提供的练习题,你可以在知十平台的云原生环境中进行实践和模拟。在这个过程中,你将熟悉Kubernetes的各种操作和场景,并在实践中加深对知识的理解......
  • msmpeng.exe是Windows Defender反病毒软件的主要执行文件,其作用是扫描系统中的文件和
    msmpeng.exe是WindowsDefender反病毒软件的主要执行文件,其作用是扫描系统中的文件和进程,以便检查是否存在恶意软件。WindowsDefender是微软官方提供的反病毒软件,随Windows操作系统一起提供。如果您使用Windows10操作系统,那么您已经拥有了WindowsDefender。启用WindowsDefend......
  • Go每日一库之137:easeprobe(探活工具)
    服务探活在现实场景中应用广泛,比如:服务发现、服务负载均衡、服务调度、服务状态监控等。然而,“探活”往往是作为一个功能模块或者组件集成在各个平台系统中。本次要介绍的easeprobe是一款轻量级的,可独立运行的探活工具,利用easeprobe,无需其他系统支持,就可以对多种类型的服务/中间件......
  • 网安周报|Chaes恶意软件的新Python变种针对银行和物流行业
    1、Chaes恶意软件的新Python变种针对银行和物流行业银行和物流业正受到名为Chaes的恶意软件的重新设计变种的冲击。Chaes于2020年首次出现,它的目标是拉丁美洲(尤其是巴西)的电子商务客户,以窃取敏感的财务信息。该恶意软件的最新迭代版本被称为Chae$4(参考源代码中的调试日志信息),其中......
  • Amazo S3 是如何实现 99.999999999% 的持久性和可用性的?
    亚马逊简单存储服务(AmazonS3)是最广泛使用和可靠的云存储服务之一,提供高度可扩展和耐用的存储。许多S3客户的关键要求是确保其数据的最大正常运行时间和可用性。在本文中,我们将深入探讨S3如何通过其稳固的系统架构和实现方式实现超过99.99%的可用性。亚马逊云科技开发者社......