2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes how backdoors add themselves as system services. It has some reference value for interested readers. Let's take a look.
Many Trojans, backdoors and worms now achieve self-startup by modifying the RUN key value in the registry. But this self-start method is not well hidden: it is a conspicuous giveaway, and anyone who knows a little about security will generally check the RUN key value on finding that the computer has been hacked. As a result, the system service has become a relatively hidden self-start method. The "Shock Wave Killer" worm, for example, uses a system service to start its virus program.
There are many tools for adding system services, the most typical being netservice. But this article is about adding system services manually, so the use of tools is beyond its scope. Many things in Windows are closely tied to the registry, and system services are no exception.
System services are related to the following registry items:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
We can model the new entry on the key of a service that is already registered. Add a new key under any of the above registry branches, named after the system service you want to add, such as Backdoor.
Under the Backdoor key, create a new string value named DisplayName whose data is the service name, Backdoor.
Here is a table that will be more intuitive:

| Name | Type | Data | Remarks |
| --- | --- | --- | --- |
| DisplayName | REG_SZ | name of the service to add | |
| Description | REG_SZ | service description | description of the service |
| ImagePath | REG_EXPAND_SZ | path of the program | |
| Start | REG_DWORD | 0, 2, 3, 4 | |
| ErrorControl | REG_DWORD | 1 | |
| Type | REG_DWORD | 10 or 20 | general applications are 10, others correspond to 20 |
| ObjectName | REG_SZ | LocalSystem | local login |
Note: under XP/2003 you can add REG_EXPAND_SZ values manually and modify the ImagePath value directly, but not under WIN2000. I don't know the reason :(. Under WIN2000, however, we can write a REG file to register the system service directly, so it is still easy to add a system service under WIN2000. It is also important to note that the data type of ImagePath in the registry file must be HEX (hexadecimal). You can use WinHex to convert the absolute path of the program to hexadecimal. Each value is separated by a comma. For example, if my ImagePath is C:\winnt\nukegroup.exe, it should be converted to:
63,3a,5c,77,69,6e,6e,74,5c,6e,75,6b,65,67,72,6f,75,70,2e,65,78,65 (no spaces).
Open Notepad and type in the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRVTEST]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,3a,5c,77,69,6e,6e,74,5c,6e,75,6b,65,67,72,6f,75,70,2e,65,78,65
"DisplayName"="SRVTEST"
"ObjectName"="LocalSystem"
"Description"="system service testing"
Save the above as addsrv.reg.
We can import the registry file with a command to add the system service. We typed regedit /s addsrv.reg in the command console, and when the machine restarted, the service had been added. But I ran into difficulties in the real experiment. The value of ImagePath came out garbled, and I can't figure out why. At this point, though, the garbled value can be changed to an absolute path. If you write the REG entry directly as "ImagePath"=hex(2):C:\WINNT\NUKEGROUP.EXE, the other key values are added, but this one is not. In short, we can first add the garbled ImagePath and then modify it to C:\winnt\nukegroup.exe. It is troublesome to add it at the command line.
The above is the method of adding system services manually under Windows 2000. The registry structure of Windows 98 is different, but Windows 98 can still add system services through the registry, and it is a little simpler.
Add a new string value under the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices". For example, if the name of the program is "BACKDOOR", create a string value called "BACKDOOR" and enter the full path of the program in the data field. Deleting a system service by hand is as simple as adding one by hand. It is also done through the registry, so I won't say much here.
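For defenders, the service values described above (Start, Type, and an ImagePath stored as hex(2)) can be audited from a registry export. The following is an added example, not code from the original article: it parses a .reg export, decodes hex(2) data, and lists auto-start Win32 services whose program lies outside an expected directory. The sample export, the TRUSTED prefixes and the function names are assumptions made for illustration.

```python
import re

# Constructed sample export (not from the article's author). REGEDIT4 files
# store hex(2) as single-byte text; "Version 5.00" files use UTF-16LE.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRVTEST]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):63,3a,5c,77,69,6e,6e,74,5c,6e,75,6b,65,67,72,6f,75,70,2e,65,78,65
'''

# Assumption: directories where auto-start service binaries are expected.
TRUSTED = ("%systemroot%\\system32\\", "c:\\windows\\system32\\", "c:\\winnt\\system32\\")

def decode(raw):
    """Convert a .reg value to int (dword) or str (quoted string or hex(2))."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        wide = len(data) > 1 and data[1] == 0      # heuristic: UTF-16LE text
        return data.decode("utf-16-le" if wide else "latin-1", "replace").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key path: {lower-cased value name: decoded value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)         # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, raw = line.split("=", 1)
            current[name.strip().strip('"').lower()] = decode(raw.strip())
    return keys

def audit_services(text):
    """List (service, ImagePath) for auto-start Win32 services outside TRUSTED."""
    hits = []
    for key, v in parse_reg(text).items():
        path = str(v.get("imagepath", "")).strip('"')
        win32 = isinstance(v.get("type"), int) and v["type"] & 0x30   # 0x10 / 0x20
        if ("\\services\\" in key.lower() and win32 and v.get("start") == 2
                and not path.lower().startswith(TRUSTED)):
            hits.append((key.rsplit("\\", 1)[1], path))
    return hits

if __name__ == "__main__":
    print(audit_services(SAMPLE))
```

Comparing the output against a known-good baseline of the same host is more reliable than the fixed prefix list used here.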