Friday, May 25, 2012
HellBound Hackers | Computer General | Hacking in general

Author

Trying To Override Basic Windows Executables

system_failure
Member



Posts: 57
Location: Halted
Joined: 23.08.08
Rank:
Wiseman
Posted on 24-03-10 17:35
Most viruses override Windows executables so they can't be detected
by just browsing the processes in the Task Manager.
Example: wuauclt.exe (Windows Update)
What method is used to do this? How can I do this?



http://www.black-zero.com
System_Failure_1992@hotmail.com

RE: Trying To Override Basic Windows Executables

system_failure
Member



Posts: 57
Location: Halted
Joined: 23.08.08
Rank:
Wiseman
Posted on 24-03-10 17:55
After reading what Moshbat posted (thank you for your reply), trying to hide the process may irritate antivirus senses :p which is not good. On the other hand, naming the executable like "Windows Update Manager" may give my program a more innocent form. Can you name other Windows-based executable names?



http://www.black-zero.com
System_Failure_1992@hotmail.com

RE: Trying To Override Basic Windows Executables

cyb3rl0rd1867
Member



Posts: 143
Location: U.S
Joined: 07.07.06
Rank:
Hacker Level 1
Posted on 25-03-10 04:42
Check out rootkit.com




Edited by cyb3rl0rd1867 on 25-03-10 04:43

RE: Trying To Override Basic Windows Executables

fuser
Member



Posts: 959
Location: in front of a computer (duh)
Joined: 05.04.07
Rank:
HBH Guru
Posted on 25-03-10 12:58
If I recall, there's an old issue of hakin9 that covered this topic showing how it can be done. I can't remember the issue number, but if I recall correctly it also has tutorials on WiFi cracking and RFI/LFI, I think it must've been over a year old now.

ah, here's the issue: http://hakin9.org/magazine/580-no-backdoor-try-opening-the-windows










Telling modern Internet users to stop whining is like telling them to stop breathing — it seems unrealistic and inhumane. Paul Lutus



Edited by fuser on 25-03-10 13:05
catinthecpu@hotmail.com

RE: Worse!

RootsBabilonia
Member



Posts: 30
Location: Brasil_Amazônia@127.0.0.1/etc/shadow
Joined: 31.03.10
Rank:
God
Posted on 01-07-10 03:24
It is much worse than that! If the virus only overrode Windows executables, that would be great!
For example, you look at Windows Update and disable this shit [it is much more constructive to track updates and download only what you need; we learn a lot about new vulnerabilities ;)]
Worse is when they are loaded as services in SVCHOST! It is loaded with the privileges of the system... And with the Task Manager you never know about anything! :o
The only way to know about what is happening on the machine is using:
------------------------
1 - CMD.exe
2 - Type tasklist /svc
-----------------------
It'll show you all the services that are being loaded in SVCHOST!
It is also very good for refining the system configuration!

I'll still write some articles about Windows! :ninja:

RootsBabilonia


The great are only great because we are on our knees. Let us rise!

"Pierre-Joseph Proudhon"


Every person takes the limits of their own field of vision for the limits of the world.

"Arthur Schopenhauer"


It is no measure of health to be well adjusted to a profoundly sick society.

"Jiddu Krishnamurti"


Do what thou wilt shall be the whole of the law...

"Aleister Crowley"




. .. ... http://www.freedocumentaries.org
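
Added example (not part of any post in this thread): a defender-side review of the `tasklist /svc` output mentioned above, taken in CSV form with `tasklist /svc /fo csv`. It flags services hosted in svchost.exe that are missing from a baseline, and image names that closely imitate system binaries. The sample output, the baseline sets and the 0.8 similarity threshold are constructed assumptions.

```python
import csv, io
from difflib import SequenceMatcher

# Constructed sample of `tasklist /svc /fo csv` output (not from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","812","DcomLaunch,PlugPlay"
"svchost.exe","1044","wuauserv,Schedule,UpdHelperSvc"
"scvhost.exe","2312","N/A"
"wuauclt.exe","3120","N/A"
'''

# Assumed baselines for this example; build real ones from a known-good host.
SYSTEM_NAMES = {"svchost.exe", "wuauclt.exe", "lsass.exe", "services.exe"}
KNOWN_SERVICES = {"DcomLaunch", "PlugPlay", "wuauserv", "Schedule"}

def parse_tasklist_svc(text):
    """Return a list of (image, pid, [services]) from the CSV output."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        svcs = rec["Services"].strip()
        services = [] if svcs in ("", "N/A") else [s.strip() for s in svcs.split(",")]
        rows.append((rec["Image Name"], int(rec["PID"]), services))
    return rows

def lookalike_of(image, threshold=0.8):
    """Return the system name an image imitates, or None if exact or unrelated."""
    name = image.lower()
    if name in SYSTEM_NAMES:
        return None
    for known in sorted(SYSTEM_NAMES):
        if SequenceMatcher(None, name, known).ratio() >= threshold:
            return known
    return None

def review(text):
    """Collect findings: unknown services in svchost and look-alike names."""
    findings = []
    for image, pid, services in parse_tasklist_svc(text):
        if image.lower() == "svchost.exe":
            for svc in services:
                if svc not in KNOWN_SERVICES:
                    findings.append(("unknown-service", pid, svc))
        imitated = lookalike_of(image)
        if imitated:
            findings.append(("lookalike-name", pid, f"{image} ~ {imitated}"))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE))
```

An exact name match is not proof of legitimacy, since `tasklist /svc` does not show the image path; a process named like a system binary still needs its path checked against the Windows system directory.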