See here.... Come to think of it, why did I come back to look at this kind of trick? I keep installing who-knows-what that makes the browser behave strangely; maybe the cause can be found below!
1. When a user logs on to the system, the programs or scripts under these keys are executed automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\
HKCU\Software\Policies\Microsoft\Windows\System\Scripts
References:
How to Modify the List of Programs that Run When You Start Windows XP (http://support.microsoft.com/kb/314488).
A definition of the Run keys in the Windows XP registry (http://support.microsoft.com/kb/314866/EN-US/).
INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (http://support.microsoft.com/kb/179365/EN-US/).
Definition of the RunOnce Keys in the Registry (http://support.microsoft.com/kb/137367).
Description of the RunOnceEx Registry Key (http://support.microsoft.com/kb/310593/EN-US/).
Programs Automatically Start When User Logs on to Windows (http://support.microsoft.com/kb/147369).
Script Policy Is Not Run When a Slow Link Is Detected (http://support.microsoft.com/default.aspx?scid=kb;en-us;328991).
To assign user logoff scripts (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/gptext_logoffscripts.mspx?mfr=true).
2. When IE starts, the components under this key (in-process COM components) are loaded by IE every time; these are the toolbars you see in IE:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
References:
How to disable third-party tool bands and Browser Helper Objects (http://support.microsoft.com/default.aspx?scid=kb;en-us;298931).
Browser Helper Objects: The Browser the Way You Want It (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp).
3. The default value is '"%1" %*' (without the single quotes). Some malware changes it to '"FileName "%1" %*', so that whenever an executable (.exe) is run, the file "FileName" is run as well:
HKLM\Software\Classes\exefile\shell\open\command\
HKEY_CLASSES_ROOT\vbsfile\shell\open\command\ (the difference is that this one is for Visual Basic Script files (.vbs))
HKEY_CLASSES_ROOT\vbefile\shell\open\command\ (the difference is that this one is for encoded Visual Basic Script files (.vbe))
HKEY_CLASSES_ROOT\jsfile\shell\open\command\ (the difference is that this one is for JavaScript files (.js))
HKEY_CLASSES_ROOT\jsefile\shell\open\command\ (the difference is that this one is for encoded JavaScript files (.jse))
HKEY_CLASSES_ROOT\wshfile\shell\open\command\ (the difference is that this one is for Windows Scripting Host files (.wsh))
HKEY_CLASSES_ROOT\wsffile\shell\open\command\ (the difference is that this one is for Windows Scripting Files (.wsf))
HKEY_CLASSES_ROOT\comfile\shell\open\command\ (the difference is that this one is for COM files (.com))
HKEY_CLASSES_ROOT\batfile\shell\open\command\ (the difference is that this one is for batch files (.bat))
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (the difference is that this one is for screen saver files (.scr))
HKEY_CLASSES_ROOT\piffile\shell\open\command\ (the difference is that this one is for Portable Interchange Format files (.pif))
References:
You Are Unable to Start a Program with an .exe File Extension (http://support.microsoft.com/default.aspx?scid=kb;en-us;310585).
You receive an error message when you try to start a program that has an .exe file name extension (http://support.microsoft.com/kb/837334/en-us).
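An added check for item 3 (example code, not from the original post): it reads the (Default) value of shell\open\command for every file class listed above and flags any command that does not match the stock shape. The accepted patterns are this example's assumption: executable-style classes start with "%1", script classes hand the file to WScript.exe or CScript.exe; a value of the form "FileName "%1" %*" is reported as SUSPICIOUS.

```powershell
# Added example, not part of the original post: audit shell\open\command for
# the file classes in item 3. Accepted patterns are assumptions (see lead-in).
$classes = 'exefile', 'comfile', 'batfile', 'scrfile', 'piffile',
           'vbsfile', 'vbefile', 'jsfile', 'jsefile', 'wshfile', 'wsffile'

# HKLM\Software\Classes is the machine view; HKCU\Software\Classes can override
# it for the current user, and HKEY_CLASSES_ROOT is the merge of the two.
$roots = 'HKLM:\Software\Classes', 'HKCU:\Software\Classes'
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Test-OpenCommand {
    foreach ($root in $roots) {
        foreach ($class in $classes) {
            $path = "$root\$class\shell\open\command"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # Read without expanding so %SystemRoot% stays literal for the match.
            $cmd = [string](Get-Item -LiteralPath $path).GetValue('', '', $noExpand)
            $ok = ($cmd -match '^"%1"(\s|$)') -or
                  ($cmd -match '^"?%SystemRoot%\\System32\\[WC]Script\.exe"?\s')
            $status = if ($ok) { 'ok' } else { 'SUSPICIOUS' }
            [pscustomobject]@{ Path = $path; Command = $cmd; Status = $status }
        }
    }
}

Test-OpenCommand | Format-Table -AutoSize -Wrap
```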
4. Every time CMD.exe starts, the commands under these keys are executed:
HKLM\Software\Microsoft\Command Processor\AutoRun\
HKCU\Software\Microsoft\Command Processor\AutoRun\
References:
WORM_SWEN.A (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSWEN%2EA&VSect=T)
Cmd (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cmd.mspx?mfr=true).
AutoRun (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/942.asp).
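An added audit script for items 1 and 4 (example code, not from the original post): it walks the Run-family keys from item 1 and the Command Processor AutoRun value from item 4 in both HKLM and HKCU and prints every command found, so unexpected entries stand out. It assumes Windows PowerShell 5.1 or later and read access to HKLM.

```powershell
# Added example, not part of the original post: dump the autostart values
# under the item 1 and item 4 keys. Assumes Windows PowerShell 5.1+.
$keys = [ordered]@{
    # key relative to the hive                                      = value-name filter ($null = all)
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = $null
    'Software\Microsoft\Windows\CurrentVersion\Run'                   = $null
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'               = $null
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'             = $null
    'Software\Microsoft\Windows\CurrentVersion\RunServices'           = $null
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'       = $null
    'Software\Policies\Microsoft\Windows\System\Scripts'              = $null
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'            = @('load', 'run')
    'Software\Microsoft\Command Processor'                            = @('AutoRun')
}

function Get-AutostartValues {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in $keys.Keys) {
            $path = "${hive}:\$key"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # RunOnce\Setup, RunOnceEx and the policy Scripts key keep their
            # entries in subkeys, so walk the key and everything beneath it.
            $items = @(Get-Item -LiteralPath $path) +
                     @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
            foreach ($item in $items) {
                foreach ($name in $item.GetValueNames()) {
                    $filter = $keys[$key]
                    if ($filter -and ($name -notin $filter)) { continue }
                    $label = if ($name -eq '') { '(Default)' } else { $name }
                    [pscustomobject]@{
                        Key     = $item.Name
                        Name    = $label
                        Command = $item.GetValue($name)
                    }
                }
            }
        }
    }
}

Get-AutostartValues | Format-Table -AutoSize -Wrap
```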
5. The CLSIDs under these keys map to HKLM\Software\Classes\CLSID\{GUID}\InProcServer. Every time IE starts, they are loaded by IE:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
References:
TROJ_YABE.H (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_YABE.H&VSect=Sn).
Download.Ject Payload Detection and Removal Tool (http://support.microsoft.com/default.aspx?scid=kb;en-us;873018).
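An added example for items 2 and 5 (example code, not from the original post): it lists the CLSIDs registered as Browser Helper Objects and as ShellServiceObjectDelayLoad entries and resolves each through its InProcServer32 key (the "InProcServer" key mentioned above) to the DLL that actually gets loaded, checking whether that file exists. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not part of the original post: resolve BHO and SSODL CLSIDs
# to their DLLs. Assumes Windows PowerShell 5.1+.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ssodl  = 'Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Resolve-Clsid([string]$clsid) {
    # A per-user registration under HKCU\Software\Classes shadows the HKLM one.
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $key = "$root\$clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = [string](Get-Item -LiteralPath $key).GetValue('')
        $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
        $exists = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
        return [pscustomobject]@{ Dll = $dll; Exists = $exists }
    }
    return [pscustomobject]@{ Dll = '(no InProcServer32)'; Exists = $false }
}

function Get-ComAutostarts {
    # BHOs are registered as one subkey per CLSID.
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue) {
        $r = Resolve-Clsid $sub.PSChildName
        [pscustomobject]@{ Source = 'BHO'; Clsid = $sub.PSChildName; Dll = $r.Dll; Exists = $r.Exists }
    }
    # SSODL entries are values: the name is a label, the data is the CLSID.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$ssodl"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        foreach ($name in $item.GetValueNames()) {
            $clsid = [string]$item.GetValue($name)
            $r = Resolve-Clsid $clsid
            [pscustomobject]@{ Source = "SSODL ($hive)"; Clsid = $clsid; Dll = $r.Dll; Exists = $r.Exists }
        }
    }
}

Get-ComAutostarts | Format-Table -AutoSize -Wrap
```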
6. A different user interface (shell) can be specified here:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell\
Reference:
Shell (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/93488.asp).
7. Contains the list of approved Shell Extensions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
8. When a user logs on, the DLLs listed in this value are loaded by Windows-based applications (one method of DLL injection):
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Reference:
Working with the AppInit_DLLs registry value (http://support.microsoft.com/default.aspx?scid=kb;en-us;197571).
9. Windows NT runs the standard GINA DLL (MSGina.dll). When the GinaDLL value is present, the DLL it names is loaded by Winlogon instead:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL\
References:
Windows NT loads and executes the standard Microsoft GINA DLL (MSGina.dll). If the GinaDLL key value is present, it must contain the name of a GINA DLL, which Winlogon will load and use.
Loading and Running a GINA DLL (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/loading_and_running_a_gina_dll.asp).
10. This value can replace the original shell (explorer.exe); the executable named here is started by Userinit.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Reference:
Shells Other Than Explorer.exe Replaced on Installation or Upgrade (http://support.microsoft.com/default.aspx?scid=kb;en-us;228309).
11. Programs listed in this value are started in system mode:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
Reference:
System (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58543.asp).
12. Defines the task manager used by the system:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
Reference:
TaskMan (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58543.asp).
13. When a user logs on, the program named in this value is run by Winlogon. The default is Userinit.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
14. The DLLs registered under this key receive and handle the events generated by Winlogon:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Reference:
Winlogon Notification Packages (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/registry_entries.asp).
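An added integrity check for items 8 to 14 (example code, not from the original post): it compares the Winlogon Shell, Userinit, GinaDLL and TaskMan values and the AppInit_DLLs value against stock settings, shows the Winlogon System value for review, and lists every Notify package with its DLL. The expected values are this example's assumption for a default install: Shell is explorer.exe, Userinit is <system32>\userinit.exe with its trailing comma, and GinaDLL, TaskMan and AppInit_DLLs are empty or absent (the built-in MSGina.dll is then used).

```powershell
# Added example, not part of the original post: check Winlogon and AppInit_DLLs
# values against assumed defaults and list Notify packages. PowerShell 5.1+.
$wl  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$win = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-RegValue([string]$key, [string]$name) {
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-Item -LiteralPath $key).GetValue($name)
}

function Test-WinlogonConfig {
    $sys32 = [Environment]::SystemDirectory
    $empty = { param($v) [string]::IsNullOrEmpty($v) }
    $checks = @(
        @{ Key = $wl;  Name = 'Shell';        Ok = { param($v) $v -ieq 'explorer.exe' } },
        # Stock Userinit is "<system32>\userinit.exe," (trailing comma); anything appended after it is extra.
        @{ Key = $wl;  Name = 'Userinit';     Ok = { param($v) ($v -replace ',\s*$', '') -ieq "$sys32\userinit.exe" } },
        @{ Key = $wl;  Name = 'GinaDLL';      Ok = $empty },
        @{ Key = $wl;  Name = 'TaskMan';      Ok = $empty },
        @{ Key = $win; Name = 'AppInit_DLLs'; Ok = $empty },
        @{ Key = $wl;  Name = 'System';       Ok = $null }   # no assumed default: shown for review
    )
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Key $c.Name
        $state = if ($null -eq $c.Ok) { 'review' } elseif (& $c.Ok $v) { 'ok' } else { 'CHECK' }
        [pscustomobject]@{ Item = $c.Name; Value = $v; Status = $state }
    }
    # Notify packages: one subkey per package; the DLLName value names the DLL.
    foreach ($pkg in Get-ChildItem -LiteralPath "$wl\Notify" -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Item = "Notify\$($pkg.PSChildName)"; Value = $pkg.GetValue('DLLName'); Status = 'review' }
    }
}

Test-WinlogonConfig | Format-Table -AutoSize -Wrap
```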
15. When the system boots, the programs listed in this value are executed:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Reference:
BootExecute (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/46697.asp).
16. Most of the services under this key start with LocalSystem privileges:
HKLM\System\CurrentControlSet\Services\
17. Microsoft uses this key to configure installed Windows components:
HKLM\Software\Microsoft\Active Setup\Installed Components\
References:
TROJ_SMALL.AZX (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EAZX&VSect=T).
Backdoor.Plux (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.plux.html).
Monitoring of the Active Setup Registry Key (http://www.greatis.com/webhelp/regrunhelp.htm#regrun___detailed_instructions/start_control/active_setup_registry_key.htm).
18. This value records the current user's Startup folder (Start menu => Programs => Startup, that is, %USERPROFILE%\「開始」功能表\程式集\啟動):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup (if the value above does not exist, this one is used)
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup (this value records the Startup folder for all users (Start menu => Programs => Startup, that is, %ALLUSERSPROFILE%\「開始」功能表\程式集\啟動))
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup (if the value above does not exist, this one is used)
19. The subkeys under this key record the path and the full executable path name of each program:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
20. This key is meant for debugging application problems, but malware abuses it to get itself executed:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
References:
Inside 'Image File Execution Options' debugging (http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx).
How to Enable Kerberos Debugging in Windows 2000 (http://support.microsoft.com/default.aspx?scid=kb;en-us;892894;http://support.microsoft.com/default.aspx?scid=kb;en-us;216052).
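An added check for item 20 (example code, not from the original post): it walks the Image File Execution Options key and reports every subkey carrying a Debugger value. When such a value is present, Windows starts the named debugger and passes the original program's command line to it, which is what turns the key into an autostart location; the script also checks whether the debugger image actually exists. Assumes Windows PowerShell 5.1 or later and read access to HKLM.

```powershell
# Added example, not part of the original post: list IFEO Debugger entries.
# Assumes Windows PowerShell 5.1+ and read access to HKLM.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    foreach ($sub in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
        $dbg = [string]$sub.GetValue('Debugger')
        if ($dbg -eq '') { continue }
        # The first token (quoted or bare) is the debugger image.
        $exe = if ($dbg -match '^"([^"]+)"') { $matches[1] } else { ($dbg -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # A bare name (e.g. ntsd.exe) resolves through PATH, a full path directly.
        $found = (Test-Path -LiteralPath $exe) -or ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        [pscustomobject]@{ Target = $sub.PSChildName; Debugger = $dbg; DebuggerOnDisk = $found }
    }
}

Get-IfeoDebuggers | Format-Table -AutoSize -Wrap
```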
21. The COM objects registered under this key record the commands that are executed. The default value is shell32.dll:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
References:
Logging the Shell Activity (http://www.codeguru.com/Cpp/COM-Tech/shell/article.php/c4515/#more).
Windows Core (http://www.greatis.com/webhelp/regrun___detailed_instructions/start_control/windows_core.htm).
Creating a shell extension with C# (http://www.codeproject.com/csharp/dateparser.asp).
* Folder Autostart Locations
1. %USERPROFILE%\「開始」功能表\程式集\啟動
2. %ALLUSERSPROFILE%\「開始」功能表\程式集\啟動
3. %SystemRoot%\Tasks (the scheduled tasks folder)
* File AutoStart Locations
1. %SystemDrive%\explorer.exe: EXPLORER.EXE is the Windows file explorer, and its normal location is the %SystemRoot% directory. A trick some people use is to create a file also named explorer.exe in C:\. When Windows boots, it does not specify which directory explorer.exe should be in, so it starts searching for the file from the root directory and runs the one it finds there.
2. %SystemDrive%\autoexec.bat
Reference:
http://en.wikipedia.org/wiki/AUTOEXEC.BAT
3. %SystemDrive%\config.sys
Reference:
http://en.wikipedia.org/wiki/CONFIG.SYS
4. wininit.ini: a way for Windows to preload certain applications at boot.
Example:
shell=explorer.exe virusfile.exe
5. winstart.bat
6. win.ini: loads system settings such as drivers, wallpaper, and so on.
Example:
load=virusfile.exe
run=virusfile.exe
7. hosts
Reference:
http://en.wikipedia.org/wiki/Hosts
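An added check for the folder and file locations above (example code, not from the original post): it lists the contents of the per-user and all-users Startup folders (found through the Shell Folders values from item 18, so the localized folder names do not matter), tests for a stray explorer.exe in the root of the system drive, and prints every active line of the hosts file so overrides beyond the loopback entries are visible. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not part of the original post: check Startup folders, the
# root-of-drive explorer.exe trick, and hosts overrides. PowerShell 5.1+.
function Get-StartupFolderItems {
    $folders = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'; Name = 'Startup' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'; Name = 'Common Startup' }
    )
    foreach ($f in $folders) {
        $item = Get-Item -LiteralPath $f.Key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $dir = [string]$item.GetValue($f.Name)
        if ($dir -eq '' -or -not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files, which a plain directory listing would miss.
        foreach ($file in Get-ChildItem -LiteralPath $dir -Force -File) {
            [pscustomobject]@{ Location = $f.Name; Item = $file.FullName; Modified = $file.LastWriteTime }
        }
    }
}

function Test-RogueExplorer {
    # explorer.exe belongs in %SystemRoot%; a copy in the root of the system drive is the trick described above.
    $rogue = "$env:SystemDrive\explorer.exe"
    [pscustomobject]@{ Path = $rogue; Present = (Test-Path -LiteralPath $rogue) }
}

function Get-HostsEntries {
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (-not (Test-Path -LiteralPath $hosts)) { return }
    # Every non-comment line is an override; only loopback entries are expected.
    Get-Content -LiteralPath $hosts | Where-Object { $_ -match '^\s*[^#\s]' } | ForEach-Object {
        $parts = $_.Trim() -split '\s+', 3
        [pscustomobject]@{ Address = $parts[0]; Hostname = $parts[1]; Loopback = ($parts[0] -in '127.0.0.1', '::1') }
    }
}

Get-StartupFolderItems | Format-Table -AutoSize
Test-RogueExplorer
Get-HostsEntries | Format-Table -AutoSize
```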