
What operations does malware perform to hook the auto-start extensibility points in order to run at the startup of a computer running the Windows operating system?

1 Answer

There are lots of ways for malware to hook into Windows auto start. There are simple cases where the registry is modified to load modules on start. Here is a list of auto start locations in the registry, and a bit more info on Windows startup paths.

There are more advanced techniques: target a driver. Drivers are loaded fairly early on in the boot process and are run with Ring 0 privilege. Microsoft only has 2 rings of protection, Ring 0 and Ring 3. The example I linked to targets drivers loaded earlier by the Session Manager (SMSS.exe).

Or you could depend on Windows itself to load your module. When processes load libraries that are in their import table, they try a specific order of paths to find the module they're looking for. What if you insert your DLL at a location that is searched before the normal DLL's location?

This really just scratches the surface, but you get the idea. Malware is creative, and there are lots of ways for it to enable persistence. A lot of system processes will load modules by default, and all malware needs is a load!

RoraΖ
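The answer above lists the registry auto-start locations as the simplest persistence hook. The script below is an added example, not part of the original answer or of any Microsoft tooling: it parses a `.reg` export of the common `Run`/`RunOnce` keys (the kind produced by `reg export` on the machine under review) and tags each entry with the reasons an analyst would want to look closer, such as a launch path in a user-writable directory, a script host or proxy loader as the launcher, or a Windows system binary name living outside `\Windows`. The sample export, the value names and the paths in it are constructed for the demonstration; the key list and heuristics are a small starting subset, not a complete catalogue.

```python
import re
from dataclasses import dataclass, field

# A common subset of registry auto-start keys (not the full list of ASEPs).
ASEP_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories any interactive user can write to; an auto-start entry launched
# from one of these should be explained rather than assumed benign.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Launchers that run arbitrary scripts or load arbitrary DLLs for the caller.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32|cmd)(\.exe)?\b")

# Names of core Windows binaries; seeing one outside \Windows is worth a look.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe")


@dataclass
class AsepEntry:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


# "name"="data" or @="data"; both sides may contain escaped characters.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def parse_reg_export(text):
    """Parse REG_SZ values from a .reg export into {key: {value_name: data}}.

    Other value types (hex:, dword:) are ignored for this audit.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def triage_asep(keys):
    """Return every entry under a known ASEP key, tagged with why it looks off."""
    results = []
    for key in ASEP_KEYS:
        for name, command in keys.get(key, {}).items():
            entry = AsepEntry(key, name, command)
            low = command.lower()
            if any(h in low for h in USER_WRITABLE_HINTS):
                entry.reasons.append("launches from a user-writable directory")
            if SCRIPT_HOSTS.search(low):
                entry.reasons.append("uses a script host or proxy loader")
            if any(n in low for n in SYSTEM_NAMES) and "\\windows\\" not in low:
                entry.reasons.append("uses a Windows system binary name outside \\Windows")
            results.append(entry)
    return results


# Constructed sample export: one ordinary entry and two that deserve attention.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd\\svchost.exe\" -silent"
"Helper"="wscript.exe //B C:\\Users\\Public\\helper.vbs"
'''

if __name__ == "__main__":
    for e in triage_asep(parse_reg_export(SAMPLE_REG)):
        flag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{flag} {e.name:<15} {e.command}  {'; '.join(e.reasons)}")
```

On a real export the same functions apply unchanged; the heuristics are deliberately loud (a legitimate scheduled helper under `%APPDATA%` will be flagged too), because the point of an ASEP review is to produce a short list that a human explains, not a verdict.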