This paper was previously not intended for public viewing. I've changed my mind so here you guys are.
History
Recently I was working on developing an advisory for some CLSID problems I
came across, and figured out something quite interesting, something the coders
might be interested in. I'll start from the beginning; just follow along and
hopefully everything will become clear by the time you reach EOF.
First let's create our very own file extension. Our file extension is going to
be called .mr, so in your HKCR hive create a .mr key:
HKCR\.mr\
HKCR\.mr\ (Default) = MRFile
HKCR\.mr\ Content Type = application/x-mr
What is happening here is pretty simple. We are setting up an extension.
Whenever you run a file, Windows will check HKCR\.* for that extension. If it
finds it, it will continue on with the instructions for how to handle the
extension. Right now we are telling Windows that if a .mr file is run, it is to
find the instructions at MRFile. This is sort of like a pointer to the
instructions, for those of us that are C++ oriented. I'll run through the
registry settings and what I mean by each. First you create a key HKCR\.mr\.
The (Default) value should be MRFile (or your own extension, etc.). The
(Default) string should be of type REG_SZ; we only deal with REG_SZ and
REG_BINARY here. Now Content Type is what Explorer will use. I created my own
content type, application/x-mr, so for me Content Type = application/x-mr.
Next we are going to create a key HKCR\MRFile. Its (Default) value is what is
displayed when you click the file once, in the left side of My Computer; for
example, when you click on a .html file it will say HTML Document in the
left-hand corner of My Computer.
HKCR\MRFile\ (Default) = MR File
HKCR\MRFile\DefaultIcon\ (Default) = %SystemRoot%\System32\shell32.dll,-151
Note that that entry will make all .mr files have the icon of a WordPad
document...
HKCR\MRFile\Shell\
HKCR\MRFile\Shell\Open (Default) = &Open
Note that if you want "open with" you can do something like
&Open with &txtfile; it's up to you to fool around with that. That is one
of many ways to utilize open with.
HKCR\MRFile\Shell\Open EditFlags = 00 00 00 00
Stay tuned for changes on this key below.
HKCR\MRFile\Shell\Open\command (Default) = C:\winnt\server.exe
I recommend utilizing "%1" %* instead of the server location.
Let's go through this entry by entry. We create MRFile; remember that HKCR\.mr
pointed to MRFile. The HKCR\MRFile\ (Default) = MR File will be displayed on
the right side of My Computer: when you select a .mr file it will show
"MR File". You can change it to MR Document or whatever you want to see. The
DefaultIcon key sets the default icon; it is pretty self-explanatory. Things
get interesting here: the Open key's default value can be empty if wanted. I'm
not fully sure why the &Open is used, but it can also be used for the open-with
command. For example you can do "&Open with &MRFile" and it will know to open
the file with the MRFile instructions. By specifying the command (Default)
value as the server location, every time a .mr file is run the .mr file that
was double-clicked won't execute; only the file it points to will. I recommend
using "%1" %* instead of specifying a server location, but both serve their
purpose. Instead of "%1" %* you could point to an .lnk file and from the .lnk
file extension have it run the server, so you are confusing the user even
more.
Since we are mad elite, I'm going to show you how to make it so that the new
file extension is downloaded and run by Explorer with no prompting... We're
going to have to make some registry entries, so bear with me. First we want to
fully create the content type so that Explorer and any other Internet protocol
program can handle it. We will add these entries:
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr (Default) = (value not set)
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr Extension = .mr
You can make the application/x-mr anything you please as long as it points to
an extension. Hypothetically you could modify an existing type to execute your
file type; that is not recommended because I foresee errors.
Alright, basically we are creating the type so that when IE receives the
Content-Type part of the header it will search the database and find
application/x-mr; x-mr points to the .mr extension in HKCR\.mr\, this in turn
points to MRFile, and we are brought back to the file instructions. Now, to
utilize this to update your server with a new version you must use "%1" %* as
the command instead of the server location, because if you have the server
location instead of "%1" %* it will run the old server and not update with the
new one.
As I started to write this section I figured something else out. So you're in
luck: I'm going to give you two brilliant examples. We will take it from least
brilliant to most brilliant. I'm going to show the registry entries that need
to be made or that are important.
HKCR\lnkfile\
Note the NeverShowExt value; just thought you might take a peek at it ;)
HKCR\lnkfile\shell
HKCR\lnkfile\shell\open\
HKCR\lnkfile\shell\open\command
HKCR\lnkfile\shell\open\command (Default) = file location
A couple of things to cover. First, I don't know why there isn't a handler in
the command key; it is just the way my registry was. Secondly, adding the
server's location is one way of running it, but that means that all .lnk files
will run an invisible file (the server), making it awfully suspicious. But this
example doesn't occur when clicking desktop links; I don't know why. What you
must do is create a file and rename it to .lnk; that will make it run the
(Default) value. I'm currently working on a method to run the executed file
and the server at the same time.
Note this is nothing to get too excited over, in my opinion at least. But this
is one way to elude AVs as well: you can create, for example,
c:\winnt\kernel32.lnk, which will execute an exe or .mr file. Or if you wanted
you could make DLLs executable and see the results; it's up to you to test
that idea. With registry knowledge the ideas are endless...
Anyway, moving right along... This idea hasn't been tested, but very
hypothetically it should work! If you test it please e-mail me to let me know
how it went.
Basically we are upping the ante in this next trick. Instead of a .lnk file,
why not pick a file extension Windows starts up automatically... catching on?
Here's a hypothetical example... (I would not be scared to try this; just back
up your registry. No guarantees.)
Now HKCR\sysfile consists of relatively no registry entries... so did .lnk,
and it worked. The only concern is, if you modify it, will it stop the .sys
from loading and just execute the server? However, your server could then
start up those needed .sys files; as I stated above, I'm currently working on
a way to run both at once. The results of testing this I can't predict, nor
will I try to.
HKCR\sysfile\
HKCR\sysfile\shell\
HKCR\sysfile\shell\Open
HKCR\sysfile\shell\Open\command
HKCR\sysfile\shell\Open\command (Default) = server location
Maybe point it to an .lnk file to fool the user?
Let's go through some strings stored in HKCR\sysfile\. The EditFlags value is
very important, as it decides if IE will download without prompting; I can
only imagine what this version of EditFlags does, and the NoOpen value is
awfully suspicious. If you have a second computer I encourage you to test it.
I will contribute extra information if you e-mail me. I'm curious to see if
this works.
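As an added defender's check (this script is mine, not part of the original
paper or its proof-of-concept code), the following Python parses a text export
of HKEY_CLASSES_ROOT (as produced by reg export) and flags open handlers that
show the patterns from the .mr, .lnk and .sys sections above: a command with no
"%1", so the clicked file itself never runs; a handler that is itself a .lnk;
and a built-in executable or system type whose handler is not the stock
"%1" %*. The SAMPLE_REG dump is constructed to mirror those sections, and the
SENSITIVE set of ProgIDs is my own choice.

```python
import re

# Constructed sample of a "reg export HKEY_CLASSES_ROOT" dump mirroring the
# associations this page describes; not captured from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.mr]
@="MRFile"
"Content Type"="application/x-mr"
[HKEY_CLASSES_ROOT\MRFile\shell\open\command]
@="C:\\winnt\\server.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\lnkfile\shell\open\command]
@="C:\\winnt\\kernel32.lnk"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Assumed set: built-in types whose open handler is normally "%1" %* or absent.
SENSITIVE = {"exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile",
             "lnkfile", "sysfile"}

def parse_reg(text):
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if val.startswith('"') and val.endswith('"'):
                val = re.sub(r'\\(["\\])', r"\1", val[1:-1])  # unescape \" and \\
            keys[current][name] = val
    return keys

def audit(keys):
    """Return (progid, reason, command) for every suspicious open handler."""
    findings = []
    for key, vals in keys.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command", key, re.I)
        if not m: continue
        progid, cmd = m.group(1), vals.get("(Default)", "")
        if "%1" not in cmd:
            findings.append((progid, "handler never receives the clicked file (no %1)", cmd))
        if cmd.lower().endswith(".lnk"):
            findings.append((progid, "handler is a shortcut, not a program", cmd))
        if progid.lower() in SENSITIVE and cmd != '"%1" %*':
            findings.append((progid, "built-in executable/system type re-pointed", cmd))
    return findings
```

Run audit(parse_reg(open("hkcr.reg", encoding="utf-16").read())) against a real export; reg export writes UTF-16 by default.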
Misc.
I did discover how to figure out what the file extension's CLSID would be. The
CLSID makes the extension more real and increases the possibilities and ways
to call the file. You can run applications from the web using
window.open=file:///clsid::/clsid ... I didn't include how to find the CLSID,
but if you are interested e-mail me.
EOF
I came up with a couple more pages of start-ups, like using Control Panel and
CLSID aliases to start up the files. I don't feel they are qualified. There is
much I have found but won't release because it's "not good enough"; this is my
contribution to you guys. Enjoy; it will probably be my last.
Thanks.
No one is perfect; if there is false information or spelling and grammatical
errors, please e-mail me and help me correct them. I am firmly against false
information and have gone to great lengths to verify everything mentioned
above -> E-mail -> http://tnt2.ath.cx:5080/kernel32/[email protected]?subject=false
info/error
Thanks go to the following people, in no special order:
Cyberfly, M_R and Magus (thanks for all your help and support :-) ),
weed (congrats bro), SilenceGold, dragnet, Elektik, #tnt, Connected, and
ap0calaps. Also a huge thank you to Olympus (http://www.lithiumrat.org/) for
developing proof of concept code, and to mf4 (areyoufearless.com) for also
developing code, and for both of their constant programming help. I would like
to thank ·=[KïÐ ÄRCåÐê]=· for letting me borrow and publish his code. If you
have been forgotten, I'm sure I was having a memory lapse; thanks to you too.