Registry Possibilities


There are many ways to configure a Windows operating system to load and run software during the boot process, but there are only a few recognized standards for loading device drivers and running applications. This section provides examples of each.

To install a rootkit as a persistent device driver, add the following to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services:

  • Key – MyDeviceDriver [any name will be OK]

  • Value – DisplayName [string value – should match Key name]

  • Value – ErrorControl [DWORD – 1]

  • Value – Group [optional string – filter]

  • Value – ImagePath [string (from %windows%) – system32\drivers\comint32.sys]

  • Value – Start [DWORD – 2]

  • Value – Type [DWORD – 1]

The Start value can be any of the following:

  • SERVICE_BOOT_START = 0

  • SERVICE_SYSTEM_START = 1

  • SERVICE_AUTO_START = 2 (this is how a filter driver is usually loaded)

  • SERVICE_DEMAND_START = 3 (this is how we have been loading)

  • SERVICE_DISABLED = 4

The Type value can be any of these:

  • SERVICE_KERNEL_DRIVER = 0x00000001

  • SERVICE_FILE_SYSTEM_DRIVER = 0x00000002

  • SERVICE_ADAPTER = 0x00000004

  • SERVICE_RECOGNIZER_DRIVER = 0x00000008

  • SERVICE_DRIVER = (SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER | SERVICE_RECOGNIZER_DRIVER)

  • SERVICE_WIN32_OWN_PROCESS = 0x00000010

  • SERVICE_WIN32_SHARE_PROCESS = 0x00000020

  • SERVICE_WIN32 = (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS)

  • SERVICE_INTERACTIVE_PROCESS = 0x00000100

  • SERVICE_TYPE_ALL = (SERVICE_WIN32 | SERVICE_ADAPTER | SERVICE_DRIVER | SERVICE_INTERACTIVE_PROCESS)
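As an added example (not the book's code), the following Python script parses a `reg export` of the Services key and, using the Start and Type values listed above, reports the drivers that will load without user action (Start 0, 1 or 2) but are missing from a baseline of known drivers or have an ImagePath outside the drivers directory. The export text and the baseline are constructed for the example.

```python
import re

# Start and Type constants from the section above (Type is a bit mask).
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
SERVICE_DRIVER = 0x1 | 0x2 | 0x8  # KERNEL_DRIVER | FILE_SYSTEM_DRIVER | RECOGNIZER_DRIVER

# Constructed sample in the format `reg export HKLM\System\CurrentControlSet\Services` writes.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MyDeviceDriver]
"DisplayName"="MyDeviceDriver"
"ImagePath"="system32\\drivers\\comint32.sys"
"Start"=dword:00000002
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"Type"=dword:00000110
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"""

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_services(reg_text):
    """Map service name -> {value name: value}; dwords become ints, strings are unescaped."""
    services, current = {}, None
    for line in reg_text.splitlines():
        if m := KEY_RE.match(line):
            current = services.setdefault(m.group(1), {})
        elif line.startswith("["):
            current = None  # a subkey such as ...\Parameters: do not mix its values in
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3).replace("\\\\", "\\")
    return services

def auto_loaded_drivers(services, baseline=frozenset()):
    """(name, start, path) for drivers with Start 0-2 not in the baseline or outside the drivers directory."""
    flagged = []
    for name, v in services.items():
        if not v.get("Type", 0) & SERVICE_DRIVER or v.get("Start", 3) > 2:
            continue  # a Win32 service, or demand-start/disabled
        path = v.get("ImagePath", "")
        if name.lower() not in baseline or "\\drivers\\" not in path.lower():
            flagged.append((name, START_NAMES[v["Start"]], path))
    return flagged
```

Run `auto_loaded_drivers(parse_services(SAMPLE_REG), baseline={"beep"})` to see only MyDeviceDriver reported; Spooler is skipped because its Type has no driver bit set.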

To install a rootkit using an application, add the following to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

  • Value – MyDeviceLoader [string – C:\SCMLoader.exe]




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler
