There are many ways to configure a Windows operating system to load and run software during the boot process, but only a few recognized, documented mechanisms for loading device drivers and starting applications. This section gives an example of each: a driver registered as a service so the kernel loads it at boot, and a loader program started from the Run key at logon.
To install a rootkit as a persistent device driver, add the following to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services:
Key – MyDeviceDriver [any name will be OK]
Value – DisplayName [string value – should match Key name]
Value – ErrorControl [DWORD – 1, SERVICE_ERROR_NORMAL: log the failure and continue booting]
Value – Group [optional string – load-order group, e.g. "filter"]
Value – ImagePath [string, relative to %SystemRoot% – system32\drivers\comint32.sys]
Value – Start [DWORD – 2]
Value – Type [DWORD – 1]
The Service Control Manager and the kernel loader read these values at boot; nothing needs to be running for the driver to come back after a reboot. On 64-bit Windows from Vista onward, kernel-mode code signing enforcement means a driver registered this way still has to carry an acceptable signature before it will actually load.
The Start value can be any of the following:
SERVICE_BOOT_START = 0
SERVICE_SYSTEM_START = 1
SERVICE_AUTO_START = 2 (this is how a filter driver is usually loaded)
SERVICE_DEMAND_START = 3 (this is how we have been loading)
SERVICE_DISABLED = 4
The Type value can be any of these:
SERVICE_KERNEL_DRIVER = 0x00000001
SERVICE_FILE_SYSTEM_DRIVER = 0x00000002
SERVICE_ADAPTER = 0x00000004
SERVICE_RECOGNIZER_DRIVER = 0x00000008
SERVICE_DRIVER = (SERVICE_KERNEL_DRIVER | \
SERVICE_FILE_SYSTEM_DRIVER | \
SERVICE_RECOGNIZER_DRIVER)
SERVICE_WIN32_OWN_PROCESS = 0x00000010
SERVICE_WIN32_SHARE_PROCESS = 0x00000020
SERVICE_WIN32 = (SERVICE_WIN32_OWN_PROCESS | \
SERVICE_WIN32_SHARE_PROCESS)
SERVICE_INTERACTIVE_PROCESS = 0x00000100
SERVICE_TYPE_ALL = (SERVICE_WIN32 | \
SERVICE_ADAPTER | \
SERVICE_DRIVER | \
SERVICE_INTERACTIVE_PROCESS)
To install a rootkit using an application, add the following to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (entries here run for every user at logon):
Value – MyDeviceLoader [string – C:\SCMLoader.exe]
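The two registrations above, as an added PowerShell example that is not code from the original text. The service name MyDeviceDriver, the image system32\drivers\comint32.sys and the loader C:\SCMLoader.exe are the names the text uses; the function names, and the cut-offs used in the review function, are this example's own choices. The New-* functions only write the registry values shown in the text (they copy no driver into place and start nothing) and need an elevated shell; Get-DriverLoadPlan and Get-RunEntries are read-only and are the check a practitioner would run to find what the system is configured to load: every Services entry with a driver Type, its Start mode, the ImagePath resolved the way the loader resolves it, whether the file exists, and its Authenticode status.

```powershell
# Added example, not from the original text. Requires an elevated shell to write.
# Hypothetical helper names; registry keys and value names are the documented ones.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Start and Type values as the Service Control Manager reads them.
$StartNames = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }
$TypeNames  = @{ 1 = 'KERNEL_DRIVER'; 2 = 'FILE_SYSTEM_DRIVER'; 8 = 'RECOGNIZER_DRIVER'
                 16 = 'WIN32_OWN_PROCESS'; 32 = 'WIN32_SHARE_PROCESS' }

function New-DriverServiceEntry {
    # Writes the seven values the text lists under Services\<Name>.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath,  # relative to %SystemRoot%, e.g. system32\drivers\comint32.sys
        [int]$Start = 2,                           # SERVICE_AUTO_START
        [int]$Type  = 1,                           # SERVICE_KERNEL_DRIVER
        [string]$Group                             # optional load-order group
    )
    $key = Join-Path $ServicesKey $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DisplayName  -PropertyType String       -Value $Name      -Force | Out-Null
    New-ItemProperty -Path $key -Name ErrorControl -PropertyType DWord        -Value 1          -Force | Out-Null  # SERVICE_ERROR_NORMAL
    New-ItemProperty -Path $key -Name ImagePath    -PropertyType ExpandString -Value $ImagePath -Force | Out-Null
    New-ItemProperty -Path $key -Name Start        -PropertyType DWord        -Value $Start     -Force | Out-Null
    New-ItemProperty -Path $key -Name Type         -PropertyType DWord        -Value $Type      -Force | Out-Null
    if ($Group) { New-ItemProperty -Path $key -Name Group -PropertyType String -Value $Group -Force | Out-Null }
}

function New-RunEntry {
    # Writes the Run value the text lists; runs for every user at logon.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Command)
    New-ItemProperty -Path $RunKey -Name $Name -PropertyType String -Value $Command -Force | Out-Null
}

function Resolve-ImagePath {
    # Turn the forms found in ImagePath into a Win32 path the way the loader does:
    # '\??\C:\x.sys', '\SystemRoot\system32\x.sys', 'C:\x.sys', or bare 'system32\drivers\x.sys'.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return (Join-Path $env:SystemRoot $p)
}

function Get-DriverLoadPlan {
    # Read-only: every Services entry whose Type is a driver type (0xB = SERVICE_DRIVER),
    # with its Start mode, resolved image, file presence and Authenticode status.
    # A missing file, a non-Valid signature, or an image outside system32\drivers
    # is not proof of anything, but it is where a hidden driver usually shows up.
    $driversDir = Join-Path $env:SystemRoot 'system32\drivers\*'
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v.Type -or ($v.Type -band 0xB) -eq 0 -or -not $v.ImagePath) { return }
        $path  = Resolve-ImagePath $v.ImagePath
        $sig   = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        $start = if ($null -ne $v.Start) { $StartNames[[int]$v.Start] } else { '(none)' }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Type      = $TypeNames[[int]$v.Type]
            Start     = $start
            Group     = $v.Group
            ImagePath = $path
            InDrivers = $path -like $driversDir
            Signature = $sig
        }
    }
}

function Get-RunEntries {
    # Read-only: every value under the Run key, the second persistence point in the text.
    $k = Get-Item -Path $RunKey
    foreach ($n in $k.GetValueNames()) { [pscustomobject]@{ Name = $n; Command = $k.GetValue($n) } }
}

# Usage: the two entries from the text (commented out; they write to HKLM), then the review.
# New-DriverServiceEntry -Name MyDeviceDriver -ImagePath 'system32\drivers\comint32.sys' -Start 2 -Type 1
# New-RunEntry -Name MyDeviceLoader -Command 'C:\SCMLoader.exe'
Get-DriverLoadPlan | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InDrivers } | Format-Table -AutoSize
Get-RunEntries | Format-Table -AutoSize
```

The review deliberately resolves ImagePath itself rather than trusting the string as stored, because the loader accepts several spellings (bare relative paths, \SystemRoot\, \??\) and an entry pointing outside system32\drivers is easy to miss when reading the raw value. Note that this enumeration goes through the registry API; a rootkit that is already loaded and hooking registry enumeration can hide its own Services subkey from it, which is why the same check is worth repeating offline against the SYSTEM hive.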