Windows Executable PE file sections

.text
Section containing executable code.

.rdata
Read-only data that is globally accessible within the program.

.data
Stores globally accessible data within the program.

.idata
Stores import function data, where relevant.

.edata
Stores export function data, where relevant.

.pdata
Stores exception handling data for x64 executables.

.rsrc
Stores program resources.

.reloc
Relocation information, mainly used by library files (DLLs).

Common Windows DLLs

The dynamic link libraries (DLLs) a program imports can reveal its functionality. Here is a list and description of the most common Windows DLLs:

Kernel32.dll
Core functionality for accessing and modifying system memory, files and hardware.

Advapi32.dll
Windows Service Manager and Registry access.

User32.dll
User interface components such as user-controlled elements, e.g. buttons and scroll bars.

Gdi32.dll
Graphics functionality.

Ntdll.dll
Windows kernel interface.

WSock32.dll and Ws2_32.dll
Network connectivity and related network functionality.

Wininet.dll
Application layer functions in networking, such as HTTP and FTP.

Using PowerShell to create a list of your installed programs on Windows

Open a PowerShell terminal from ‘Start > Run’.

Paste the following command into the terminal to gather the list of installed programs on Windows:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize

This will display the output within your PowerShell terminal.

To output the information to a file, you can use the following command (amend as appropriate for your username and output location):

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > "file_output_location_and_file_format"

For the file output location, use a full path, e.g. C:\Users\Kevin\Documents\PSAppOutput.txt.

Common malware registry keys

Malware is programmed to perform malicious actions on targeted systems. One common technique is to modify the contents of the target host, such as the registry on a Windows system. The purpose is to have the malware executed again during the system reboot process, ensuring persistent access to the host.

The registry on Windows systems is used as a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the registry.

Some common registry keys used by malware can be found below:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Service"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\runfolder\program.exe"
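As an added example (not part of the original notes), one PowerShell script that serves both the installed-programs procedure above and the registry keys just listed: it reads the 64-bit Uninstall key alongside the Wow6432Node one (the single command above only reads the latter), then dumps the values under the Run/RunOnce/RunServices keys and the contents of the Startup folders so that unexpected entries can be reviewed. The CSV output path is an assumption; amend it as needed.

```powershell
# Added example: reuse the Get-ItemProperty pattern from the notes for both the
# installed-programs list and a review of the autorun registry keys listed above.
function Get-InstalledProgramList {
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Entries without a DisplayName are usually patches or components, so skip them
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

function Get-AutorunEntries {
    $autorunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    # Properties PowerShell's registry provider adds to every object; not registry values
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $autorunKeys) {
        # RunServices* keys only exist on older Windows versions, so skip missing keys
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Startup folders referenced by the Shell Folders keys: list whatever is inside them
    foreach ($hive in 'HKCU', 'HKLM') {
        $sf = Get-ItemProperty -Path "$($hive):\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -ErrorAction SilentlyContinue
        $dir = if ($hive -eq 'HKCU') { $sf.Startup } else { $sf.'Common Startup' }
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -Force | ForEach-Object {
                [pscustomobject]@{ Key = "$hive Startup folder"; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

# Assumed output location; Export-Csv keeps the columns intact, unlike redirecting Format-Table
Get-InstalledProgramList | Export-Csv -Path "$env:USERPROFILE\Documents\PSAppOutput.csv" -NoTypeInformation
Get-AutorunEntries | Format-Table -AutoSize
```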