Advanced manual addition of system services

Source: Internet
Author: User

Nowadays many Trojans, backdoors and worms arrange to start automatically by adding a value under the registry's Run key.

This kind of auto-start is not very well hidden, though. Anyone with a little security awareness who suspects the machine has been compromised will look at the Run key first.

Registering the program as a system service has therefore become a comparatively well-hidden way to auto-start. The Welchia worm (冲击波杀手, literally "Blaster killer") is one example: it installs its program as a system service.

There are many tools that add system services; the classic one is netservice. This article is about adding a system service by hand, so tools are not covered here.


Much of Windows is tied closely to the registry, and system services are no exception. The services known to the system live under these keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services

(CurrentControlSet is a link to whichever numbered control set is currently in use; the other numbered sets are the Last Known Good and backup copies.) Every registered service has its own subkey there, so the simplest approach is to open an existing service's key and copy its layout.

Under CurrentControlSet\Services (the set that is actually in use), add a new subkey named after the service you want to create, for example Backdoor.

Under that BACKDOOR key, create the values listed in the table below. Start with a string value (REG_SZ) named DisplayName whose data is the display name of the service, here also Backdoor.
The values a service key needs are summarised in the table below:

Name          Type           Data                  Remarks
DisplayName   REG_SZ         display name          name shown in the Services console
Description   REG_SZ         description           free text shown in the Services console
ImagePath     REG_EXPAND_SZ  program path          full path of the executable; may use %SystemRoot%
Start         REG_DWORD      2, 3, 4 (0, 1)        2 = automatic, 3 = manual, 4 = disabled; 0 = boot and 1 = system are for device drivers and are not needed here
ErrorControl  REG_DWORD      1                     1 = normal: log the failure and keep booting if the service cannot start
Type          REG_DWORD      0x10 or 0x20          0x10 = runs in its own process (a standalone .exe, the usual case); 0x20 = shares a process with other services
ObjectName    REG_SZ         LocalSystem           account the service runs as; LocalSystem is the local system account

Note: On XP/2003, regedit.exe can create values of type REG_EXPAND_SZ, so the ImagePath value can simply be typed in. The regedit.exe shipped with Windows 2000 cannot create that type (only regedt32.exe can), which is why it does not work there. The alternative that works on Windows 2000 is to write a .reg file and import it, which also turns adding a service into a one-step job. In a .reg file the data of a REG_EXPAND_SZ value is written as hex(2): followed by the bytes of the string in hexadecimal, separated by commas (a hex editor such as WinHex, or any ASCII table, gives you the bytes). For example, the path c:\winnt\nuke.exe becomes:

63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65 (no spaces)

Open notepad and enter the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRVTEST]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65
"DisplayName"="SRVTEST"
"ObjectName"="LocalSystem"
"Description"="system service test"

Save this as addsrv.reg. The file can then be imported from the command line to add the service:

regedit /s addsrv.reg

(/s suppresses the confirmation dialog.) The Service Control Manager only reads new entries under the Services key at boot, so the service appears once the machine has been restarted.

In a real test, however, I hit a snag: after the import, the ImagePath value showed up as garbled characters (Figure 1, Figure 2).

The cause is the file header. Under "Windows Registry Editor Version 5.00" the bytes after hex(2): are written into the registry exactly as given, and the NT registry stores REG_EXPAND_SZ strings as Unicode (UTF-16LE, two bytes per character), so the single-byte ANSI bytes above are read two at a time and come out as nonsense. The same bytes import correctly under a file that starts with REGEDIT4, whose hex(2) data is ANSI and is converted on import. In either format the string should also end with a terminating null (00 for REGEDIT4, 00,00 for Version 5.00).

Writing the path as plain text after hex(2), as in

"ImagePath"=hex(2):C:\winnt\nuke.exe

is not valid .reg syntax. Writing it as an ordinary quoted string ("ImagePath"="C:\\winnt\\nuke.exe", with the backslashes doubled) does import, but it creates a REG_SZ value rather than a REG_EXPAND_SZ one. The workaround used here was to import the garbled value first and then overwrite it in regedit with the absolute path C:\winnt\nuke.exe; doing that edit from the command line is cumbersome (Figure 3).
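The hex encoding described above is easy to get wrong by hand. The following Python script is added here as an example and is not code from the original article: it builds the same SRVTEST .reg file with a correctly encoded ImagePath for either file header, and it reproduces the garbled result by decoding the article's own ANSI bytes the way an NT registry does. The service name SRVTEST and the path c:\winnt\nuke.exe are the article's sample values, reused as constructed test data; the function names are mine.

```python
"""Write a service .reg file with a correctly encoded ImagePath.

Added example; not code from the original article.  The registry layout
follows the article's table.  SRVTEST and c:\\winnt\\nuke.exe are the
article's sample values, used here as constructed test data.
"""

REGEDIT4_HEADER = "REGEDIT4"
REGEDIT5_HEADER = "Windows Registry Editor Version 5.00"
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"

# The article's hex(2) data for c:\winnt\nuke.exe: single-byte ANSI, no null.
ARTICLE_IMAGEPATH = "hex(2):63,3A,5C,77,69,6E,6E,74,5C,6E,75,6B,65,2E,65,78,65"


def expand_sz_bytes(text: str, unicode: bool = True) -> bytes:
    """Raw bytes of a REG_EXPAND_SZ value, terminating null included.

    A 'Version 5.00' file carries the bytes exactly as the NT registry stores
    them (UTF-16LE); a 'REGEDIT4' file carries ANSI bytes that regedit
    converts on import.  Mixing the two is what garbles the value.
    """
    encoding = "utf-16-le" if unicode else "cp1252"
    return (text + "\0").encode(encoding)


def hex2_literal(raw: bytes) -> str:
    """Format raw bytes as the .reg literal 'hex(2):aa,bb,...'."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)


def parse_hex2(literal: str) -> bytes:
    """Inverse of hex2_literal, tolerant of spaces and upper-case digits."""
    body = literal.split(":", 1)[1]
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def registry_string_view(raw: bytes) -> str:
    """How regedit on NT shows raw REG_EXPAND_SZ bytes: as UTF-16LE, up to
    the first null.  Single-byte ANSI data therefore appears as the garbled
    characters the article reports (Figure 1)."""
    return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]


def service_reg(name: str, image_path: str, display_name: str,
                description: str, start: int = 2, svc_type: int = 0x10,
                error_control: int = 1, object_name: str = "LocalSystem",
                unicode: bool = True) -> str:
    """Text of a .reg file that creates the service key.

    start: 2 automatic, 3 manual, 4 disabled.  svc_type: 0x10 own process,
    0x20 shared process.  ImagePath goes in as hex(2) so it is REG_EXPAND_SZ
    (a quoted string would create REG_SZ and needs doubled backslashes).
    """
    header = REGEDIT5_HEADER if unicode else REGEDIT4_HEADER
    image = hex2_literal(expand_sz_bytes(image_path, unicode))
    lines = [
        header,
        "",
        f"[{SERVICES_KEY}\\{name}]",
        f'"Type"=dword:{svc_type:08x}',
        f'"Start"=dword:{start:08x}',
        f'"ErrorControl"=dword:{error_control:08x}',
        f'"ImagePath"={image}',
        f'"DisplayName"="{display_name}"',
        f'"ObjectName"="{object_name}"',
        f'"Description"="{description}"',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    garbled = registry_string_view(parse_hex2(ARTICLE_IMAGEPATH))
    print("article bytes as the registry shows them:", repr(garbled))
    print(service_reg("SRVTEST", "c:\\winnt\\nuke.exe", "SRVTEST",
                      "system service test"))
```

Save the Version 5.00 output with open("addsrv.reg", "w", encoding="utf-16") (exported Version 5.00 files are UTF-16LE with a BOM, which is what that encoding writes) or the REGEDIT4 output with encoding="cp1252", then import it with regedit /s addsrv.reg as described above.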

The method above is for Windows 2000 (and, with the REG_EXPAND_SZ note, XP/2003). Windows 98 has no Service Control Manager and its registry layout is different, but it offers an equivalent auto-start location that is even simpler to use: a string value under

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

For example, to start a program called BACKDOOR, create a string value named BACKDOOR there and put the full path of the executable in its data. Programs listed under RunServices are started at boot, before the user logs on.

Removing a service by hand is as simple as adding one: stop it, delete its subkey under Services, and reboot. The same keys are also the first place to look when checking a machine for this kind of persistence: compare the ImagePath of every auto-start service with what a clean system of the same build carries, and treat a service whose binary sits outside the Windows directory, or whose DisplayName and Description are empty or generic, as suspect.
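To turn that check into something repeatable, the following Python script, added here as an example and not part of the original article, parses a regedit export of the Services key and reports auto-start Win32 services whose binary lies outside the Windows system directory, which is exactly how the SRVTEST service above would stand out. The export text inside it is constructed sample data (SRVTEST is the article's service; Spooler, SampleSvc and Disk are stand-ins for ordinary entries), and the function names are mine.

```python
"""Audit a regedit export of the Services key for suspicious services.

Added example; not code from the original article.  Reads the values the
article's table describes from an export such as
  regedit /e services.reg HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services
and flags auto-start Win32 services whose binary is outside the Windows
directory.  SAMPLE_EXPORT is constructed data, not taken from a real system.
"""
import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SYSTEM_DIRS = ("%systemroot%\\", "\\systemroot\\", "system32\\",
               "c:\\winnt\\system32\\", "c:\\windows\\system32\\")

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,70,00,6f,00,6f,00,6c,00,\
  73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRVTEST]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\winnt\\nuke.exe"
"DisplayName"="SRVTEST"
"ObjectName"="LocalSystem"
"Description"="system service test"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="System32\\drivers\\disk.sys"
'''


def decode_value(literal: str):
    """Decode the right-hand side of a .reg value line."""
    if literal.startswith("dword:"):
        return int(literal[len("dword:"):], 16)
    if literal.startswith("hex(2):"):                  # REG_EXPAND_SZ, UTF-16LE bytes
        raw = bytes(int(t, 16) for t in literal[7:].split(",") if t.strip())
        return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    if literal.startswith('"') and literal.endswith('"'):   # REG_SZ, escaped
        return literal[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return literal                                     # other types: kept as text


def parse_export(export_text: str) -> dict:
    """{service_name: {value_name: value}} for direct children of Services."""
    services, current, pending = {}, None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                        # regedit wraps long hex data
            pending = line[:-1]
            continue
        pending = ""
        key = KEY_RE.match(line)
        if key:
            path, current = key.group(1), None
            if path.lower().startswith(SERVICES_PREFIX.lower()):
                rest = path[len(SERVICES_PREFIX):]
                if "\\" not in rest:                   # skip Parameters, Security, ...
                    current = services.setdefault(rest, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = decode_value(value.group(2))
    return services


def image_binary(image_path: str) -> str:
    """Executable part of an ImagePath: strips quotes and trailing arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def audit_services(export_text: str) -> list:
    """[(service, reason)] for auto-start Win32 services (Type & 0x30)
    whose binary is outside the Windows system directory."""
    findings = []
    for name, vals in parse_export(export_text).items():
        svc_type = vals.get("Type", 0)
        if not isinstance(svc_type, int) or not svc_type & 0x30:
            continue                                   # drivers (0x1/0x2): not reviewed here
        if vals.get("Start") != 2:
            continue
        if image_binary(vals.get("ImagePath", "")).lower().startswith(SYSTEM_DIRS):
            continue
        kind = "own-process" if svc_type & 0x10 else "shared-process"
        findings.append((name, f"auto-start {kind} service, binary outside the system "
                               f"directory: {vals.get('ImagePath')!r}, runs as "
                               f"{vals.get('ObjectName', 'LocalSystem')}"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_services(SAMPLE_EXPORT):
        print(f"{service}: {reason}")
```

On a live machine, export with regedit /e services.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, read the file with open("services.reg", encoding="utf-16") and pass the text to audit_services. Two limits are worth knowing: a shared-process service (Type 0x20) hosted by svchost.exe keeps its real code in the ServiceDll value under its Parameters subkey, which this script does not inspect, and a path inside the system directory is only a weak signal, since the binary can be dropped there too; diffing against a known-good export of the same build is the stronger check.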
