-
Running non .exe files
Hello everyone. I'm trying to write a program that can run valid PE files that do not have the .exe, .com, .bat, .scr, or .pif extensions. I do malware removal for a living, and we see a lot of exe hijacks, so we need to be able to have a program that can run exe files after they're no longer registered as application/x-msdownload in the registry.
I know it's possible, because sysinternals has a tool called psexec which you can use to run programs, and I've renamed calc.exe to calc.pqs and it still runs so long as I launch it from psexec (e.g. psexec.exe calc.pqs).
Someone had recommended using the libraries that psexec uses to try to accomplish this goal. From what I can tell it uses one or more functions from pdh.dll to accomplish this, but I can't tell how.
I've also tried using CreateProcess() and ShellExec() to accomplish this. ShellExec asks what to open it with, CreateProcess returns error 2 (Trying to run an invalid Windows application).
Thanks everyone. :)
-Slackwarefan
-
psexec uses CreateProcess(WithToken|WithLogon|AsUser) to run things, depending on what arguments you give it. Of course, it sounds like this entire thing is fruitless anyway. If you can't run plain exe files, how do you intend to run the tool that you'll create? It'll have to have a non-exe association to run it, at which point you're back to square one.
Not sure how you came to pdh.dll, psexec doesn't use it at all.
-
We can slip it in. The Rogue AV whitelists some files so you can go online to pay them for their scam. Renaming it to iexplore.exe with arguments to run our standard battery of tools allows me to fix the hijack, remove the malware, and stop any rootkits in one move, instead of chasing my tail with tools re-inserting themselves into the registry after reboot and downloaders re-downloading the code because I couldn't wipe them out due to policy restrictions the virus made. I've tried using CreateProcess myself. Here's the code I used. If you can tell me where I'm going wrong it'd be greatly appreciated.
Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    /* CreateProcess may write into lpCommandLine (the Unicode version does), so pass a
       writable buffer rather than a string literal. The extension is irrelevant to
       CreateProcess: it only checks the PE header. */
    char cmd[] = "C:\\Windows\\System32\\calc.123";

    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_MINIMIZE;

    BOOL res = CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (res == FALSE) {
        char sBuffer[100];
        /* GetLastError() returns a DWORD, so format it as unsigned long */
        sprintf(sBuffer, "Error Code: %lu", GetLastError());
        MessageBox(NULL, sBuffer, "FAILED TO EXECUTE PE CODE!", MB_ICONEXCLAMATION | MB_OK);
        return 1;   /* pi is not filled in on failure, so do not close its handles */
    }
    /* On success both handles are valid and must be closed to avoid a leak */
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}
-
You can rename .exe files to .bat or .com and they will run, if that's of any help.
-
You're probably compiling a 32-bit program and running it on a 64-bit version of Windows, where C:\Windows\system32\calc.123 becomes C:\Windows\SysWOW64\calc.123. Since calc.123 doesn't exist in the SysWOW64 directory, it fails.
The code works fine.
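The two points raised in this thread so far, launching a PE through the CreateProcess path regardless of its extension (what psexec and the posted C code do) and the WOW64 redirection of System32 for a 32-bit host, can be checked from an ordinary PowerShell prompt. The script below is an added example and is not code from the thread or from psexec; the target path calc.123 is assumed (a copy of calc.exe under that name), and Test-PeHeader and Start-PeDirect are names chosen here for illustration.

```powershell
# Added example: run a PE with a non-.exe extension without consulting the file association.
# UseShellExecute = $false makes .NET call CreateProcess directly (the path psexec takes);
# UseShellExecute = $true would go through ShellExecute and prompt "open with".
# The path calc.123 is an assumption for illustration.

function Test-PeHeader {
    param([string]$Path)
    # CreateProcess only cares that the file starts with an 'MZ' DOS header whose
    # e_lfanew field (offset 0x3C) points at a 'PE\0\0' signature; the extension is ignored.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 4 -gt $bytes.Length) { return $false }
    return ($bytes[$peOffset] -eq 0x50 -and $bytes[$peOffset + 1] -eq 0x45 -and
            $bytes[$peOffset + 2] -eq 0 -and $bytes[$peOffset + 3] -eq 0)
}

function Start-PeDirect {
    param([string]$Path, [string]$Arguments = '')
    if (-not (Test-PeHeader $Path)) { throw "$Path is not a PE image" }
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $Path
    $psi.Arguments = $Arguments
    $psi.UseShellExecute = $false      # CreateProcess, not ShellExecute: no association lookup
    return [System.Diagnostics.Process]::Start($psi)
}

# A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64, which is why
# the posted C code got ERROR_FILE_NOT_FOUND (2). The Sysnative alias reaches the real
# System32 from a 32-bit process; a 64-bit process can use System32 directly.
$sys32 = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Join-Path $env:windir 'Sysnative'
} else {
    Join-Path $env:windir 'System32'
}
$target = Join-Path $sys32 'calc.123'   # assumed: calc.exe copied to this name beforehand
$proc = Start-PeDirect -Path $target
"Started PID $($proc.Id) from $target"
```

Test-PeHeader is what distinguishes error 2 (the file was not found, as with the WOW64 redirect above) from error 193, ERROR_BAD_EXE_FORMAT, which is what CreateProcess returns when the file exists but is not a valid PE image; checking the header first makes the failure mode obvious before the launch is attempted.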
-
Surely a reg file that restores the EXE file association would be no more complex and more effective - as someone else pointed out, if you can run one program, you can fix the problem without having to do fancy things. Copy regedit.exe to your whitelisted filenames and you're away, fixing the problem in one less step.
That said, doing malware removal on this kind of scale in an automated fashion is just asking for trouble if you ask me. Clean boot into recovery, format, reinstall from image. Probably takes a lot less time than any of your fancy tricks anyway. If you're doing this on many people's computers (e.g. a repair shop) then the chances of finding the same malware with the same whitelist is slim and you'll spend more time chasing it and its million variants than you would have done to just remove the disk and scan it from a proper antivirus as a data-only disk, then restore registry entries and return disk to the original machine.
Seriously: I'd be sacked if I dealt with malware on my network often enough that your sort of tool helped. And if your tool was useful, then just booting the machine in an OS that's NOT running a known malware in memory is 100% more effective at correcting the problem. Hell, I could knock up a read-only Linux boot disk in minutes that would restore the EXE file association on any machine in a *CLEAN* way before you scanned it - crafting your own C program to load in an executable to then attempt cleansing of the system "Live" while the malware is active? Sounds like a recipe for disaster to me - for a start, rootkit-like capabilities of some modern malware mean that you wouldn't be able to even *SEE* the change in the registry if the malware was still live (some of them are capable of hooking access to critical parts of the filesystem / registry / process list on startup so you can't detect the malware's presence or remove it).
As a "slackwarefan", I'm sure you could do a better job than this Heath-Robinson affair.
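The .reg-file fix suggested above amounts to putting the stock exefile registration back and removing the per-user override the hijack installs. The PowerShell below is an added example, not from any poster, that does the same thing from whatever whitelisted process the rogue AV still lets you run; the key paths and values are the default Windows registration for .exe, the function names Get-ExeOpenCommand and Restore-ExeAssociation are chosen here, and the malware's own ProgID name is not assumed (the per-user .exe override is removed whatever it points to).

```powershell
# Added example: restore the default .exe association, equivalent to importing a .reg file.
# Must run elevated to write HKLM. The values are the stock exefile registration.

$hkcuClasses = 'Registry::HKEY_CURRENT_USER\Software\Classes'
$hklmClasses = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes'

function Get-ExeOpenCommand {
    # HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes wins over
    # HKLM\Software\Classes, so a hijack usually lives in the per-user branch.
    # Resolve it the way the shell does: .exe -> ProgID -> shell\open\command.
    $progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

function Restore-ExeAssociation {
    # 1. Drop the per-user override so the machine-wide registration is visible again.
    Remove-Item "$hkcuClasses\.exe" -Recurse -Force -ErrorAction SilentlyContinue

    # 2. Put the machine-wide keys back to their defaults (the contents a fix .reg file carries).
    $defaults = [ordered]@{
        "$hklmClasses\.exe"                       = @{ '(default)' = 'exefile'; 'Content Type' = 'application/x-msdownload' }
        "$hklmClasses\exefile"                    = @{ '(default)' = 'Application' }
        "$hklmClasses\exefile\shell\open\command" = @{ '(default)' = '"%1" %*' }
    }
    foreach ($key in $defaults.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $defaults[$key].Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $defaults[$key][$name]
        }
    }
}

"Before: $(Get-ExeOpenCommand)"
Restore-ExeAssociation
"After:  $(Get-ExeOpenCommand)"     # should read: "%1" %*
```

Reading the command back after the write is the check that matters here: as the previous poster notes, malware that hooks registry access can make the write appear to succeed while the live system still resolves .exe to the hijacked command, and a result other than "%1" %* after Restore-ExeAssociation is exactly the signal that the fix has to be done offline.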