- Mastering Reverse Engineering
- Reginald Wong
- 111 words
- 2021-06-10 19:40:25
Run keys
A file path entered as registry data under any of these registry keys is executed when Windows starts. On 64-bit versions of Windows, the registry paths are:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Programs listed under these registry keys are executed when the current user logs in, as can be seen in the following registry paths:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
Keys whose names contain Once list programs that run only once. Malware can still persist if it keeps placing its own file path under the RunOnce, RunOnceEx or RunServicesOnce keys.
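The behaviour described in the last paragraph can be detected by comparing two snapshots of the Once keys. The following is an added example, not code from the book: it parses the text output of `reg query <key> /s` captured before and after a reboot and logon, and reports Once-key values present in both, which means something wrote them again. The function names and the sample snapshots are constructed for illustration.

```python
import re

# Matches the key names listed above (any hive, with or without Wow6432Node),
# plus subkeys, since RunOnceEx keeps its entries in subkeys.
# Assumption: any key whose path ends in one of these names is of interest.
RUN_KEY = re.compile(r"\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)(\\|$)", re.I)
# One value line of `reg query` output: indent, name, type, data (4-space gaps).
VALUE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def autostart_entries(reg_query_output):
    """Return {(key, value_name): data} for every value under a Run-style key."""
    entries, key = {}, None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and RUN_KEY.search(key):
            m = VALUE.match(line)
            if m:
                entries[(key, m.group(1))] = m.group(3).strip()
    return entries

def reasserted_once_entries(before_reboot, after_reboot):
    """Once-key values found in both snapshots: they were written again."""
    old, new = autostart_entries(before_reboot), autostart_entries(after_reboot)
    return sorted(
        (key, name, data) for (key, name), data in new.items()
        if "once" in RUN_KEY.search(key).group(1).lower() and (key, name) in old
    )

# Constructed sample snapshots (not from the book), in `reg query /s` layout.
BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Setup Cleanup    REG_SZ    C:\Windows\Temp\cleanup.cmd
    svc    REG_SZ    C:\Users\user\AppData\Roaming\svc.exe
"""
AFTER = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    svc    REG_SZ    C:\Users\user\AppData\Roaming\svc.exe
"""

if __name__ == "__main__":
    for key, name, data in reasserted_once_entries(BEFORE, AFTER):
        print(f"{key}\n    {name} -> {data}")
```

An entry that appears in both snapshots may also simply not have run yet, for example because that user has not logged in, so treat each result as a lead to investigate.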