Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Module 06 - Trojans and Backdoors

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility                    Information Collected/Objectives Achieved
------------------------------  ----------------------------------------------------------
Atelier Web Remote Commander    Remotely accessing Windows Server 2008
                                Result: System information of remote Windows Server 2008
                                ■ Network information path of remote Windows Server 2008
                                ■ Viewing complete files of c:\ of remote Windows Server 2008
                                ■ User and group details of remote Windows Server 2008
                                ■ Password hashes

Questions
1. Evaluate the ports that AWRC uses to perform its operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.
Internet Connection Required
☐ Yes
☑ No

Platform Supported
☑ Classroom

CEH Lab Manual Page 468

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data, in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY
■ Valuable information
■ Test your knowledge
■ Web exercise
■ Workbook review

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan from a specific system. One must realize that the World Wide Web is one of the channels that transmits information as well as malicious and harmful programs. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of program is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, the affected user is unaware of the possible effects until sensitive and important information is found missing from the system. With a backdoor Trojan in place, an attacker can also perform other types of malicious attacks. The other name for backdoor Trojans is remote access Trojans (RATs). The main reason that backdoor Trojans are so dangerous is that they give the attacker the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.




■ Analyze using Port Monitor
■ Analyze using Process Monitor
■ Analyze using Registry Monitor
■ Analyze using Startup Program Monitor
■ Create MD5 hash files for Windows directory files
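The last objective, hashing the Windows directory so that later changes can be detected, is what the lab does with FsumFrontend. The script below is an added example written for this page; it is not part of the CEH lab and not FsumFrontend's own code. It records a baseline of file hashes in a CSV on the first run and, on every later run, reports files that were added, modified or removed. The baseline location and the default of hashing only %SystemRoot%\System32 are assumptions; MD5 is used only to match the lab objective, since MD5 collisions are practical and SHA-256 is the right choice for a real baseline. Get-FileHash needs PowerShell 4.0 or later, and the script should run from an elevated prompt.

```powershell
# Added example (not part of the CEH lab): hash baseline of the Windows
# directory and a later comparison against it, the check FsumFrontend
# performs in this lab. Run elevated.

# Assumed baseline location; keep the real one on read-only/offline media,
# because a Trojan with write access to the host can rewrite it.
$BaselineFile = "$env:USERPROFILE\windows-baseline.csv"

function New-FileBaseline {
    param(
        [string]$Root = "$env:SystemRoot\System32",   # assumed default scope
        [string]$Algorithm = 'MD5'                    # lab objective; use SHA256 in practice
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked files (registry hives, etc.) fail to open and are skipped.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Hash      = $h.Hash
                    Length    = $_.Length
                    LastWrite = $_.LastWriteTimeUtc.ToString('o')
                }
            }
        }
}

function Compare-FileBaseline {
    param(
        [string]$Path,
        [string]$Root = "$env:SystemRoot\System32",
        [string]$Algorithm = 'MD5'
    )
    # Index the stored baseline by path, then walk the current tree once.
    $old = @{}
    Import-Csv -LiteralPath $Path | ForEach-Object { $old[$_.Path] = $_ }
    $seen = @{}
    foreach ($cur in New-FileBaseline -Root $Root -Algorithm $Algorithm) {
        $seen[$cur.Path] = $true
        if (-not $old.ContainsKey($cur.Path)) {
            [pscustomobject]@{ Change = 'ADDED';    Path = $cur.Path; Old = '';                   New = $cur.Hash }
        } elseif ($old[$cur.Path].Hash -ne $cur.Hash) {
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $cur.Path; Old = $old[$cur.Path].Hash; New = $cur.Hash }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'REMOVED';  Path = $p;        Old = $old[$p].Hash;        New = '' }
        }
    }
}

# First run: write the baseline. Later runs: print what changed since then.
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    New-FileBaseline | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
    "Baseline written to $BaselineFile"
} else {
    Compare-FileBaseline -Path $BaselineFile | Format-Table -AutoSize
}
```

Hashing System32 recursively takes several minutes; the interesting output is a MODIFIED line on a system binary outside of patch day, or an ADDED executable or DLL in a directory that only Windows Update should write to. A kernel-mode Trojan that filters file reads can still hide from a hash check run on the infected host, which is why a baseline is most trustworthy when the comparison is run from clean media.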


Lab Environment
To carry out this lab, you need:

■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ FsumFrontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run the tools

Note (Disabling and Deleting Entries): If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns stores the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named "Autoruns disabled". Check a disabled item to re-enable it.

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data, in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions and appearance of the client or host you create may differ from what is shown in the lab, but the actual process of connecting to the server and inspecting the processes is the same as shown in this lab.

Lab Tasks

TASK 1: TCPView

1. Go to the Windows Server 2012 virtual machine.
2. Install TCPView from D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with columns such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.


[Screenshot: TCPView (Sysinternals: www.sysinternals.com) main window, menu File / Options / Process / View / Help. Columns: Process, PID, Protocol, Local Address, Local Port. The rows show dns.exe (PID 1572) on host WIN-2N9STOSGIEN listening on TCP and UDP port domain (53) and on UDP ports 49152 through 49171.]

Note: You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.

FIGURE 8.1: TCPView main window

4. The tool performs port monitoring.
[Screenshot: TCPView main window scrolled further down. svchost.exe instances (PIDs 892, 960, 1064, 1552, 1808, 2184, 3092, 3440, 3856, 4272, 4312) listen on TCP 5504 and the 49153-49187 range and on UDP bootps, bootpc, isakmp, 2535, 3391, teredo, ipsec-msft, llmnr and 53441; the System process (PID 4) listens on TCP netbios-ssn, microsoft-ds, http, https and 5985.]

Note: If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.

FIGURE 8.2: TCPView main window

5. Now it is analyzing the SMTP and other ports.

[Screenshot: TCPView with the Remote Address, Remote Port and State columns visible. Listening entries (TCP 3388, 5504, 49153-49187, netbios-ssn, microsoft-ds, http, https; UDP bootps, bootpc, isakmp, 2535, 3391, teredo, ipsec-msft, llmnr, 53441) show remote port 0 and state LISTENING; two microsoft-ds sessions from hosts win-egbhisgl and windows8 show state ESTABLISHED.]

Note: Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

Note: There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click the entry's or location's line in the display.

FIGURE 8.3: TCPView analyzing ports

You can also kill a process by double-clicking the respective process and then clicking the End Process button.
[Screenshot: "Properties for dns.exe: 1572" dialog. Description: Domain Name System (DNS) Server, Microsoft Corporation. Version: 6.02.8400.0000. Path: C:\Windows\System32\dns.exe. Buttons: End Process, OK.]

FIGURE 8.4: Killing processes
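The columns TCPView shows above, and the triage a reader does by eye (which process owns the socket, where its image lives, who signed it, is the connection established and to whom), can be reproduced from PowerShell. The script below is an added example written for this page; it is not part of the CEH lab and not Sysinternals code. It lists listening TCP and UDP endpoints with their owning process, marks a listener whose image sits outside System32/SysWOW64 or fails Authenticode validation, and prints the established TCP sessions with their remote side. The trusted-directory list and the "Suspicious" rule are assumed policy for illustration. It needs an elevated prompt and Windows 10 / Server 2016 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint expose the OwningProcess property.

```powershell
# Added example (not part of the CEH lab): TCPView-style listing of sockets
# with their owning process, plus a simple triage flag. Run elevated.

# Assumed policy: images under these directories are expected to listen;
# anything else is reported for review.
$TrustedRoots = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

function Get-ListeningEndpoint {
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; PID = $_.OwningProcess }
    }
    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.PID -ErrorAction SilentlyContinue
        $path = $proc.Path   # $null for System (PID 4) and for protected processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $trusted = $false
        if ($path) {
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
        }
        [pscustomobject]@{
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            PID          = $ep.PID
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ImagePath    = $path
            Signature    = $sig
            # Flag: listener from an unexpected directory, or with a bad/missing signature.
            Suspicious   = ((-not $trusted) -and ($ep.PID -ne 4)) -or ($sig -notin 'Valid', 'n/a')
        }
    }
}

# Established sessions with the remote endpoint, like TCPView's ESTABLISHED rows.
function Get-EstablishedConnection {
    Get-NetTCPConnection -State Established | Select-Object `
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } },
        @{ n = 'PID';     e = { $_.OwningProcess } },
        LocalAddress, LocalPort, RemoteAddress, RemotePort
}

Get-ListeningEndpoint   | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-EstablishedConnection | Format-Table -AutoSize
```

On the lab's Windows Server 2012 image the OwningProcess property is missing; `netstat -ano` gives the same PID column and `tasklist` maps it to a process name by hand. Treat the flag as a starting point only: a Trojan can just as well run from a trusted directory under a familiar name such as svchost.exe, so the properties dialog in Figure 8.4 (path, version, publisher) and the remote address of an established session carry more weight than the port number.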

TASK 2: Autoruns

6. Go to the Windows Server 2012 virtual machine.
7. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.
8. It lists all processes, DLLs, and services.


[Screenshot: Autoruns [WIN-2N9STOSGIEN\Administrator] - Sysinternals: www.sysinternals.com, menu File / Entry / Options / User / Help, Everything tab selected among the tabs Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Codecs, Boot Execute, Image Hijacks, AppInit, KnownDLLs, Winlogon, Winsock Providers, Print Monitors, LSA Providers, Network Providers, Sidebar Gadgets. Columns: Autorun Entry, Description, Publisher, Image Path. Entries shown: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup (UsrLogon.cmd, c:\windows\system32\usrlo...); HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (HotKeysCmds, IgfxTray and Persistence modules, Intel Corporation, c:\windows\system32\...); HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Adobe ARM, Adobe Reader SpeedLauncher, Adobe Systems Incorporated; EPSON USB Display V1.40, SEIKO EPSON CORPORATION, c:\program files (x86)\...). Status bar: Ready. Windows Entries Hidden.]

Note: You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.5: Autoruns main window
Note: Simply run Autoruns and it shows you the currently configured autostart applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.

10. The following is the detailed list on the Logon tab.
[Screenshot: Autoruns, Logon tab. Entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: HotKeysCmds (hkcmd Module), IgfxTray (igfxTray Module) and Persistence (persistence Module), all Intel Corporation, c:\windows\system32\...; under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run: Adobe ARM (Adobe Reader and Acrobat Manager), Adobe Reader (Adobe Acrobat SpeedLauncher), both Adobe Systems Incorporated; EPSON_UD_S (EPSON USB Display V1.40, SEIKO EPSON CORPORATION); googletalk (Google Talk, Google); SunJavaUpdateSched (Java(TM) Update Scheduler, Sun Microsystems, Inc.); and the startup folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. Status bar: Ready. Windows Entries Hidden.]

Note (Internet Explorer tab): This entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.

FIGURE 8.9: Autoruns Logon list

11. The following are the Explorer list details.


[Screenshot: Autoruns, Explorer tab. Entries: HKLM\Software\Classes\Protocols\Filter (text/xml, Microsoft Office XML MIME Filter, Microsoft Corporation, c:\program files\common fi...); HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers, HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers and HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers, each listing SnagItMainShellExt (Snagit Shell Extension DLL, TechSmith Corporation, c:\program files (x86)\techs...) and WinRAR / WinRAR32 (WinRAR shell extension, Alexander Roshal, c:\program files\winrar\rare...). Status bar: Ready. Windows Entries Hidden.]

Note (Services tab): All Windows services configured to start automatically when the system boots.

FIGURE 8.10: Autoruns Explorer list

12. The following are the Services list details.
[Screenshot: Autoruns, Services tab. Entries under HKLM\System\CurrentControlSet\Services: AdobeFlashPlayerUpdateSvc (This service keeps your Adobe Flash Player installation up to date, Adobe Systems Incorporated, c:\windows\syswow64\ma...); c2wts (Service to convert claims based identities to Windows identities, Microsoft Corporation, c:\program files\windows id...); EMP_UDSA (EPSON USB Display V1.40, SEIKO EPSON CORPORATION, c:\program files (x86)\epso...); MozillaMaintenance (The Mozilla Maintenance Service, Mozilla Foundation, c:\program files (x86)\mozi...); ose (Saves installation files used for updates and repairs, Microsoft Corporation, c:\program files (x86)\comm...); osppsvc (Office Software Protection Platform, Microsoft Corporation, c:\program files\common fi...); WSusCertServer (This service manages the certificates..., Microsoft Corporation, c:\program files\update ser...). Status bar: Ready. Windows Entries Hidden.]

Note (Drivers tab): This displays all kernel-mode drivers registered on the system except those that are disabled.

FIGURE 8.11: Autoruns Services list

13. The following are the Drivers list details.


[Screenshot: Autoruns, Drivers tab. Entries under HKLM\System\CurrentControlSet\Services, all with image paths under c:\windows\system32\drivers: 3ware (LSI 3ware SCSI Storport Driver, LSI); adp94xx (Adaptec Windows SAS/SATA Storport Driver, Adaptec, Inc.); adpahci (Adaptec Windows SATA Storport Driver, Adaptec, Inc.); adpu320 (Adaptec StorPort Ultra320 SCSI Driver, Adaptec, Inc.); amdsata (AHCI 1.2 Device Driver, Advanced Micro Devices); amdsbs (AMD Technology AHCI Compatible Controller Driver, AMD Technologies Inc.); amdxata (Storage Filter Driver, Advanced Micro Devices); arcsas (Adaptec RAID Storport Driver and Adaptec SAS RAID WS03 driver, PMC-Sierra, Inc.). Status bar: Ready. Windows Entries Hidden.]

Note (Scheduled Tasks tab): Task Scheduler tasks configured to start at boot or logon.

FIGURE 8.12: Autoruns Drivers list

14. The following is the KnownDLLs list in Autoruns.
[Screenshot: Autoruns, KnownDLLs tab. Entries under HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls: _Wow64, Wow64cpu and Wow64win, each reported as "File not found: C:\Windows...". Status bar: Ready. Windows Entries Hidden.]

FIGURE 8.13: Autoruns KnownDLLs list
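The Autoruns tabs walked through in steps 8 to 14 rely on three checks a reader makes per entry: does the image file exist (the "File not found" marker on the KnownDLLs tab), is it signed, and is the publisher Microsoft (the "Hide Windows entries" view in every screenshot). The script below is an added example written for this page; it is not Autoruns' own code and not part of the CEH lab. It enumerates a subset of the locations Autoruns covers (the Run/RunOnce keys, the Startup folders and auto-start services, as seen on the Logon and Services tabs) and applies those three checks. The publisher test, a substring match on the certificate subject, is a deliberate simplification labelled as such in the code; it needs an elevated prompt so that every HKLM and service key is readable.

```powershell
# Added example (not part of the CEH lab, not Autoruns code): enumerate a
# subset of autostart locations and apply the checks Autoruns displays:
# "File not found", Authenticode status, and non-Microsoft publisher.
# Run elevated.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Extract the executable from a command line such as
#   "C:\Program Files\x\y.exe" /silent     or     C:\tools\z.exe -k
# Unquoted paths containing spaces are resolved by extending the candidate
# word by word until a file exists on disk.
function Get-ImagePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    $parts = $expanded -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutostartEntry {
    # Registry Run / RunOnce values (Logon tab)
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Entry = $name; ImagePath = Get-ImagePath $item.GetValue($name) }
        }
    }
    # Startup folders (Logon tab); .lnk shortcuts resolve to their target
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Location = $folder; Entry = $_.Name; ImagePath = $target }
        }
    }
    # Auto-start services (Services tab)
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        [pscustomobject]@{ Location = 'HKLM\System\CurrentControlSet\Services'; Entry = $_.Name; ImagePath = Get-ImagePath $_.PathName }
    }
}

function Test-AutostartEntry {
    foreach ($e in Get-AutostartEntry) {
        $exists = $e.ImagePath -and (Test-Path -LiteralPath $e.ImagePath -PathType Leaf)
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $e.ImagePath } else { $null }
        $publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $e | Add-Member -NotePropertyName Status -NotePropertyValue $(
            if (-not $exists)                         { 'FILE NOT FOUND' }
            elseif ($sig.Status -ne 'Valid')          { "UNSIGNED ($($sig.Status))" }
            # Assumption / simplification: a subject containing "Microsoft" is treated
            # as a Windows entry. A real check validates the chain to a Microsoft root.
            elseif ($publisher -notmatch 'Microsoft') { 'third-party, signed' }
            else                                      { 'Microsoft' }
        ) -PassThru
    }
}

# Equivalent of "Hide Windows entries": list what Microsoft did not sign.
Test-AutostartEntry | Where-Object Status -ne 'Microsoft' | Format-Table Status, Entry, ImagePath, Location -AutoSize
```

A FILE NOT FOUND row is worth the same second look it gets in Autoruns: either a leftover from an uninstalled product, or a persistence entry whose payload has been moved or whose path is being typo-squatted. Autoruns also covers Winlogon notifications, AppInit DLLs, LSA and Winsock providers, scheduled tasks, drivers and image hijacks, none of which this script enumerates; a Trojan that avoids the Run keys will only show up there.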

TASK 4: jv16 PowerTools

15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).
16. jv16 PowerTools is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.
17. To launch jv16 PowerTools, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.


[Screenshot: Windows Server 2012 desktop (evaluation copy) with the Start tile shown in the lower-left corner.]

FIGURE 7.1: Windows Server 2012 Start / Desktop

18. Click jv16 PowerTools 2012 in the Start menu apps.

[Screenshot: Windows Server 2012 Start screen, signed in as Administrator, showing the installed apps.]

Note (Winlogon Notifications tab): Shows DLLs that register for Winlogon notification of logon events.

FIGURE 7.2: Windows Server 2012 Start menu apps

19. Click the Clean and fix my computer icon.

Note (Winsock Providers tab): Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
