Method of realizing program startup and self startup through registry
2022-07-26 23:55:00 【Red blue red】
1. Preface
Generally speaking, once a Trojan or virus has run successfully on a server, one of the first things it does is add itself to the startup items so that it keeps a persistent foothold on the target.
There are several ways to achieve this: scheduled tasks, services and the registry. Scheduled tasks are comparatively conspicuous and easy for an administrator to spot. Services are less universally applicable: the program has to be written (or wrapped) to behave as a Windows service, and creating one requires administrator rights. The most dependable method is to modify the registry: the Run keys exist in every version of Windows, so an entry placed there works everywhere and runs the program again at every logon. For the same reason it is also the first place defenders look; tools such as Autoruns and Sysmon (Event ID 13, registry value set) watch these keys, and the technique is catalogued as MITRE ATT&CK T1547.001.
Some readers may ask: I am not a hacker, why learn this? The answer is simple. As a penetration tester, checking a system for viruses and Trojans is a required skill. Many of them are packed or otherwise made to evade detection, so anti-virus software alone is not enough and a manual check is needed. The startup items are one of the things to check, and only by understanding how the attack works do you know how to clean it up and what defenses to put in place.
2. Two ways to modify the registry
There are two main ways to modify the registry: manually in the graphical Registry Editor, or from the command line, which requires some familiarity with the relevant commands. Both are demonstrated below.
(1) Modifying the registry manually
First, type the following at the command line (or in the Run dialog):
regedit
Once the Registry Editor opens, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Every value under this key is a command that Windows runs for every user at logon (the HKEY_CURRENT_USER copy of the same path holds the entries that run only for the current user). Taking the file 1.exe on the desktop as an example, right-click in the right-hand pane of Run and create a new String Value (REG_SZ). The name is arbitrary; here it is aaa. First check the path of 1.exe:
C:\Users\ASUS\Desktop\1.exe
Then double-click aaa and set its data to:
"C:\Users\ASUS\Desktop\1.exe" /start
The path is enclosed in double quotes because a path may contain spaces. The /start switch is simply a command-line argument that Windows passes to 1.exe when it launches it; the Run key itself does not require it, so omit it if your program takes no arguments.
Now open Task Manager: on the Startup tab, 1.exe is listed as a startup item.
(2) Modifying the registry from the command line
The main way to modify the registry from the command line is the reg command.
Enter the following at the command line to see its help:
reg /?

The subcommand we need is:
reg add
It adds or modifies a value: if the value does not exist it is created; if it does, reg add asks before overwriting it (name, type and data) unless /f is given. The syntax and the meaning of each parameter can be shown with:
reg add /?

Two things to watch here. First, the path must be enclosed in double quotes. Second, a space follows the closing quote, and after the space comes the /start argument for the program (as above, it is only an argument to 1.exe, not something the Run key needs).
The resulting command is:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v bbb /t REG_SZ /d "\"C:\Users\ASUS\Desktop\1.exe\" /start" /f
Note that everything inside the double quotes after the /d parameter is the data to be written into the value bbb. Because reg treats double quotes as the boundaries of the parameter, the inner quotes around the path are escaped as \". The space before /start sits inside the outer quotes, so it needs no special handling. reg also accepts the abbreviations HKLM and HKCU for the hive names.
Writing to HKEY_LOCAL_MACHINE requires an elevated command prompt (run it as administrator); otherwise the command fails with an access-denied error. The same command with HKEY_CURRENT_USER in place of HKEY_LOCAL_MACHINE works from an ordinary user prompt and creates an entry that runs only for that user, which is why it is the variant used by malware running without administrator rights.
Checking in the Registry Editor confirms that the value bbb is present: the command executed successfully.
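The same procedure in PowerShell, as an added example that is not part of the original article: the script writes the Run value for either hive, reads it back the way reg query would, and shows the removal command a responder uses to clean the entry up. The path, the value name bbb and the /start switch are taken from the article; the administrator check, the parameter names and the hive selection are this example's own.

```powershell
# Added example (not from the original article): write, verify and remove a Run value
# with PowerShell instead of reg.exe. The path, value name and /start switch follow
# the article; /start is only meaningful if 1.exe itself understands that argument.
param(
    [string]$Exe       = 'C:\Users\ASUS\Desktop\1.exe',
    [string]$ValueName = 'bbb',
    [string]$Arguments = '/start',
    # HKLM runs the program for every user at logon but needs an elevated shell;
    # HKCU affects only the current user and needs no elevation, which is why
    # low-privilege malware usually picks it.
    [ValidateSet('HKLM', 'HKCU')]
    [string]$Hive      = 'HKLM'
)

$RunKey = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Same data string reg.exe wrote: the path in double quotes (paths may contain
# spaces), a space, then the argument. No backslash escaping is needed here.
$Data = "`"$Exe`" $Arguments"

# Fail early instead of hitting "access denied" halfway through.
if ($Hive -eq 'HKLM') {
    $Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
    if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing to HKLM\...\Run requires an elevated PowerShell session.'
    }
}

# Equivalent of: reg add <key> /v bbb /t REG_SZ /d "\"C:\Users\ASUS\Desktop\1.exe\" /start" /f
New-ItemProperty -Path $RunKey -Name $ValueName -Value $Data -PropertyType String -Force | Out-Null

# Equivalent of: reg query <key> /v bbb
$ReadBack = (Get-ItemProperty -Path $RunKey -Name $ValueName).$ValueName
if ($ReadBack -ne $Data) { throw "Read-back mismatch: got '$ReadBack'" }
Write-Output "$RunKey\$ValueName = $ReadBack"

# Cleanup once the entry is no longer wanted (what a responder runs after
# confirming the entry is malicious):
#   Remove-ItemProperty -Path $RunKey -Name $ValueName
```

Save it as, for example, Add-RunValue.ps1 and run .\Add-RunValue.ps1 -Hive HKCU to try it without elevation; the entry then appears on Task Manager's Startup tab exactly like the one created with reg add.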
3. Querying a registry value
Use the following command:
reg query
If you do not know its syntax, no problem: the help is shown with:
reg query /?

With that syntax we can query the value just created:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v bbb

Omitting /v lists every value under the key, which is the form to use when checking a machine; repeat it for the HKEY_CURRENT_USER copy of the key and for the RunOnce keys next to it, since a Trojan can use any of them.
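The query above covers one value in one key. As an added example that is not part of the original article, the following PowerShell script enumerates the HKLM and HKCU Run and RunOnce keys (including the Wow6432Node copies that 32-bit programs write on 64-bit Windows) and flags the entries a responder should look at first. The key list, the directory patterns and the signature check are this example's own heuristics, not an authoritative reference.

```powershell
# Added example (not from the original article): audit the common Run/RunOnce keys
# and flag entries worth a closer look. The key list and the "suspect directory"
# patterns are this example's own choices, not an exhaustive reference.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations an ordinary user can write to. Installed software normally lives under
# Program Files or Windows, so a startup entry pointing here is worth a second look
# (the article's C:\Users\ASUS\Desktop\1.exe would be flagged).
$SuspectDirs = @('\Users\', '\AppData\', '\Temp\', '\ProgramData\', '\Public\')

# Properties Get-ItemProperty adds that are not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePathFromCommand {
    param([string]$Command)
    # Heuristic: a quoted path ends at the closing quote; otherwise take the first
    # token. An unquoted path that itself contains spaces is not handled.
    $m = [regex]::Match($Command, '^\s*"([^"]+)"')
    $p = if ($m.Success) { $m.Groups[1].Value } else { ($Command.Trim() -split '\s+', 2)[0] }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($MetaProps -contains $name) { continue }
            $data  = [string]$props.$name
            $exe   = Get-ExePathFromCommand $data
            $flags = @()
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $flags += 'target not found'
            } else {
                if ($SuspectDirs | Where-Object { $exe -like "*$_*" }) {
                    $flags += 'user-writable location'
                }
                # Unsigned or tampered binaries in a startup key deserve attention.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            }
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Data  = $data
                Flags = $flags -join '; '
            }
        }
    }
}

Get-RunKeyAudit | Format-Table -AutoSize -Wrap
```

Pipe the result through Where-Object Flags to see only the flagged entries. On 64-bit Windows, run it from a 64-bit PowerShell: a 32-bit process has its HKLM:\SOFTWARE accesses redirected into Wow6432Node, so it would miss the native keys.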
4. Summary
This article has shown two ways of modifying the registry so that a specified program runs automatically, together with the command for querying registry values. I hope it is helpful to everyone learning penetration testing.