
I was reading an article about a piece of malware.

And when describing its installation process, I came across the following question:

How can a program run on startup if there is no script or executable file present in the system?

The only similar question I found was this, but it does not mention a system reboot.

Here is how the article described the installation process of the malware (paraphrased in my own words):

Let's say there is a malicious .exe file on a Windows computer.

When executed, it starts a process which creates a Mutex and some Events, then injects itself into another program's memory space and kills its own process.

After this setup phase the original malicious .exe is deleted from the hard drive.

A process is started to check whether the Mutex is present; if not, it will start up the malware.

The Task Scheduler is used so that, when the infected computer starts up, the malware is executed.

It can also set up a Windows Service for the malware.

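The watchdog step in the question (a process checks whether the Mutex is present and relaunches the malware if it is not) rests on one .NET/Win32 primitive: a named mutex whose existence is visible to every process on the machine. The following PowerShell is an added example written for this page, not code from the question or from the article it paraphrases. It shows both sides of that check in one process: the first instance creates the mutex, a second instance sees that it already exists, and once the first instance closes its handle the name is gone again. The mutex name is a placeholder chosen for the demo.

```powershell
# Added example, not code from the question or the article it paraphrases.
# Demonstrates the named-mutex check the OP describes: the first instance
# creates the mutex, a second instance (or the watchdog) sees that it exists.
# The mutex name is an arbitrary placeholder chosen for this example.

$DemoMutexName = 'Global\ExampleMutexDemo'

function Enter-SingleInstance {
    # Creates the named mutex without acquiring it (the malware only needs the
    # name to exist, not the lock). Returns the Mutex object when this caller
    # created the name, $null when it already existed, i.e. another instance
    # is running. The caller keeps the object alive for the life of the
    # process; disposing the last handle makes the name disappear.
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        $mutex.Dispose()
        return $null
    }
    return $mutex
}

function Test-NamedMutex {
    # The watchdog side: does a mutex with this name exist right now?
    # OpenExisting throws WaitHandleCannotBeOpenedException when it does not,
    # and UnauthorizedAccessException when it exists but this account may not
    # open it; the latter still means some process created it. A responder
    # can use the same call to look for a mutex name listed in a malware report.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
    catch [System.UnauthorizedAccessException] { return $true }
}

# Walk through the lifecycle inside one process.
"Before anything runs, mutex exists: $(Test-NamedMutex $DemoMutexName)"

$owner = Enter-SingleInstance $DemoMutexName
"First instance created the mutex: $($null -ne $owner)"
"Watchdog check while first instance is alive: $(Test-NamedMutex $DemoMutexName)"

$second = Enter-SingleInstance $DemoMutexName
"Second instance refused because one is already running: $($null -eq $second)"

# The first instance exits: closing its only handle removes the name, which is
# exactly the condition that makes the watchdog relaunch the payload.
$owner.Dispose()
"After first instance exits, mutex exists: $(Test-NamedMutex $DemoMutexName)"
```

Run it as a plain script; the only state it touches is the demo mutex name, which vanishes when the script's handle is closed. Two things worth noticing for the malware case: the check is racy by design (a second instance started between the watchdog's test and the relaunch will simply lose on `createdNew`), and because the name lives in the kernel object namespace rather than on disk, deleting the original .exe does not remove it, which is why the article's self-deletion step does not break the watchdog.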
    Haven't read the article, but there are several executables/facilities in Windows that will happily run an arbitrary function from an arbitrary user provided DLL. Rundll, svchost, dllhost, powershell, to name a few. – Seva Alekseyev Nov 10 '19 at 16:18
  • @SevaAlekseyev could you provide more information about this? Thank you. – Marcus Nov 10 '19 at 16:20
    What are you trying to accomplish in the first place? StackOverflow is for specific questions, not a "do my research for me" place. – Seva Alekseyev Nov 10 '19 at 16:22
  • After reading the article this was the only thing which I did not understand and would like some clarification on how this can be achieved. – Marcus Nov 10 '19 at 16:25
    Here's one example. Put together a .NET DLL, run the following command `powershell -Command "Add-Type -Path MyDLL.dll"`. That will load your DLL and execute its startup code. Task accomplished, a piece of your code was run without an executable. – Seva Alekseyev Nov 10 '19 at 16:29
  • This clarifies it a lot, thank you. – Marcus Nov 10 '19 at 16:36
    As for svchost, read up [here](https://en.wikipedia.org/wiki/Svchost.exe). Same idea - package your code in a DLL, have a Windows built-in facility load and run it. – Seva Alekseyev Nov 10 '19 at 16:59
  • @sev: `MyDLL.dll` *is* an executable. Unless it's a resource-only DLL. Regardless, though, PowerShell.exe is an executable. – IInspectable Nov 11 '19 at 10:23
  • The point of the OP's question, as far as I understand, was - how can the malware run its code without an .exe? I've answered that. – Seva Alekseyev Nov 11 '19 at 16:33
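What the comments describe, combined with the Task Scheduler and Service steps in the question, is a persistence pattern a defender can enumerate: a built-in host binary (rundll32, regsvr32, powershell, svchost, and so on) is what the task or service actually starts, and the DLL or script it loads is the real payload. The following PowerShell is an added example for this page, not the question's or the article's code. It walks scheduled-task actions and service command lines, keeps only those whose program is one of the host binaries, resolves the `ServiceDll` value for svchost-hosted services, and flags payloads that live in user-writable directories. The host-binary list and the path heuristic in `Test-UserWritablePath` are assumptions for illustration, not a complete detection rule.

```powershell
# Added example, not code from the question or the article it paraphrases.
# Enumerates scheduled tasks and services whose program is a built-in host
# binary, so that the payload is a DLL or script rather than an .exe of its
# own. $HostBinaries and Test-UserWritablePath are illustrative assumptions.

$HostBinaries = @('rundll32.exe', 'regsvr32.exe', 'powershell.exe', 'pwsh.exe',
                  'mshta.exe', 'wscript.exe', 'cscript.exe', 'dllhost.exe', 'svchost.exe')

function Split-CommandLine {
    # Returns @(program, arguments) and honours a quoted program path.
    # Unquoted paths that contain spaces are cut at the first space.
    param([string]$CommandLine)
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 0) { return @($c.Trim('"'), '') }
        return @($c.Substring(1, $end - 1), $c.Substring($end + 1).Trim())
    }
    $parts = $c -split '\s+', 2
    return @($parts[0], $(if ($parts.Count -gt 1) { $parts[1] } else { '' }))
}

function Test-UserWritablePath {
    # Assumption: a payload dropped by a user-level process usually lands in
    # one of these trees; writing to System32 or Program Files needs admin.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return [bool]($expanded -match '\\(Users|Temp|AppData|ProgramData|Public)\\')
}

function New-Finding {
    param($Source, $Name, $Program, $Payload, $Principal)
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Host      = [System.IO.Path]::GetFileName($Program).ToLowerInvariant()
        Payload   = $Payload
        Principal = $Principal
        Flag      = $(if (Test-UserWritablePath $Payload) { 'payload in user-writable path' } else { '' })
    }
}

function Get-HostedPersistence {
    param([string[]]$Hosts = $HostBinaries)

    # Scheduled tasks: every exec action carries an Execute (program) and an
    # Arguments field; COM-handler actions have no Execute and are skipped.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $program = $action.Execute.Trim('"')
            if ($Hosts -contains [System.IO.Path]::GetFileName($program).ToLowerInvariant()) {
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $program $action.Arguments $task.Principal.UserId
            }
        }
    }

    # Services: PathName is the full command line. A service hosted by
    # svchost.exe takes its code from the ServiceDll value under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $program, $argString = Split-CommandLine $svc.PathName
        $exe = [System.IO.Path]::GetFileName($program).ToLowerInvariant()
        if ($Hosts -notcontains $exe) { continue }
        $payload = $argString
        if ($exe -eq 'svchost.exe') {
            $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
            if ($params) { $payload = $params.ServiceDll }
        }
        New-Finding 'Service' $svc.Name $program $payload $svc.StartName
    }
}

Get-HostedPersistence | Sort-Object Flag -Descending | Format-Table -AutoSize
```

`Get-ScheduledTask` needs the ScheduledTasks module (Windows 8 / Server 2012 and later), and an unelevated session only sees the tasks and registry keys the current user can read, so run it elevated for a full picture. Expect many legitimate svchost rows with a `ServiceDll` under `System32`; the interesting ones are rows whose `Flag` is set or whose payload path is otherwise out of place, which is precisely the shape of the `powershell -Command "Add-Type -Path MyDLL.dll"` trick in the comments when it is wired to a startup task.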
