quasar / Quasar

Remote Administration Tool for Windows
MIT License

RAT won't auto-start when client restarts computer #686

Closed Wouter-Niemand closed 5 years ago

Wouter-Niemand commented 5 years ago

Hi,

I just installed my rat on a VM to test it. (Installed in the system; I did use Run as administrator to install the rat.) Everything worked fine before I restarted the VM. After that the rat won't start by itself even though I added it to the startup programs and the registry. I clicked the autostart in the builder...

Path: C:\Windows\SysWOW64\SubDIR\test.exe

Is this fixable?

MaxXor commented 5 years ago

What operating system does the client run on? Also can you check with the tool AutoRuns if the startup entry is shown?

DoNotAskMeWhy commented 5 years ago

I have the same problem. Tried it on Vista x32 and Win 7 x64 and same results. Weirdly enough I didn't have that problem last year.

MaxXor commented 5 years ago

Probably your AV.

DoNotAskMeWhy commented 5 years ago

Well, on a VM with the AV disabled it's hard to believe. I just don't get the fact that I didn't have that problem before (like one year ago).

MaxXor commented 5 years ago

Something must have changed on your side I think.

joeyprojects commented 5 years ago

Same issue recently actually.

cyclo-techtwister commented 5 years ago

I did reproduce it and found that if the client is running as admin it will not auto run at reboot. If only running as user then it will auto run at reboot. A Windows update may have caused this, but there is no easy way around it that I could find. Aside from using Task Scheduler with a client that has only user privileges, you can select in Task Scheduler to run with highest privileges. However I find that this method, along with a few others I tried, all need approval (the UAC prompt is activated), which as you know makes remote desktop useless to achieve this. Of course if you know your stuff and for legit use testing a network and people for weak links, one can use old-fashioned social engineering and a simple batch file packaged with the client. Tested using Windows 7 SP1, no AV but the built-in Windows Defender. Moving on...

cyclo-techtwister commented 5 years ago

Or one can try this. Information obtained from https://stackoverflow.com/questions/5427673/how-to-run-a-program-automatically-as-admin-on-windows-7-at-startup#

You can do this by installing the task while running as administrator via the TaskScheduler library. I'm making the assumption here that .NET/C# is a suitable platform/language given your related questions.

This library gives you granular access to the Task Scheduler API, so you can adjust settings that you cannot otherwise set via the command line by calling schtasks, such as the priority of the startup. Being a parental control application, you'll want it to have a startup priority of 0 (maximum), whereas schtasks will create a priority of 7 by default.

Below is a code example of installing a properly configured startup task to run the desired application as administrator indefinitely at logon. This code will install a task for the very process that it's running from.

```csharp
/*
 * Copyright © 2017 Jesse Nicholson
 * This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
 * If a copy of the MPL was not distributed with this file, You can obtain one at
 * http://mozilla.org/MPL/2.0/.
 */

// Requires the TaskScheduler library (Microsoft.Win32.TaskScheduler NuGet package).
// The members below belong inside the application's class.
using System;
using System.Diagnostics;
using System.Threading;

/// <summary>
/// Used for synchronization when creating run at startup task.
/// </summary>
private ReaderWriterLockSlim m_runAtStartupLock = new ReaderWriterLockSlim();

public void EnsureStarupTaskExists()
{
    try
    {
        m_runAtStartupLock.EnterWriteLock();

        using (var ts = new Microsoft.Win32.TaskScheduler.TaskService())
        {
            // Start off by deleting existing tasks always. Ensure we have a clean/current install of the task.
            ts.RootFolder.DeleteTask(Process.GetCurrentProcess().ProcessName, false);

            // Create a new task definition and assign properties
            using (var td = ts.NewTask())
            {
                // Run elevated: the "Run with highest privileges" option in the Task Scheduler UI
                td.Principal.RunLevel = Microsoft.Win32.TaskScheduler.TaskRunLevel.Highest;
                // This is not normally necessary. RealTime is the highest priority that there is.
                td.Settings.Priority = ProcessPriorityClass.RealTime;
                td.Settings.DisallowStartIfOnBatteries = false;
                td.Settings.StopIfGoingOnBatteries = false;
                td.Settings.WakeToRun = false;
                td.Settings.AllowDemandStart = false;
                td.Settings.IdleSettings.RestartOnIdle = false;
                td.Settings.IdleSettings.StopOnIdleEnd = false;
                td.Settings.RestartCount = 0;
                td.Settings.AllowHardTerminate = false;
                td.Settings.Hidden = true;
                td.Settings.Volatile = false;
                td.Settings.Enabled = true;
                td.Settings.Compatibility = Microsoft.Win32.TaskScheduler.TaskCompatibility.V2;
                // TimeSpan.Zero means no execution time limit (the task is never stopped for running too long)
                td.Settings.ExecutionTimeLimit = TimeSpan.Zero;

                td.RegistrationInfo.Description = "Runs the content filter at startup.";

                // Create a trigger that fires the task whenever a user logs on
                var logonTrigger = new Microsoft.Win32.TaskScheduler.LogonTrigger();
                logonTrigger.Enabled = true;
                logonTrigger.Repetition.StopAtDurationEnd = false;
                logonTrigger.ExecutionTimeLimit = TimeSpan.Zero;
                td.Triggers.Add(logonTrigger);

                // Create an action that relaunches the currently running executable whenever the trigger fires
                td.Actions.Add(new Microsoft.Win32.TaskScheduler.ExecAction(Process.GetCurrentProcess().MainModule.FileName, "/StartMinimized", null));

                // Register the task in the root folder under the current process name
                ts.RootFolder.RegisterTaskDefinition(Process.GetCurrentProcess().ProcessName, td);
            }
        }
    }
    finally
    {
        m_runAtStartupLock.ExitWriteLock();
    }
}
```
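The task above is registered with a logon trigger, RunLevel Highest, Hidden = true and no execution time limit. An added audit script (not part of Quasar or the quoted Stack Overflow answer) that lists tasks on a host combining those properties, so an administrator can review what is set to relaunch itself elevated at every logon; the scoring thresholds and the AppData path pattern are assumptions chosen for this example.

```powershell
# Added example: audit scheduled tasks for the combination of settings used by the
# snippet above (logon trigger + highest run level + hidden + no time limit).
# Run from an elevated PowerShell session on the host under review.
$findings = foreach ($task in Get-ScheduledTask) {
    $hasLogonTrigger = $false
    foreach ($trigger in $task.Triggers) {
        if ($trigger.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger') { $hasLogonTrigger = $true }
    }
    if (-not $hasLogonTrigger) { continue }

    $settings  = $task.Settings
    $baseScore = 0
    if ($task.Principal.RunLevel -eq 'Highest') { $baseScore++ }
    if ($settings.Hidden)                        { $baseScore++ }
    # 'PT0S' is the ISO 8601 duration Task Scheduler reports for TimeSpan.Zero (no limit)
    if ($settings.ExecutionTimeLimit -eq 'PT0S') { $baseScore++ }

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe   = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $score = $baseScore
        # Assumed heuristic: executables launched from user-writable profile
        # directories deserve a closer look than those under Program Files or System32.
        if ($exe -match '\\AppData\\(Roaming|Local)\\') { $score++ }
        # Assumed threshold: report tasks that match at least two of the indicators
        if ($score -ge 2) {
            [pscustomobject]@{
                Task      = Join-Path $task.TaskPath $task.TaskName
                RunLevel  = $task.Principal.RunLevel
                Hidden    = [bool]$settings.Hidden
                NoLimit   = ($settings.ExecutionTimeLimit -eq 'PT0S')
                Execute   = $exe
                Arguments = $action.Arguments
                Score     = $score
            }
        }
    }
}

$findings | Sort-Object Score -Descending | Format-Table -AutoSize
```

Legitimate software (updaters, endpoint agents) also registers elevated logon tasks, so the output is a review list rather than a verdict; compare the Execute path against the installed software inventory before acting on it.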

MaxXor commented 5 years ago

@cyclo-techtwister Quasar is using the Task Scheduler already. Can you check if the task got correctly added? It will be shown when opening the Task Scheduler.

cyclo-techtwister commented 5 years ago

@MaxXor Yes, the task was added and visible in Task Scheduler. (Windows 7 SP1) Note: of course the client must be run using "Run as Admin" to get added to Task Scheduler. Some trace left behind after uninstall (SubDir)..

MaxXor commented 5 years ago

So why doesn't it start then when the task was successfully added? Is the path wrong?

cyclo-techtwister commented 5 years ago

@MaxXor It is working as it should on a VM (Windows 7 SP1). Will test soon on a normal OS.

cyclo-techtwister commented 5 years ago

@MaxXor I installed/ran the client on a fully up to date Windows 7 SP1 Home Premium OS running on a normal system and it installed into (subdir) and Task Scheduler just fine. After a complete shutdown and hard boot it started and connected to the server very well. Oh, the install path I chose was C:\Users\NormalUser\AppData\Roaming\ I will test other locations next..

MaxXor commented 5 years ago

So how did you reproduce it when it's working? You said earlier that you reproduced that the client is not starting up on reboot when running as admin.

cyclo-techtwister commented 5 years ago

@MaxXor That was before you made these changes and it used only the registry keys, which would not start the client with admin rights after a reboot. Now that it is using the Task Scheduler it is running very well. Thank you for these improvements.. (I may have been using previous code not realizing you made these changes.)

MaxXor commented 5 years ago

@cyclo-techtwister lol, the changes were already included in v1.3.0.0 from 2 years ago. :D

cyclo-techtwister commented 5 years ago

@MaxXor Lol, yea I'm bad, sorry. I mostly use my companion to Quasar I coded that will install into Task Scheduler and watch for certain programs such as Process Hacker, Task Manager, procmon, etc. If it sees any of those running it will kill the client so it won't be seen and restart it once those certain apps are closed. Kind of like a software user mode rootkit. It's flawed of course as it can be seen itself, so it's disguised as a legit process that of course produces no network traffic..