Re: Hiding Deschal5.exe

Kees Cook (c-cook@uiuc.edu)
Thu, 1 May 1997 11:29:53 -0500 (CDT)


On Thu, 1 May 1997, Richard Prairie wrote:

> Has anyone come up with a script which will start Deschal5 when the machine
> is turned on, and hides it from the typical user? I would expect that the
> Task Manager would show its presence, but that the desktop window would
> not. We could get a lot more idle cycles devoted to searching for keys if
> Deschal5 were not obvious.

In the NT resource kit, you want to grab the stuff associated with
"AUTOEXNT". Here is a slightly edited version of what Corey Betka put
together for our NT machines at UIUC:

---------- Forwarded message ----------
Okay, the way I hide the process is to start it as an autoexnt.bat file.
The resource kit comes with a util that installs a service that runs the
%SYSTEMROOT%\autoexnt.bat file just like an autoexec.bat file does for a
DOS machine (or like rc.local does on RedHat for the more linux
friendlies). I've got a batch file written to install it, and I'm sure we
could work out an open share or something similar to install it from.

Here's the installation batch file:

REM INSTALL.BAT Begin
copy \\Machine\deschall\install\*.* %SYSTEMROOT%\system32
mkdir c:\deschall
copy \\Machine\deschall\*.exe c:\deschall
\\Machine\deschall\instexnt install
net start autoexnt
REM End

This requires that the following files be in this dir structure:

\\Machine\deschall\install\
    autoexnt.bat
    autoexnt.exe
    servmess.dll
\\Machine\deschall
    deschal4.exe
    deschal5.exe
    deschal6.exe
    instexnt.exe

The autoexnt.bat file contains the following:

REM AUTOEXNT.BAT Begin
c:\deschall\deschal%PROCESSOR_LEVEL% keymaster.verser.frii.com > c:\deschall\log.txt
REM End

This would require admin access on the machines, you need it to install a
service. In the above structure, you'd have to replace "Machine" with your
NT server, and I'd recommend using the hidden shares. I can place the
needed files in an anonymous FTP server if you find that the above scheme
will work. The upshot of this scheme is that any time the machine gets
rebooted or restarted, deschal starts right back up....

If you don't have admin access, I think you may be SOL as for an automatic
way to start it....

---end message

--
Cornelius "Kees" Cook    c-cook@uiuc.edu    http://www.uiuc.edu/ph/www/c-cook
     All programmers are playwrights and all computers are lousy actors.
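
An added audit example, not part of the original message or the forwarded
script: a read-only PowerShell check an administrator can run to see whether
the autoexnt service described above is installed and what its batch file
launches at boot. It assumes PowerShell 4.0 or later; the service name and the
two batch-file locations are the ones that appear in the message.

```powershell
# Added audit example (not from the original message). Read-only.
$serviceName = 'autoexnt'   # service started by "net start autoexnt" in the message

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Output "Service '$serviceName' is not installed."
    return
}
# StartName is the account the service, and anything it launches, runs as.
$svc | Select-Object Name, State, StartMode, StartName, PathName |
    Format-List | Out-String | Write-Output

# The message names %SYSTEMROOT%\autoexnt.bat but its installer copies the file
# into %SYSTEMROOT%\system32, so check both locations.
$candidates = @(
    (Join-Path $env:SystemRoot 'autoexnt.bat'),
    (Join-Path $env:SystemRoot 'system32\autoexnt.bat')
)
$extensions = @('') + ($env:PATHEXT -split ';')

foreach ($bat in $candidates) {
    if (-not (Test-Path -LiteralPath $bat -PathType Leaf)) { continue }
    $written = (Get-Item -LiteralPath $bat).LastWriteTime
    Write-Output "Batch file: $bat (last written $written)"

    foreach ($line in Get-Content -LiteralPath $bat) {
        $cmd = $line.Trim().TrimStart('@')
        # Skip blank lines and REM / :: comments.
        if ($cmd -eq '' -or $cmd -match '^(rem(\s|$)|::)') { continue }

        # Expand %VAR% references such as %PROCESSOR_LEVEL%.
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        # First token is the program; assumes a path without spaces, as in the message.
        $program = ($expanded -split '\s+', 2)[0].Trim('"')
        $found = $extensions | ForEach-Object { "$program$_" } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1

        $hash = if ($found) { (Get-FileHash -LiteralPath $found -Algorithm SHA256).Hash } else { 'n/a' }
        Write-Output "  Command : $expanded"
        Write-Output "  Program : $(if ($found) { $found } else { 'not found: ' + $program })"
        Write-Output "  SHA256  : $hash"
        Write-Output "  Output redirected: $($expanded -match '>')"
    }
}
```

The reported hash can be compared against the known-good copy of the binary on
the install share to confirm the boot-time program has not been swapped.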