Backdooring windows ISO

Ciph3r
3 min read · Sep 28, 2021

I have a passion for backdooring things. After backdooring Linux ISO files, this time I tried to backdoor a Windows ISO. Adding a backdoor to a Linux ISO is fairly easy because the OS is open source, but with Windows it is harder. The backdoor I added to the Windows OS is an application-level backdoor. I will make a system-level backdoor later.

First Try

To backdoor Windows with an application-level backdoor I had to know where Windows stores applications such as notepad. It turns out that if you mount the ISO there is a folder called sources, which was fairly obvious. Inside it there is a WIM file called install.wim. I extracted that file and mounted it using DISM. The mounted image looks something like this. The mount command is

DISM /Mount-Wim /WimFile:E:\Mount\install1.wim /Index:1 /MountDir:E:\Mount\Bootwin

Nice. Now let's make a malicious exe that will replace explorer.exe. The plan was to replace explorer.exe with my malicious exe: my exe has the same name as explorer.exe and the original file is renamed to something else. The malicious file calls the original explorer.exe and then does its malicious work. Then commit the changes. The command to commit is

DISM /Unmount-Wim /MountDir:E:\Mount\Bootwin /Commit

Now the WIM file is modified. Open the ISO in PowerISO, delete the original install.wim, drag and drop the modified install.wim in its place, and save the ISO file.

Use a VM to install that OS. It did not work. The reason is that Windows uses explorer.exe during the installation process, and since I had replaced explorer.exe with my malware the installation failed. I did the same thing with notepad.exe. The OS did get installed, but my malicious binary did not run. I did not dig deeper to find the reason.

Second try

I tried modifying shortcut (lnk) files. I changed the properties of a few of the lnk files that were available. There were several lnk files to modify under E:\Mount\Bootwin\ProgramData\Microsoft\Windows\Start Menu\Programs, where E:\Mount\Bootwin is the mount location. I basically made a program that gets called when you click one of the default lnk files. I modified the lnk file for notepad. It runs the malware, which in turn runs powershell.exe for PoC purposes.

Yes, I know I messed up somewhere and the notepad icon is missing. I have to fix that.
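The shortcut swap described in this second attempt leaves a concrete artifact in the image: a Start Menu .lnk whose target, arguments or icon no longer match the stock shortcut. The following is an added defensive example, not code from the original post. It parses the binary Shell Link format (MS-SHLLINK: header, optional LinkInfo with LocalBasePath, then the StringData fields) and audits a shortcut against an expected target. The expected path for Notepad.lnk and both sample shortcuts are constructed for the example; the tampered one points at a placeholder path.

```python
"""Parse Windows .lnk (MS-SHLLINK) files and flag Start Menu shortcuts whose
target or arguments deviate from what the stock image ships.
Added example; the shortcuts built below are constructed, not taken from a real image."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FLAGS = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)  # StringData order

# Assumption: the stock shortcut for Notepad resolves to this path.
EXPECTED_TARGETS = {"Notepad.lnk": r"C:\Windows\System32\notepad.exe"}


def build_lnk(target, arguments=None):
    """Build a minimal .lnk: ShellLinkHeader + LinkInfo(VolumeID, LocalBasePath) [+ Arguments]."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)        # times/size zeroed, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = target.encode("ascii") + b"\x00"
    suffix = b"\x00"
    info_hdr = 0x1C                                   # no unicode offset fields
    vol_off = info_hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    info_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", info_size, info_hdr, 0x1,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    strings = b""
    if arguments is not None:
        strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + strings


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")   # ANSI code page assumed


def _cstr_utf16(data, off):
    end = off
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le")


def parse_lnk(data):
    """Return the LocalBasePath target and the Arguments string of a .lnk."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                            # skip LinkTargetIDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    target = None
    if flags & HAS_LINK_INFO:
        info_size, info_hdr, info_flags, _vol, base_off, _cnrl, _suffix = \
            struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & 0x1:                           # VolumeIDAndLocalBasePath
            if info_hdr >= 0x24:                       # LocalBasePathOffsetUnicode present
                (base_off_u,) = struct.unpack_from("<I", data, pos + 0x1C)
                target = _cstr_utf16(data, pos + base_off_u)
            else:
                target = _cstr(data, pos + base_off)
        pos += info_size
    strings = {}
    for flag in STRING_FLAGS:                          # fixed order per the spec
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                strings[flag] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[flag] = data[pos:pos + count].decode("latin-1")
                pos += count
    return {"target": target, "arguments": strings.get(HAS_ARGS, "")}


def audit_shortcut(name, data):
    """Return a list of findings; an empty list means the shortcut matches expectations."""
    info = parse_lnk(data)
    findings = []
    expected = EXPECTED_TARGETS.get(name)
    target = (info["target"] or "").lower()
    if expected and target != expected.lower():
        findings.append(f"target mismatch: {info['target']!r} != {expected!r}")
    if info["arguments"]:
        findings.append(f"unexpected arguments: {info['arguments']!r}")
    if target and not target.startswith(r"c:\windows"):
        findings.append("target outside %windir%")
    return findings


# Constructed samples: a clean shortcut and one re-pointed at a placeholder binary.
CLEAN_LNK = build_lnk(r"C:\Windows\System32\notepad.exe")
TAMPERED_LNK = build_lnk(r"C:\ProgramData\PLACEHOLDER\launcher.exe", arguments="--silent")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LNK), ("tampered", TAMPERED_LNK)):
        print(label, audit_shortcut("Notepad.lnk", blob) or "OK")
```

Run over every .lnk under the mounted image's Start Menu directory (the path quoted above), with the expected-target table filled from a pristine copy of the same ISO, and any shortcut that resolves outside %windir% or carries arguments it should not have is a candidate for exactly this kind of tampering. Comparing the install.wim hash against a known-good image catches it earlier still.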

So here it is: a backdoored version of Windows. An attacker can now upload this file to various platforms, spread it, and end up with a botnet full of computers. Maybe I will dive deeper and go from application level to system level.
