Beyond good ol’ Run key, Part 9

March 2, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

Using Jumplists as an autostart mechanism is possible, but requires users to actually use this feature for this persistence trick to be successful. There is obviously a better way of persuading users to execute stuff and that is by manipulating the pinned applications themselves.

Microsoft doesn’t document the interface used by the Pinned Apps, but others do. Windows folks do it on purpose – pretty much any exposed element of GUI has been abused in the past in many ways so protecting the taskbar and pinned apps is definitely in the user’s best interest. Still, there are already documented ways to modify the Pinned Apps list – one can use a script published by Microsoft itself on the MSDN blog back in 2009; there also seems to be a way of modifying the list of pinned apps during the DASH process by modifying the entries under the following key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn

To test the idea, I wrote a small test app that ‘talks’ to Pinned Apps directly and swaps the pinned app’s target executable path to one that is potentially malicious. The program enumerates the pinned apps, checks if the link points to internet explorer and then replaces the pinned app with one that points to c:\test\malware.exe. The ‘malware.exe’ is actually a copy of ‘iexplore.exe’ (I was too lazy to create my own test app with the icon identical to Internet Explorer’s).

The path change can be confirmed by checking the properties of the first pinned application on the Taskbar:


The list of links for all pinned apps before and after the modification are shown below (pinenum.exe is a small tool that enumerates all pinned apps):


 For obvious reasons, I won’t release the code publicly.

If you want the pinenum.exe tool go to this post.

Share this :)

Comments are closed.