Beyond good ol’ Run key, Part 11

April 27, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts would suffice, but to my surprise it’s already #11. For your convenience, these are links to the older posts:

You may also want to have a look at ‘A Collection of Autostart Locations’ – a very large and comprehensive list of autostart entries collected by Tony Klein.

Back to the #11.

In part #10 (Office Test) I mentioned that Microsoft products seem to be heavily integrated with various testing platforms. I also referenced various aspects of performance analysis, profiling, monitoring and debugging in parts #4 (various debuggers), #6 (VBA Monitors) and #7 (OAClient). There is one more trick that we can add to the list – legitimate, developer-friendly profiling mechanisms that can be enabled on non-developer systems and… act as a persistence mechanism.

The profiling mechanisms described below require a persistent environment variable to be set. This can be achieved by setting the respective values under one of the two Environment keys, per-user (HKCU) or system-wide (HKLM):

  • HKEY_CURRENT_USER\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

The values that need to be placed under the Environment keys depend on the profiling mechanism – these are listed below:



Example for JS_PROFILER:

Adding the following Registry entries:



will ensure that c:\test\test.dll (stored as a REG_EXPAND_SZ default value, i.e. ‘@=hex(2):…’ in the .reg export) is loaded any time Internet Explorer is executed or its control is instantiated (JS_PROFILER is used internally by the JSCRIPT*.DLLs – they handle scripting and are used by Internet Explorer).
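A defender-side check for this mechanism, added here as an example and not taken from the original post: it walks both persistent Environment keys, reports profiler-related variables, and resolves a CLSID-shaped value to its InprocServer32 DLL. The CLSID resolution step, the `PROFIL` name pattern and the function name `Resolve-ProfilerTarget` are assumptions; the post itself only names JS_PROFILER and shows that the DLL path is stored as a REG_EXPAND_SZ default value.

```powershell
# Added example, not code from the original post. Lists profiler-related
# variables in the two persistent Environment keys and, where a value looks
# like a CLSID, follows HKCR\CLSID\{...}\InprocServer32 to the registered DLL
# (assumption: that is how an in-process COM profiler DLL is located).
$keys = @(
    'HKCU:\Environment',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
)
# Read REG_EXPAND_SZ data unexpanded so the stored string is visible as-is.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Resolve-ProfilerTarget([string]$data) {
    # A bare {GUID} names a COM class; look up its in-process server DLL.
    if ($data -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $srv = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$data\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { $data = [string]$srv.GetValue('', '', $noExpand) }   # '' is the (Default) value
    }
    return [Environment]::ExpandEnvironmentVariables($data)
}

foreach ($path in $keys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        # JS_PROFILER is the variable the post discusses; matching on PROFIL
        # more broadly is an assumption to catch similarly named variables.
        if ($name -notmatch 'PROFIL') { continue }
        $raw    = [string]$key.GetValue($name, '', $noExpand)
        $target = Resolve-ProfilerTarget $raw
        [PSCustomObject]@{
            Key       = $path
            Name      = $name
            Kind      = $key.GetValueKind($name)
            RawData   = $raw
            TargetDll = $target
            OnDisk    = [bool](Test-Path -LiteralPath $target -PathType Leaf)
        }
    }
}
```

Any hit on a non-developer workstation deserves a look at who wrote the value and what the resolved DLL is; an entry whose target no longer exists on disk is still worth recording, since the variable itself is the persistence artefact.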
