Beyond good ol’ Run key, Part 11

April 27, 2014 in Anti-Forensics, Autostart (Persistence), Forensic Analysis, Malware Analysis

I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts will suffice, but to my surprise it’s already #11. For your convenience, these are links to the older posts::

You may also want to have a look at ‘A Collection of Autostart Locations’ – a very large and comprehensive list of autostart entries collected by Tony Klein

Back to the #11.

In the part #10 (Office Test) I mentioned that Microsoft products seem to be heavily integrated with various testing platforms. I also referenced various aspects of performance analysis, profiling, monitoring and debugging in parts #4 (various debuggers), #6 (VBA Monitors), #7 (OAClient). There is one more trick that we can add to the list – legitimate, developer-friendly profiling mechanisms that can be enabled on non-developer systems and… act as a persistence mechanism.

The profiling mechanisms described further require a persistent environment variable to be set. This can be achieved by setting the respective values under HKCU or HKLM:

  • HKEY_CURRENT_USER\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

The values that need to be placed under the Environment keys depend on the profiling mechanism – these are listed below:

 

 

Example for JS_PROFILER:

Adding the following Registry entries:

[HKEY_CLASSES_ROOT\CLSID\{12345678-1234-1234-1234-123456789abc}\InprocServer32]
@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\
  73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00

[HKEY_CURRENT_USER\Environment]
"JS_PROFILER"="{12345678-1234-1234-1234-123456789abc}"

will ensure that c:\test\test.dll (added as a REG_EXPAND_SZ value using ‘@=hex(2):…’) is loaded anytime Internet Explorer is executed or its control instantiated (JS_PROFILER is used internally by JSCRIPT*.DLLs – they handle scripting and they are used by Internet Explorer).

 

 

 

Comments are closed.