Beyond good ol’ Run key, Part 31

May 29, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

The last piece in the series talked about Synaptics software – a program to manage the touchpad on some of the popular laptops (e.g. from Toshiba).

Turns out Synaptics is not the only company providing a software managing the touchpad extensions and this short post introduces yet another one – from Alps company. The relationship between these two aforementioned companies seems to be actually quite close; I have not investigated it very thoroughly, but if you google these two, you will find a lot of overlaps; I personally don’t care too much – at the end of the day they both use different Registry entries, and this is all that matters ;).

So, anyways, Alps touchpads can be found on many popular laptops e.g. from Dell and Toshiba. Here, I will talk about the Dell version.

Looking at available options we can easily find the familiar ‘Run’ command that can be associated with buttons’ activities:

DellA simple test (Run Notepad when we click Left button on the touchpad) allows us to quickly discover the location in the Registry where the settings are stored:

AlpsThe key is located under HKCU:

  • HKEY_CURRENT_USER\Software\Alps

and the specific settings for buttons are located at:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\Button

where:

  • AppReg1 = <path to executable>
  • ButtonFunction1 = 0x1b to run the program (while default=0x5 means simply ‘Click’)

(this is for the Left button specifically – other buttons use consecutive numbers i.e. AppReg2, AppReg3; ButtonFunction2, ButtonFunction3)

Again, it’s more  a curiosity than a real threat, but still good to have it documented, even if that briefly 🙂

If you know any other software like this, and can send me screenshots/reg entries I will be forever grateful 🙂 Thanks in advance.

Share this :)

Comments are closed.