Beyond good ol’ Run key, Part 48
October 21, 2016 in Anti-Forensics, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis
I have just updated my very old post about HKLM\SOFTWARE\Microsoft\VBA\Monitors. I discovered its additional ‘properties’ while looking at the VBE (Visual Basic Engine). On the way, I have also discovered that Visual Basic for Application’s old-school IDE allows programmers to create Add-ins. A quick googling followed and I immediately found a number of Add-ins for VBE – I was actually quite surprised that there are so many!
Seriously, there is a huge interest in it! With all the C, Java, python programmers out there… it would seem that VBA is strong and here to stay…
So, anyway… I didn’t spend much time on it as many programmers already provide good examples of VBE Add-ins, so I will just document where to find the possible persistence entries.
VBE discovers Add-ins by enumerating the subkeys of the following key:
- HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\<AddInName>\…
Each Add-in has a dedicated subkey where it lists the properties:
- Description – Full description
- FriendlyName – Short name
- LoadBehavior – A DWORD that indicates whether the Add-in is loaded at startup (1) or is currently unloaded (0)
- SatelliteDllName + SatelliteDllPath – references to localized information about the plug-in
So, anyone wanting to load the VBE Add-in needs to set up the Registry key with the aforementioned values, and then create the appropriate entries under HKCR:
- HKCR\<AddInName>\Clsid = <GUID>
- HKCR\CLSID\{<GUID>}\InprocServer32 = …
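As an added example (not code from the original post), here is a small PowerShell triage script that walks the Addins key described above and follows each entry through HKCR to the DLL that VBE would actually load. The registry paths are the ones listed in the post; the function name and the output fields are my own, and it assumes it is run on the host being examined.

```powershell
# Added example: enumerate VBE Add-in registrations and resolve them to a DLL.
# Layout (from the post): HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\<AddInName>
#   -> HKCR\<AddInName>\Clsid = <GUID> -> HKCR\CLSID\{<GUID>}\InprocServer32 = <DLL>
$addinRoot = 'HKCU:\Software\Microsoft\VBA\VBE\6.0\Addins'

# PowerShell has no HKCR: drive by default; map one so HKCR paths can be queried.
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-VbeAddin {
    if (-not (Test-Path $addinRoot)) { return }   # no Add-ins registered for this user
    foreach ($key in Get-ChildItem -Path $addinRoot) {
        $name  = $key.PSChildName                  # <AddInName>, doubles as the ProgID
        $props = Get-ItemProperty -Path $key.PSPath
        $clsid = $null; $dll = $null; $sig = $null

        # ProgID -> CLSID, then CLSID -> InprocServer32 (the DLL that gets loaded)
        $clsidKey = "HKCR:\$name\Clsid"
        if (Test-Path $clsidKey) {
            $clsid  = (Get-ItemProperty -Path $clsidKey).'(default)'
            $srvKey = "HKCR:\CLSID\$clsid\InprocServer32"
            if ($clsid -and (Test-Path $srvKey)) {
                $dll = (Get-ItemProperty -Path $srvKey).'(default)'
                # Paths may be quoted or use %VARS%; normalise before checking on disk.
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path -LiteralPath $dll) {
                    $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
                }
            }
        }

        [pscustomobject]@{
            AddIn        = $name
            FriendlyName = $props.FriendlyName
            Description  = $props.Description
            LoadBehavior = $props.LoadBehavior     # 1 = loaded at startup, 0 = unloaded
            Clsid        = $clsid
            Dll          = $dll
            DllExists    = [bool]($dll -and (Test-Path -LiteralPath $dll))
            Signature    = $sig                    # $null when the DLL is missing
        }
    }
}

# Entries that auto-load but point at an unsigned or missing DLL deserve a closer look.
Get-VbeAddin | Sort-Object LoadBehavior -Descending | Format-Table -AutoSize
```

An Add-in whose ProgID resolves to a CLSID without a matching InprocServer32 key (or to a DLL that no longer exists) shows up with an empty Dll column, which is itself worth noting during triage.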