Beyond good ol’ Run key, Part 59

January 29, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

In my last post I talked about Bluetooth. I have a mixed luck testing anything related to this technology…

You see, there is that one more potential persistence mechanism associated with Bluetooth which I was unable to test successfully. Despite my efforts it didn’t work, but this is probably because I don’t have a proper set up. Perhaps people owning a laptop with the Windows 8 on it (and not Windows 8.1 or newer) could give it a go… It is another documented feature of Windows, so it should work.

So… there is a thing called ‘Bluetooth Software Radio Switch Function Prototypes’ described on the Microsoft page here.

Adding the entry

  • HKLM\SYSTEM\CurrentControlSet\Services\
    
    BTHPORT\Parameters\Radio Support\
    
    SupportDLL = Path to DLL

should allow vendors to register a DLL that will handle requests to Bluetooth radio to switch it on or off.

The Microsoft page provides a link to another page that is describing the sample source code demonstrating to programmers how to build your own supporting DLL. The funny thing is that the demo code uses a different key (BthServ instead of BTHPORT service) than the previous page, and a Unicode path instead of an ANSI path provided in the documentation. Searching for strings within c:\windows directory I could find references to BTHPORT\Parameters\Radio Support and not BthServ\Parameters\Radio Support so the documentation is probably okay, and the demo is not.

Well, in any case. It should work.

Share this :)

Comments are closed.