Beyond good ol’ Run key, Part 83

August 4, 2018 in Autostart (Persistence)

If you ever downloaded a file using IE, Firefox, Chrome, Thunderbird you might have seen messages from these programs telling you that the files being downloaded are being scanned by the antivirus program. The way the scanning works on Windows is quie simple: the programs use IOfficeAntiVirus and IAttachmentExecute interfaces. These in turn rely on a Registry entries for COM objects that implement the ‘antivirus’ category and advertise it by adding ‘tags’ under their respective CLSID entries.

The ‘tag’ for IOfficeAntiVirus is a GUID 56FFCC30-D398-11D0-B2AE-00A0C908FA49). For example, ‘Windows Defender IOfficeAntiVirus implementation’ has the following Registry entry:

  • HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}
    • (Default) = Windows Defender IOfficeAntiVirus implementation
    • Implemented Categories
      • {56FFCC30-D398-11D0-B2AE-00A0C908FA49}

When IOfficeAntiVirus::Scan method is called by the programs (or internally via IAttachmentExecute) the system enumerates the Registry, collects info about all components implementing IOfficeAntiVirus, and stores them inside the following location:

  • HKCU\Software\Microsoft\Windows\
    CurrentVersion\Explorer\Discardable\
    PostSetup\Component Categories\
    {56FFCC30-D398-11D0-B2AE-00A0C908FA49}\
    Enum

and its 64-bit version equivalent:

  • HKCU\Software\Microsoft\Windows\
    CurrentVersion\Explorer\Discardable\
    PostSetup\Component Categories64\
    {56FFCC30-D398-11D0-B2AE-00A0C908FA49}\
    Enum

It then instantiates them, and calls the Scan method one by one. The Registry enumeration is quite slow so the caching mechanism (obviously) speeds things up (as a result, any new component added should always delete this cache to ensure it is properly loaded next time the Scan method is called).

The topic is very old, and there are tones of descriptions, discussions, and actual sample code snippets available online, but it’s always worth documenting possible persistence mechanisms.

References:

  • A source code showing on how to implement IOfficeAntiVirus component can be found here.
  • A good discussion about both interfaces (IOfficeAntiVirus and IAttachmentExecute) with regards to Firefox can be found here.
  • A source code of Firefox using these interfaces can be found here.
  • A good discussion about the interfaces, their internals and their impact on Chrome development can be found here.

And in case it’s not obvious yet, a custom component implementing IOfficeAntiVirus interface could act as a very persistent ‘antivirus’ 🙂

Share this :)

Comments are closed.