Beyond good ol’ Run key, Part 110

July 13, 2019 in Anti-Forensics, Autostart (Persistence)

This is a rather short post, and it refers to the qt.conf file. If you can find such a file on a system, it can often be modified to affect the settings of the Qt framework used by some application installed on that system. You may find many occurrences of this file in the environment. Not all programs respect these settings, though.

The change could be redirecting the Qt framework to load plugins from a different directory than expected, etc. See the first link that explains the settings stored inside the file.

There are tons of applications leveraging Qt, and more and more of them are Enterprise solutions, so it’s a kinda unexpected but still decent persistence mechanism and, due to the unpredictability of the qt.conf file location, kinda stealthy.

How to do ‘the bad’ stuff?

This simple config will load plugins from the c:\test path:

[Paths]
Plugins=c:\test

Obviously, real plugins need to be loaded as well so it’s a bit like a path companion type of persistence that needs some housekeeping to make it work.
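For triage, a check like the following can be run over every qt.conf collected from a host: it reports [Paths] entries that resolve outside the directory the file was found in. This is an added example, not code from the original post; the function names, the ExampleApp directory and the sample inputs are assumptions, and it only looks at the Prefix and Plugins keys, following Qt's documented rule that relative entries are resolved against Prefix.

```python
import configparser
from pathlib import PureWindowsPath

def is_inside(path, root):
    """True if path equals root or lies beneath it (case-insensitive, Windows rules)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r

def audit_qt_conf(text, app_dir):
    """Return (key, resolved_path) for [Paths] entries that leave app_dir."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("Paths"):
        return []
    app = PureWindowsPath(app_dir)
    # A relative Prefix is resolved against the application directory,
    # and the other entries are resolved against Prefix.
    prefix = PureWindowsPath(cp.get("Paths", "Prefix", fallback="."))
    base = prefix if prefix.is_absolute() else app / prefix
    targets = {}
    if cp.has_option("Paths", "Prefix"):
        targets["prefix"] = base
    if cp.has_option("Paths", "Plugins"):
        value = PureWindowsPath(cp.get("Paths", "Plugins"))
        targets["plugins"] = value if value.is_absolute() else base / value
    # ".." is reported as well because PureWindowsPath does not collapse it.
    return [(k, str(p)) for k, p in targets.items()
            if ".." in p.parts or not is_inside(p, app)]

# Constructed sample inputs: the config from the post and a benign one.
APP_DIR = r"C:\Program Files\ExampleApp"   # hypothetical install directory
REDIRECTED = "[Paths]\nPlugins=c:\\test\n"
BENIGN = "[Paths]\nPlugins=plugins\n"

if __name__ == "__main__":
    for name, conf in (("redirected", REDIRECTED), ("benign", BENIGN)):
        print(name, audit_qt_conf(conf, APP_DIR))
```

A hit is a lead, not a verdict: compare the file against the vendor's shipped copy and check what actually sits in the reported directory.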
