
The little known (I think) secret of hosts.ics

March 31, 2018 in Anti-Forensics, Compromise Detection

Today I discovered that, while everyone knows one can use the c:\WINDOWS\system32\drivers\etc\hosts file to introduce static entries to the DNS resolver, there is one more file that can be utilized for this purpose.

It is the hosts.ics file (c:\WINDOWS\system32\drivers\etc\hosts.ics), which was originally designed to support the Internet Connection Sharing service. It looks like it is being ingested by the DNS resolver the same way as the hosts file.

So… yet another place to look at.
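One way to review that place during triage, as an added example that is not part of the original post: a parser for hosts-format text that reports hosts.ics mappings worth a closer look. The function names, the sample content, and the heuristic (ICS entries are expected to map RFC 1918 addresses to names under `.mshome.net`) are assumptions of this example.

```python
import ipaddress

# Assumptions of this example (not from the post): ICS-written entries map
# LAN clients in RFC 1918 space to names under the .mshome.net suffix.
ICS_SUFFIX = ".mshome.net"
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample content, not taken from a real system.
SAMPLE = """\
# constructed hosts.ics sample
192.168.137.1 gateway-pc.mshome.net  # constructed entry
192.168.137.25 laptop.mshome.net
203.0.113.10 login.example.com
127.0.0.1 updates.example.com
not-an-ip something
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) for every mapping in hosts-format text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        yield line_no, ip, [n.lower() for n in fields[1:]]

def review_hosts_ics(text):
    """Return (line_no, name, ip, reasons) for mappings worth a closer look."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            reasons = []
            if not name.endswith(ICS_SUFFIX):
                reasons.append("name outside " + ICS_SUFFIX)
            if ip.is_loopback or ip.is_unspecified:
                reasons.append("name pinned to loopback/unspecified address")
            elif not (ip.version == 4 and any(ip in n for n in LAN_NETS)):
                reasons.append("address outside RFC 1918 space")
            if reasons:
                findings.append((line_no, name, str(ip), reasons))
    return findings

if __name__ == "__main__":
    for finding in review_hosts_ics(SAMPLE):
        print(finding)
```

To review a collected file, pass its decoded text to `review_hosts_ics`; on a host that never ran Internet Connection Sharing, the mere presence of the file is itself worth noting.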

After introducing the file on my system to a test Win 10 box I got the following results:

Beyond good ol’ Run key, Part 74

March 26, 2018 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Riddles, Incident Response

This is a very obscure persistence mechanism that affects VMware Tools versions that utilize the vm3dum DLL (‘VMware SVGA 3D Usermode’):

  • c:\Program Files\Common Files\VMware\Drivers\video_wddm\vm3dum.dll

When loaded (which happens e.g. when Internet Explorer is launched) the DLL checks the content of the following registry key:

  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\
    AdapterShimPath=<path>

and loads the library that the path points to.

There is also one more key:

  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\
    ShimPath=<path>

but the condition for loading this DLL is not entirely clear to me.