
Beyond good ol’ Run key, Part 68

December 8, 2017 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Modification of Software\Classes\CLSID branches is a well-known trick that malware has used for ages. It is important to recognize, though, that there are many variants of the trick: the keys are consumed by different applications and libraries, and for very different purposes, so there is no end to the possibilities they offer to malware authors.

Here’s a probably less-known CLSID branch that could be used to execute malware anytime you press WIN+E to open a new Windows Explorer window.

Example for calculator (tested on win10):

[HKCU\Software\Classes\CLSID\{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\shell\opennewwindow\command]
"DelegateExecute"=""
@="c:\\windows\\system32\\calc.exe"

Update

There is a side-effect to this setting: launching explorer.exe, whether via WIN+E, by clicking explorer.exe inside Windows Explorer, or by running it via WIN+R, will always end up with calc.exe being executed. The malware would need to handle these situations with an appropriate action.

Beyond good ol’ Run key, Part 67

October 21, 2017 in Anti-*, Autostart (Persistence), Compromise Detection, Forensic Analysis

New versions of Windows ship with an on-screen keyboard that, amongst other features, allows us to enter text in handwritten form.

The task of handwritten text analysis and input training is ‘outsourced’ to dedicated libraries that are loaded from the following locations in the Registry:

  • HKLM\SOFTWARE\Microsoft\TPG\System Recognizers
  • HKLM\SOFTWARE\Microsoft\TPG\Recognizers

Adding an entry that replaces the entry for e.g. English leads to the library being loaded any time the TabTip.exe process (the one that presents the ‘tablet’ to handwrite on) is executed.

For what it’s worth, my test DLL broke the handwriting input as it doesn’t do any proxy work.

Probably not the most used feature on your desktop computer, but it could work on many tablet-ish computers in Asia, where ideograms and other complex characters are commonly used (and users rely on handwriting input a lot!).
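For triage of both locations described in Part 68 and Part 67, here is an added example (not code from the posts) that parses a Registry export produced by reg.exe and flags the two patterns: a per-user shell\opennewwindow\command key under Software\Classes\CLSID, and any string value under TPG\Recognizers or TPG\System Recognizers that names a DLL outside the usual system directories. The CLSID and the calc.exe command line in the embedded sample are the ones from Part 68; the recognizer GUID and the value name RecognizerDllPath are placeholders, since the post does not show the value name, and the list of trusted DLL roots is an assumption to be tuned to the machine's baseline.

```python
"""Offline triage of a .reg export for the two persistence locations above.
Added example; not part of the original posts.  Feed it the output of e.g.
  reg export HKCU\Software\Classes\CLSID clsid.reg
  reg export "HKLM\SOFTWARE\Microsoft\TPG" tpg.reg
(reg.exe writes UTF-16; read with open(path, encoding="utf-16")).
"""
import re
from dataclasses import dataclass

# Constructed sample export.  CLSID and calc.exe command are from Part 68;
# the recognizer GUID and the value name are placeholders, not real values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\shell\opennewwindow\command]
"DelegateExecute"=""
@="c:\\windows\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TPG\Recognizers\{00000000-placeholder-0000}]
"RecognizerDllPath"="C:\\Users\\Public\\handwriting.dll"
"""

HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}

# Assumption: where recognizer DLLs are expected to live; adjust per baseline.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Part 68: per-user override of Explorer's "open new window" verb.
NEW_WINDOW_RE = re.compile(
    r"^(hkcu|hku\\[^\\]+)\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}"
    r"\\shell\\opennewwindow\\command$", re.I)

# Part 67: handwriting recognizer libraries loaded by TabTip.exe.
RECOGNIZER_RE = re.compile(r"^hklm\\software\\microsoft\\tpg\\(system )?recognizers\\", re.I)


@dataclass
class Finding:
    key: str
    value_name: str
    data: str
    reason: str


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}.  REG_SZ strings are
    decoded; other types (hex:, dword:) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, sep, rest = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        vname = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][vname] = data
    return keys


def find_explorer_command_overrides(keys):
    """Flag any per-user opennewwindow\\command key; this is what makes WIN+E
    (and every other explorer.exe launch) run the command line instead."""
    findings = []
    for key, values in keys.items():
        if not NEW_WINDOW_RE.match(key):
            continue
        cmd = values.get("(Default)", "")
        reason = "per-user override of Explorer's new-window verb"
        if values.get("DelegateExecute") == "" and cmd:
            reason += "; DelegateExecute is blank, leaving only the command line"
        findings.append(Finding(key, "(Default)", cmd, reason))
    return findings


def find_recognizer_dlls(keys, trusted_roots=TRUSTED_DLL_ROOTS):
    """Flag recognizer entries whose DLL path lies outside the trusted roots."""
    findings = []
    for key, values in keys.items():
        if not RECOGNIZER_RE.match(key):
            continue
        for vname, data in values.items():
            if data.lower().endswith(".dll") and not data.lower().startswith(trusted_roots):
                findings.append(Finding(key, vname, data, "recognizer DLL outside trusted directories"))
    return findings


def triage(reg_text):
    keys = parse_reg(reg_text)
    return find_explorer_command_overrides(keys) + find_recognizer_dlls(keys)


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f.reason}\n  {f.key}\n  {f.value_name} = {f.data}")
```

The recognizer check deliberately ignores the value name and looks only at string data ending in .dll, so it does not depend on knowing the exact value layout under TPG; on a real machine, compare the paths it reports against the files actually installed under the trusted roots and against a known-good export from a clean build.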