 |
 |
 |
 |
 |
 |
June 13, 2019 in Anti-Forensics, Autostart (Persistence)
I rarely link to other people’s research, but in this case I make an exception, because the technique is pretty cool and I never heard of it before.
Look for 3.3. API Set Extensions abuse inside this document [PDF Warning]. Thanks to Ange for sending it my way.
June 7, 2019 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins
This is a persistence, and a code injection trick in one. It affects only environments where NVIDIA CUDA Toolkit is present. If it is the case, the system will have these two environment variables present:
They typically point to legitimate NVIDIA DLLs, but one could replace them with anything. The DLLs are loaded via LoadLibrary.
This is not a backdoor of any sort – just a legitimate profiler interface.