
Beyond good ol’ Run key, Part 107

June 7, 2019 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins

This trick is a persistence and a code injection mechanism in one. It only affects environments where the NVIDIA CUDA Toolkit is present. If it is, the system will have these two environment variables set:

  • CUDA_INJECTION32_PATH
  • CUDA_INJECTION64_PATH

They typically point to legitimate NVIDIA DLLs, but one could point them at anything: the DLL at the given path is loaded via LoadLibrary, so whatever it contains runs inside the loading process.

This is not a backdoor of any sort – just a legitimate profiler interface.
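A quick way to audit this on a host is to enumerate both variables in every environment scope and vet the DLL each one points to. The script below is an added example, not code from the original post: it uses only built-in PowerShell cmdlets, and the "signer subject contains NVIDIA" test is a heuristic of my own, not something the post states.

```powershell
# Added audit example (not from the original post): list CUDA_INJECTION32_PATH and
# CUDA_INJECTION64_PATH in every scope and check the DLL each one references.
# A value set only in the Process scope was inherited or set for this session;
# Machine/User values are the persistent ones.
$names  = 'CUDA_INJECTION32_PATH', 'CUDA_INJECTION64_PATH'
$scopes = 'Machine', 'User', 'Process'

function Get-CudaInjectionFinding {
    foreach ($name in $names) {
        foreach ($scope in $scopes) {
            $path = [Environment]::GetEnvironmentVariable($name, $scope)
            if ([string]::IsNullOrEmpty($path)) { continue }

            $finding = [ordered]@{
                Variable   = $name
                Scope      = $scope
                Path       = $path
                Exists     = Test-Path -LiteralPath $path -PathType Leaf
                Signer     = $null
                Status     = $null
                Suspicious = $true
            }

            if ($finding.Exists) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $finding.Signer = $sig.SignerCertificate.Subject
                $finding.Status = $sig.Status
            }

            # Heuristic (assumption): a missing file, an invalid signature, or a signer
            # other than NVIDIA is what to escalate. Any value set at all deserves a look.
            $finding.Suspicious = (-not $finding.Exists) -or
                                  ($finding.Status -ne 'Valid') -or
                                  ($finding.Signer -notmatch 'NVIDIA')

            [pscustomobject]$finding
        }
    }
}

Get-CudaInjectionFinding | Format-Table -AutoSize
```

Because the variable names are fixed, the same two names are a cheap addition to any baseline of environment variables collected from endpoints; a host where either of them appears without the CUDA Toolkit installed is worth a closer look on its own.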

Beyond good ol’ Run key, Part 106

June 1, 2019 in Anti-Forensics, Archaeology, Autostart (Persistence)

This persistence trick has historical value only (at least as far as I can tell). It only works on old Windows XP, and only on systems with an Input Method Editor (IME) installed, e.g. Chinese-language installs.

On these systems, when a console window is created, kernel32.dll reads the following Registry entry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME

It then fetches the string stored there. If the entry is not present, the default string 'conime.exe' is assumed.

conime.exe, or its replacement, is then launched.

In the demo below, I run a test on Chinese Windows XP, where I set the value to calc.exe. You can't specify a full path: the system prepends the value with the path of its system directory (e.g. c:\windows\system32\). Of course, we can always use the parent-directory trick to run any file from any location on the system (e.g. ..\..\test\malware.exe will run c:\test\malware.exe).
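The following is an added example, not code from the original post. It reads the ConsoleIME value, models the resolution described above (the value is appended to the system directory, so '..\' segments walk back out of it) and flags anything other than the default. The Resolve-ConsoleIme function is my own model of that behaviour, not a call into kernel32, and the sample traversal value is constructed to match the one in the text.

```powershell
# Added example (not from the original post): audit the ConsoleIME value and show how a
# relative value with parent-directory segments resolves outside the system directory.
$key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console'
$name      = 'ConsoleIME'
$systemDir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

function Resolve-ConsoleIme {
    param([string]$Value)

    # Absent value: the default conime.exe is assumed.
    if ([string]::IsNullOrEmpty($Value)) { $Value = 'conime.exe' }

    # Model of the described behaviour (assumption): the system directory is always
    # prepended, so a rooted value is simply glued onto it and is not usable as-is.
    $combined = Join-Path -Path $systemDir -ChildPath $Value
    if ([IO.Path]::IsPathRooted($Value)) { return $combined }

    # For relative values, '..' segments are collapsed against the prefix,
    # which is what lets '..\..\test\malware.exe' leave the system directory.
    return [IO.Path]::GetFullPath($combined)
}

function Get-ConsoleImeFinding {
    $value    = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $resolved = Resolve-ConsoleIme -Value $value

    [pscustomobject]@{
        RawValue     = $value
        ResolvedPath = $resolved
        Traversal    = ($value -match '\.\.[\\/]')
        IsDefault    = ($resolved -ieq (Join-Path -Path $systemDir -ChildPath 'conime.exe'))
        FileExists   = Test-Path -LiteralPath $resolved -PathType Leaf
    }
}

Get-ConsoleImeFinding

# Constructed value from the post, resolved the same way the system would:
Resolve-ConsoleIme -Value '..\..\test\malware.exe'
```

On a system whose system directory is c:\windows\system32, the constructed value resolves to c:\test\malware.exe, exactly the outcome the post describes; any value that is present, contains a traversal segment, or does not resolve to the default conime.exe is the thing to flag.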