You are browsing the archive for Compromise Detection.

Beyond good ol’ Run key, Part 31

May 29, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

The last piece in the series talked about Synaptics software – a program to manage the touchpad on some of the popular laptops (e.g. from Toshiba).

Turns out Synaptics is not the only company providing a software managing the touchpad extensions and this short post introduces yet another one – from Alps company. The relationship between these two aforementioned companies seems to be actually quite close; I have not investigated it very thoroughly, but if you google these two, you will find a lot of overlaps; I personally don’t care too much – at the end of the day they both use different Registry entries, and this is all that matters ;).

So, anyways, Alps touchpads can be found on many popular laptops e.g. from Dell and Toshiba. Here, I will talk about the Dell version.

Looking at available options we can easily find the familiar ‘Run’ command that can be associated with buttons’ activities:

DellA simple test (Run Notepad when we click Left button on the touchpad) allows us to quickly discover the location in the Registry where the settings are stored:

AlpsThe key is located under HKCU:

  • HKEY_CURRENT_USER\Software\Alps

and the specific settings for buttons are located at:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\Button

where:

  • AppReg1 = <path to executable>
  • ButtonFunction1 = 0x1b to run the program (while default=0x5 means simply ‘Click’)

(this is for the Left button specifically – other buttons use consecutive numbers i.e. AppReg2, AppReg3; ButtonFunction2, ButtonFunction3)

Again, it’s more  a curiosity than a real threat, but still good to have it documented, even if that briefly :)

If you know any other software like this, and can send me screenshots/reg entries I will be forever grateful :-) Thanks in advance.

Beyond good ol’ Run key, Part 30

April 26, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

Many laptops come with preinstalled packages that enhance user experience by responding to gestures and shortcuts available via a touchpad. One of the most popular packages offering such functionality comes from Synaptics. My old laptop has it preinstalled as well and… that’s how this post was born.

While exploring the options of the program I discovered that you can associate a lot of various actions with buttons and areas/zones of the touchpad. Turns out that one such interesting action is… running an arbitrary program :)

synaptics1Clicking the Configure button allows us to choose the path to the program:

synaptics2Same goes for the right button (and also zones shown at the bottom of the left pane):

synaptics3Once I configured these I was able to launch the program of my choice by just playing with the touchpad.

I must mention that it is not a vulnerability – it is just a flexibility offered by the program allowing user to define what they want to do with their computer. But of course it could be abused as a persistence mechanism.

The place in the Registry where these paths are stored is shown below:

  • HKCU\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2

synaptics4The information about what action should be triggered is stored here:

  • HKCU\Software\Synaptics\SynTP\TouchPadPS2
    • LeftButtonAction = if equal 0 the default touchpad action is overridden with the action of the plugin defined by the next 2 entries below (LeftButtonPlugInID & LeftButtonPlugInActionID)
    • LeftButtonPlugInID = changed to ‘SynTP’
    • LeftButtonPlugInActionID = if this ActionID is equal to 5 then it is program execution

synaptics5Right button (and other buttons, if present)  as well as zones all have similar set of settings (again, their actual availability depends on a touchpad model/hardware/); the respective registry entries are:

  • TopLeftCornerPlugInID=
  • TopRightCornerPlugInID=
  • BottomLeftCornerPlugInID=
  • BottomRightCornerPlugInID=
  • LeftButtonPlugInID=
  • MiddleButtonPlugInID=
  • RightButtonPlugInID=
  • UpButtonPlugInID=
  • DownButtonPlugInID=
  • 2FingerTapPlugInID=
  • 3FingerTapPlugInID=
  • ExButton1PlugInID=
  • ExButton2PlugInID=
  • ExButton3PlugInID=
  • ExButton4PlugInID=
  • ExButton5PlugInID=
  • ExButton6PlugInID=
  • ExButton7PlugInID=
  • ExButton8PlugInID=
  • PressToSelectPlugInID=
  • Button5PlugInID=
  • ButtonModePlugInID=
  • 3FingerPressPlugInID=
  • PalmOnPadPlugInID=
  • 2FingerDoubleTapPlugInID=

and each of them have the respective ‘ActionID’ settings e.g.:

  • TopRightCornerPlugInID -> TopRightCornerPlugInActionID

The chance we will come across it on real cases are pretty low, but just adding it here for completeness.