You are browsing the archive for Forensic Analysis.

3R updated to cover new RegRipper plug-ins

October 24, 2014 in 3R, Forensic Analysis

Two days ago Harlan Carvey pushed his RegRipper to github and on the way added a few new plug-ins so it was a good occasion to update the 3R – the list of registry keys RegRipper covers and its plugins – there are over 300 plug-ins there.

If you need to quickly build a new RegRipper plug-in you can always try using 3RPG.

Thx To Harlan for correcting a mistake I made in the original post (incorrect information about new release of RegRipper while it was new plug-ins only).

Beyond good ol’ Run key, Part 17

August 31, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

.NET components (a couple of DLLs loaded anytime .NET apps are executed) in the Windows 8.X have been somehow modified and when they are loaded they look for an environment variable called APPX_PROCESS. I am not sure what it is – googling around didn’t bring any results, but experimenting with it led me to a discovery of yet another phantom DLL called WinAppXRT.dll. If the environment variable is set anytime some .NET components are loaded they in turn will attempt to load the aforementioned DLL (e.g. launching powershell or any .NET app should be enough).

Since environment variables can be set via Registry we can use it to develop yet another persistence mechanism.

Adding the following:

[HKEY_CURRENT_USER\Environment]
"APPX_PROCESS"="1"

and dropping the WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the WinAppXRT.dll is loaded everytime user launches an application using .NET.

WinAppXRT