
Beyond good ol’ Run key, Part 59

January 29, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

In my last post I talked about Bluetooth. I have had mixed luck testing anything related to this technology…

You see, there is one more potential persistence mechanism associated with Bluetooth which I was unable to test successfully. Despite my efforts it didn’t work, but this is probably because I don’t have a proper setup. Perhaps people owning a laptop with Windows 8 on it (and not Windows 8.1 or newer) could give it a go… It is another documented feature of Windows, so it should work.

So… there is a thing called ‘Bluetooth Software Radio Switch Function Prototypes’ described on the Microsoft page here.

Adding the entry

  • HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Radio Support\
    SupportDLL = Path to DLL

should allow vendors to register a DLL that handles requests to switch the Bluetooth radio on or off.

The Microsoft page links to another page describing sample source code that shows programmers how to build their own supporting DLL. The funny thing is that the demo code uses a different key (the BthServ service instead of BTHPORT) than the previous page, and a Unicode path instead of the ANSI path given in the documentation. Searching for strings within the c:\windows directory, I could find references to BTHPORT\Parameters\Radio Support and not BthServ\Parameters\Radio Support, so the documentation is probably okay, and the demo is not.

Well, in any case, it should work.
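An added detection check for the mechanism described above (example code, not from the original post or from Microsoft): it audits the SupportDLL value under the documented BTHPORT key and the BthServ key used by the sample, across every ControlSet in the hive rather than only CurrentControlSet, and reports where the DLL lives and whether it is signed. The key and value names come from the post; the script is read-only and assumes it is run from an elevated PowerShell session.

```powershell
# Added example, not part of the original post: audit the Bluetooth 'Radio Support'
# SupportDLL persistence point on the local machine. Read-only; run as Administrator.

# Service key names taken from the post: the documented one and the one in the sample.
$serviceKeys = @('BTHPORT', 'BthServ')

function Get-BluetoothRadioSupportDll {
    # Walk every ControlSetNNN; CurrentControlSet is only a link to one of them,
    # so a value staged in an inactive control set would otherwise be missed.
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d+$' }

    foreach ($cs in $controlSets) {
        foreach ($svc in $serviceKeys) {
            $keyPath = Join-Path $cs.PSPath "Services\$svc\Parameters\Radio Support"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }

            # -ErrorAction SilentlyContinue yields $null when the value is absent.
            $item = Get-ItemProperty -LiteralPath $keyPath -Name 'SupportDLL' -ErrorAction SilentlyContinue
            if (-not $item) { continue }

            $dll    = [Environment]::ExpandEnvironmentVariables($item.SupportDLL)
            $exists = Test-Path -LiteralPath $dll -PathType Leaf
            $sig = $null; $hash = $null
            if ($exists) {
                $sig  = (Get-AuthenticodeSignature -FilePath $dll).Status
                $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                ControlSet       = $cs.PSChildName
                ServiceKey       = $svc
                SupportDLL       = $item.SupportDLL
                FileExists       = $exists
                # A vendor DLL outside %SystemRoot% is worth a closer look.
                OutsideSystemDir = $exists -and -not $dll.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
                Signature        = $sig          # expect 'Valid' for a vendor-supplied DLL
                SHA256           = $hash
            }
        }
    }
}

Get-BluetoothRadioSupportDll | Format-List
```

No output means no SupportDLL value is registered under either key in any control set; any row with FileExists set and an unsigned or non-system-path DLL deserves triage.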

Beyond good ol’ Run key – All parts

January 28, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Forensic Riddles, Incident Response, Malware Analysis

Here are the links to all the ‘Beyond good ol’ Run key’ posts so far. I will try to extract the Registry keys into a CSV soon.