Beyond good ol’ Run key, Part 48

October 21, 2016 in Anti-Forensics, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis

I have just updated my very old post about HKLM\SOFTWARE\Microsoft\VBA\Monitors. I discovered its additional ‘properties’ while looking at the VBE (Visual Basic Engine). On the way, I have also discovered that Visual Basic for Application’s old-school IDE allows programmers to create Add-ins. A quick googling followed and I immediately found a number of Addins for VBE – I was actually quite surprised that there are so many!

Seriously, there is a huge interest in it! With all the C, Java, python programmers out there… it would seem that VBA is strong and here to stay…

So, anyway… I didn’t spend much time on it as many programmers already provide good examples of VBE Add-ins, so I will just document where to find the possible persistence entries.

The Add-ins are discovered by VBE by enumeration of the following key:

  • HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\<AddInName>\…

Each Add-in has a dedicated subkey where it lists the properties:

  • Description – Full description
  • FriendlyName – Short name
  • LoadBehavior – A DWORD that indicates whether the Add-in is loaded at startup (1), is currently unloaded (0)
  • SatelliteDllName + SatelliteDllPath  – references to localized information about the plug-in

So, anyone wanting to load the VBE Add-in needs to set up the Registry key with the aforementioned values, and then create the appropriate entries under HKCR:

  • HKCR\<AddInName>\Clsid = <GUID>
  • HKCR\CLSID\{<GUID>}\InprocServer32 = …

Comments are closed.