Beyond good ol’ Run key, Part 74

March 26, 2018 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Riddles, Incident Response

This is a very obscure persistence mechanism that affects VMWare Tools versions that utilize the vm3dum DLL (‘VMware SVGA 3D Usermode’):

  • c:\Program Files\Common Files\VMware\Drivers\video_wddm\vm3dum.dll

When loaded (which happens e.g. when Internet Explorer is launched) the DLL checks the content of the following registry key:

  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\

and loads library that the path points to.

There is also one more key:

  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\

but the condition for loading this DLL is not entirely clear to me.

Comments are closed.