Beyond good ol’ Run key, Part 106

June 1, 2019 in Anti-Forensics, Archaeology, Autostart (Persistence)

This persistence trick has historical value only (at least as far as I can tell). It only works on old Windows XP, and only on systems with an IME installed, e.g. Chinese-language installations.

On these systems, when a console window is created, kernel32.dll reads the following Registry entry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME

It then fetches the string stored there. If the entry is not present, the default string ‘conime.exe’ is assumed.

conime.exe, or whatever replaces it, is then launched.

In the demo below, I run a test on Chinese Windows XP, where I set the value to calc.exe. You can’t specify a full path: the system prepends its system directory (e.g. c:\windows\system32\) to the value. Of course, we can always use the parent-directory trick to run any file from any location on the system (e.g. ..\..\test\malware.exe will run c:\test\malware.exe).
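As an added example (not code from the original post), here is a small offline triage script that takes a .reg export of the Console key, pulls out ConsoleIME, resolves it the way the post describes (system directory prepended, parent-directory components honoured) and flags anything that is not the stock conime.exe or that escapes the system directory. The system directory, the sample exports and the helper names are assumptions made for the example; the key path and the default value come from the text above.

```python
import ntpath
import re

# Assumed system directory of the box being examined (hypothetical; adjust as needed).
SYSTEM_DIR = r"C:\WINDOWS\system32"
DEFAULT_IME = "conime.exe"
# Key named in the post, written as it appears in a .reg export.
CONSOLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console"


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: returns {key: {value_name: string_data}} for REG_SZ values.
    Only the '"name"="data"' form is handled; other value types are ignored."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line:
            m = re.match(r'^"(.*?)"="(.*)"$', line)
            if m:
                name, data = m.groups()
                # .reg exports escape quotes and backslashes; undo that.
                data = data.replace('\\"', '"').replace("\\\\", "\\")
                result[current][name] = data
    return result


def resolve_console_ime(value: str, system_dir: str = SYSTEM_DIR) -> str:
    """Model the lookup described in the post: the system directory is prepended
    to the raw string, so '..\\' components walk out of system32."""
    return ntpath.normpath(ntpath.join(system_dir, value))


def audit_console_ime(reg_text: str, system_dir: str = SYSTEM_DIR) -> dict:
    """Return what the system would launch and whether it deserves a second look."""
    values = parse_reg_export(reg_text).get(CONSOLE_KEY, {})
    raw = values.get("ConsoleIME")
    if raw is None:
        # Value absent: the default conime.exe is assumed, nothing to flag.
        return {"raw": None, "resolved": resolve_console_ime(DEFAULT_IME, system_dir),
                "suspicious": False, "reason": "value absent, default conime.exe assumed"}
    resolved = resolve_console_ime(raw, system_dir)
    if raw.lower() == DEFAULT_IME:
        return {"raw": raw, "resolved": resolved, "suspicious": False, "reason": "default value"}
    if ntpath.dirname(resolved).lower() != system_dir.lower():
        reason = "resolves outside the system directory (parent-directory trick)"
    else:
        reason = "non-default executable name in the system directory"
    return {"raw": raw, "resolved": resolved, "suspicious": True, "reason": reason}


# Constructed sample exports (not captured from a real system).
SAMPLE_DEFAULT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Console]
"ConsoleIME"="conime.exe"
"""

SAMPLE_CALC = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Console]
"ConsoleIME"="calc.exe"
"""

SAMPLE_TRAVERSAL = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Console]
"ConsoleIME"="..\\\\..\\\\test\\\\malware.exe"
"""

SAMPLE_ABSENT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Console]
"LoadConIme"=dword:00000001
"""

if __name__ == "__main__":
    for label, sample in [("default", SAMPLE_DEFAULT), ("calc", SAMPLE_CALC),
                          ("traversal", SAMPLE_TRAVERSAL), ("absent", SAMPLE_ABSENT)]:
        print(label, audit_console_ime(sample))
```

The resolver uses ntpath rather than os.path so the script gives the same answer whether it runs on the analyst's Linux box or on Windows; the point it makes visible is that a value with no drive letter and no leading backslash can still land anywhere on the drive once the parent-directory components are normalised.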
