Rundll32 with a vbscript: protocol

Inspired by a question posted on Twitter by Tim, I tried to modify the well-known rundll32 javascript: trick (introduced by poweliks around July 2014 if I am not wrong) to use vbscript. I felt it should be possible to make the code work the very same way as the JavaScript version.

It turned out to be a bit tricky, because vbscript doesn’t seem to like any whitespace characters in the payload, including encoded spaces, new lines and carriage returns.

I eventually decided to follow a different path and focused on the fact that the first argument passed from this sneaky payload to the VBScript interpreter is a string. And since strings can hold not only commands but also actual data that can be concatenated, I tried doing just that. Using the String function I cast the result of my calculator-launcher code to a string… and the trick worked like a charm:

Here’s a snippet:

rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

Beyond good ol’ Run key, Part 121

This is a very convoluted way of creating a persistence mechanism, but it’s worth describing.

The SPReview.exe I covered previously has an interesting option: /WuExecuted or /WusaExecuted. When it is executed with one of these as an argument it does a lot of stuff, but the most important part from our perspective is this:

  • It reads the value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler=<file>
  • It copies that value to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SPReview=<file>
  • It then deletes the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler entry

So… as long as you set up the SPReviewEnabler value and run SPReview.exe with one of the WU* options, your chosen file will be executed once, the very next time the current user logs on. The cycle can then be repeated to establish permanent persistence…
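As an added defender-side example (not the author's code), here is a small Python hunt over constructed Sysmon-style events that flags both tricks described on this page: rundll32 launched with a vbscript:/javascript: URL together with mshtml,RunHTMLApplication, and the SPReview.exe /WuExecuted or /WusaExecuted run alongside writes to the SPReviewEnabler and RunOnce\SPReview values. The event layout, the sample lines, and the names SCRIPT_PROTO, classify_process, classify_registry and scan are all assumptions chosen here.

```python
import re

# Constructed sample telemetry, Sysmon-like: event 1 = process creation (CommandLine),
# event 13 = registry value set (TargetObject). Mixed suspicious and benign entries.
SAMPLE_EVENTS = [
    (1, r'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)'),
    (1, r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign, very common
    (1, r"SPReview.exe /WusaExecuted"),               # trigger for the RunOnce copy
    (13, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler"),
    (13, r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SPReview"),
    (13, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),  # benign
]

# rundll32 given a script: URL scheme instead of a DLL path.
SCRIPT_PROTO = re.compile(r'rundll32(?:\.exe)?\s+"?(?:vbscript|javascript):', re.I)
# The mshtml,RunHTMLApplication export is what turns that URL into script execution.
MSHTML_RUNHTA = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)
# SPReview.exe with either switch copies SPReviewEnabler into the user's RunOnce key.
SPREVIEW_TRIGGER = re.compile(r"SPReview\.exe\s+/Wu(?:sa)?Executed", re.I)
# Registry values involved in the SPReview persistence cycle (matched as lowercase suffixes).
SPREVIEW_VALUES = (r"\setup\pending\spreviewenabler", r"\currentversion\runonce\spreview")

def classify_process(cmdline):
    """Return a finding label for a process command line, or None if nothing matches."""
    if SCRIPT_PROTO.search(cmdline):
        if MSHTML_RUNHTA.search(cmdline):
            return "rundll32 script: protocol with mshtml,RunHTMLApplication"
        return "rundll32 script: protocol"
    if SPREVIEW_TRIGGER.search(cmdline):
        return "SPReview.exe launched with /WuExecuted or /WusaExecuted"
    return None

def classify_registry(target):
    """Return a finding label for a registry value write, or None."""
    lowered = target.lower()
    if any(lowered.endswith(v) for v in SPREVIEW_VALUES):
        return "SPReview persistence value written: " + target
    return None

CLASSIFIERS = {1: classify_process, 13: classify_registry}

def scan(events):
    """Run the matching classifier over (event_id, data) pairs and collect findings."""
    findings = []
    for event_id, data in events:
        classify = CLASSIFIERS.get(event_id)
        label = classify(data) if classify else None
        if label:
            findings.append((event_id, label))
    return findings
```

Correlating a SPReviewEnabler write with a SPReview.exe /Wu*Executed launch on the same host is the stronger signal; either one alone also appears during legitimate service pack review activity.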