Beyond good ol’ Run key, Part 122

This is another quickie: the OCSetup program, which ships with a couple of Windows versions, follows an established process when it runs. It reads a number of Registry entries, interprets them, and executes the programs (.exe) or installers (.msi, .msp) listed under those entries.

The entries of interest are as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\<ComponentName>\CustomSetup = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\Component = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\PatchFiles = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\CustomSetup = <file>
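As an added example (not code from the original post), here is a small audit script that checks the four OCSetup locations above for values that point at a program or installer. It works offline on the text of a registry export, so the input can be collected with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" setup.reg` on the host and reviewed elsewhere; the sample export embedded below is constructed for the example, and the `.msi`/`.exe` paths in it are placeholders, not real indicators.

```python
"""Audit OCSetup registry locations in a `reg export` (.reg) dump.

The key/value locations checked are the ones listed in the post:
  Setup\OptionalComponents\<Name>\CustomSetup
  Setup\OCSetup\Components\<Name>\{Component,PatchFiles,CustomSetup}
"""
import re

SETUP_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"

# (key pattern relative to SETUP_ROOT, value names OCSetup reads under that key)
WATCHED = [
    (re.compile(r"^OptionalComponents\\[^\\]+$", re.I), {"customsetup"}),
    (re.compile(r"^OCSetup\\Components\\[^\\]+$", re.I),
     {"component", "patchfiles", "customsetup"}),
]

# Constructed sample of what `reg export` produces (it escapes backslashes as \\).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\ExampleComp]
"Component"="C:\\Users\\Public\\update.msi"
"PatchFiles"="C:\\Users\\Public\\fix.msp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\MSFS]
"CustomSetup"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\Unrelated]
"Installed"="1"
'''


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    REG_SZ values ("name"="data") and the default value (@) are unescaped;
    other types (hex:, dword:) are kept as the raw string after '='."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # strip the quotes and undo the \" and \\ escapes in one pass
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def find_ocsetup_entries(keys):
    """Return [(key, value_name, data)] for every watched OCSetup value present."""
    hits = []
    prefix = SETUP_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        rel = key[len(prefix):]
        for pattern, names in WATCHED:
            if pattern.match(rel):
                for name, data in values.items():
                    if name.lower() in names:
                        hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    # Real use: open("setup.reg", encoding="utf-16").read() -- reg export writes UTF-16.
    for key, name, data in find_ocsetup_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {name} = {data}")
```

Any hit deserves a look: on a typical workstation these keys are empty or absent, and a value under them that points into a user-writable directory is the classic persistence shape. Note that `reg export` writes UTF-16, so read a real dump with `encoding="utf-16"`.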

Rundll32 with a vbscript: protocol

Inspired by a question posted on Twitter by Tim, I tried to modify the well-known rundll32 javascript: trick (introduced by Poweliks around July 2014, if I am not wrong) to use vbscript: instead. I felt the code should work the very same way as the JavaScript version.

It turned out to be a bit tricky, because vbscript doesn't seem to like any whitespace characters in the payload, including encoded spaces, newlines and carriage returns.

I eventually decided to follow a different path and focused on the fact that the first argument passed from this sneaky payload to the VBScript interpreter is a string. And since strings can be not only commands but also actual data bits that can be concatenated, I tried doing just that. Using the String function I encapsulated / cast the result of my calculator-launcher code to a string… and the trick worked like a charm:

Here’s a snippet:

rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
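From the detection side, the javascript: and vbscript: variants share the same shape in process-creation telemetry: the first argument to rundll32 is a URL-style protocol string rather than a DLL path, it traverses with `\..\` into mshtml, and it calls the RunHTMLApplication export. The following classifier, an added example that is not part of the original post, scores rundll32 command lines on those traits; the sample log lines are constructed for the example (the vbscript: one is the snippet above, the javascript: one mimics the older trick), and the indicator strings are my own labels.

```python
"""Flag rundll32 command lines that abuse the javascript:/vbscript: protocol trick."""
import re

SUSPICIOUS_PROTOCOLS = ("javascript:", "vbscript:")

# Image path (quoted or bare) ending in rundll32[.exe], then the argument string.
_RUNDLL32 = re.compile(
    r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*(.*)$', re.I)


def rundll32_arguments(cmdline):
    """Return the text after the rundll32 image, or None if this is not rundll32."""
    m = _RUNDLL32.match(cmdline)
    return None if m is None else m.group(1)


def classify_rundll32(cmdline):
    """Return a list of indicator strings for a suspicious rundll32 command line,
    or None when the line is not rundll32 or shows none of the traits."""
    rest = rundll32_arguments(cmdline)
    if rest is None:
        return None
    low = rest.lower()
    indicators = []
    for proto in SUSPICIOUS_PROTOCOLS:
        if low.lstrip('"').startswith(proto):
            indicators.append(f"first argument is a {proto} string, not a DLL path")
    if "runhtmlapplication" in low:
        indicators.append("mshtml RunHTMLApplication export invoked")
    if "\\..\\" in low:
        indicators.append("path traversal inside the module argument")
    if "createobject(" in low:
        indicators.append("inline script instantiates a COM object")
    return indicators or None


def scan(cmdlines):
    """Map each suspicious command line to its indicators."""
    results = {}
    for line in cmdlines:
        found = classify_rundll32(line)
        if found:
            results[line] = found
    return results


# Constructed process-creation command lines for the example.
SAMPLE_CMDLINES = [
    'rundll32 vbscript:"\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(1)',
    'rundll32.exe shell32.dll,Control_RunDLL',
    'C:\\Windows\\System32\\rundll32.exe "C:\\Program Files\\Vendor\\vendor.dll",Init',
    'notepad.exe C:\\Users\\Public\\notes.txt',
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_CMDLINES).items():
        print(line)
        for f in found:
            print("   -", f)
```

The protocol check alone is enough to alert on: a legitimate rundll32 invocation names a module and an entry point, never a `javascript:` or `vbscript:` string, so the remaining indicators mainly help with triage and with catching variants that drop one of the other traits.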