Beyond good ol’ Run key, Part 114

The ability to extend AutoPlay with dedicated handlers is well-known and documented. Handlers are registered under the Registry key shown below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers\

Instead of describing this persistence mechanism in detail, I will focus on a slightly different aspect.

Lots of software out there registers its own “personalized” handlers. Such software may not be used much today, but it still comes pre-installed on many laptops and workstations.

One could modify these existing handlers to redirect them to a malicious component. How to find them? There are at least two ways: use a predefined list, or enumerate all handlers and pick out those whose targets reside within the Program Files directory (with an exclusion for Media Player).

The second task is trivial, and the first is not too difficult either. Looking at installers of media burning software, one can quickly find a lot of candidates:

  • AntsDVDDVDMovieOnArrival
  • ASHAshampoo_Burning_Studio_12BURNONARRIVAL
  • ASHAshampoo_Burning_Studio_12COPYONARRIVAL
  • ASHAshampoo_Burning_Studio_12RIPONARRIVAL
  • ASHAshampoo_Burning_Studio_2013BURNONARRIVAL
  • ASHAshampoo_Burning_Studio_2013COPYONARRIVAL
  • ASHAshampoo_Burning_Studio_2013RIPONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL
  • AVSCaptureVideoCameraArrival
  • BBShowPictureEventHandler
  • BlindWriteAutoplay_741406
  • BurnAware
  • CCShowPicturesOnArrival
  • CDBurnerXP
  • CopyToDVDAutoplay_741406
  • daccdrip
  • DVDClonerBackupDVDMovieOnArrival
  • dvdXsoftRipDVDMovieOnArrival
  • ExsateDVCLHandler
  • ExsateVideoExpressHandler
  • HeliconBurnerOnArrival
  • HMMAddToDatabaseHandler
  • HMMMTPHandler
  • HMMPlayHandler
  • HMMRipAudioCDHandler
  • JoyceCD
  • LightImageResizerAutoplay_741406
  • MagicBurnStudioOpenHandler
  • MPCPlayBluRayOnArrival
  • MPCPlayCDAudioOnArrival
  • MPCPlayDVDMovieOnArrival
  • MPCPlayMusicFilesOnArrival
  • MPCPlayVideoFilesOnArrival
  • P2GCDBurningOnArrival
  • P2GDVDBurningOnArrival
  • PicsPrintAutoplay
  • PIETransfer
  • PlayWithBlazeDVD
  • PlayWithDVDXPlayer
  • Power2GoPlayCDAudioOnArrival
  • PrintstationPrint
  • PStarterBlankCDArrival
  • PStarterDVDBurningOnArrival
  • PStarterMixedCDArrival
  • PStarterMusicFilesArrival
  • PStarterPicturesArrival
  • PStarterVideoFilesArrival
  • S4BCaptureVideoCameraArrival
  • SpybotScanFiles\
  • VCUPlayDVDMovieOnArrival
  • VMP1PlayBluRayMovieOnArrival
  • VMP1PlayDVDMovieOnArrival
  • VMP1PlayMusicFilesOnArrival
  • VMP1PlayVideoFilesOnArrival
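The enumeration approach from above, written out as a PowerShell script. This is an added example, not code from the original post: it walks the Handlers key, resolves each handler to the executable it ultimately runs (either the COM server behind its CLSID, or the shell command behind its InvokeProgID/InvokeVerb pair), and flags targets under Program Files while skipping the Windows Media Player directory. The function names are this example's own; the assumption that every handler uses one of those two registration forms is noted in the code.

```powershell
# Added example (not the author's code): enumerate AutoPlay handlers and flag
# those whose target executable lives under Program Files, skipping Windows
# Media Player as the post suggests. Reading HKLM and the Classes hives needs
# no elevation, so this runs as a normal user.
$handlersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers'
$programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$classHives   = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'

function Get-DefaultValue {
    param([string]$Path)
    # Default (unnamed) value of a key, or $null when the key does not exist.
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

function Resolve-AutoplayTarget {
    param([Microsoft.Win32.RegistryKey]$Handler)
    # A handler names either a COM server (CLSID) or a ProgID/verb pair that the
    # shell resolves through <ProgID>\shell\<verb>\command. Both forms are checked
    # here; anything else is reported as unresolved. (Assumption: only these two
    # registration forms occur.)
    $clsid = $Handler.GetValue('CLSID')
    if ($clsid) {
        foreach ($hive in $classHives) {
            foreach ($server in 'InprocServer32', 'LocalServer32') {
                $v = Get-DefaultValue "$hive\CLSID\$clsid\$server"
                if ($v) { return $v }
            }
        }
        return "CLSID $clsid (unresolved)"
    }
    $progId = $Handler.GetValue('InvokeProgID')
    $verb   = $Handler.GetValue('InvokeVerb')
    if ($progId -and $verb) {
        foreach ($hive in $classHives) {
            $v = Get-DefaultValue "$hive\$progId\shell\$verb\command"
            if ($v) { return $v }
        }
        return "$progId\shell\$verb (unresolved)"
    }
    return $null
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Reduce a command line such as "C:\Program Files\X\x.exe" /arg %1 to the binary path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

Get-ChildItem -Path $handlersKey | ForEach-Object {
    $handler = $_
    $target  = Resolve-AutoplayTarget -Handler $handler
    if (-not $target) { return }
    $exe = Get-ExecutableFromCommand $target
    $inProgramFiles = [bool]($programFiles | Where-Object { $exe -like "$_\*" })
    $isMediaPlayer  = $exe -like '*\Windows Media Player\*'
    # Signature status is the quickest tell that a handler's target was swapped
    # for something that is not the vendor's own binary.
    $signature = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'missing' }
    [pscustomobject]@{
        Handler   = $handler.PSChildName
        Provider  = $handler.GetValue('Provider')
        Action    = $handler.GetValue('Action')
        Target    = $exe
        Signature = $signature
        Candidate = $inProgramFiles -and -not $isMediaPlayer
    }
} | Where-Object Candidate | Sort-Object Handler | Format-Table -AutoSize
```

Because the exclusion covers only the Windows Media Player directory, third-party players such as the MPC entries in the list above are still reported, which is the intent. On the defensive side the same output is a baseline: a handler whose Target changes, or whose Signature moves from Valid to NotSigned or missing, is exactly the redirection the post describes.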

Of course, such a persistence method could only be used as a Plan B. After all, who still burns CDs today…

Sitting on the Lolbins, 12

What is a LOLBIN? Does it need to be signed?

These questions are not really important. If you can find a clean executable and make it run another program, then it is already a… lolwin.

The unsigned SetupProxy.exe program does exactly that. All you have to do is provide the setup.ini file that the setup program expects to see. Inside this .ini file you specify which programs to run on 32- and 64-bit systems, e.g.:

[SETUP]
InstallPath=..\..\windows\system32\notepad.exe
InstallPath64=..\..\windows\system32\notepad.exe

You need to use a directory traversal trick, as the program expects paths relative to the directory it is run from.

That’s it really.

Okay, one more thing… the program stores verbose information about the setup progress in the %TEMP%\LxProxy.log file:

/———————————————————————–\
| Friday, September 06, 2019 14:31:42
| Setup.exe
| Version:
|
| SetupProxy: to Launch Install GUI.
———————————————————————–/
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy::read registry for the language: Software\inkjet\install
SetupProxy::language from the regstry:
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar\..\..\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44
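Two helpers for the setup.ini and the log described above, as an added example that is not the author's code. The first computes the relative traversal path the .ini needs from wherever SetupProxy.exe is staged and writes the [SETUP] section; the second reads %TEMP%\LxProxy.log and marks "Launch InstallGUI:" entries whose target climbs out of the proxy's directory. The C:\foo\bar staging directory and the log line format come from the post; the function names are this example's own.

```powershell
# Added example (not the author's code). Two helpers around the behaviour the
# post describes: SetupProxy.exe resolves InstallPath/InstallPath64 relative to
# its own directory, and records what it launched in %TEMP%\LxProxy.log.

function Get-TraversalPath {
    param([string]$FromDirectory, [string]$Target)
    # Build the "..\..\rest" form the .ini needs: one ".." per directory level
    # between the drive root and the directory SetupProxy.exe is run from, then
    # the target path without its drive. Both paths must be on the same drive.
    $from = [System.IO.Path]::GetFullPath($FromDirectory)
    $to   = [System.IO.Path]::GetFullPath($Target)
    $root = [System.IO.Path]::GetPathRoot($from)
    if ($root -ne [System.IO.Path]::GetPathRoot($to)) {
        throw "staging directory and target must share a drive"
    }
    $levels = @($from.Substring($root.Length) -split '\\' | Where-Object { $_ }).Count
    return ('..\' * $levels) + $to.Substring($root.Length)
}

function New-SetupProxyIni {
    param([string]$StagingDirectory, [string]$Target)
    # Write the setup.ini that SetupProxy.exe reads; the same target is used for
    # both the 32-bit and 64-bit entries, as in the post.
    $rel = Get-TraversalPath -FromDirectory $StagingDirectory -Target $Target
    $ini = "[SETUP]`r`nInstallPath=$rel`r`nInstallPath64=$rel`r`n"
    Set-Content -Path (Join-Path $StagingDirectory 'setup.ini') -Value $ini -Encoding Ascii
    return $ini
}

function Get-SetupProxyLaunches {
    param([string]$LogPath = (Join-Path $env:TEMP 'LxProxy.log'))
    # Defender side: pull every "Launch InstallGUI:" line from the log and mark
    # targets that contain a "\..\" hop, i.e. the traversal trick from the post.
    Select-String -Path $LogPath -Pattern 'Launch InstallGUI:\s*(.+?)\s*$' | ForEach-Object {
        $launched = $_.Matches[0].Groups[1].Value
        [pscustomobject]@{
            Line      = $_.LineNumber
            Target    = $launched
            Traversal = $launched -match '\\\.\.\\'
        }
    }
}

# Get-TraversalPath -FromDirectory 'C:\foo\bar' -Target 'C:\windows\system32\notepad.exe'
# returns ..\..\windows\system32\notepad.exe, matching the setup.ini in the post.
```

Get-SetupProxyLaunches is the part worth keeping around: the log survives after the proxy exits, so a scheduled sweep of %TEMP%\LxProxy.log on hosts that ship this printer software gives a cheap record of everything the binary was ever made to launch.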

Sample:

1DFFF3F5934AB61C861620CF2C6BC81FF8AF9A1E5F6A3D31B3315F8BE8BC3360