Beyond good ol’ Run key, Part 106

This persistence trick has a historical value only (at least as far as I can tell). It only works on old Windows XP, and only on systems with an IME installed, e.g. Chinese editions.

On these systems, when a console window is created, kernel32.dll reads the following Registry entry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME

It then fetches the string stored there. If the entry is not present, the default string ‘conime.exe’ is assumed.

conime.exe, or whatever replaces it, is then launched.

In the demo below, I run a test on Chinese Windows XP, where I set the value to calc.exe. You can’t specify a full path – the system prepends the value with a path referring to its system directory (e.g. c:\windows\system32\). Of course, we can always use the parent-directory trick to run any file from any location on the system (e.g. ..\..\test\malware.exe will run c:\test\malware.exe).

Beyond good ol’ Run key, Part 105

Windows Installer is a fairly complex piece of software that installs software packages in a safe and predictable way – offering at the same time a chance to undo/rollback, uninstall or repair the installation. It is the de facto standard installer for many programs nowadays.

There is at least one area where I think persistence could be achieved with the help of this technology – this set of Registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries

This is the place where MSIEXEC stores the command line arguments it wants to pass to itself after a reboot. So, if it is not empty, it may be something interesting to look at.

By the way, the Wine/ReactOS sources have the following comment around the code that implements this behaviour:

If the args begin with /@ IDENT then we need to load the real command line out of the RunOnceEntries key in the registry. We do that before starting to process the real commandline, then overwrite the commandline again.
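For defenders, the practical takeaway from Parts 105 and 106 is simply to check both locations. The following read-only audit script is an added example (not from the original post or from Wine/ReactOS); it assumes an elevated PowerShell session and reports any ConsoleIME override (flagging traversal sequences as in the ..\..\ trick above) and any pending Installer RunOnceEntries.

```powershell
# Added example (not from the original post): audit the two persistence
# locations discussed above. Read-only; run in an elevated PowerShell.
# On current Windows the keys may simply be absent, which is reported as clean.

$Findings = @()

# --- Part 106: Console\ConsoleIME ---------------------------------------
$ImeKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console'
$ImeValue = (Get-ItemProperty -Path $ImeKey -Name 'ConsoleIME' -ErrorAction SilentlyContinue).ConsoleIME

if ($null -ne $ImeValue) {
    # The default is an absent value (conime.exe assumed), so any explicit
    # value is worth a look; anything other than conime.exe is suspicious.
    $Severity = 'Info'
    if ($ImeValue -notmatch '^conime\.exe$') { $Severity = 'Suspicious' }
    # The system prepends its own system directory, so traversal sequences or
    # path separators point at a file outside System32 (the ..\..\ trick above).
    if ($ImeValue -match '\.\.|[\\/]') { $Severity = 'High' }
    $Findings += [pscustomobject]@{
        Location = "$ImeKey\ConsoleIME"
        Value    = $ImeValue
        Severity = $Severity
    }
}

# --- Part 105: Installer\RunOnceEntries ---------------------------------
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries'
)
foreach ($Key in $RunOnceKeys) {
    if (-not (Test-Path $Key)) { continue }
    # Each value is a command line msiexec will replay after reboot; the key
    # is normally empty, so every entry present is listed for review.
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in ($Props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $Findings += [pscustomobject]@{
            Location = "$Key\$Name"
            Value    = [string]$Props.$Name
            Severity = 'Review'
        }
    }
}

if ($Findings.Count -eq 0) { 'No ConsoleIME override and no pending Installer RunOnceEntries.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```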