Anti-Forensics | Hexacorn

This is a bunch of legacy and not so popular anymore Registry locations that could have at some stage in the past support persistence by pointing to various editors associated with ‘viewing source of web pages’, and using Microsoft Office for editing HTML documents:

HKCU\Software\Microsoft\Shared\HTML\Default Editor
HKCU\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
HKLM\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
HKCU\Software\Microsoft\Internet Explorer\Default HTML Editor
HKCU\Software\Microsoft\Internet Explorer\Default MHTML Editor
HKLM\Software\Microsoft\Internet Explorer\Default HTML Editor
HKLM\Software\Microsoft\Internet Explorer\Default MHTML Editor
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

All the entries use the very same shell entries as shown on the below example:

I thought Propagate technique is a dead horse. Described, implemented, used in malware.

But.

There is perhaps one more possibility, or four.

When you open Windows Explorer and Ribbons are enabled:

the UIRibbon.dll DLL gets loaded into this process address space:

One of the things the DLL does is setting properties of its internal windows using the following methods:

HWndContainer::Build(HWND hWnd, char a2, struct HWndContainer **a3)
- Property:0xA91C
OfficeSpace::Root::SetEventLogger(OfficeSpace::Root *this, struct IUIEventLogger *a2)
- Property: 0xBCDE
NetUI::SetCommandManager(HWND hWnd, HWND hData, struct NetUI::ICommandManager *a3)
- Property:0xBCDF
UXHwndEffectsManager::FInitialize@(HANDLE hData@, HWND hWnd@, bool a3, bool a4, bool a5)
- Property (atom name): SCENIC_UXHWNDEFFECTSMANAGER_WINDOW_PROP

Example:

So, what do we do with this?

These are all possible targets for a Propagate code injection as all these properties appear to be holding virtual table pointers…

Hexacorn

Hexacorn

Category Archives: Anti-Forensics

Beyond good ol’ Run key, Part 131

Propagate, Ribbonate