Beyond good ol’ Run key, Part 135

These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂

Still, it's good to document some of it in a more permanent way, so this is the persistence bit I posted about yesterday:

A number of tools inside the c:\WINDOWS\system32\oobe\ folder:

  • audit.exe
  • oobeldr.exe
  • Setup.exe
  • windeploy.exe
  • winsetup.dll

include references to c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd.

Turns out, if you drop your payload to c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd, c:\WINDOWS\system32\oobe\Setup.exe will execute it any time there is an error. The most trivial way to trigger it is by running Setup.exe without any arguments.

I have not checked the other executables, but it’s most likely the case as well.
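For defenders, an added example that is not part of the original post: a PowerShell audit that confirms which oobe binaries actually embed the ErrorHandler.cmd reference and reports the state of the script location, so the path can be baselined and alerted on. It assumes an elevated session and the default paths named above.

```powershell
# Added audit script, not from the original post. Assumes an elevated
# PowerShell session on Windows and the default paths named in the post.
$errorHandler = Join-Path $env:SystemRoot 'Setup\Scripts\ErrorHandler.cmd'
$oobeDir      = Join-Path $env:SystemRoot 'System32\oobe'
$oobeBinaries = 'audit.exe', 'oobeldr.exe', 'Setup.exe', 'windeploy.exe', 'winsetup.dll'

function Test-ErrorHandlerReference {
    # Report which oobe binaries embed the ErrorHandler.cmd string. Decode
    # the raw bytes as both UTF-16LE and ASCII so a wide-string reference is
    # found even though Select-String would see nulls between the letters.
    foreach ($name in $oobeBinaries) {
        $path = Join-Path $oobeDir $name
        if (-not (Test-Path $path)) { continue }
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $found = ([System.Text.Encoding]::Unicode.GetString($bytes) -like '*ErrorHandler.cmd*') -or
                 ([System.Text.Encoding]::ASCII.GetString($bytes)   -like '*ErrorHandler.cmd*')
        [pscustomobject]@{ Binary = $name; ReferencesErrorHandler = $found }
    }
}

function Get-ErrorHandlerState {
    # The script is not present on a clean install, so its mere existence is
    # worth an alert; collect owner, timestamps, hash and a content preview
    # for triage when it is there.
    if (-not (Test-Path $errorHandler)) {
        return [pscustomobject]@{ Path = $errorHandler; Present = $false }
    }
    $item = Get-Item $errorHandler
    [pscustomobject]@{
        Path       = $errorHandler
        Present    = $true
        Owner      = (Get-Acl $errorHandler).Owner
        CreatedUtc = $item.CreationTimeUtc
        WrittenUtc = $item.LastWriteTimeUtc
        SHA256     = (Get-FileHash $errorHandler -Algorithm SHA256).Hash
        Preview    = (Get-Content $errorHandler -TotalCount 5) -join "`n"
    }
}

Test-ErrorHandlerReference | Format-Table -AutoSize
Get-ErrorHandlerState | Format-List
```

Because the file has to be written before Setup.exe will ever pick it up, a file-creation rule on the Setup\Scripts folder (for example Sysmon Event ID 11 filtered on that TargetFilename) catches the drop itself rather than the later execution.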

Beyond good ol’ Run key, Part 134

This one is for historical reasons, primarily.

Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here.

The feature was implemented via a simple directory structure located here:

  • c:\Program Files\Adobe\Adobe Photoshop CS2\Helpers

and its 2 subdirectories:

  • Jump To Graphics Editor
  • Jump To HTML Editor

Dropping your own LNK, EXE or any other executable file inside these subdirectories would let you extend the menu, or… replace the existing LNK file. Basically, this implements a lame persistence mechanism, e.g. as shown in the pic below: