Beyond good ol’ Run key, Part 114

The ability to extend AutoPlay functionality with dedicated handlers is well known and documented. The Registry key shown below is where these handlers get added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers\

Instead of describing this persistence mechanism in detail, I will focus on a slightly different aspect.

Lots of software out there registers its own “personalized” handlers. While such software may not be used much today, it still comes pre-installed on many laptops and workstations.

One could modify these existing handlers so that they point to a malicious component. How to find them? There are at least two ways: use a predefined list, or enumerate all handlers and pick those whose targets reside within the Program Files directory (with an exclusion for Media Player).

The second task is trivial, and the first one is not too difficult either. Looking at installers of media burning software, one can quickly find a lot of candidates:

  • AntsDVDDVDMovieOnArrival
  • ASHAshampoo_Burning_Studio_12BURNONARRIVAL
  • ASHAshampoo_Burning_Studio_12COPYONARRIVAL
  • ASHAshampoo_Burning_Studio_12RIPONARRIVAL
  • ASHAshampoo_Burning_Studio_2013BURNONARRIVAL
  • ASHAshampoo_Burning_Studio_2013COPYONARRIVAL
  • ASHAshampoo_Burning_Studio_2013RIPONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL
  • ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL
  • AVSCaptureVideoCameraArrival
  • BBShowPictureEventHandler
  • BlindWriteAutoplay_741406
  • BurnAware
  • CCShowPicturesOnArrival
  • CDBurnerXP
  • CopyToDVDAutoplay_741406
  • daccdrip
  • DVDClonerBackupDVDMovieOnArrival
  • dvdXsoftRipDVDMovieOnArrival
  • ExsateDVCLHandler
  • ExsateVideoExpressHandler
  • HeliconBurnerOnArrival
  • HMMAddToDatabaseHandler
  • HMMMTPHandler
  • HMMPlayHandler
  • HMMRipAudioCDHandler
  • JoyceCD
  • LightImageResizerAutoplay_741406
  • MagicBurnStudioOpenHandler
  • MPCPlayBluRayOnArrival
  • MPCPlayCDAudioOnArrival
  • MPCPlayDVDMovieOnArrival
  • MPCPlayMusicFilesOnArrival
  • MPCPlayVideoFilesOnArrival
  • P2GCDBurningOnArrival
  • P2GDVDBurningOnArrival
  • PicsPrintAutoplay
  • PIETransfer
  • PlayWithBlazeDVD
  • PlayWithDVDXPlayer
  • Power2GoPlayCDAudioOnArrival
  • PrintstationPrint
  • PStarterBlankCDArrival
  • PStarterDVDBurningOnArrival
  • PStarterMixedCDArrival
  • PStarterMusicFilesArrival
  • PStarterPicturesArrival
  • PStarterVideoFilesArrival
  • S4BCaptureVideoCameraArrival
  • SpybotScanFiles\
  • VCUPlayDVDMovieOnArrival
  • VMP1PlayBluRayMovieOnArrival
  • VMP1PlayDVDMovieOnArrival
  • VMP1PlayMusicFilesOnArrival
  • VMP1PlayVideoFilesOnArrival
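Both approaches (the predefined list and the enumeration of handlers whose targets live under Program Files) can be turned into a single audit script. The following PowerShell is an added example written for this page, not code from the original post; it assumes the standard AutoPlay handler value names documented by Microsoft (Action, Provider, ProgID, InvokeProgID, InvokeVerb), resolves each handler to the command or COM server it runs, and flags entries that appear on the list above, point into Program Files (excluding Media Player), or whose target file is missing or not validly signed. The short known-name list inside the script is a constructed subset of the list above.

```powershell
# Added example (not from the original post): audit AutoPlay event handlers.
# Assumes the Microsoft-documented handler values InvokeProgID/InvokeVerb
# (legacy shell verb handlers) and ProgID (COM handlers).
$HandlersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers'

# Way 1: a predefined list of third-party handler names (subset of the list above)
$KnownThirdParty = @(
    'BurnAware', 'CDBurnerXP', 'daccdrip', 'JoyceCD', 'PicsPrintAutoplay',
    'MPCPlayDVDMovieOnArrival', 'P2GDVDBurningOnArrival', 'PStarterBlankCDArrival'
)

# Resolve the command line (or COM server path) a handler ultimately executes
function Resolve-AutoplayHandlerTarget {
    param([Microsoft.Win32.RegistryKey]$Key)

    $progId = $Key.GetValue('InvokeProgID')
    $verb   = $Key.GetValue('InvokeVerb')
    if ($progId -and $verb) {
        # Shell verb handler: HKCR\<ProgID>\shell\<verb>\command
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
        if (Test-Path $cmdKey) { return (Get-ItemProperty $cmdKey).'(default)' }
    }

    $comProgId = $Key.GetValue('ProgID')
    if ($comProgId) {
        # COM handler: HKCR\<ProgID>\CLSID -> HKCR\CLSID\{...}\InProcServer32 or LocalServer32
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\$comProgId\CLSID"
        if (Test-Path $clsidKey) {
            $clsid = (Get-ItemProperty $clsidKey).'(default)'
            foreach ($srv in 'InProcServer32', 'LocalServer32') {
                $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$srv"
                if (Test-Path $srvKey) { return (Get-ItemProperty $srvKey).'(default)' }
            }
        }
    }
    return $null
}

function Get-SuspiciousAutoplayHandlers {
    $programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    Get-ChildItem $HandlersKey | ForEach-Object {
        $name     = $_.PSChildName
        $target   = Resolve-AutoplayHandlerTarget -Key $_
        $expanded = if ($target) { [Environment]::ExpandEnvironmentVariables($target) } else { '' }

        # Way 2: target under Program Files, with the Media Player exclusion from the post
        $inProgramFiles = $false
        foreach ($pf in $programFiles) {
            if ($expanded -like "*$pf*") { $inProgramFiles = $true }
        }
        $isMediaPlayer = $expanded -like '*Windows Media Player*'

        # Extra defender check: does the executable/DLL exist, and is it signed?
        $file = $null
        if ($expanded -match '^"?([^"]+\.(exe|dll))') { $file = $Matches[1] }
        $sig = if ($file -and (Test-Path -LiteralPath $file)) {
            (Get-AuthenticodeSignature -LiteralPath $file).Status
        } else { 'FileMissing' }

        [PSCustomObject]@{
            Handler        = $name
            Provider       = $_.GetValue('Provider')
            Target         = $target
            OnKnownList    = $KnownThirdParty -contains $name
            InProgramFiles = $inProgramFiles -and -not $isMediaPlayer
            Signature      = $sig
        }
    } | Where-Object { $_.OnKnownList -or $_.InProgramFiles -or $_.Signature -ne 'Valid' }
}

Get-SuspiciousAutoplayHandlers | Format-Table -AutoSize
```

Run it from an elevated prompt on a baseline image and again on a suspect host; a handler whose resolved target changed, now points outside the vendor's install directory, or lost its valid signature is the redirect the post describes. The Target column is also the right thing to baseline in a registry-monitoring rule for the Handlers key.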

Of course, such a persistence method could only be used as a Plan B. After all, who is still burning CDs today…

Beyond good ol’ Run key, Part 113

This is another one where I just document things that are not commonly known, but _are_ very well documented, have been for years, and are definitely still worth describing in this series.

While looking at the well-known dbghelp.dll library, I noticed that it looks for entries under:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls

These entries are enumerated and then loaded via LoadLibrary.

A quick Google session followed, and I found this awesome post from 2007.

-----Original Message-----
From:
Subject: RE: managed minidump
Auxiliary DLLs are loaded inside of MiniDumpWriteDump when it finds a registered auxiliary DLL for a module in the target process. The lookup is to take the full path of the module and see if there’s a registered auxiliary DLL. You can’t have multiple aux DLLs for a single module path.
-----Original Message-----
From: Junfeng Zhang
Subject: RE: managed minidump
When are auxiliary dlls loaded?
What is the behavior when there are multiple entries under each key?
-----Original Message-----
From:
Subject: RE: managed minidump
Both are filled with string values of the form = . MiniDumpAuxiliaryDlls lists helper DLLs that the minidump code can use to get additional data during dump generation. For example, mscorwks.dll has a registered auxiliary of mscordacwks.dll, which provides extra CLR memory data for a minidump.
KnownManagedDebuggingDlls is a security measure so that a debugger, when attempting to load extra support DLLs for managed debugging, can know what DLLs are approved for use on the system. The CLR registers mscordacwks.dll here, for example.
Both are kept in HKLM so that they can only be written by an admin.
-----Original Message-----
From: Junfeng Zhang
Subject: managed minidump
How does OS use the following two registry keys?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls

As you can see, not only the KnownManagedDebuggingDlls branch but also MiniDumpAuxiliaryDlls is of value for threat hunters.
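For threat hunters, the practical question is which DLLs those two branches currently nominate for loading by dbghelp.dll and the debuggers that trust it. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft; it enumerates both branches and, on the assumption (labelled in the code) that value names and data hold full DLL paths, checks whether each nominated DLL sits under the Windows or .NET directories, exists on disk, and carries a valid Microsoft signature. Anything failing those checks is the kind of entry worth a closer look.

```powershell
# Added example (not from the original post): audit the DLLs registered under
# KnownManagedDebuggingDlls and MiniDumpAuxiliaryDlls.
# Assumption: value names (and, for MiniDumpAuxiliaryDlls, value data) contain
# full DLL paths; any path-looking string in name or data is treated as a candidate.
$Branches = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls'
)

# Directories where Microsoft's own debugging helpers normally live
$ExpectedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'Microsoft.NET')
)

function Test-UnderExpectedRoot {
    param([string]$Path)
    foreach ($root in $ExpectedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-DebuggingDllEntries {
    foreach ($branch in $Branches) {
        if (-not (Test-Path $branch)) { continue }
        $key = Get-Item $branch
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            # Every DLL path mentioned in the value name or its data is a load candidate
            $candidates = @($valueName, "$data") | Where-Object { $_ -match '\.dll$' }
            foreach ($dll in $candidates) {
                $exists  = Test-Path -LiteralPath $dll
                $sigInfo = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
                $status  = if ($sigInfo) { $sigInfo.Status } else { 'FileMissing' }
                $signer  = if ($sigInfo -and $sigInfo.SignerCertificate) {
                    $sigInfo.SignerCertificate.Subject
                } else { $null }
                $underRoot = Test-UnderExpectedRoot $dll

                [PSCustomObject]@{
                    Branch       = Split-Path $branch -Leaf
                    ValueName    = $valueName
                    Data         = $data
                    Dll          = $dll
                    ExpectedRoot = $underRoot
                    Exists       = $exists
                    Signature    = $status
                    Signer       = $signer
                    # Flag: outside expected directories, missing, unsigned, or not Microsoft-signed
                    Suspicious   = (-not $underRoot) -or ($status -ne 'Valid') -or ($signer -notlike '*Microsoft*')
                }
            }
        }
    }
}

Get-DebuggingDllEntries |
    Sort-Object Suspicious -Descending |
    Format-Table Branch, Dll, ExpectedRoot, Signature, Suspicious -AutoSize
```

Because both branches live under HKLM, a write to them already implies administrative rights, so the useful detection is a change rather than the existence of the keys: baseline the output on a clean build and alert on new values, on data that points outside the expected roots, or on a DLL whose signer is no longer Microsoft. The script reads only the native registry view; if the 32-bit (WOW6432Node) view matters in your environment, add that path to the list of branches.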