Beyond good ol’ Run key, Part 141

In my recent post on Mastodon I asked if there is any repo of Shadowpad side-loading combos. I asked because a long time ago I created one for PlugX, and was hoping that maybe there is one for Shadowpad that I am not aware of.

I was aware of two existing combos at the time of posting, but googling around I found some more.

Here they are:

  • AppLaunch.exe (Microsoft) [source]
    • mscoree.dll
  • hpqhvind.exe (Hewlett Packard) [source]
    • hpqhvsei.dll
  • consent.exe (Microsoft) [source]
    • secur32.dll
      • secur32.dll.dat
  • TosBtKbd.exe (Toshiba) [source]
    • tosbtkbd.dll
  • BDReinit.exe (BitDefender) [source]
    • log.dll
      • log.dll.dat
  • Oleview.exe (Microsoft) [source]
    • iviewers.dll
      • iviewers.dll.dat
  • RasTls.exe [source]
    • RasTls.dll (thx @fe7ch)
      • RasTls.dat

Beyond good ol’ Run key, Part 140

This is a real oldie, but still worth a mention…

Java gives us a lot of persistence possibilities and one of them is environment variables; when set, they will be adhered to, and as such, can be abused:

  • JAVA_HOME – where the Java run-time resides
  • LIBRARY_PATH – where the Java libraries sit
  • JVM_DLL – this is a juicy one: which Java virtual machine DLL to load

If you see these set on the system, keep an eye on what they are pointing to.
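A small triage script that turns both lists above into checks: it walks a file listing for the Shadowpad host-EXE/DLL pairs from Part 141 and reviews the Java variables from Part 140. This is an added example, not code from the original post; the file listing and environment are constructed samples, and the "skip System32/SysWOW64" and "user-writable roots" rules are my own heuristics.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Side-loading combos from the list above: host EXE -> (companion DLL, optional encrypted payload)
SIDELOAD_COMBOS = {
    "applaunch.exe": ("mscoree.dll", None),
    "hpqhvind.exe": ("hpqhvsei.dll", None),
    "consent.exe": ("secur32.dll", "secur32.dll.dat"),
    "tosbtkbd.exe": ("tosbtkbd.dll", None),
    "bdreinit.exe": ("log.dll", "log.dll.dat"),
    "oleview.exe": ("iviewers.dll", "iviewers.dll.dat"),
    "rastls.exe": ("rastls.dll", "rastls.dat"),
}
JAVA_ENV_VARS = ("JAVA_HOME", "LIBRARY_PATH", "JVM_DLL")
# Heuristic (assumption): Java paths rooted here are user-writable and deserve a closer look.
SUSPICIOUS_ROOTS = ("c:\\programdata", "c:\\users", "c:\\windows\\temp")

def find_sideload_combos(paths):
    """Report directories holding a known host EXE next to its companion DLL.
    Windows' own copies in System32/SysWOW64 are skipped (heuristic), so a hit
    means the pair was staged somewhere else. Returns (dir, exe, dll, dat-or-None)."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        parts = tuple(x.lower() for x in wp.parent.parts)
        if len(parts) >= 3 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
            continue
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    hits = []
    for d, names in by_dir.items():
        for exe, (dll, dat) in SIDELOAD_COMBOS.items():
            if exe in names and dll in names:
                hits.append((d, exe, dll, dat if dat in names else None))
    return sorted(hits)

def check_java_env(env):
    """JVM_DLL is reported whenever it is set (it picks the JVM DLL to load);
    JAVA_HOME and LIBRARY_PATH only when they point into a user-writable root."""
    findings = {}
    for var in JAVA_ENV_VARS:
        value = env.get(var)
        if value is not None and (var == "JVM_DLL" or value.lower().startswith(SUSPICIOUS_ROOTS)):
            findings[var] = value
    return findings

# Constructed sample data: one legitimate pair in System32, two staged pairs, one lone EXE.
SAMPLE_LISTING = [
    r"C:\Windows\System32\consent.exe", r"C:\Windows\System32\secur32.dll",
    r"C:\ProgramData\Update\consent.exe", r"C:\ProgramData\Update\secur32.dll",
    r"C:\ProgramData\Update\secur32.dll.dat",
    r"C:\Users\Public\Libraries\oleview.exe", r"C:\Users\Public\Libraries\iviewers.dll",
    r"C:\Program Files\HP\hpqhvind.exe",
]
SAMPLE_ENV = {"JAVA_HOME": r"C:\Program Files\Java\jdk-17",
              "LIBRARY_PATH": r"C:\Users\Public\lib", "JVM_DLL": r"C:\ProgramData\jvm.dll"}
```

On a live host, feed it the output of a recursive directory listing and `os.environ` instead of the samples.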