Category Archives: Compromise Detection

Beyond good ol’ Run key, Part 73

Posted on by

If you have a dvdplay.exe program on your system you can quickly do two things with it:

  • use it to disturb the process tree
  • leveraging the fact it is a signed binary – add it to any common startup place and achieve a nice, invisible persistence mechanism, possibly bypassing some security  solutions (they will just detect entries pointing to a signed binary and nothing else)

How?

The dvdplay.exe program is a simple wrapper that actually calls wmplayer.exe. But not the one you would expect.

In order to find a path to the wmplayer, it reads the following Registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
"Path"="c:\\malware\\"

So… changing that path to any path in your control, you can drop your wmplayer.exe there and voila!

Beyond good ol’ Run key, Part 72

Posted on by

In my old post I described a simple trick that shows how to set up a hot key that can be assigned to execute shortcuts (.LNK files) placed on a Desktop or in a Start Menu. This action survives reboots and logon/logoffs so it’s a nice, and somehow accidental persistence mechanism.

Turns out there is one more variant of this trick that relies on using the .URL files.

Placing a .URL files containing the following data:

[InternetShortcut]
URL=file:///c:/windows/system32/calc.exe
HotKey=768

on a Desktop will assign CTRL+SHIFT sequence to an action that will trigger the execution of the calculator.

The Hotkey can be assigned either manually (via properties):

– in such case you won’t be able to assign the more trickier combinations like CTRL+SHIFT. Or we can do it manually, and in such case all the hotkey tricks are available. All you have to do is to assign a proper value to the HotKey parameter inside the .url file.

You can find out what values represent what codes or by experimenting… or… you can cheat and read this old guide: An Unofficial Guide to the URL File Format.