Links to post series

ximad pinged me asking if I can make some of the content more readable – I will think about it and perhaps convert some of this stuff into a PDF, but in the meantime here is a series of links for the ‘longer’ series on the blog.

Da Li’L World of DLL Exports and Entry Points

Da Li’L World of DLL Exports and Entry Points, Part 1
https://www.hexacorn.com/blog/2013/08/08/da-lil-world-of-dll-exports-and-entry-points-part-1/

Da Li’L World of DLL Exports and Entry Points, Part 2
https://www.hexacorn.com/blog/2013/08/11/da-lil-world-of-dll-exports-and-entry-points-part-2/

Da Li’L World of DLL Exports and Entry Points, Part 3
https://www.hexacorn.com/blog/2013/08/21/da-lil-world-of-dll-exports-and-entry-points-part-3/

Anti-forensics

The shortest anti-forensics code in the world
https://www.hexacorn.com/blog/2012/01/21/the-shortest-anti-forensics-code-in-the-world/

The shortest anti-forensics code in the world – take #2
https://www.hexacorn.com/blog/2012/03/16/the-shortest-anti-forensics-code-in-the-world-take-2/

Purple Haze – Anti-forensics and anti-detection
https://www.hexacorn.com/blog/2012/02/13/purple-haze-anti-forensics-and-andi-detection/

Anti-forensics – live examples
https://www.hexacorn.com/blog/2012/02/18/anti-forensics-live-examples/

Anti-forensics – live examples, Part 2
https://www.hexacorn.com/blog/2014/06/27/anti-forensics-live-examples-part-2/

Anti-forensics – live examples, Part 3
https://www.hexacorn.com/blog/2014/08/29/anti-forensics-live-examples-part-3/

Enter Sandbox Series

Enter Sandbox – part 1: All APIs are equal, but some APIs are more equal than others
https://www.hexacorn.com/blog/2015/05/29/enter-sandbox-part-1-all-api-are-equal-but-some-apis-are-more-equal-than-others/

Enter Sandbox – part 2: COM, babe COM
https://www.hexacorn.com/blog/2015/06/09/enter-sandbox-part-2-com-babe-com/

Enter Sandbox – part 3: If you see Native code is creative
https://www.hexacorn.com/blog/2015/06/10/enter-sandbox-part-3-if-you-see-native-code-is-creative/

Enter Sandbox – part 4: In search for Deus Ex Machina
https://www.hexacorn.com/blog/2015/06/12/enter-sandbox-part-4-in-search-for-deus-ex-machina/

Enter Sandbox – part 5: In search for Deus Ex Machina II
https://www.hexacorn.com/blog/2015/06/17/enter-sandbox-part-5-in-search-for-deus-ex-machina-ii/

Enter Sandbox – part 6: The Nullsoft hypothesis and other installers' conundrums
https://www.hexacorn.com/blog/2015/06/26/enter-sandbox-part-6-the-nullsoft-hypothesis-and-other-installers-conundrums/

Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας
https://www.hexacorn.com/blog/2015/06/27/enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83/

Beyond good ol’ Run key

Beyond good ol’ Run key

https://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/

  • A large number of different, more or less well-known mechanisms described – first part of the series and as such, quite a big post
  • ICQ
    • HKCU\Software\Mirabilis\ICQ\Agent\Apps
  • Standard apps that contain functionality / options to launch mandatory programs (P2P apps, etc.)
  • ‘Scanning’ files with AV when downloaded
  • Windows Shell alternatives
  • AutoStart when Scanner button is pressed
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications
    • HKLM\SYSTEM\CurrentControlSet\Control\StillImage\Events\STIProxyEvent
  • Autostart by re-using existing autostart entries
  • Autostart via Plugins
  • File System infection

Beyond good ol’ Run key, Part 2

https://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/

  • Focused on standard apps that contain functionality / options to launch mandatory programs (archivers, downloaders, messengers, etc.), where the functionality is related to external viewers and AV scanners
    • WinRar
      • HKCU\Software\WinRAR\Viewer\ExternalViewer
      • HKCU\Software\WinRAR\VirusScan\Name
    • WinZip
      • HKCU\Software\Nico Mak Computing\WinZip\programs\zip2exe
      • HKCU\Software\Nico Mak Computing\WinZip\programs\viewer
      • HKCU\Software\Nico Mak Computing\WinZip\programs\vviewer
      • HKCU\Software\Nico Mak Computing\WinZip\programs\arc
      • HKCU\Software\Nico Mak Computing\WinZip\programs\arj
      • HKCU\Software\Nico Mak Computing\WinZip\programs\lha
      • HKCU\Software\Nico Mak Computing\WinZip\programs\scan
    • Internet Download Manager
      • HKCU\Software\DownloadManager\VScannerProgram
    • Download Accelerator Plus (DAP)
      • HKCU\Software\SpeedBit\Download Accelerator\AntiVirusEXE
    • Orbit Downloader
      • %USERPROFILE%\Application Data\Orbit\conf.dat
    • Windows Live Messenger
      • HKCU\Software\Microsoft\MSNMessenger\AntiVirus
    • Miranda
      • %USERPROFILE%\Application Data\Miranda\PROFILEFOLDER\PROFILEFILENAME.dat

Beyond good ol’ Run key, Part 3

https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

  • Code-in-the-middle proxy
  • Application Registration (App Paths) hijacking
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  • Text Services (TSF)
  • DLL load order
  • IIS Server Extensions (ISAPI filters)
  • AppCertDlls
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

Beyond good ol’ Run key, Part 4
https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

  • Hijacking debuggers
    • Standalone Debugger (32- and 64-bit)
      • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    • .NET Debugger (32- and 64-bit)
      • HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
    • Script Debugger
      • HKCR\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32\@
  • Hijacking Process Debug Manager
    • HKLM\SOFTWARE\Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32\@
  • ServiceDll Hijack
    • ServiceDll parameter under HKLM\SYSTEM\CurrentControlSet\Services\
  • Mapi32 Stub Library
    • HKLM\Software\Clients\Mail::(default)\DLLPath
    • HKLM\Software\Clients\Mail::(default)\DLLPathEx
  • Hijacking Client executables
    • Entries under HKLM\Software\Clients\, e.g.
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\HideIconsCommand
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ReinstallCommand
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ShowIconsCommand
  • Windows 2000 Welcome
    • C:\WINNT\Welcome.exe via
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\tips\Show

Beyond good ol’ Run key, Part 5
https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

  • A number of phantom DLLs that are loaded as code via LoadLibrary variants but are not present on a system in its default install

Beyond good ol’ Run key, Part 6
https://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/

  • Visual Basic persistence via
    • HKLM\SOFTWARE\Microsoft\VBA\Monitors

Beyond good ol’ Run key, Part 7
https://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/

  • Oasys (Office Automation System) loading %windir%\system32\BTLOG.DLL via
    • HKLM\SOFTWARE\Microsoft\OASys\OAClient

Beyond good ol’ Run key, Part 8
https://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/

  • Persistence via Jumplists, including Multiple Link functionality that launches more than one application with one click

Beyond good ol’ Run key, Part 9
https://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/

  • Persistence via Pinned Apps pointing to malicious components

Beyond good ol’ Run key, Part 10
https://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

  • HKCU\Software\Microsoft\Office Test\Special\Perf (used by Sofacy)
  • WWLIBcxm.DLL proxy loaded via
    • HKCU\Software\Microsoft\Office\14.0\Word

Beyond good ol’ Run key, Part 11
https://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/

  • Added large repository of autoruns mechanisms
    • http://gladiator-antivirus.com/forum/index.php?showtopic=24610
  • Persistence via modified Environment variables (permanently set inside the Registry)
    • HKCU\Environment


Beyond good ol’ Run key, Part 12
https://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

Beyond good ol’ Run key, Part 13
https://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/

Beyond good ol’ Run key, Part 14
https://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/

Beyond good ol’ Run key, Part 15
https://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/

Beyond good ol’ Run key, Part 16
https://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/

Beyond good ol’ Run key, Part 17
https://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/

Beyond good ol’ Run key, Part 18
https://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

Beyond good ol’ Run key, Part 19
https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/

Beyond good ol’ Run key, Part 20
https://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/

Beyond good ol’ Run key, Part 21
https://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/

Beyond good ol’ Run key, Part 22
https://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/

Beyond good ol’ Run key, Part 23
https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/

Beyond good ol’ Run key, Part 24
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

Beyond good ol’ Run key, Part 25
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/

Beyond good ol’ Run key, Part 26
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/

Beyond good ol’ Run key, Part 27
https://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/

Beyond good ol’ Run key, Part 28
https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/

Beyond good ol’ Run key, Part 29
https://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/

Beyond good ol’ Run key, Part 30
https://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/

Beyond good ol’ Run key, Part 31
https://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/

Beyond good ol’ Run key, Part 32
https://www.hexacorn.com/blog/2015/09/12/beyond-good-ol-run-key-part-32/

Beyond good ol’ Run key, Part 33
https://www.hexacorn.com/blog/2015/10/20/beyond-good-ol-run-key-part-33/

Beyond good ol’ Run key, Part 34
https://www.hexacorn.com/blog/2016/02/16/beyond-good-ol-run-key-part-34/

Beyond good ol’ Run key, Part 35
https://www.hexacorn.com/blog/2016/03/01/beyond-good-ol-run-key-part-35/

Beyond good ol’ Run key, Part 36
https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/

Beyond good ol’ Run key, Part 37
https://www.hexacorn.com/blog/2016/03/26/beyond-good-ol-run-key-part-37/

Beyond good ol’ Run key, Part 38
https://www.hexacorn.com/blog/2016/05/27/beyond-good-ol-run-key-part-38/

Beyond good ol’ Run key, Part 39
https://www.hexacorn.com/blog/2016/05/30/beyond-good-ol-run-key-part-39/

Beyond good ol’ Run key, Part 40
https://www.hexacorn.com/blog/2016/06/02/beyond-good-ol-run-key-part-40/

Beyond good ol’ Run key, Part 41
https://www.hexacorn.com/blog/2016/07/08/beyond-good-ol-run-key-part-41/

Beyond good ol’ Run key, Part 42
https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Beyond good ol’ Run key, Part 43
https://www.hexacorn.com/blog/2016/07/28/beyond-good-ol-run-key-part-43/

3 years in blogging

October marks the third anniversary of this blog. Since I am not a very nostalgic person I won’t be recalling all the highlights, blunders, mistakes, ups and downs of this piece of the interwebs, but want to take a second to thank all the readers for reading, providing feedback, corrections, suggestions, re-tweets and in general being really cool about this little experiment.

On a personal note, writing a blog is a great educational experience and I encourage anyone who has never tried it to actually do it and persist. It allows you to connect with lots of smart people sharing the very same passion & profession. You will be surprised how many of them are out there!

Thanks for reading!