ximad pinged me asking if I can make some of the content more readable – I will think about it and perhaps convert some of this stuff into a PDF, but in the meantime here is a series of links for the ‘longer’ series on the blog
Da Li’L World of DLL Exports and Entry Points
Da Li’L World of DLL Exports and Entry Points, Part 1
https://www.hexacorn.com/blog/2013/08/08/da-lil-world-of-dll-exports-and-entry-points-part-1/
Da Li’L World of DLL Exports and Entry Points, Part 2
https://www.hexacorn.com/blog/2013/08/11/da-lil-world-of-dll-exports-and-entry-points-part-2/
Da Li’L World of DLL Exports and Entry Points, Part 3
https://www.hexacorn.com/blog/2013/08/21/da-lil-world-of-dll-exports-and-entry-points-part-3/
Anti-forensics
The shortest anti-forensics code in the world
https://www.hexacorn.com/blog/2012/01/21/the-shortest-anti-forensics-code-in-the-world/
The shortest anti-forensics code in the world – take #2
https://www.hexacorn.com/blog/2012/03/16/the-shortest-anti-forensics-code-in-the-world-take-2/
Purple Haze – Anti-forensics and anti-detection
https://www.hexacorn.com/blog/2012/02/13/purple-haze-anti-forensics-and-andi-detection/
Anti-forensics – live examples
https://www.hexacorn.com/blog/2012/02/18/anti-forensics-live-examples/
Anti-forensics – live examples, Part 2
https://www.hexacorn.com/blog/2014/06/27/anti-forensics-live-examples-part-2/
Anti-forensics – live examples, Part 3
https://www.hexacorn.com/blog/2014/08/29/anti-forensics-live-examples-part-3/
Enter Sandbox Series
Enter Sandbox – part 1: All APIs are equal, but some APIs are more equal than others
https://www.hexacorn.com/blog/2015/05/29/enter-sandbox-part-1-all-api-are-equal-but-some-apis-are-more-equal-than-others/
Enter Sandbox – part 2: COM, babe COM
https://www.hexacorn.com/blog/2015/06/09/enter-sandbox-part-2-com-babe-com/
Enter Sandbox – part 3: If you see Native code is creative
https://www.hexacorn.com/blog/2015/06/10/enter-sandbox-part-3-if-you-see-native-code-is-creative/
Enter Sandbox – part 4: In search for Deus Ex Machina
https://www.hexacorn.com/blog/2015/06/12/enter-sandbox-part-4-in-search-for-deus-ex-machina/
Enter Sandbox – part 5: In search for Deus Ex Machina II
https://www.hexacorn.com/blog/2015/06/17/enter-sandbox-part-5-in-search-for-deus-ex-machina-ii/
Enter Sandbox – part 6: The Nullsoft hypothesis and other installers' conundrums
https://www.hexacorn.com/blog/2015/06/26/enter-sandbox-part-6-the-nullsoft-hypothesis-and-other-installers-conundrums/
Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας
https://www.hexacorn.com/blog/2015/06/27/enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83/
Beyond good ol’ Run key
Beyond good ol’ Run key
https://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/
- A large number of different, more and less well-known mechanisms described – first part of the series and, as such, quite a big post
- ICQ
- HKCU\Software\Mirabilis\ICQ\Agent\Apps
- Standard apps that contain functionality / options to launch mandatory programs (P2P apps, etc.)
- ‘Scanning’ files with AV when downloaded
- Windows Shell alternatives
- AutoStart when Scanner button is pressed
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications
- HKLM\SYSTEM\CurrentControlSet\Control\StillImage\Events\STIProxyEvent
- Autostart by re-using existing autostart entries
- Autostart via Plugins
- File System infection
Beyond good ol’ Run key, Part 2
https://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/
- Focused on standard apps that contain functionality / options to launch mandatory programs (archivers, downloaders, messengers, etc.), where the functionality is related to external viewers and AV scanners
- WinRar
- HKCU\Software\WinRAR\Viewer\ExternalViewer
- HKCU\Software\WinRAR\VirusScan\Name
- WinZip
- HKCU\Software\Nico Mak Computing\WinZip\programs\zip2exe
- HKCU\Software\Nico Mak Computing\WinZip\programs\viewer
- HKCU\Software\Nico Mak Computing\WinZip\programs\vviewer
- HKCU\Software\Nico Mak Computing\WinZip\programs\arc
- HKCU\Software\Nico Mak Computing\WinZip\programs\arj
- HKCU\Software\Nico Mak Computing\WinZip\programs\lha
- HKCU\Software\Nico Mak Computing\WinZip\programs\scan
- Internet Download Manager
- HKCU\Software\DownloadManager\VScannerProgram
- Download Accelerator Plus (DAP)
- HKCU\Software\SpeedBit\Download Accelerator\AntiVirusEXE
- Orbit Downloader
- %USERPROFILE%\Application Data\Orbit\conf.dat
- Windows Live Messenger
- HKCU\Software\Microsoft\MSNMessenger\AntiVirus
- Miranda
- %USERPROFILE%\Application Data\Miranda\PROFILEFOLDER\PROFILEFILENAME.dat
Beyond good ol’ Run key, Part 3
https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- Code-in-the-middle proxy
- Application Registration (App Paths) hijacking
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- Text Services (TSF)
- DLL load order
- IIS Server Extensions (ISAPI filters)
- AppCertDlls
- HKLM\CurrentControlSet\Control\Session Manager\AppCertDlls
Beyond good ol’ Run key, Part 4
https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- Hijacking debuggers
- Standalone Debugger (32- and 64- bit)
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
- .NET Debugger (32- and 64- bit)
- HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
- HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
- Script Debugger
- HKCR\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32\@
- Hijacking Process Debug Manager
- HKLM\SOFTWARE\Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32\@
- ServiceDll Hijack
- ServiceDll parameter under HKLM\SYSTEM\CurrentControlSet\Services\
- Mapi32 Stub Library
- HKLM\Software\Clients\Mail::(default)\DLLPath
- HKLM\Software\Clients\Mail::(default)\DLLPathEx
- Hijacking Client executables
- HKLM\Software\Clients\ f.ex.
- HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\HideIconsCommand
- HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ReinstallCommand
- HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ShowIconsCommand
- Windows 2000 Welcome
- C:\WINNT\Welcome.exe via
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\tips\Show
Beyond good ol’ Run key, Part 5
https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- A number of Phantom DLLs that are loaded as code via LoadLibrary variants, but not present on a system in its default install
Beyond good ol’ Run key, Part 6
https://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/
- Visual Basic persistence via
- HKLM\SOFTWARE\Microsoft\VBA\Monitors
Beyond good ol’ Run key, Part 7
https://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/
- Oasys (Office Automation System) loading %windir%\system32\BTLOG.DLL via
- HKLM\SOFTWARE\Microsoft\OASys\OAClient
Beyond good ol’ Run key, Part 8
https://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/
- Persistence via Jumplists, including Multiple Link functionality that launches more than one application with one click
Beyond good ol’ Run key, Part 9
https://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/
- Persistence via Pinned Apps pointing to malicious components
Beyond good ol’ Run key, Part 10
https://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/
- HKCU\Software\Microsoft\Office Test\Special\Perf (used by Sofacy)
- WWLIBcxm.DLL proxy loaded via
- HKCU\Software\Microsoft\Office\14.0\Word
Beyond good ol’ Run key, Part 11
https://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/
- Added large repository of autoruns mechanisms
- http://gladiator-antivirus.com/forum/index.php?showtopic=24610
- Persistence via modified Environment variables (permanently set inside the Registry)
- HKCU\Environment
Beyond good ol’ Run key, Part 12
https://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/
Beyond good ol’ Run key, Part 13
https://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/
Beyond good ol’ Run key, Part 14
https://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/
Beyond good ol’ Run key, Part 15
https://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/
Beyond good ol’ Run key, Part 16
https://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/
Beyond good ol’ Run key, Part 17
https://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/
Beyond good ol’ Run key, Part 18
https://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
Beyond good ol’ Run key, Part 19
https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/
Beyond good ol’ Run key, Part 20
https://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/
Beyond good ol’ Run key, Part 21
https://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/
Beyond good ol’ Run key, Part 22
https://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/
Beyond good ol’ Run key, Part 23
https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/
Beyond good ol’ Run key, Part 24
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
Beyond good ol’ Run key, Part 25
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/
Beyond good ol’ Run key, Part 26
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/
Beyond good ol’ Run key, Part 27
https://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/
Beyond good ol’ Run key, Part 28
https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
Beyond good ol’ Run key, Part 29
https://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/
Beyond good ol’ Run key, Part 30
https://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/
Beyond good ol’ Run key, Part 31
https://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/
Beyond good ol’ Run key, Part 32
https://www.hexacorn.com/blog/2015/09/12/beyond-good-ol-run-key-part-32/
Beyond good ol’ Run key, Part 33
https://www.hexacorn.com/blog/2015/10/20/beyond-good-ol-run-key-part-33/
Beyond good ol’ Run key, Part 34
https://www.hexacorn.com/blog/2016/02/16/beyond-good-ol-run-key-part-34/
Beyond good ol’ Run key, Part 35
https://www.hexacorn.com/blog/2016/03/01/beyond-good-ol-run-key-part-35/
Beyond good ol’ Run key, Part 36
https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
Beyond good ol’ Run key, Part 37
https://www.hexacorn.com/blog/2016/03/26/beyond-good-ol-run-key-part-37/
Beyond good ol’ Run key, Part 38
https://www.hexacorn.com/blog/2016/05/27/beyond-good-ol-run-key-part-38/
Beyond good ol’ Run key, Part 39
https://www.hexacorn.com/blog/2016/05/30/beyond-good-ol-run-key-part-39/
Beyond good ol’ Run key, Part 40
https://www.hexacorn.com/blog/2016/06/02/beyond-good-ol-run-key-part-40/
Beyond good ol’ Run key, Part 41
https://www.hexacorn.com/blog/2016/07/08/beyond-good-ol-run-key-part-41/
Beyond good ol’ Run key, Part 42
https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Beyond good ol’ Run key, Part 43
https://www.hexacorn.com/blog/2016/07/28/beyond-good-ol-run-key-part-43/