I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts will suffice, but to my surprise it’s already #11. For your convenience, these are links to the older posts::<\/p>\n
You may also want to have a look at ‘A Collection of Autostart Locations’ – a very large and comprehensive list of autostart entries collected by Tony Klein<\/p>\n
Back to the #11.<\/p>\n
In the part #10 (Office Test) I mentioned that Microsoft products seem to be heavily integrated with various testing platforms. I also referenced various aspects of performance analysis, profiling, monitoring and debugging in parts #4 (various debuggers), #6 (VBA Monitors), #7 (OAClient). There is one more trick that we can add to the list – legitimate, developer-friendly profiling mechanisms that can be enabled on non-developer systems and… act as a persistence mechanism.<\/p>\n
The profiling mechanisms described further require a persistent environment variable to be set. This can be achieved by setting the respective values under HKCU or HKLM:<\/p>\n
The values that need to be placed under the Environment keys depend on the profiling mechanism – these are listed below:<\/p>\n
<\/p>\n
<\/p>\n
Example for JS_PROFILER:<\/strong><\/p>\n Adding the following Registry entries:<\/p>\n will ensure that c:\\test\\test.dll (added as a REG_EXPAND_SZ value using ‘@=hex(2):…’) is loaded anytime Internet Explorer is executed or its control instantiated (JS_PROFILER is used internally by JSCRIPT*.DLLs – they handle scripting and they are used by Internet Explorer).<\/p>\n <\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts will suffice, but to my surprise it’s already … Continue reading [HKEY_CLASSES_ROOT\\CLSID\\{12345678-1234-1234-1234-123456789abc}\\InprocServer32]\r\n@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\\\r\n 73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00\r\n\r\n[HKEY_CURRENT_USER\\Environment]\r\n\"JS_PROFILER\"=\"{12345678-1234-1234-1234-123456789abc}\"<\/pre>\n