{"id":5075,"date":"2018-07-06T23:25:17","date_gmt":"2018-07-06T23:25:17","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5075"},"modified":"2018-07-06T23:48:17","modified_gmt":"2018-07-06T23:48:17","slug":"beyond-good-ol-run-key-part-80","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/07\/06\/beyond-good-ol-run-key-part-80\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 80"},"content":{"rendered":"

I talked about remapping keys a number of times (e.g. remapping Win+E<\/a>, adding sneaky hotkeys<\/a>, adding more sneaky hotkeys<\/a>).<\/p>\n

Today I am describing one more Registry entry that is a subject to remapping, and as such, may be used as yet another persistence mechanism…<\/p>\n

Modern keyboards come with a variety of ‘media’ buttons. Their assignment seems to be hardcoded, but in reality, one can change it by modifying the following entries in the Registry:<\/p>\n

HKCU or HKLM\\software\\microsoft\\windows\\\r\ncurrentversion\\explorer\\appkey\\<number>\\\r\nShellExecute=<program><\/pre>\n
The <number> is the crucial bit – e.g. the calculator button is number 18 so if you change it, anytime someone presses the Calc media button that chosen program will be launched instead.<\/p>\n
All the mappings are listed in MSDN<\/a>.<\/p>\n
You may notice that 18 that belongs to Calculator is named as APPCOMMAND_LAUNCH_APP2, but such is life. Don’t trust the documentation \ud83d\ude42<\/p>\n
Note:<\/p>\n
I didn’t discover it, but I don’t recall seeing it mentioned in a context of persistence, so documenting it for the sake of it… Having said that, I must mention that googling around led me to this blog post<\/a> where the very same trick is described as being used to deliver a clever evasion – courtesy of PlugX.<\/p>\n
Note2:<\/p>\n
Turns out there is a good post from Jan 2018<\/a> describing 2 additional registry entries that you may find under the same location:<\/p>\n