{"id":5678,"date":"2018-12-16T01:33:12","date_gmt":"2018-12-16T01:33:12","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5678"},"modified":"2018-12-16T01:33:13","modified_gmt":"2018-12-16T01:33:13","slug":"i-fought-the-autoruns-and-autoruns-won","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/12\/16\/i-fought-the-autoruns-and-autoruns-won\/","title":{"rendered":"I fought the Autoruns, and Autoruns won…"},"content":{"rendered":"\n

One of the less visible aspects of security research are constant failures. Anyone who ‘pokes around’ fails a lot. I covered some of my research fails in the past, so in a humble attempt to continue this tradition I am writing another quick post about… well… yet another fail.<\/p>\n\n\n\n

The test I came up with was based on the following:
– Anytime you disable an autorun entry, it is being removed from the startup location, and migrated to the ‘AutorunsDisabled’ bucket – either created as a Registry key or a Folder
<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

– I thought, what if I create an entry, mark it as disabled in Autoruns (forcing it to be moved to the ‘AutorunsDisabled’ bucket), and then re-add it in the same place. Without reverse-engineering the Autoruns I was hypothesizing there is a possibility that a presence of ‘AutorunsDisabled’ Registry key, or respective Folder will prevent Autoruns from displaying the entry in Autoruns, or will somehow affect the logic of this display.
<\/p>\n\n\n\n

I was wrong. A quick test confirmed that when both entries are present, Autoruns simply displays them all:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I fought the Autoruns, and Autoruns won…
<\/p>\n","protected":false},"excerpt":{"rendered":"

One of the less visible aspects of security research are constant failures. Anyone who ‘pokes around’ fails a lot. I covered some of my research fails in the past, so in a humble attempt to continue this tradition I am … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[80],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5678"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5678"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5678\/revisions"}],"predecessor-version":[{"id":5684,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5678\/revisions\/5684"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}