{"id":6755,"date":"2019-09-07T22:45:27","date_gmt":"2019-09-07T22:45:27","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6755"},"modified":"2019-09-07T22:46:51","modified_gmt":"2019-09-07T22:46:51","slug":"beyond-good-ol-run-key-part-114","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/09\/07\/beyond-good-ol-run-key-part-114\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 114"},"content":{"rendered":"\n<p>The ability to extend AutoPlay functionality with dedicated handlers is well-known and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/shell\/how-to-register-a-handler-for-a-device-event\">documented<\/a>. The Registry key shown below is where these get added:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoplayHandlers\\Handlers\\<\/p><\/blockquote>\n\n\n\n<p>Instead of describing this persistence mechanism in detail, I will focus on a slightly different aspect.<\/p>\n\n\n\n<p>Lots of software out there registers its own &#8220;personalized&#8221; handlers. While such software may no longer be used very often today, it still comes pre-installed on many laptops and workstations.<\/p>\n\n\n\n<p>One could modify these existing handlers to redirect them to a malicious component. How to find them? There are at least two ways: use a predefined list, or enumerate all handlers and find those whose handler binaries reside under the Program Files directory (with an exclusion for Media Player).<\/p>\n\n\n\n<p>The second task is trivial, and the first is not too difficult either. 
Looking at installers of media burning software one can quickly find a lot of candidates:<\/p>\n\n\n\n<ul><li>AntsDVDDVDMovieOnArrival<\/li><li> ASHAshampoo_Burning_Studio_12BURNONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_12COPYONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_12RIPONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_2013BURNONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_2013COPYONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_2013RIPONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL<\/li><li> ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL<\/li><li> AVSCaptureVideoCameraArrival<\/li><li> BBShowPictureEventHandler<\/li><li> BlindWriteAutoplay_741406<\/li><li> BurnAware<\/li><li> CCShowPicturesOnArrival<\/li><li> CDBurnerXP<\/li><li> CopyToDVDAutoplay_741406<\/li><li> daccdrip<\/li><li> DVDClonerBackupDVDMovieOnArrival<\/li><li> dvdXsoftRipDVDMovieOnArrival<\/li><li> ExsateDVCLHandler<\/li><li> ExsateVideoExpressHandler<\/li><li> HeliconBurnerOnArrival<\/li><li> HMMAddToDatabaseHandler<\/li><li> HMMMTPHandler<\/li><li> HMMPlayHandler<\/li><li> HMMRipAudioCDHandler<\/li><li> JoyceCD<\/li><li> LightImageResizerAutoplay_741406<\/li><li> MagicBurnStudioOpenHandler<\/li><li> MPCPlayBluRayOnArrival<\/li><li> MPCPlayCDAudioOnArrival<\/li><li> MPCPlayDVDMovieOnArrival<\/li><li> MPCPlayMusicFilesOnArrival<\/li><li> MPCPlayVideoFilesOnArrival <\/li><li> P2GCDBurningOnArrival<\/li><li> P2GDVDBurningOnArrival<\/li><li> PicsPrintAutoplay<\/li><li> PIETransfer<\/li><li> PlayWithBlazeDVD<\/li><li> PlayWithDVDXPlayer<\/li><li> Power2GoPlayCDAudioOnArrival<\/li><li> PrintstationPrint<\/li><li> PStarterBlankCDArrival<\/li><li> PStarterDVDBurningOnArrival<\/li><li> PStarterMixedCDArrival<\/li><li> PStarterMusicFilesArrival<\/li><li> PStarterPicturesArrival<\/li><li> PStarterVideoFilesArrival<\/li><li> S4BCaptureVideoCameraArrival<\/li><li> SpybotScanFiles\\<\/li><li> VCUPlayDVDMovieOnArrival<\/li><li> 
VMP1PlayBluRayMovieOnArrival<\/li><li> VMP1PlayDVDMovieOnArrival<\/li><li> VMP1PlayMusicFilesOnArrival<\/li><li> VMP1PlayVideoFilesOnArrival<\/li><\/ul>\n\n\n\n<p>Of course, such a persistence method could only be used as a Plan B. After all, who is still burning CDs today&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ability to extend AutoPlay functionality with dedicated handlers is well-known and documented. The Registry key shown below is where these get added: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoplayHandlers\\Handlers\\ Instead of describing this persistence mechanism in detail, I will focus on a slightly different aspect. Lots &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/07\/beyond-good-ol-run-key-part-114\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6755"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6755"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6755\/revisions"}],"predecessor-version":[{"id":6758,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6755\/revisions\/6758"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}