{"id":9652,"date":"2024-11-15T22:16:47","date_gmt":"2024-11-15T22:16:47","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9652"},"modified":"2024-12-20T00:42:59","modified_gmt":"2024-12-20T00:42:59","slug":"beyond-good-ol-run-key-part-144","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/11\/15\/beyond-good-ol-run-key-part-144\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 144"},"content":{"rendered":"\n<p>Acrobat Reader is very popular software installed on millions of computers worldwide.<\/p>\n\n\n\n<p>Today I noticed that any time the AcroRd32.exe program starts (tested with the latest version 24.4) it checks the following folder:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Test_Tools\\<\/pre>\n\n\n\n<p>looking for *.api files.<\/p>\n\n\n\n<p>All these files are then loaded as DLLs.<\/p>\n\n\n\n<p>The screenshot below shows what happens when the following 3 files are present in the aforementioned folder:<\/p>\n\n\n\n<ul>\n<li>aaFEAT.api<\/li>\n\n\n\n<li>Automation.api<\/li>\n\n\n\n<li>malware.api<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/11\/acrobat_reader_api.png\"><img decoding=\"async\" loading=\"lazy\" width=\"593\" height=\"230\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/11\/acrobat_reader_api.png\" alt=\"\" class=\"wp-image-9653\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/11\/acrobat_reader_api.png 593w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/11\/acrobat_reader_api-300x116.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/11\/acrobat_reader_api-500x194.png 500w\" sizes=\"(max-width: 593px) 100vw, 593px\" \/><\/a><\/figure>\n\n\n\n<p>The first two are named like the two legitimate *.api files that Acrobat Reader expects to find in the <em>Test_Tools<\/em> folder. The last one is just a randomly (well, not really) named DLL to show that any *.api file dropped there will be executed&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Acrobat Reader is very popular software installed on millions of computers worldwide. Today I noticed that any time the AcroRd32.exe program starts (tested with the latest version 24.4) it checks the following folder: c:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Test_Tools\\ looking for &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/11\/15\/beyond-good-ol-run-key-part-144\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9652"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9652"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9652\/revisions"}],"predecessor-version":[{"id":9655,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9652\/revisions\/9655"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}",
"templated":true}]}}