you know something about CLSIDs?


hello there,

I recently looked deeper into the matter of malware, and since I know a little bit about how Windows works, this topic is certainly of big interest to me.

Does someone here have a clue how exactly malware can influence existing CLSIDs? I mean, as far as I know, malware can "use" or infect existing CLSIDs, right? But in which ways does it do that?

I'm thankful for any answer on that! :)

Jenn


Hi Jenn,

A CLSID, according to Microsoft, is a "globally unique identifier that identifies a COM class object", if you wish, a "social security number" for a Windows or third-party software application or component thereof, a particular system folder, etcetera.

CLSIDs are used by Windows to identify software components without having to know their "name". They can also be used by software applications to identify a computer, file or other item.

If you're asking whether malware can change/use/affect a CLSID, the answer is yes: malware, just like legitimate software, can modify the registry, i.e. adding, deleting or modifying components, and of course that includes CLSIDs.

To give one example, you'll be familiar with the "Open With" context menu entry you get when right-clicking a file. In the Registry it looks as follows:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's dll, in this case Shell32.dll.

Now this method can also be used by malware, for example:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

The InProcServer subkey to HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will then show the path to a 'rogue' dll that's loaded into memory.

So malware, just like regular software, can certainly add new CLSIDs where it wants or modify the 'target' of existing ones.

Thanks for the answer! I appreciate it! :)

OK, I get your point with this nice example.

So malware, just like regular software, can certainly add new CLSIDs where it wants or modify the 'target' of existing ones.

Which ways does malware have to use an existing CLSID for itself?

Which ways does malware have to use an existing CLSID for itself?

Simply by having the InProcServer subkey for the existing CLSID point to an executable file of the malware itself.

Let's take as an example the way a legitimate browser helper object is registered; here's the principle of how that goes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"

This ensures that roboform.dll is loaded every time an instance of Internet Explorer is launched.

You can replace the path of roboform.dll with the path of a malware dll, and that dll will then be loaded instead.

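As an added defensive check (example code, not from the thread or from any product mentioned in it): this Python script parses a registry export in the .reg format shown above, resolves every Browser Helper Object and shellex ContextMenuHandlers CLSID to its InprocServer32 DLL, and flags DLLs that live outside the Windows and Program Files directories. The registry export is constructed inline from the thread's RoboForm entries plus the gxmmxn handler; the rogue DLL path C:\Users\Public\gxmmxn.dll and the list of trusted roots are assumptions of the example.

```python
import re
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed safe roots
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed .reg export: the thread's RoboForm BHO plus a handler with a placeholder rogue DLL path
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"
[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"
[HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01}\InprocServer32]
@="C:\\Users\\Public\\gxmmxn.dll"
"""
def parse_reg(text):  # -> {key_path_lower: {value_name: string_data}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            # .reg string data doubles backslashes and escapes embedded quotes
            keys[current][name] = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def handler_clsids(keys):  # yields (registering_key, clsid) for BHOs and context-menu handlers
    for key, values in keys.items():
        if "\\browser helper objects\\" in key:            # BHO subkey is named after the CLSID
            match = CLSID_RE.search(key)
        elif "\\shellex\\contextmenuhandlers\\" in key:    # default value names the CLSID
            match = CLSID_RE.search(values.get("(default)", ""))
        else:
            match = None
        if match:
            yield key, match.group(0).lower()

def audit(text):
    """Return (clsid, dll_path, registering_key) for handlers whose DLL is outside trusted roots."""
    keys, findings = parse_reg(text), []
    for reg_key, clsid in handler_clsids(keys):
        server = keys.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32", {})
        path = server.get("(default)", "")
        if not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((clsid, path or "<no InprocServer32>", reg_key))
    return findings
```

The same audit runs unchanged over a real export produced with `reg export` of HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE; checking the Authenticode signature of each flagged DLL is the natural next step the example leaves out.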

Other than changing their 'target' or deleting them, not really. If you change the CLSID itself, it in effect becomes a new CLSID/GUID, which equals adding a brand new one.

Of course, aside from CLSIDs, malware can and does add, add to, and change many other Registry keys, values and data.

For example, have a look at Pieter's excellent Malware Removal Guides as well as at the Collection of Autostart Locations topic in my signature.
