bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License

Can you explain more about the persistence mechanism? #7

Closed randomUser7852 closed 3 years ago

randomUser7852 commented 3 years ago

Hey,

I saw this line in LivingOffTheLand.cpp

"if (!nt_cpp::SetValue(nt_cpp::GetCurrentUserPath() + L"\Software\Microsoft\Windows\CurrentVersion\Run\\0X", nt_cpp::Udc(startupCommand))) return 0;"

And it seems that some data is stored in the registry key in the Run folder. But when I try to find the data, there is indeed a key without a name or data in it. How is it possible? How can we check this value?

Do you think AV can detect this key?

I want to be able to run two instances on the same computer, and I know for sure that the malware can be stored in a path other than Internet Explorer, but how is it possible to start 2 instances at bootup?

Thanks again for your support, enlighten me, friend!

bytecode77 commented 3 years ago

"Null embedded character" means that the string starts with the null-terminator. This causes the string to be the equivalent of null in the collection of enumerated values. When trying to retrieve the value null, it does not return the value "\0X" but results in an error. This is why the value is invisible. It's definitely effective in hiding the value from the user.

As far as I know, AV does not clean up the registry. Anybody please correct me if this is outdated knowledge! Anyway, the only way to access or delete values with null embedded characters is to use the NT api instead of the WinAPI. Since WinAPI is very convenient, developers won't use the NT api, unless there's a good reason for it.

You can certainly run two different applications or instances. Just keep track of what registry values you are using for which. You need an additional value in the Run\ key as well as another registry key to store the injector. Be creative ;)
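The check the answer hints at, as an added example that is not code from the living-off-the-land project: a defender-side scan of HKCU's Run key that enumerates through ntdll's NtEnumerateValueKey (counted UTF-16 names) instead of RegEnumValue (C-string names), so a value whose name begins with a null is reported rather than shown as nameless. It assumes a Windows build linked against advapi32; the structure layout and export name are the documented ntdll ones, and the name check itself is portable.

```c
#include <stdint.h>
#include <stdio.h>
/* A value name as ntdll reports it: counted UTF-16, length in bytes. Returns 1 if a
   NUL occurs before the end, i.e. RegEnumValue's view of the name is cut short. */
int name_has_embedded_null(const uint16_t *name, uint32_t name_bytes)
{
    uint32_t i, n = name_bytes / 2;
    for (i = 0; i < n; i++)
        if (name[i] == 0) return 1;
    return 0;
}
#ifdef _WIN32
#include <windows.h>
/* KEY_VALUE_BASIC_INFORMATION (information class 0) from NtEnumerateValueKey. */
typedef struct { ULONG TitleIndex; ULONG Type; ULONG NameLength; WCHAR Name[1]; } KVBI;
typedef LONG (WINAPI *NtEnumerateValueKey_t)(HANDLE, ULONG, int, PVOID, ULONG, PULONG);
/* Enumerates HKCU\...\Run through ntdll (an HKEY is an ordinary kernel handle) and
   reports values whose counted name contains a NUL. Returns their count, or -1 on error. */
int scan_run_key(void)
{
    NtEnumerateValueKey_t NtEnumerateValueKey_ = (NtEnumerateValueKey_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtEnumerateValueKey");
    static unsigned char buf[65536];   /* large enough for the longest value name */
    HKEY h; ULONG idx, len; int found = 0;
    if (!NtEnumerateValueKey_) return -1;
    if (RegOpenKeyExW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                      0, KEY_QUERY_VALUE, &h) != ERROR_SUCCESS) return -1;
    /* NTSTATUS failures, including STATUS_NO_MORE_ENTRIES at the end, are negative. */
    for (idx = 0; NtEnumerateValueKey_(h, idx, 0, buf, sizeof buf, &len) >= 0; idx++) {
        KVBI *kv = (KVBI *)buf;
        if (name_has_embedded_null((const uint16_t *)kv->Name, kv->NameLength)) {
            printf("value #%lu: %lu-byte name with embedded NUL, hidden from WinAPI\n",
                   (unsigned long)idx, (unsigned long)kv->NameLength);
            found++;
        }
    }
    RegCloseKey(h);
    return found;
}
#endif
int main(void)
{
#ifdef _WIN32
    printf("%d hidden Run value(s)\n", scan_run_key());
#endif
    return 0;
}
```

Deleting such a value needs the same route (NtDeleteValueKey with a counted UNICODE_STRING), since the Win32 delete function stops at the first null too.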