Once the user tries to uninstall the program that relies on InnoSetup uninstall process, the unins000.exe will process the content of the unins000.dat and will run the Notepad. We need to replace unins000.exe too, because the custom-made unins000.exe files that are dropped by installer may have dependencies that our unins000.dat doesn’t resolve.
Attacker could simply ‘borrow’ these and place these in a folder where there are already existing files unins000.dat and unins000.exe ( typically under c:\Program Files, or c:\Program Files (x86) subfolders). They ensure that Notepad is executed when the application is uninstalled. exe, we can collect the unins000.dat and unins000.exe that are generated during this session.
like this: įilename: "c:\windows\system32\notepad.exe"Īfter installing the. One can build a small InnoSetup script e.g. We also don’t really drop any malicious executable files, unless we have to (fileless malware could establish a persistence this way).īy leveraging the omnipresent files: unins000.dat and unins000.exe that are dropped by any setup program that is built using the InnoSetup installer. This is a bit unusual way of establishing persistence.
0 kommentar(er)
