appinit
$ target-query <path/to/target> -f appinit
Module |
|
Output |
|
Module documentation
Generic Windows plugin.
Provides some plugins that don’t fit in a separate plugin.
Function documentation
Return all available Application Initial (AppInit) DLLs registry key values.
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. It can be used as a persistence mechanism and/or to elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. DLLs that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
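A triage sketch for the values this function returns, added here as an example and not part of the plugin's own code: it splits each AppInit_DLLs string (entries are separated by spaces or commas) and records why each DLL deserves review. The function names, the TRUSTED_DIRS policy and the sample rows are assumptions constructed for illustration.

```python
import re
from ntpath import normpath

# The two keys named above; AppInit_DLLs is normally empty.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
# Assumption for this example: only these directories count as expected locations.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample rows: (registry key, AppInit_DLLs value).
SAMPLE = [
    (APPINIT_KEYS[0], r"C:\Windows\System32\example_hook.dll, C:\ProgramData\upd\helper.dll"),
    (APPINIT_KEYS[1], "shim32.dll"),
]


def split_appinit(value):
    """Split an AppInit_DLLs string into its space- or comma-separated entries."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def triage(rows):
    """Return one finding per configured DLL; an empty value yields nothing."""
    trusted = tuple(d + "\\" for d in TRUSTED_DIRS)
    findings = []
    for key, value in rows:
        for dll in split_appinit(value):
            # normpath collapses "..\" segments so traversal cannot fake a trusted prefix.
            path = normpath(dll).lower()
            if "\\" not in path:
                reason = "bare file name, no directory given"
            elif not path.startswith(trusted):
                reason = "outside trusted system directories"
            else:
                reason = "in a system directory, verify signature and hash"
            findings.append({"key": key, "dll": dll,
                             "wow64": "Wow6432Node" in key, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["dll"], "|", "32-bit view" if f["wow64"] else "native view", "|", f["reason"])
```

Any non-empty value is worth explaining on its own, since every listed DLL is loaded into each process that loads user32.dll.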