ZHPDIAG – O18 ADD-ON (PAPP)

Installing a protocol handler involves copying the DLL or DLLs to an appropriate location under the %ProgramFiles% directory, then registering the protocol handler through the registry.

The installation application can also add a search root and scope rules for a default crawl scope for the Shell data source.

The IProtocolHandlerSite interface is used to obtain a filter handler, which is hosted in an isolated process. The appropriate filter handler is obtained for a persistent class identifier (CLSID), a specified document storage class, or a file name extension. The advantage of asking the host process to bind to the IFilter is that the host process can manage the process of locating an appropriate filter handler and control the security involved in calling the handler.

This module lists changes to the default protocols, in order to track extra protocols and protocol hijackers.

The "Filter" and "Handler" subkeys of the "PROTOCOLS" key are often used by malware to load dynamic libraries (DLLs) automatically, a technique widely used by potentially unwanted programs (LPI/PUP).

The module searches certain keys in the registry, for example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\deflate]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\gzip] (since Vista)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim]

ZHPDiag overview

---\\ Additional protocol and protocol hijacking (O18)
O18 – Filter: text/html – {950238FB-C706-4791-8674-4D429F85897E} – (no file)
O18 – Protocol: MSNIM – {008030A1-22C1-4009-854F-8E305202313F} – "C:\PROGRA~1\MSNMES~1\msgrapp.dll"

---\\ Additional protocol and protocol hijacking (O18)
O18 – Filter: deflate – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll
O18 – Filter: gzip – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll

---\\ Additional protocol and protocol hijacking (O18)
O18 – Handler: CDL – {3dd53d40-7b8b-11D0-b013-00aa0059ce02} . (.Microsoft Corporation – Extensions for Win32 OLE32.) — C:\Windows\system32\urlmon.dll

ZHPFix action

O18 – {SubKey}: {ValueKey} – {KeyCLSID} . (…) — {FileName}

{Key} : Key in the system registry [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS]
{SubKey} : Subkey of the key {Key}, for example "Handler" or "Filter"
{KeyCLSID} : Data of the "CLSID" value of the key {SubKey}
{FileName} : Default value of the key [HKLM\SOFTWARE\Classes\CLSID\{KeyCLSID}\InprocServer32]

1) The tool deletes {KeyCLSID}
2) The tool deletes the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{KeyCLSID}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{KeyCLSID}]
4) The tool deletes the file {FileName}
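As an added example (not ZHPDiag's or ZHPFix's own code), the following PowerShell audits the two O18 locations listed above and resolves each entry the way the ZHPFix template does, from the subkey's "CLSID" value to the InprocServer32 default value, then reports the file, its company name and its Authenticode status. It only reads the registry; the function names Resolve-InprocServer and Get-EntryStatus are my own, and it assumes an elevated Windows PowerShell session on the machine being examined.

```powershell
# Added example, not ZHPDiag/ZHPFix code: a read-only audit of the O18 locations.
# It walks PROTOCOLS\Filter and PROTOCOLS\Handler and resolves every entry as the
# ZHPFix template does: {SubKey} -> "CLSID" value -> InprocServer32 -> {FileName}.

$protocols = 'HKLM:\SOFTWARE\Classes\PROTOCOLS'

function Resolve-InprocServer([string]$Clsid) {
    # ZHPFix steps 2 and 3 look in HKLM and HKCR; check the same two places.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'Registry::HKEY_CLASSES_ROOT') {
        $key = "$hive\CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            # GetValue('') reads the key's default value; REG_EXPAND_SZ is expanded
            $path = (Get-Item -LiteralPath $key).GetValue('')
            if ($path) { return ([string]$path).Trim('"') }
        }
    }
    return $null
}

function Get-EntryStatus([string]$Clsid, [string]$File) {
    if (-not $Clsid) { return 'no CLSID value' }
    if (-not $File)  { return '(no file)' }                 # as ZHPDiag reports it
    if (-not (Test-Path -LiteralPath $File)) { return 'file missing on disk' }
    if ($File -like "$env:SystemRoot\*") { return 'in %SystemRoot%' }
    return 'outside %SystemRoot% - review'
}

$report = foreach ($subKey in 'Filter', 'Handler') {
    $base = "$protocols\$subKey"
    if (-not (Test-Path -LiteralPath $base)) { continue }
    # Names such as "text/html" contain "/", which the registry provider treats
    # as a path separator, so read values through the opened key objects.
    foreach ($entry in Get-ChildItem -LiteralPath $base) {
        $clsid = $entry.GetValue('CLSID')
        $file  = if ($clsid) { Resolve-InprocServer $clsid } else { $null }
        $info  = if ($file -and (Test-Path -LiteralPath $file)) { Get-Item -LiteralPath $file }
        [pscustomobject]@{
            SubKey  = $subKey
            Name    = $entry.Name.Split('\')[-1]
            CLSID   = $clsid
            File    = $file
            Company = if ($info) { $info.VersionInfo.CompanyName } else { '' }
            Signed  = if ($info) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { '' }
            Status  = Get-EntryStatus $clsid $file
        }
    }
}

$report | Sort-Object Status, SubKey | Format-Table -AutoSize
```

Entries reported as "(no file)" or "outside %SystemRoot% - review" are the ones to compare against the detection examples on this page; the stock deflate, gzip and cdl entries resolve to urlmon.dll under %SystemRoot%.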

Example of detection

O18 – Handler: base64 – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
O18 – Handler: chrome – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protacol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll

Links

Installing and Registering Protocol Handlers