persistence_demos

Demos for the presentation "Wicked malware persistence methods".

• com_hijack - loads a demo DLL via COM hijacking
• extension_hijack - hijacks extensions handlers in order to run a demo app while the file with the given extension is opened
• shim_persist - installs a shim that injects a demo DLL into explorer.exe
• restricted_directory - drops a PE into a restricted directory (that cannot be accessed or deleted), and launches it