Vault7: CIA Hacking Tools Revealed
CLSIDs and Junction Folders (Persistence and Exploitation)
Junction Folders
A junction folder in Windows is a way for the user to cause a redirection to another folder, usually another known folder. A junction folder is considered a hard link. There are a few different ways to create junction folders. Registry modification can create a folder junction point. Another is a desktop.ini entry inside the folder. The third, and probably the most useful to us, is purely a naming convention: create the folder with a name of the form MyFolder.{CLSID of folder you want to junction to}. Once the folder is named this way, double-clicking it navigates to the known folder represented by the CLSID. Microsoft gives many examples. This way you can easily create a folder that junctions to "My Documents" and call it User #77623's documents. You can also junction to Pictures, Control Panel, Internet Explorer, or My Computer. All of these special folders have been assigned unique CLSIDs. See CLSIDs (Class IDs) for the CLSIDs that are available by default on Windows. Below is an example of a junction folder to My Documents.
[insert example here]
So what?
Well, what happens when the CLSID isn't of the expected folders? What if it's not a folder at all? That's where it gets a little interesting.
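A defender's view of the naming convention above, as an added example that is not part of the original page: the script walks a directory tree, flags every folder named Label.{CLSID}, and separates CLSIDs in an expected set from ones that need review. The function names, the expected set and the sample tree (including the placeholder CLSID) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Label.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: the folder-naming convention described above.
JUNCTION_NAME = re.compile(r"^(?P<label>.+)\.\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$")

# Assumption: the CLSIDs this environment expects as junction targets.
# These are well-known Windows shell folder CLSIDs; extend from your own baseline.
EXPECTED_CLSIDS = {
    "450D8FBA-AD25-11D0-98A8-0800361B1103": "My Documents",
    "20D04FE0-3AEA-1069-A2D8-08002B30309D": "My Computer",
    "21EC2020-3AEA-1069-A2DD-08002B30309D": "Control Panel",
}

def parse_junction_name(name):
    """Return (label, upper-cased CLSID) if name follows the convention, else None."""
    m = JUNCTION_NAME.match(name)
    return (m.group("label"), m.group("clsid").upper()) if m else None

def find_junction_folders(root, expected=EXPECTED_CLSIDS):
    """Return sorted (path, label, clsid, target) tuples for folders named Label.{CLSID}.
    target is None when the CLSID is not in the expected set and needs review."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            parsed = parse_junction_name(d)
            if parsed:
                label, clsid = parsed
                findings.append((os.path.join(dirpath, d), label, clsid, expected.get(clsid)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: two convention-named folders and one ordinary one."""
    names = [
        "User #77623's documents.{450D8FBA-AD25-11D0-98A8-0800361B1103}",
        "Reports.{00000000-0000-0000-0000-000000000001}",  # placeholder, not a real class
        "Plain folder",
    ]
    for n in names:
        os.makedirs(os.path.join(root, n))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, label, clsid, target in find_junction_folders(tmp):
            status = "expected" if target else "REVIEW"
            print(f"{status:8} {clsid} {target or 'unknown CLSID'}: {path}")
```

On a real host, point find_junction_folders at user-writable locations and replace the expected set with the CLSIDs your baseline actually uses.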
CLSIDs and COM Objects
Text here
User-level Persistence
Text here
Shortcut Folders + Junction Folders + Libraries + Link Files = Exploitation
Text here