Didier Stevens

Thursday 14 July 2011

Quickpost: Blocking and Detecting a Teensy Dropper

Filed under: Forensics, Hardware — Didier Stevens @ 9:58

A Teensy dropper presents itself to a PC as a keyboard (HID), which is how it can be used to drop files even if you don’t allow removable drives.

You can prevent the installation of new HIDs, but this is an issue when you need to replace keyboards or mice. Irongeek has a good write-up.

Connected HIDs leave forensic traces in the registry; take a look under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

Connecting a Teensy leaves these entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002
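An added example (not code from the original post) that runs this check over a list of key paths, such as the key lines printed by `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB /s` or an export from an offline SYSTEM hive. The function names, the watchlist and the second device in the sample input are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Key layout: ...\Enum\USB\Vid_XXXX&Pid_XXXX[&MI_NN]\<instance id>
# Only instance keys match; parent keys, deeper sub-keys and value lines do not.
USB_KEY = re.compile(
    r"\\Enum\\USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})"
    r"(?:&MI_([0-9A-F]{2}))?\\([^\\\s]+)\s*$",
    re.IGNORECASE,
)

# (VID, PID) pairs to report; 16c0:0482 is the pair shown in the post.
WATCHLIST = {("16C0", "0482")}

def parse_usb_keys(lines):
    # Group instance keys by (VID, PID): device instances and interface numbers.
    devices = defaultdict(lambda: {"instances": set(), "interfaces": set()})
    for line in lines:
        m = USB_KEY.search(line.strip())
        if not m:
            continue
        vid, pid, mi, instance = m.groups()
        dev = devices[(vid.upper(), pid.upper())]
        if mi is None:
            dev["instances"].add(instance)   # the device key itself
        else:
            dev["interfaces"].add(mi)        # one key per interface (MI_nn)
    return dict(devices)

def flag_devices(lines, watchlist=WATCHLIST):
    # A hit only means a device announcing these IDs was connected at some point.
    hits = []
    for (vid, pid), dev in sorted(parse_usb_keys(lines).items()):
        if (vid, pid) in watchlist:
            hits.append({"vid": vid, "pid": pid,
                         "instances": sorted(dev["instances"]),
                         "interfaces": sorted(dev["interfaces"])})
    return hits

# Sample input: the four keys from the post, plus constructed lines
# (a sub-key, a value line and a device with placeholder IDs 1234:5678).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002
    Service    REG_SZ    usbccgp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_1234&Pid_5678\5&1a2b3c4d&0&1
""".splitlines()

if __name__ == "__main__":
    for hit in flag_devices(SAMPLE):
        print(hit)
```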




2 Comments »

  1. You can change the vendor and product IDs on a Teensy device, so this technique will only detect stock devices.

    Comment by Jon — Thursday 14 July 2011 @ 10:37

  2. @Jon You're correct, Jon, but your comment made me think of something else. What would happen if I change the Teensy IDs to the IDs of the keyboard that is already connected, then disconnect the keyboard and connect the Teensy?

    Comment by Didier Stevens — Thursday 14 July 2011 @ 16:37

