Beyond good ol’ Run key, Part 14

July 8, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I have mentioned in my older posts that tracing, logging, debugging and various plugins, extensions and internal performance testing and development tools can be used and abused as a persistence mechanism; today’s topic is yet another list of phantom DLLs – this time courtesy of Windows Problem Reporting.

When applications crash on newer versions of Windows the WerFault.exe program is executed (subject to system’s settings); when launched at some stage it will try to locate and load the following files:

  • dbghelp.dll
  • ext.dll
  • exts.dll
  • ntsdexts.dll
  • uext.dll
  • wow64log.dll

The last one on the list may look familiar, I mentioned it in the part 5.

These DLLs are various debugger extensions that WerFault tries ‘to talk to’ when the crash occurs; the paths that WerFault is walking through is according to the Extension DLL search path – I believe this path is hard coded inside WerFault and can’t be changed (that could be yet another way to fool WerFault to look for the DLLs in other directories), but can be changed if the extensions are loaded from under WinDbg or other compatible with them debugger.

The searching activity can be easily observed using a Process Monitor and on my test system Windows 8.1 it is walking through a couple of C:\Windows\ sub-directories; the list below is a combined list from both 32- and 64-bit versions:

  • C:\Windows\ext.dll
  • C:\Windows\exts.dll
  • C:\Windows\ntsdexts.dll
  • C:\Windows\System32\ext.dll
  • C:\Windows\System32\exts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\system32\pri\dbghelp.dll
  • C:\Windows\system32\pri\ext.dll
  • C:\Windows\system32\pri\exts.dll
  • C:\Windows\system32\pri\ntsdexts.dll
  • C:\Windows\system32\pri\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\System32\wbem\ext.dll
  • C:\Windows\System32\wbem\exts.dll
  • C:\Windows\System32\wbem\ntsdexts.dll
  • C:\Windows\System32\wbem\uext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\system32\winext\arcade\dbghelp.dll
  • C:\Windows\system32\winext\arcade\ext.dll
  • C:\Windows\system32\winext\arcade\exts.dll
  • C:\Windows\system32\winext\arcade\ntsdexts.dll
  • C:\Windows\system32\winext\arcade\uext.dll
  • C:\Windows\system32\winext\dbghelp.dll
  • C:\Windows\system32\winext\ext.dll
  • C:\Windows\system32\winext\exts.dll
  • C:\Windows\system32\winext\ntsdexts.dll
  • C:\Windows\system32\winext\uext.dll
  • C:\Windows\system32\WINXP\dbghelp.dll
  • C:\Windows\system32\WINXP\ext.dll
  • C:\Windows\system32\WINXP\exts.dll
  • C:\Windows\system32\WINXP\ntsdexts.dll
  • C:\Windows\system32\WINXP\uext.dll
  • C:\Windows\System32\wow64log.dll
  • C:\Windows\SysWOW64\ext.dll
  • C:\Windows\SysWOW64\exts.dll
  • C:\Windows\SysWOW64\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\dbghelp.dll
  • C:\Windows\SysWOW64\pri\ext.dll
  • C:\Windows\SysWOW64\pri\exts.dll
  • C:\Windows\SysWOW64\pri\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\uext.dll
  • C:\Windows\SysWOW64\uext.dll
  • C:\Windows\SysWOW64\wbem\ext.dll
  • C:\Windows\SysWOW64\wbem\exts.dll
  • C:\Windows\SysWOW64\wbem\ntsdexts.dll
  • C:\Windows\SysWOW64\wbem\uext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
  • C:\Windows\SysWOW64\winext\arcade\ext.dll
  • C:\Windows\SysWOW64\winext\arcade\exts.dll
  • C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\arcade\uext.dll
  • C:\Windows\SysWOW64\winext\dbghelp.dll
  • C:\Windows\SysWOW64\winext\ext.dll
  • C:\Windows\SysWOW64\winext\exts.dll
  • C:\Windows\SysWOW64\winext\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\uext.dll
  • C:\Windows\SysWOW64\WINXP\dbghelp.dll
  • C:\Windows\SysWOW64\WINXP\ext.dll
  • C:\Windows\SysWOW64\WINXP\exts.dll
  • C:\Windows\SysWOW64\WINXP\ntsdexts.dll
  • C:\Windows\SysWOW64\WINXP\uext.dll
  • C:\Windows\uext.dll

Writing to the Windows directory is more difficult nowadays than it was in the past, but with a growing number of tricks used to escalate privileges one should not blindly assume that these files are not going to be there, because of the directory ACLs.

To test, drop a DLL into one of these locations and crash some app – WerFault will do the rest :-)

RegRipper Ripper (3R) and the list of reg keys covered by RR plugins – update

July 2, 2014 in 3R, Forensic Analysis, Software Releases

Just a quick note that I have updated RegRipper Ripper (3R) to cover plugins from (retrieved on 2nd of July 2014). I also added parser to retrieve the keys initialized as an array and now the ‘By Plugin file name’ section lists all the keys from the plug-ins. If you spot any mistake, please let me know and I’ll fix it.