Beyond good ol’ Run key, Part 7

February 9, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

In my last post of this series I discussed the VBA Monitor mechanism that can be used to execute code anytime a Visual Basic application is started. Today’s topic is similar and covers yet another internal Microsoft component that could be abused to load arbitrary code – this time whenever an application crashes. As far as I can tell, it only works on XP, so it’s a bit old and not that practically useful, but given that XP is still out there in large quantities it is worth documenting.

The component that we will abuse is called OAClient. It is an agent belonging to Oasys (Office Automation System), a distributed test management system used internally by Microsoft to test its Office suites.

How do I know?

I have read about it in this pdf (‘Exploring Cross-Platform Testing Strategies at Microsoft’) that I found online while looking for the meaning of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OASys\OAClient key – and I looked for it because I spotted this key being queried by DWWIN.EXE whenever an application crashes under Windows XP.

Once I found out, all I had to do was to add the key, force the application to crash – so that DWWIN.EXE is launched – and then confirm that the presence of the OAClient key leads DWWIN.EXE to attempt loading the BTLOG.DLL file from c:\windows\system32.

(screenshot: notepad_crash)

(screenshot: dwwin_load_btlog_dll)

There you have it.

To reproduce:

  • Create %windir%\system32\BTLOG.DLL
  • Add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OASys\OAClient
  • Now launch an application that crashes, so that DWWIN.EXE is started as a result of the crash (e.g. copy notepad.exe to notepad2.exe and patch its entry point with 0xCC = int 3); DWWIN.EXE will load btlog.dll.
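A defender-side triage helper, added here as an example and not part of the original post: it scans a Process Monitor CSV export for the two indicators described above (DWWIN.EXE querying the OAClient key and loading BTLOG.DLL). It assumes Procmon's default export columns, and the sample lines are constructed, not a real capture.

```python
"""Flag the OAClient / BTLOG.DLL indicators in a Process Monitor CSV export.
Assumes Procmon's default export columns ("Time of Day","Process Name",
"PID","Operation","Path","Result","Detail"); SAMPLE_CSV is constructed."""
import csv
import io

OACLIENT_KEY = r"HKLM\SOFTWARE\Microsoft\OASys\OAClient"
BTLOG_DLL = r"\system32\btlog.dll"
REG_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue"}

# Constructed sample: PID 1234 handles a crash on a host where the key and
# DLL were planted; PID 2222 is the clean baseline (key queried, not found).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","dwwin.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\OASys\\OAClient","SUCCESS","Desired Access: Read"
"10:01:02.105","dwwin.exe","1234","Load Image","C:\\WINDOWS\\system32\\btlog.dll","SUCCESS","Image Base: 0x10000000"
"10:01:02.110","dwwin.exe","1234","Load Image","C:\\WINDOWS\\system32\\dwwin.exe","SUCCESS","Image Base: 0x1000000"
"10:07:45.300","dwwin.exe","2222","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\OASys\\OAClient","NAME NOT FOUND","Desired Access: Read"
"11:00:00.000","explorer.exe","888","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Read"
"""


def find_oaclient_indicators(csv_text):
    """One finding per DWWIN.EXE event touching the OAClient key or BTLOG.DLL.
    The key is queried on every crash, so NAME NOT FOUND is the normal
    baseline; SUCCESS means the key (or the DLL) really exists on the host."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != "dwwin.exe":
            continue
        op, path, result = row["Operation"], row["Path"], row["Result"]
        if op in REG_OPS and path.lower().startswith(OACLIENT_KEY.lower()):
            kind = "registry"
        elif op == "Load Image" and path.lower().endswith(BTLOG_DLL):
            kind = "dll"
        else:
            continue
        findings.append({"kind": kind, "pid": row["PID"], "operation": op,
                         "path": path, "result": result,
                         "suspicious": result == "SUCCESS"})
    return findings


def suspicious_pids(csv_text):
    """PIDs of DWWIN.EXE instances where the key or the DLL was present."""
    return sorted({f["pid"] for f in find_oaclient_indicators(csv_text)
                   if f["suspicious"]})
```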

