Beyond good ol’ Run key, Part 57

January 27, 2017 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

The best persistence mechanisms are these that are well documented. They work perfectly and are often compatible with many versions of Windows. Here’s a story of one.

According to Microsoft’s page, the OffloadModExpo function offloads modular exponentiation from a CSP to a hardware accelerator.

We don’t really care too much what it means other than it has something to do with the crypto**, and that the function is exported by a plug-in-like DLL that is loaded from the path specified in the following location:

HKLM\Software\Microsoft\Cryptography\
Offload\ExpoOffload = DLL Path

Yup. It’s that simple.

Add the key, add the DLL. It doesn’t even need to export the OffloadModExpo function.

The only question remaining is when.

The answer is – pretty much all the time.

The library is loaded by either dssenh.dll, or rsaenh.dll and these libraries provide crypto services to pretty much any possible software running on Windows. At some stage it’s loaded by svchost.exe, iexplore.exe (f.ex. when you visit https:// page), mscorsvw.exe, taskhostw.exe, sdiagnhost.exe and other processes.

Here’s an example log from promcon immediately after I added the .reg file that installs a rogue DLL (soon after more processes pick it up):

and the debug view log confirming the loading:

 

**Bonus:

Last, but not least – the very same thing was described in 2000 as a vulnerability; apparently the DLL will receive all the private keys used by the Crypto API 🙂

Share this :)

Comments are closed.