Beyond good ol’ Run key, Part 87

September 4, 2018 in Anti-Forensics, Autostart (Persistence)

How many ntdll does it take to change a light bulb?

For 32-bit processes on 32-bit systems – 1.

For 32-bit processes on 64-bit systems – 2.

But… are you sure?

Turns out that newer versions of Windows allow one more. It’s called a Delegated NTDLL.

When I discovered it during one of my Procmon sessions:

… I immediately googled it and found out that redplait was the first one to describe this mechanism in detail, and then there was also an article on StackOverflow about it; still, since it’s not very well-known I decided to include it in this series anyway.

How to use it?

  • Build a DLL that exports the functions listed in redplait’s post:
    • KiRaiseUserExceptionDispatcher
    • KiUserApcDispatcher
    • KiUserCallbackDispatcher
    • KiUserExceptionDispatcher
    • LdrInitializeThunk
    • LdrParentInterlockedPopEntrySList
    • LdrParentRtlInitializeNtUserPfn
    • LdrParentRtlResetNtUserPfn
    • LdrParentRtlRetrieveNtUserPfn
    • LdrpChildNtdll
    • LdrSystemDllInitBlock (this one is actually a pointer; it must point to a DWORD holding the same value as the one stored in the ntdll that the delegated ntdll is for, e.g. 224 /0xE0/)
    • RtlDispatchAPC
    • RtlUserThreadStart
  • Drop it in the system32 directory.
  • Set up the respective IFEO key for the victim application of choice:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

and you are set. The next time the program is run, it will load the DLL.

Note that the DLL must include the exports, otherwise it won’t be executed (not even DllMain) – this is because ntdll loads it not via LdrLoadDll, but via NtCreateSection/ZwMapViewOfSection/RtlImageNtHeader, and then walks through a list of exports that it tries to resolve using LdrpGetProcedureAddress.
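Because the loader insists on this export list, a DLL that is not ntdll.dll yet carries every one of these names is worth a look during a sweep of system32. The following check is an added example, not code from this post or from redplait; the function names are hypothetical, it excludes the real ntdll by file name only, and a hit is a candidate for review rather than a verdict.

```python
import os, struct, sys

# Export names copied from the list in the post.
DELEGATED_EXPORTS = {
    "KiRaiseUserExceptionDispatcher", "KiUserApcDispatcher",
    "KiUserCallbackDispatcher", "KiUserExceptionDispatcher",
    "LdrInitializeThunk", "LdrParentInterlockedPopEntrySList",
    "LdrParentRtlInitializeNtUserPfn", "LdrParentRtlResetNtUserPfn",
    "LdrParentRtlRetrieveNtUserPfn", "LdrpChildNtdll",
    "LdrSystemDllInitBlock", "RtlDispatchAPC", "RtlUserThreadStart",
}

def export_names(data):
    """Return the set of named exports of a PE file given as raw bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        return set()
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                           # optional header
    pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    exp_rva = struct.unpack_from("<I", data, opt + (112 if pe32_plus else 96))[0]
    if exp_rva == 0:
        return set()                                        # no export directory
    # Per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    def off(rva):                                           # RVA -> file offset
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA not backed by any section")
    def cstr(rva):                                          # NUL-terminated name
        p = off(rva)
        return data[p:data.index(b"\0", p)].decode("ascii", "replace")
    # NumberOfNames is at +24 and AddressOfNames at +32 in the export directory
    count, names_rva = struct.unpack_from("<I4xI", data, off(exp_rva) + 24)
    return {cstr(r) for r in struct.unpack_from("<%dI" % count, data, off(names_rva))}

def is_delegated_ntdll_candidate(filename, data):
    """True if a DLL not named ntdll.dll has every export the post lists."""
    try:
        return filename.lower() != "ntdll.dll" and DELEGATED_EXPORTS <= export_names(data)
    except (struct.error, ValueError):
        return False                                        # truncated or malformed

if __name__ == "__main__":                                  # usage: scan.py <dll>...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            if is_delegated_ntdll_candidate(os.path.basename(path), fh.read()):
                print("review:", path)
```

Run it over copies of the DLLs collected from system32; any path it prints should then be compared against the IFEO entries on the same host.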
