Beyond good ol’ Run key, Part 96

December 21, 2018 in Autostart (Persistence)

Today, while browsing through the Registry, I came across this strange set of garbled Registry keys:

  • HKCU\Software\Microsoft\Payment\PaymentApps

I am not sure what they are, but when I grepped a Windows 10 installation for DLLs that reference the parent key name, I found SEMgrSvc.dll.

The internal name of the DLL is ‘NFC SEManagement Service DLL’. A quick Google search followed and I found this post, which refers to the `Payments and NFC/SE Manager` service.

Browsing through the code of the DLL I spotted a possible persistence opportunity. I can’t test it, as I really don’t know under what circumstances this code path is exercised, but I am documenting it in case someone wants to poke around, or in case one day it is actually used:

  • HKLM\Software\Microsoft\SEMgr\Wallet\DllName=<file>

The <file> is loaded via LoadLibraryW when a Wallet instance is created, and the GetMockWalletCOMInstance function exported by that DLL is then called (the ‘Mock’ in the export name suggests a test hook rather than a production code path). Note that the value lives under HKLM, so planting it requires write access to that key, which by default means administrative privileges; it is a persistence trick, not a privilege escalation.
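To check a box for this hook, here is an added PowerShell audit (example code, not code from the original post or from SEMgrSvc.dll). It reads the value, works out which file LoadLibraryW would pick up, checks its Authenticode signature, scans it for the GetMockWalletCOMInstance export name, and flags whether a broad principal can write the file or the key. The function and field names, the System32 fallback for a bare file name, and the ACL and string-scan heuristics are this example's own assumptions; only the key, value and export name come from the post.

```powershell
# Added example, not code from the original post or from SEMgrSvc.dll.
# Audits the HKLM\Software\Microsoft\SEMgr\Wallet\DllName hook: is the value
# set, which file would LoadLibraryW load, is it signed, does it carry the
# GetMockWalletCOMInstance export string, and can a broad principal write the
# file or the key. Assumptions (not from the post): the function/field names,
# the System32 fallback for a bare file name, the ACL and string-scan heuristics.

function Test-BroadWriteAccess {
    # Heuristic: does Everyone/Users/Authenticated Users/INTERACTIVE hold any
    # write-class right? Matches on the rights' string form so the same check
    # serves file ACLs (FileSystemRights) and registry ACLs (RegistryRights).
    param([Parameter(Mandatory)][System.Security.AccessControl.ObjectSecurity]$Acl)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if ($rights.ToString() -match 'Write|Modify|FullControl|SetValue|CreateSubKey|ChangePermissions|TakeOwnership') {
            return $true
        }
    }
    return $false
}

function Test-SEMgrWalletHook {
    param(
        [string]$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\SEMgr\Wallet',
        [string]$ValueName  = 'DllName',
        [string]$ExportName = 'GetMockWalletCOMInstance'
    )

    $r = [ordered]@{
        Key = $KeyPath; ValueSet = $false; DllName = $null; ResolvedPath = $null
        FileExists = $false; SignatureStatus = $null; Signer = $null
        HasExportString = $null; FileWritable = $null; KeyWritable = $null
        Findings = @()
    }

    # Who can set the value in the first place? (key ACL, if the key exists)
    if (Test-Path -LiteralPath $KeyPath) {
        $r.KeyWritable = Test-BroadWriteAccess -Acl (Get-Acl -LiteralPath $KeyPath)
        if ($r.KeyWritable) { $r.Findings += 'Key ACL lets a broad principal set DllName' }
    }

    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return [pscustomobject]$r }   # key or value absent: nothing planted

    $r.ValueSet = $true
    $r.DllName  = [string]$prop.$ValueName
    $r.Findings += "DllName is set to '$($r.DllName)'"

    # LoadLibraryW with a bare file name walks the DLL search order, so the
    # value alone does not pin the file. Assumption: look in System32 first.
    if ([System.IO.Path]::IsPathRooted($r.DllName)) {
        $r.ResolvedPath = $r.DllName
    } else {
        $r.Findings += 'Bare file name: subject to DLL search order'
        $r.ResolvedPath = Join-Path $env:SystemRoot "System32\$($r.DllName)"
    }

    if (-not (Test-Path -LiteralPath $r.ResolvedPath -PathType Leaf)) {
        # A dangling value is the interesting case for persistence: drop a DLL
        # at that path and nothing else has to change.
        $r.Findings += "File not found at $($r.ResolvedPath) (dangling value)"
        return [pscustomobject]$r
    }

    $r.FileExists = $true
    $sig = Get-AuthenticodeSignature -FilePath $r.ResolvedPath
    $r.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    if ($sig.Status -ne 'Valid') { $r.Findings += "Signature: $($sig.Status)" }

    # Cheap export check: ASCII scan for the export name. Walking the PE
    # export table is more reliable; this is enough to triage.
    $ascii = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($r.ResolvedPath))
    $r.HasExportString = $ascii.Contains($ExportName)
    if (-not $r.HasExportString) { $r.Findings += "No '$ExportName' string in file" }

    $r.FileWritable = Test-BroadWriteAccess -Acl (Get-Acl -LiteralPath $r.ResolvedPath)
    if ($r.FileWritable) { $r.Findings += 'DLL file is writable by a broad principal' }

    return [pscustomobject]$r
}

Test-SEMgrWalletHook | Format-List
```

Run it from an elevated prompt so the ACL reads succeed. Since the post has not observed this value in legitimate use, any non-empty DllName, and especially a dangling path or a file without a valid signature, is worth a closer look; for fleet-wide hunting, a registry write alert on that exact value path is the cheaper control.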

If you know how it is being used, please let me know. Thanks.
