Beyond good ol’ Run key, Part 108

July 11, 2019 in Anti-Forensics, Autostart (Persistence)

This is my favorite persistence trick of 2019 so far.

The 64-bit WOW layer changed a lot in Windows 10, and this article covers those changes in crazy depth.

One interesting feature that comes out of these changes is a piece of functionality the OS provides whenever a value of the following shape exists:

HKLM\SOFTWARE\Microsoft\Wow64\x86\

<process image name> = <path to your DLL>

For example, one can create:

HKLM\SOFTWARE\Microsoft\Wow64\x86\

notepad.exe = c:\test\malware.dll

and this DLL will be loaded every time a 32-bit Notepad is started (the value name is matched against the image file name of the process being launched).

Since this lives under the WOW64 key, only 32-bit programs running under WOW64 on 64-bit Windows are affected; native 64-bit processes never consult it.

Now, why is this my favorite persistence trick of 2019 so far? There are at least two reasons:

  • The DLL is actually 64-bit, because it stands in for wow64cpu.dll (the CPU emulation layer of WOW64), so you are effectively injecting a 64-bit DLL into a 32-bit process. This comes with limitations (it is loaded very early, while the process is only about to get started, so many APIs are not usable yet), but it is a pretty cool anti-forensic trick: tooling that enumerates a 32-bit process for 32-bit modules will not expect it.
  • The DLL can be loaded from a UNC path, so the same value serves both as a persistence trick and as a lateral movement trick, with the payload hosted on a remote share.
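The following PowerShell is an added example and is not code from the original post. It covers both sides of the technique described above: planting and removing the Wow64\x86 override for a lab test, and a hunting function that enumerates the key and flags what a responder cares about, including the UNC-path case mentioned in the second bullet. The function names, the "outside System32" heuristic, and the assumption that a default install sets no per-process values under this key are mine, not the post's.

```powershell
# Added example (not from the original post).
#   (1) Set-/Remove-Wow64CpuDllOverride plant and clean up the override (lab use only).
#   (2) Get-Wow64CpuDllOverride enumerates the key and flags each value for a hunter.
# Assumptions (mine): the process name and DLL path are placeholders supplied by the caller;
# the "outside System32" heuristic and the expectation that a clean box has no per-process
# values here are my own hunting rules, not something the post states.
# Writing under HKLM requires an elevated prompt.

$Wow64X86Key = 'HKLM:\SOFTWARE\Microsoft\Wow64\x86'

function Set-Wow64CpuDllOverride {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProcessName,  # image name of the 32-bit target, e.g. notepad.exe
        [Parameter(Mandatory)] [string] $DllPath       # 64-bit DLL; local path or \\server\share\x.dll
    )
    if (-not (Test-Path -LiteralPath $Wow64X86Key)) {
        New-Item -Path $Wow64X86Key -Force | Out-Null
    }
    # Value name = process image name, value data = DLL that stands in for wow64cpu.dll.
    New-ItemProperty -Path $Wow64X86Key -Name $ProcessName -Value $DllPath `
        -PropertyType String -Force | Out-Null
}

function Remove-Wow64CpuDllOverride {
    param([Parameter(Mandatory)] [string] $ProcessName)
    Remove-ItemProperty -Path $Wow64X86Key -Name $ProcessName -ErrorAction SilentlyContinue
}

function Get-Wow64CpuDllOverride {
    # Hunting side: if nothing legitimate is expected to populate this key (my assumption),
    # every value under it is a finding worth triaging.
    if (-not (Test-Path -LiteralPath $Wow64X86Key)) { return }
    $key = Get-Item -LiteralPath $Wow64X86Key
    foreach ($name in $key.GetValueNames()) {
        $dll = [string]$key.GetValue($name)
        [pscustomobject]@{
            Process      = $name
            Dll          = $dll
            IsUncPath    = $dll -like '\\*'                                # lateral-movement flavour
            OutsideSys32 = -not ($dll -like "$env:SystemRoot\System32\*")  # my heuristic
            DllReachable = ($dll -ne '') -and (Test-Path -LiteralPath $dll -PathType Leaf)
        }
    }
}

# Usage (lab only):
# Set-Wow64CpuDllOverride -ProcessName 'notepad.exe' -DllPath 'C:\test\malware.dll'
# Get-Wow64CpuDllOverride | Format-Table -AutoSize
# Remove-Wow64CpuDllOverride -ProcessName 'notepad.exe'
```

On the detection side, a point-in-time enumeration like Get-Wow64CpuDllOverride is the baseline; because the key is rarely touched legitimately, a registry value-set event under HKLM\SOFTWARE\Microsoft\Wow64\x86 from any process is also a reasonable alert candidate, and a UNC data value is worth escalating on its own.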
