Beyond good ol’ Run key, Part 108
July 11, 2019 in Anti-Forensics, Autostart (Persistence)
This is my favorite persistence trick of 2019 so far.
The 64-bit WOW layer (WOW64) changed a lot in Windows 10, and this article covers it in crazy depth.
One interesting side effect of these changes is that the OS honours per-process overrides stored under the following key, where the value name is a process name and the data is the path of a DLL:
HKLM\SOFTWARE\Microsoft\Wow64\x86\
processname = <your DLL>
One can create e.g. :
HKLM\SOFTWARE\Microsoft\Wow64\x86\
notepad.exe = c:\test\malware.dll
and that DLL is loaded whenever a 32-bit notepad.exe starts.
Since this lives under the WOW64 key, only 32-bit programs are affected. Writing under HKLM requires administrative rights, so this is post-elevation persistence rather than a privilege escalation.
Why is it my favorite persistence trick of 2019 so far? There are at least two reasons:
- The DLL is actually 64-bit (it replaces wow64cpu.dll), so you are effectively injecting a 64-bit DLL into a 32-bit process. This comes with limitations, since the process is only just starting and many APIs are not yet usable, but it is a pretty cool anti-forensic trick.
- The DLL can be loaded from a UNC path, so it can serve as both a persistence and a lateral-movement trick.
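As an added example (not code from the original post), here is a small audit script for the defender's side of this trick. It parses a `reg.exe export`-style dump of HKLM\SOFTWARE\Microsoft\Wow64\x86 and flags every per-process override, calling out UNC paths and DLLs that live outside System32. The sample export, the process names and the DLL paths in it are constructed, and the script assumes that a clean key carries only its default value, `wow64cpu.dll`; treat that baseline as an assumption and verify it against a known-good build.

```python
r"""Audit HKLM\SOFTWARE\Microsoft\Wow64\x86 for per-process CPU-emulator overrides.

Added example (not from the original post). It parses a `reg.exe export`-style
dump of the key, so it runs offline on any OS; on a live Windows host feed it
the output of:  reg export HKLM\SOFTWARE\Microsoft\Wow64\x86 wow64.reg
(reg.exe writes UTF-16LE, so open that file with encoding="utf-16").
Assumption: a clean key carries only its default value, "wow64cpu.dll".
"""
import re
from typing import Dict, List

KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86"
CLEAN_DEFAULT = "wow64cpu.dll"  # assumed baseline, see module docstring

# Constructed sample export: notepad.exe -> local DLL (as in the post) plus a
# UNC variant for a second process. All names and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86]
@="wow64cpu.dll"
"notepad.exe"="c:\\test\\malware.dll"
"calc.exe"="\\\\fileserver\\share\\wow64cpu.dll"
'''

# One REG_SZ line: "name"="data" or @="data". In .reg files a backslash
# escapes both backslash and double quote.
_VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>(?:[^"\\]|\\.)*)"$'
)


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\x' -> 'x'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return {value_name: data} for the string values under KEY_PATH.

    The key's default value is returned under the empty-string name.
    """
    values: Dict[str, str] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY_PATH.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            name = "" if m.group("default") else _unescape(m.group("name"))
            values[name] = _unescape(m.group("data"))
    return values


def audit(values: Dict[str, str], system_root: str = r"C:\Windows") -> List[dict]:
    """Flag anything that redirects the WOW64 CPU emulator away from the baseline."""
    findings: List[dict] = []
    default = values.get("", "")
    if default.lower() != CLEAN_DEFAULT:
        findings.append({"value": "(Default)", "data": default,
                         "reasons": ["default emulator DLL replaced"]})
    system32 = (system_root + "\\System32\\").lower()
    for name, data in values.items():
        if name == "":
            continue
        # Any named value is a per-process override; that alone deserves a look.
        reasons = [f"per-process override for {name}"]
        if data.startswith("\\\\"):
            reasons.append("UNC path (remote DLL load, lateral-movement use)")
        elif "\\" in data and not data.lower().startswith(system32):
            reasons.append("DLL outside System32")
        findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f['value']:<12} {f['data']:<40} {'; '.join(f['reasons'])}")
```

Run it against an export collected from each host, or point a Sysmon RegistryEvent (Event ID 12/13) rule at this key so that a value being created or set there raises an alert at write time rather than at the next audit.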