Beyond good ol’ Run key, Part 109

July 12, 2019 in Anti-Forensics, Autostart (Persistence)

This is probably the least practical persistence mechanism I came across. This is because as far as I know loading external DLLs into Metro apps requires a lot effort (file need to be signed, have special rights, be included in a manifest, etc. — see the linked post for more details). In other words, it is practically impossible, unless there is some newer research that I missed. And in any case, even if we managed to load that DLL it would end up inside a process space of a low privilege app.

However… always good to document it. Especially that this is about a close cousin of old Office Test key I covered in 2014 & I think it’s my first Metro persistence trick.

When you run the Mail program that is built-in windows 10 you are actually running a Metro app HxOutlook.exe that executes from the following location:

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11425.20190.0_x64__8wekyb3d8bbwe\HxOutlook.exe

If you look at the Process Monitor logs collected during this app start-up you will notice that the app tries to read the following key:

\REGISTRY\…\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office Test\Special\PerfImm

Of course, when I saw it, I immediately thought of my old post, because the key name looks so similar.

Now, the Registry entry shown above may be a bit confusing. It is HKCU location, but since this is a Metro app you won’t find these entries inside your user hive. Instead, you will need to look for a small, app-dedicated hive placed in the following location:

c:\Users\<user>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat

The rule of a thumb is that if you see LocalState in a Registry entry, it means it’s a app hive.

In order to modify it, you need to:

  • kill all the processes that access this hive file first (e.g. HxOutlook.exe process); otherwise you will get access denied errors
  • use reg load command to attach it to HCU or HKLM hive
  • from there, you can navigate to the appropriate Office Test location via Regedit
  • modify the entry
  • run reg unload to save the changes to the settings.dat file

It’s actually a very straightforward process.

Okay. Once I did it I re-run the program and discovered what value the program is actually looking for is this:

EnableCodeMarkerCallback

If this value is set, the program will try to load the following library:

appcodemarkerimm.dll

The library is loaded via LoadPackagedLibrary API, and then the program tries to resolve a bunch of functions exported by this library:

  • GetPerfhostHookVersion
  • InitPerf
  • PerfCodeMarker
  • InitPerf_v3
  • PerfCodeMarker_v3
  • UnInitPerf_v3

I have not implemented a PoC, because of the issues I mentioned earlier, and it doesn’t seem to be worth trying it at all, but it’s an interesting curiosity nevertheless…

And there is a little bit more…

By looking for instances of appcodemarkerimm inside all files in the HxOutlook directory, I came across a few more ‘potentials’ e.g. Spy.dll and XamlSpy.dll referenced by a number of libraries. These two are not present so probably are also a part of a testing suite.

Share this :)

Comments are closed.