Beyond good ol’ Run key, Part 113

August 26, 2019 in Anti-Forensics, Autostart (Persistence)

This is another one where I just document things that are not commonly known, but _are_ very well documented for years, and defo still worth describing in this series.

While looking at the well-known dbghelp.dll library I noticed that it looks for entries under:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls

These entries are enumerated and then loaded via LoadLibrary

Quick google session followed and I found this awesome post from 2007.

—–Original Message—–
From:
Subject: RE: managed minidump
Auxiliary DLLs are loaded inside of MiniDumpWriteDump when it finds a registered auxiliary DLL for a module in the target process. The lookup is to take the full path of the module and see if there’s a registered auxiliary DLL. You can’t have multiple aux DLLs for a single module path.
—–Original Message—–
From: Junfeng Zhang
Subject: RE: managed minidump
When are auxiliary dlls loaded?
What is the behavior when there are multiple entries under each key?
—–Original Message—–
From:
Subject: RE: managed minidump
Both are filled with string values of the form = . MiniDumpAuxiliaryDlls lists helper DLLs that the minidump code can use to get additional data during dump generation. For example, mscorwks.dll has a registered auxiliary of mscordacwks.dll, which provides extra CLR memory data for a minidump.
KnownManagedDebuggingDlls is a security measure so that a debugger, when attempting to load extra support DLLs for managed debugging, can know what DLLs are approved for use on the system. The CLR registers mscordacwks.dll here, for example.
Both are kept in HKLM so that they can only be written by an admin.
—–Original Message—–
From: Junfeng Zhang
Subject: managed minidump
How does OS use the following two registry keys?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls

As you see, not only KnownManagedDebuggingDlls, but also MiniDumpAuxiliaryDlls branch is of value for threat hunters.

Share this :)

Comments are closed.