Beyond good ol’ Run key, Part 77

April 23, 2018 in Anti-*, Autostart (Persistence), Living off the land, LOLBins

This is one more post about hh.exe, the program that is used when you open .chm files.

The hh.exe functionality is implemented by the hhctrl.ocx library. When hh.exe is started, it tries to find the hhctrl.ocx library by checking the following Registry value:

HKCR\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32

The library that the value points to is then loaded.

If the library doesn’t exist, or loading it fails, hh.exe gives it another go and attempts to load the library by its hard-coded name, hhctrl.ocx, relying on the LoadLibrary function. Since the name carries no path, the DLL search order decides which file gets loaded, and as a result hh.exe is subject to side-loading attacks.

As such, there seem to be at least 2 opportunities here:

  • Drop c:\WINDOWS\hhctrl.ocx and delete the HKCR\CLSID\{52A2AAAE… value so running hh.exe will sideload the c:\WINDOWS\hhctrl.ocx
  • Replace the value of the HKCR\CLSID\{52A2AAAE… to point to your own lib and run hh.exe – this will load the lib of choice

Both can be used as a LOLBin / Persistence trick (or a combo).

Beyond good ol’ Run key, Part 76

April 22, 2018 in Anti-*, Autostart (Persistence)

Here’s yet another trick you can use to achieve persistence; this time the DLL of your choice will be loaded any time an old-school .chm file is opened. While documentation in this format is slowly disappearing from new programs, you can still find plenty of software that uses it.

To achieve persistence this way, one has to add the following Registry key:

[HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author]
"location"="c:\\test\\test.dll"
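
Seen from the defender's side, the registry and file changes described in Part 77 and Part 76 are all easy to watch for. The following is an added example, not code from the original posts: a small detector run over constructed events. The event schema (kind/target/data), the sample SID and the expected System32 path for hhctrl.ocx are assumptions.

```python
import re

# Key and value names come from the two posts; the event schema (kind/target/data)
# is hypothetical, so map your own registry and file telemetry onto it.
CLSID_PATH = r"CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32"
CLSID_KEY = "\\" + CLSID_PATH.lower()
AUTHOR_VALUE = r"\software\microsoft\htmlhelp author\location"
# Assumption: a stock install registers hhctrl.ocx from System32 (or SysWOW64).
EXPECTED = re.compile(
    r"^(%systemroot%|c:\\windows)\\(system32|syswow64)\\hhctrl\.ocx$", re.I)


def check_event(ev):
    """Return a finding string for one event, or None if it is unremarkable."""
    kind = ev["kind"]
    target = ev["target"].lower().rstrip("\\")
    data = ev.get("data", "").strip().strip('"')
    if kind in ("RegSet", "RegDelete") and CLSID_KEY in target:
        # HKCR is a merged view: the write lands under HKLM\SOFTWARE\Classes
        # or a per-user HKU\<SID>_Classes hive, so match on the key suffix.
        if kind == "RegDelete":
            return "hhctrl CLSID InprocServer32 removed (hh.exe falls back to loading by name)"
        if not EXPECTED.match(data):
            return f"hhctrl CLSID InprocServer32 redirected to {data}"
    elif kind == "RegSet" and target.endswith(AUTHOR_VALUE):
        return f"HtmlHelp Author location set to {data}"
    elif kind == "FileCreate" and target.endswith("\\hhctrl.ocx"):
        if not EXPECTED.match(target):
            return f"hhctrl.ocx written outside System32: {ev['target']}"
    return None


def scan(events):
    """Collect findings for a list of events, in order."""
    return [f for f in map(check_event, events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "RegSet", "target": "HKLM\\SOFTWARE\\Classes\\" + CLSID_PATH + "\\(Default)",
     "data": r"C:\Windows\System32\hhctrl.ocx"},
    {"kind": "RegSet", "target": "HKU\\S-1-5-21-0-0-0-1001_Classes\\" + CLSID_PATH + "\\(Default)",
     "data": r"c:\test\test.dll"},
    {"kind": "RegDelete", "target": "HKLM\\SOFTWARE\\Classes\\" + CLSID_PATH + "\\(Default)"},
    {"kind": "FileCreate", "target": r"c:\WINDOWS\hhctrl.ocx"},
    {"kind": "RegSet", "data": r"c:\test\test.dll",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\HtmlHelp Author\location"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Only the first sample event, which sets the CLSID to the expected System32 path, passes without a finding.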