Beyond good ol’ Run key, Part 130

October 19, 2020 in Anti-Forensics, Autostart (Persistence)

Yet another short one, courtesy of @tiraniddo who pointed me to this Microsoft article describing SERVICE_FAILURE_ACTIONSW structure. In essence, you use it to tell service controller what to do when your service breaks. I have seen this technique abused by malware over 10 years ago, but completely forgot about it.

James not only provided the link, but also suggested that you could register a service which you’ll know crashes if you get it bad input on command line but what you really want is it to fail so that it runs the backup command. And you can delay the command for a long time to disconnect between the failure and the command execution.

Thanks James!

Comments Off on Beyond good ol’ Run key, Part 130

Beyond good ol’ Run key, Part 129

October 17, 2020 in Anti-Forensics, Autostart (Persistence)

Browsing through windows libraries I came across a few that had an intriguingly named function being resolved during run-time: DllBidEntryPoint.

The libraries referencing this API are:

  • msado15.dll
  • msadomd.dll
  • msadox.dll
  • msadrh15.dll
  • msadce.dll
  • msadco.dll
  • msadds.dll
  • msdaprst.dll
  • msdarem.dll
  • msdaora.dll
  • msdasql.dll
  • msdatl3.dll
  • oledb32.dll
  • sqloledb.dll

As usual, the first thing was to go to Google and soon I discovered that it’s a part of a documented tracing interface used by SQL Server called Built-in Diagnostics (BID).

One can use one of these keys:

  • HKLM\Software\Microsoft\BidInterface\Loader
  • HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\BidInterface\Loader

and add ‘:Path ‘ value name pointing to a DLL that will act as a tracing DLL.

As usual, the linked document contains all the gore details.

Comments Off on Beyond good ol’ Run key, Part 129

← Previous Entries