Beyond good ol’ Run key, Part 134

May 3, 2021 in Archaeology, Autostart (Persistence)

This one is for historical reasons, primarily.

Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here.

The feature was implemented via a simple directory structure located here:

  • c:\Program Files\Adobe\Adobe Photoshop CS2\Helpers

and its 2 subdirectories:

  • Jump To Graphics Editor
  • Jump To HTML Editor

Dropping your own LNK, EXE or any other executable file into these subdirectories lets you extend the menu, or… replace the existing LNK file. That amounts to a lame persistence mechanism, e.g. as shown on the pic below:
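The defender-side counterpart is simply to watch these two "Jump To" subdirectories for files that Photoshop would launch. The script below is an added example, not code from the original post: it takes a baseline inventory (size and SHA-256) of every launchable file under the Helpers directory and reports anything added, replaced or removed. The CS2 path is the one from the post; the sample tree, file names and file contents are constructed so the run works offline.

```python
"""Audit the Photoshop 'Jump To' helper directories for dropped or swapped files.

Added example, not from the original post. Builds a baseline of launchable
files (path -> size, SHA-256) and diffs it against a later snapshot."""
import hashlib
import os
import tempfile
from pathlib import Path

# File types Photoshop would hand to ShellExecute from a "Jump To" entry.
LAUNCHABLE = {".lnk", ".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}

# Location from the post (CS2); other versions differ.
DEFAULT_HELPERS = Path(r"C:\Program Files\Adobe\Adobe Photoshop CS2\Helpers")
JUMP_TO_DIRS = ("Jump To Graphics Editor", "Jump To HTML Editor")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(helpers: Path) -> dict:
    """Map relative path -> (size, sha256) for every launchable file."""
    result = {}
    for sub in JUMP_TO_DIRS:
        base = helpers / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in LAUNCHABLE:
                rel = str(p.relative_to(helpers)).replace(os.sep, "/")
                result[rel] = (p.stat().st_size, sha256_of(p))
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, changed and removed launchable files, sorted by path."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "changed": changed, "removed": removed}


def demo() -> dict:
    """Constructed scenario: vendor shortcuts, then a dropped EXE and a swapped LNK."""
    with tempfile.TemporaryDirectory() as tmp:
        helpers = Path(tmp) / "Helpers"
        gfx = helpers / "Jump To Graphics Editor"
        html = helpers / "Jump To HTML Editor"
        gfx.mkdir(parents=True)
        html.mkdir(parents=True)
        # Constructed stand-ins for the vendor's shortcuts (not real LNK data).
        (gfx / "Adobe ImageReady CS2.lnk").write_bytes(b"L\x00\x00\x00vendor-shortcut")
        (html / "Adobe GoLive CS2.lnk").write_bytes(b"L\x00\x00\x00vendor-shortcut")
        baseline = snapshot(helpers)

        # Simulated tampering: a new EXE, a replaced shortcut, and a non-launchable file.
        (gfx / "updater.exe").write_bytes(b"MZ constructed sample")
        (html / "Adobe GoLive CS2.lnk").write_bytes(b"L\x00\x00\x00replaced-shortcut")
        (html / "readme.txt").write_text("not launchable, ignored by the audit")
        return diff_snapshots(baseline, snapshot(helpers))


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"{kind}: {item}")
```

On a real host, call snapshot(DEFAULT_HELPERS) once after installation, store the result, and diff against it on a schedule; only the launchable extensions are hashed, so the vendor's own text or icon files never produce noise.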

Non-debugging uses of CDB

May 3, 2021 in Forensic Analysis, Living off the land, LOLBins

Catching up with another tweet from 3 months ago.

VMWare Workstation installs the cdb.exe debugger for you – you can play around with its features if you happen to find it during an engagement. Other than the obvious “I can run and manipulate other processes with it”, here are 2 other ideas:

AeDebug setup

Using the -iae / -iaec options you can make cdb.exe install itself as the AeDebug debugger. If you do so, cdb.exe, a signed Microsoft binary, will be the one doing the dirty deed for you, and you can then swap it for your malicious cdb.exe.

-iae install as AeDebug debugger
-iaec install as AeDebug debugger with given command tail
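Since -iae / -iaec land in the AeDebug registry key, the check a defender wants is an audit of that key's Debugger value. The script below is an added example, not code from the original post: it parses the value the way Windows stores it (quoted binary path followed by the command tail), flags a debugger outside an allow-list of expected directories, flags a command tail beyond the usual -p %ld -e %ld -g, and notes when Auto=1 makes it fire silently on every crash. The allow-list and the sample values are assumptions constructed for an offline run; the live read uses winreg and only runs on Windows.

```python
"""Audit the AeDebug 'Debugger' value for an unexpected post-mortem debugger.

Added example, not from the original post. Works offline on constructed
sample values; read_live() queries the real keys on Windows."""
import sys

# Both views of the key on 64-bit Windows.
AEDEBUG_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug",
)

# Directories a registered debugger is expected to run from (assumption; tune per estate).
EXPECTED_DIRS = (
    r"C:\Program Files\Windows Kits",
    r"C:\Program Files (x86)\Windows Kits",
    r"C:\Windows\System32",
)

# Tokens of the stock command tail written by the debugger's self-install.
STANDARD_TAIL = {"-p", "-e", "-g", "%ld"}


def split_value(value: str) -> tuple:
    """Split an AeDebug value into (binary path, command tail).

    The path is the first quoted token when quotes are present, otherwise
    the first whitespace-delimited token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end < 0:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess(value: str, auto: str = "0") -> dict:
    """Classify one Debugger value; `auto` is the sibling 'Auto' value ("1" = no prompt)."""
    exe, tail = split_value(value)
    if not exe:
        return {"binary": "", "findings": ["no debugger configured"]}
    expected = any(exe.lower().startswith(d.lower()) for d in EXPECTED_DIRS)
    findings = []
    if not expected:
        findings.append("debugger outside expected directories")
    extras = [t for t in tail.split() if t not in STANDARD_TAIL]
    if extras:
        findings.append("non-standard command tail: " + " ".join(extras))
    if auto == "1" and not expected:
        findings.append("Auto=1: launched silently on every crash")
    return {"binary": exe, "findings": findings}


def read_live() -> list:
    """Return [(key, assessment)] from the real registry on Windows, [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    out = []
    for key in AEDEBUG_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                dbg, _ = winreg.QueryValueEx(k, "Debugger")
                try:
                    auto, _ = winreg.QueryValueEx(k, "Auto")
                except FileNotFoundError:
                    auto = "0"
        except FileNotFoundError:
            continue
        out.append((key, assess(str(dbg), str(auto))))
    return out


# Constructed sample values (paths are illustrative, not observed data).
SAMPLES = {
    "kit": (r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -p %ld -e %ld -g', "0"),
    "vmware": (r'"C:\Program Files (x86)\VMware\VMware Workstation\cdb.exe" -p %ld -e %ld -g', "1"),
    "tail": (r'"C:\Users\Public\cdb.exe" -p %ld -e %ld -g -lines', "1"),
}

if __name__ == "__main__":
    for label, (value, auto) in SAMPLES.items():
        print(label, assess(value, auto))
    for key, result in read_live():
        print(key, result)
```

The binary path is the important field: a swapped cdb.exe only pays off if it is the one the registry points at, so the allow-list comparison (plus a signature or hash check of that file, which the script leaves to the reader's tooling) is what closes the loop.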

Launch programs via COMSPEC abuse

Cdb lets us drop to a shell temporarily, a bit like ftp.exe, and lo and behold, it relies on the COMSPEC environment variable too. Hence we can launch a program through it, e.g. like this:

The obvious question is – why – after all, cdb.exe is a debugger and we can launch programs with it anyway. Apart from the obvious “why not”, this way we can launch a program w/o debugging flags (e.g. DEBUG_ONLY_THIS_PROCESS).
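Both cdb.exe behaviours in this post leave a clear trace in process-creation telemetry: the self-install is a cdb.exe command line carrying -iae or -iaec, and the COMSPEC escape is a shell whose parent is cdb.exe (and whose child, unlike a debuggee, was not started with a debug flag). The script below is an added example, not code from the original post: it runs three rules over Sysmon Event ID 1 style records (Image, ParentImage, CommandLine). The expected-location list and the sample events are constructed assumptions; in particular the VMware path stands in for wherever the bundled cdb.exe lives on a given estate, so tune the list before relying on the path rule.

```python
"""Detection rules for cdb.exe self-registration and shell escapes.

Added example, not from the original post. Evaluates constructed
process-creation events; field names follow Sysmon Event ID 1."""
from pathlib import PureWindowsPath

# Where cdb.exe is expected to run from (assumption; tune per estate).
EXPECTED_CDB_DIRS = (
    r"C:\Program Files (x86)\Windows Kits",
    r"C:\Program Files\Windows Kits",
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFAULT_COMSPEC = r"C:\Windows\System32\cmd.exe"


def _name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return PureWindowsPath(image).name.lower()


def _in_expected(image: str) -> bool:
    low = image.lower()
    return any(low.startswith(d.lower()) for d in EXPECTED_CDB_DIRS)


def evaluate(event: dict, comspec: str = DEFAULT_COMSPEC) -> list:
    """Return the names of the rules that fire for one event."""
    hits = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    tokens = {t.lower() for t in event.get("CommandLine", "").split()}
    if _name(image) == "cdb.exe":
        if tokens & {"-iae", "-iaec"}:
            hits.append("cdb_aedebug_install")      # installs itself as AeDebug
        if not _in_expected(image):
            hits.append("cdb_unexpected_path")      # a cdb.exe outside the SDK
    # Shell launched by the debugger: matches the COMSPEC-based escape.
    if _name(parent) == "cdb.exe" and _name(image) in (SHELLS | {_name(comspec)}):
        hits.append("cdb_spawned_shell")
    return hits


def scan(events: list, comspec: str = DEFAULT_COMSPEC) -> list:
    """Return [(event index, [rules])] for events with at least one hit."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event, comspec)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not observed data).
SAMPLE_EVENTS = [
    {   # ordinary debugging session from the SDK copy: no hits
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cdb.exe -g -G C:\dev\app.exe",
    },
    {   # bundled copy registering itself as the AeDebug debugger
        "Image": r"C:\Program Files (x86)\VMware\VMware Workstation\cdb.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cdb.exe -iae",
    },
    {   # shell escape: cmd.exe spawned by cdb.exe via COMSPEC
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files (x86)\VMware\VMware Workstation\cdb.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c ver",
    },
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules)
```

The shell rule deliberately keys on the parent rather than on COMSPEC's value alone: an attacker who repoints COMSPEC at another binary changes the child's name, which is why the rule also accepts the file name currently held in COMSPEC as a match.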