Beyond good ol’ Run key, Part 14

July 8, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I have mentioned in my older posts that tracing, logging, debugging and various plugins, extensions and internal performance testing and development tools can be used and abused as a persistence mechanism; today’s topic is yet another list of phantom DLLs – this time courtesy of Windows Problem Reporting.

When applications crash on newer versions of Windows the WerFault.exe program is executed (subject to system’s settings); when launched at some stage it will try to locate and load the following files:

  • dbghelp.dll
  • ext.dll
  • exts.dll
  • ntsdexts.dll
  • uext.dll
  • wow64log.dll

The last one on the list may look familiar, I mentioned it in the part 5.

These DLLs are various debugger extensions that WerFault tries ‘to talk to’ when the crash occurs; the paths that WerFault is walking through is according to the Extension DLL search path – I believe this path is hard coded inside WerFault and can’t be changed (that could be yet another way to fool WerFault to look for the DLLs in other directories), but can be changed if the extensions are loaded from under WinDbg or other compatible with them debugger.

The searching activity can be easily observed using a Process Monitor and on my test system Windows 8.1 it is walking through a couple of C:\Windows\ sub-directories; the list below is a combined list from both 32- and 64-bit versions:

  • C:\Windows\ext.dll
  • C:\Windows\exts.dll
  • C:\Windows\ntsdexts.dll
  • C:\Windows\System32\ext.dll
  • C:\Windows\System32\exts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\system32\pri\dbghelp.dll
  • C:\Windows\system32\pri\ext.dll
  • C:\Windows\system32\pri\exts.dll
  • C:\Windows\system32\pri\ntsdexts.dll
  • C:\Windows\system32\pri\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\System32\wbem\ext.dll
  • C:\Windows\System32\wbem\exts.dll
  • C:\Windows\System32\wbem\ntsdexts.dll
  • C:\Windows\System32\wbem\uext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\system32\winext\arcade\dbghelp.dll
  • C:\Windows\system32\winext\arcade\ext.dll
  • C:\Windows\system32\winext\arcade\exts.dll
  • C:\Windows\system32\winext\arcade\ntsdexts.dll
  • C:\Windows\system32\winext\arcade\uext.dll
  • C:\Windows\system32\winext\dbghelp.dll
  • C:\Windows\system32\winext\ext.dll
  • C:\Windows\system32\winext\exts.dll
  • C:\Windows\system32\winext\ntsdexts.dll
  • C:\Windows\system32\winext\uext.dll
  • C:\Windows\system32\WINXP\dbghelp.dll
  • C:\Windows\system32\WINXP\ext.dll
  • C:\Windows\system32\WINXP\exts.dll
  • C:\Windows\system32\WINXP\ntsdexts.dll
  • C:\Windows\system32\WINXP\uext.dll
  • C:\Windows\System32\wow64log.dll
  • C:\Windows\SysWOW64\ext.dll
  • C:\Windows\SysWOW64\exts.dll
  • C:\Windows\SysWOW64\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\dbghelp.dll
  • C:\Windows\SysWOW64\pri\ext.dll
  • C:\Windows\SysWOW64\pri\exts.dll
  • C:\Windows\SysWOW64\pri\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\uext.dll
  • C:\Windows\SysWOW64\uext.dll
  • C:\Windows\SysWOW64\wbem\ext.dll
  • C:\Windows\SysWOW64\wbem\exts.dll
  • C:\Windows\SysWOW64\wbem\ntsdexts.dll
  • C:\Windows\SysWOW64\wbem\uext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
  • C:\Windows\SysWOW64\winext\arcade\ext.dll
  • C:\Windows\SysWOW64\winext\arcade\exts.dll
  • C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\arcade\uext.dll
  • C:\Windows\SysWOW64\winext\dbghelp.dll
  • C:\Windows\SysWOW64\winext\ext.dll
  • C:\Windows\SysWOW64\winext\exts.dll
  • C:\Windows\SysWOW64\winext\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\uext.dll
  • C:\Windows\SysWOW64\WINXP\dbghelp.dll
  • C:\Windows\SysWOW64\WINXP\ext.dll
  • C:\Windows\SysWOW64\WINXP\exts.dll
  • C:\Windows\SysWOW64\WINXP\ntsdexts.dll
  • C:\Windows\SysWOW64\WINXP\uext.dll
  • C:\Windows\uext.dll

Writing to the Windows directory is more difficult nowadays than it was in the past, but with a growing number of tricks used to escalate privileges one should not blindly assume that these files are not going to be there, because of the directory ACLs.

To test, drop a DLL into one of these locations and crash some app – WerFault will do the rest 🙂

Comments are closed.