Beyond good ol’ Run key, Part 35

Posted on by

A long time ago in a galaxy far, far away…. Microsoft was releasing new versions of a super uber cool pre-web era editing control called Rich Edit. I remember programming one of my early Windows API apps ages ago and at that time I was a bit puzzled. Puzzled, because I had to distinguish a version of Rich Edit control I could use and then I had to ensure that I load respective library myself to use certain features of the Rich Edit control.

The Rich Edit control was and still is a great editing control – it supports multi-line editing, Unicode, COM, and lots of other whistles and fireworks. It became a foundation of many applications and editors and in many aspects was ahead of its time. The libraries used by the various versions of the library are as follows:

  • 1.0 – Riched32.dll
  • 2.0 – Riched20.dll
  • 3.0 – Riched20.dll
  • 4.1 – Msftedit.dll

And yes, you know where it is going…

Many apps following the Microsoft’s mantra of loading the appropriate Rich Edit control would use LoadLibrary API and open it up to a nice DLL hijack.

Dropping malicious Riched20.dll and/or Riched32.dll in the same directory as the applications relying on Rich Edit control will lead to the execution of the malicious code each time the app is launched.

A popular example of such app is WinRar. Many people use it as a standalone app and winrar.exe works w/o any supporting files so can be dropped anywhere. Other examples include a very old, but still popular Resource Hacker, as well as some tools from Sysinternals f.ex. ADInsight.exe, Bginfo.exe, FileInsight from McAfee, old EditPad, OllyDbg, and many more…

riched

The newer version of Rich Edit DLL (Msftedit.dll) is maybe less common, but can be still found in popular applications. One I came across is aswMBR.exe from AVAST – the below pops up with my decoy DLL being dropped inside the same dir as aswMBR.exe and activates when I try to Save the log.

Msftedit

Since many applications using the Rich Edit are signed, the unsigned DLL may be loaded in a very same manner as PlugX malware i.e. signed .exe loading an unsigned .dll.