Beyond good ol’ Run key, Part 78

April 29, 2018 in Autostart (Persistence), Random ideas

This is an idea I had for a very long time, and I partially described it in the past except this time the mechanism I am thinking of is slightly different; I hesitated to come back to it because unlike SysLink example I still have not found a good candidate to demonstrate it. I do have one or two examples that should potentially work except it’s a functionality that is probably discontinued (as far as I can tell); and even if it is not it’s still one that is used so rarely that it doesn’t really matter from a practical point of view; I will refer to these candidates below.

In any case I think it’s good to add 5 cents to the old idea itself as it shows yet another potential way of achieving stealthy persistence w/o modifying Registry and .exe files.

The concept is as I described previously and based on the fact some programmers are trying to squeeze in all the data into program resources. In the past many of these resources would reside directly inside the program’s .exe file, nowadays a lot of them are stored inside the .mui files. If you don’t know what .mui file are – they are Multilingual User Interface resource files.

To get quickly familiar with their importance try to copy c:\windows\notepad.exe to a different folder and launch it from there. You won’t see Notepad starting, because it requires these .mui program resources. And these are stored under the OS directory inside a dedicated language folder e.g. on American English Windows it’s c:\windows\system32\en-US. In order to run Notepad from a different folder you need to copy not only notepad.exe to the new folder, but also its resources en-US\notepad.exe.mui (and you have to preserve this language symbol-based directory structure).

The modification of the .mui file is handy from a localization perspective, but not only. Imagine a piece of code that reaches out to .mui resources, fetches a string and then passes it directly to ShellExecute function (or one of its variants). Something along these lines:

If you can modify the string inside the resources you will control what is being passed to ShellExecute API. As such, you may achieve a very stealthy persistence, or perhaps LOLBIN-like functionality.

Now… the problem is finding such candidate program.

This is incredibly difficult, but not impossible. The above snippet of code comes from shwebsvc.dll. From a bit of a research and guesswork I did it seems to be executed when users of the Order Print function decide to print photos using the online services (these are provided by various retailers in their area). This blog post shows how it looks like in practice. As far as I can tell the string 2505 from my example is used when the user clicks ‘please read our privacy statement’ link:

(Copyright notice: the screenshot copied from the post).

So, it is very similar to the SysLink example except here there is a direct handling of the click inside the DLL.The second candidate is inside the comsnap.dll that is a COM+ Explorer MMC Snapin. Again, its usefulness for this sort of trick is a subject for a debate.

I doubt further research will discover lots more of such candidate files, not only inside the native OS libraries, but also in popular software, but who knows…

Comments are closed.