Beyond good ol’ Run key, Part 108

This is my favorite persistence trick of 2019 so far.

The 64-bit WOW layer changed a lot in Windows 10, and this article covers it in crazy depth.

An interesting feature that comes as a result of these changes is functionality provided by the OS when the following value exists:

HKLM\SOFTWARE\Microsoft\Wow64\x86\

processname = <your DLL>

One can create, e.g.:

HKLM\SOFTWARE\Microsoft\Wow64\x86\

notepad.exe = c:\test\malware.dll

And this DLL will be loaded anytime a 32-bit Notepad is executed.

Since this is a WOW key, only 32-bit programs are affected.

Now, why is this my favorite persistence trick of 2019 so far? There are at least two reasons:

  • The DLL is actually 64-bit (it replaces wow64cpu.dll), so you are basically injecting a 64-bit DLL into a 32-bit process (while this comes with limitations – no access to many APIs, as the process is only about to get started – it’s a pretty cool anti-trick)
  • The DLL can be loaded from a UNC path, so it can be both a persistence and lateral movement trick
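From the defender's side, the key above is small and rarely populated, so it is cheap to audit. The following is an added example (not code from the original post) that parses a text export of that key, as produced by `reg export HKLM\SOFTWARE\Microsoft\Wow64\x86 out.reg`, and flags every per-process value, highlighting UNC paths separately. The sample export is constructed; the `(Default) = wow64cpu.dll` baseline entry is an assumption about a clean system, and only REG_SZ values are handled.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export of the Wow64\x86 key: one assumed
# baseline default value plus two per-process hijack entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86]
@="wow64cpu.dll"
"notepad.exe"="c:\\test\\malware.dll"
"calc.exe"="\\\\fileserver\\share\\payload.dll"
'''

TARGET_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86]"
# Matches `@="data"` (default value) or `"name"="data"` (REG_SZ only).
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")="(?P<data>.*)"$')


def parse_wow64_x86(reg_text: str) -> Dict[str, str]:
    """Return {value name: string data} for the Wow64\\x86 key only."""
    entries: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower() == TARGET_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # hex(...) values (REG_EXPAND_SZ etc.) are skipped
        name = m.group("name") or "(Default)"
        # .reg escapes backslashes and quotes with a backslash; undo that.
        entries[name] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return entries


def suspicious_entries(entries: Dict[str, str]) -> List[str]:
    """Flag every per-process value; a UNC path is called out explicitly."""
    findings: List[str] = []
    for name, path in entries.items():
        if name == "(Default)":
            continue  # assumed baseline: the stock wow64cpu.dll entry
        kind = "UNC path" if path.startswith("\\\\") else "local DLL"
        findings.append(f"{name}: {kind} {path}")
    return findings
```

Run it against a real export to get a list of processes that would load a foreign 64-bit DLL at startup; any named value under this key is worth an explanation.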

Bring your own lolbas?

Recently, I was wondering what is the best term for binaries/scripts that are signed, can do the Lolbas thing, but are not necessarily installed on the system.

So far I have been covering many of these using a generic term ‘Re-usigned binaries’ (portmanteau of ‘reuse’ and ‘signed’). But it’s not catchy enough. Could a better term be ‘Bring your own lolbas/lolbin’? BYOL? Kinda similar to Bring Your Own Vulnerability (BYOV)? In fact a BYOL is a subset of BYOV.

I have covered many BYOL examples before, and I believe there will be a lot more in the future. After a very fertile research period, lolbin fans explored most of the native OS executables, DLLs, and scripts. It’s a natural course of events that their eyes will eventually turn to the other stuff.

The other stuff can be, e.g., a 7-Zip program signed by legitimate companies. @Oddvarmoe posted about it on Twitter in April:

It triggered my interest and I set off on a path to discover more instances of various 7-Zip components signed by legitimate companies. The results of very basic research are promising: there are plenty of these:

  • ASUSTeK Computer Inc.
  • HUAWEI Technologies Co., Ltd.
  • NVIDIA Corporation
  • Samsung Electronics CO., LTD.
  • Trend Micro, Inc.

I won’t be posting hashes, because… well… why burn them… The other, less obvious bit is that these signed components are often old and could contain unpatched vulnerabilities as well.