Beyond good ol’ Run key, Part 129
October 17, 2020 in Anti-Forensics, Autostart (Persistence)
Browsing through windows libraries I came across a few that had an intriguingly named function being resolved during run-time: DllBidEntryPoint.
The libraries referencing this API are:
- msado15.dll
- msadomd.dll
- msadox.dll
- msadrh15.dll
- msadce.dll
- msadco.dll
- msadds.dll
- msdaprst.dll
- msdarem.dll
- msdaora.dll
- msdasql.dll
- msdatl3.dll
- oledb32.dll
- sqloledb.dll
As usual, the first thing was to go to Google and soon I discovered that it’s a part of a documented tracing interface used by SQL Server called Built-in Diagnostics (BID).
One can use one of these keys:
- HKLM\Software\Microsoft\BidInterface\Loader
- HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\BidInterface\Loader
and add ‘:Path ‘ value name pointing to a DLL that will act as a tracing DLL.
As usual, the linked document contains all the gore details.
Comments are closed.