TestHooks, take 2

December 2, 2020 in Archaeology

In my older post I mentioned TestHooks in the context of Windows Update. Studying Windows 10 binaries brings more interesting findings. A few days ago I stumbled upon the Test_TestHookIndex string inside explorer.exe and almost immediately asked about it on Twitter. This is because googling brought only one interesting hit – a blog post from… 2013. I couldn’t believe that in the last 7 years no one else had looked at it. Hmm…

One of my fav. researchers @0gtweet jumped on it straight away and we had a quick exchange about possibilities. We concluded that there may be some persistence trick hiding there, somewhere. The TestHook values seem to be overriding some flags for the actual tasks executed by Windows Explorer.

I am a bit lazy these days (thx covid). So, to help with the research I kicked off Procmon with a filter for TestHook, enabled boot logging and restarted my VM box.

One of the first findings after the system restart was that Procmon highlighted a missing file, RdvTestHooks.dll – a quick Google search confirmed that this find had already been covered in this nice blog post – a beautiful example of a phantom DLL.

As for the Registry entries, I got these (this is a subset from Explorer only, but there are more from other processes!):

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookAppReadinessBypass
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookIndex
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookRunMethod
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookStartPhase
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookStartWait
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Test_TestHookWaitPhase
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TestHookDisableNthMSA

So, the string I found inside Windows Explorer is actually referenced during run-time and that makes it interesting. Looking at the code in IDA confirmed that @0gtweet's feel about these reg entries was also spot on. BUT. As far as I can tell all these Windows Explorer entries are DWORDs, so we can’t change too much there (in terms of providing a path to a test DLL, or whatever). And the settings appear to be affecting tasks executed by Windows Explorer during start-up and tagged as follows:

  • PreRoamingTasks
  • PreShellTasks
  • ShellInitTasks
  • UserOobeTasks
  • PreStartTasks
  • PostStartTasks
  • BasicCXHTasks
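Since explorer.exe reads these values at start-up and none of them should be set on a production box, a quick audit is the obvious defensive check. The script below is an added example, not code from the post; it assumes only the key path and the seven value names listed above, and flags any that are present (and any whose type is not DWORD, since all of them are expected to be DWORDs).

```powershell
# Added audit script (not from the original post): enumerates the Explorer
# TestHook registry values listed above and reports any that are present.
# Assumption: these are exactly the value names observed in the post.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$HookNames = @(
    'Test_TestHookAppReadinessBypass',
    'Test_TestHookIndex',
    'Test_TestHookRunMethod',
    'Test_TestHookStartPhase',
    'Test_TestHookStartWait',
    'Test_TestHookWaitPhase',
    'TestHookDisableNthMSA'
)

function Get-ExplorerTestHookState {
    param([string]$Path = $KeyPath, [string[]]$Names = $HookNames)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return @()
    }
    # Use the RegistryKey object so a missing value is a clean "absent", not an error.
    $key = Get-Item -Path $Path
    $existing = $key.GetValueNames()
    foreach ($name in $Names) {
        $present = $existing -contains $name
        [pscustomobject]@{
            Name    = $name
            Present = $present
            Kind    = if ($present) { $key.GetValueKind($name).ToString() } else { $null }
            Data    = if ($present) { $key.GetValue($name) } else { $null }
        }
    }
}

$results = Get-ExplorerTestHookState
$results | Format-Table -AutoSize

# Any value that exists is worth a closer look; a non-DWORD type is doubly odd,
# because explorer.exe treats all of these as DWORD flags.
$set = $results | Where-Object { $_.Present }
if ($set) {
    foreach ($r in $set) {
        $note = if ($r.Kind -ne 'DWord') { ' (unexpected value type)' } else { '' }
        Write-Output ("TestHook value set: {0} = {1} [{2}]{3}" -f $r.Name, $r.Data, $r.Kind, $note)
    }
} else {
    Write-Output 'No Explorer TestHook values are set.'
}
```

Reading HKLM does not need elevation, so this can run as part of a routine baseline check; anything it reports is a deviation from a clean install rather than proof of tampering.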

While I was not able to find a way to (ab)use these, this is yet another piece of unfinished research…
