Beyond good ol’ Run key, Part 132

February 24, 2021 in Anti-Forensics, Autostart (Persistence)

This is a very unpromising persistence mechanism relying on environment variables (again).

Combing through OpenSSL source code I came across two variables that it relies on and they are described here:

  • OPENSSL_MODULES – Specifies the directory from which cryptographic providers are loaded.
  • OPENSSL_ENGINES – Specifies the directory from which dynamic engines are loaded.

An example of a code excerpt from a signed DLL that is compiled with support for OPENSSL_MODULES is shown below:

The good news is that most Windows executables and DLLs compiled from OpenSSL sources do not have these variables built in. I checked my repo and online repositories as well, and it looks like there really are not many of them available (barely a few). The second piece of good news is that even when compiled with support for these variables, they will not be used unless specific OpenSSL functions are called. Despite some moderate efforts to produce a POC, I couldn't find any good candidate. As such, using them as a persistence mechanism is a poor choice indeed. Still, it is worth documenting, as usual.
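The triage described above (which binaries even reference the two variables, and whether anything on the host has them set) can be scripted. The following is an added example, not code from the post; the file names and contents in demo_scan() are constructed samples, and the scan treats any file with a .dll/.exe suffix as a candidate rather than parsing the PE format.

```python
import os
import tempfile
from pathlib import Path

# The two OpenSSL environment variables the post describes.
OPENSSL_ENV_VARS = ("OPENSSL_MODULES", "OPENSSL_ENGINES")

def find_openssl_env_refs(data: bytes) -> set:
    """Return the subset of OPENSSL_ENV_VARS whose name occurs in `data`.
    ASCII and UTF-16LE spellings are both checked, since a Windows build may
    store the name in either form for its getenv-style lookup."""
    found = set()
    for name in OPENSSL_ENV_VARS:
        if name.encode("ascii") in data or name.encode("utf-16-le") in data:
            found.add(name)
    return found

def scan_directory(root, suffixes=(".dll", ".exe")) -> dict:
    """Walk `root` and map each PE-like file name to the variable names it
    references. A hit means the binary *could* honour the variable; whether it
    ever calls the OpenSSL functions that read it is a separate question."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                refs = find_openssl_env_refs(path.read_bytes())
            except OSError:
                continue  # unreadable file (locked, permissions); skip it
            if refs:
                hits[path.name] = sorted(refs)
    return hits

def env_vars_set(environ=None) -> dict:
    """Return {name: value} for any of the variables present in `environ`
    (default: this process's environment). On a host where nothing legitimately
    needs them, a set value names a directory worth reviewing."""
    environ = os.environ if environ is None else environ
    return {n: environ[n] for n in OPENSSL_ENV_VARS if n in environ}

def demo_scan() -> dict:
    """Constructed sample: two fake DLLs and one non-PE file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "crypto.dll").write_bytes(b"MZ\x90\x00..OPENSSL_MODULES\x00")
        Path(tmp, "ssl.dll").write_bytes(b"MZ" + "OPENSSL_ENGINES".encode("utf-16-le"))
        Path(tmp, "notes.txt").write_bytes(b"OPENSSL_MODULES")  # wrong suffix, ignored
        return scan_directory(tmp)

if __name__ == "__main__":
    print(demo_scan())
    print(env_vars_set())
```

Point scan_directory() at a real tree (e.g. a software inventory share) to list candidate binaries; a hit plus a set variable pointing at an unexpected directory is the combination worth following up.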
