Yara Carpet Bomber, Part 2

Steve asked about the use cases for the Yara Carpet Bomber approach, and in this Twitter convo I provided 2 examples of quick & dirty Yara rules that help to find all references to API names (including API names spelled backward) within a given binary, e.g. in this case the Notepad executable. It may come in handy if you want to quickly check for API references anywhere inside a file, including import tables and the strings used to resolve APIs dynamically.

The list includes APIs from the following libraries:

  • advapi32.dll
  • avicap32.dll
  • cabinet.dll
  • combase.dll
  • crypt32.dll
  • dbghelp.dll
  • dbnetlib.dll
  • gdi32.dll
  • icmp.dll
  • IPHLPAPI.DLL
  • kernel32.dll
  • mfc140.dll
  • MFCaptureEngine.dll
  • mpr.dll
  • mscoree.dll
  • mstask.dll
  • ntdll.dll

You can download the set here.
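To make the "carpet bomber" idea concrete, here is an added example (my own, not the rule set the post links to) that generates a Yara rule with one string per API name plus its reversed spelling, in both ASCII and UTF-16LE (`ascii wide`), and a small scanner that reports where such strings sit in a buffer. The API names and the byte blob are constructed samples, not taken from Notepad.

```python
"""
Added example: generate a carpet-bomber style Yara rule (every API name
forward and spelled backward, ascii + wide) and locate the same strings in
a buffer to see what the rule would hit. Inputs below are constructed.
"""
import re

# Constructed sample of API names (a real rule set would carry thousands).
SAMPLE_APIS = ["CreateRemoteThread", "VirtualAllocEx",
               "WriteProcessMemory", "LoadLibraryA"]

# Constructed fake "binary": a forward ASCII name, a reversed ASCII name
# (WriteProcessMemory backward) and a UTF-16LE (wide) name.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 12
               + b"VirtualAllocEx\x00"
               + b"yromeMssecorPetirW\x00"
               + "LoadLibraryA".encode("utf-16-le") + b"\x00\x00")


def yara_rule(apis, rule_name="api_carpet_bomber"):
    """Emit rule text: $fN is the API name as written, $rN is it reversed."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(apis):
        lines.append(f'        $f{i} = "{name}" ascii wide')
        lines.append(f'        $r{i} = "{name[::-1]}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def find_api_refs(data, apis):
    """Return (api, direction, encoding, offset) for every occurrence, the
    same matches the generated rule's strings would produce."""
    hits = []
    for name in apis:
        for direction, text in (("forward", name), ("reversed", name[::-1])):
            for enc, raw in (("ascii", text.encode("ascii")),
                             ("wide", text.encode("utf-16-le"))):
                for m in re.finditer(re.escape(raw), data):
                    hits.append((name, direction, enc, m.start()))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    print(yara_rule(SAMPLE_APIS))
    for hit in find_api_refs(SAMPLE_BLOB, SAMPLE_APIS):
        print("%-20s %-8s %-5s @ 0x%x" % hit)
```

The scanner is only there to show which byte patterns the `ascii wide` modifiers cover; on real files you would feed the generated rule to the `yara` binary itself. Reversed-name hits are the interesting ones for triage, since import tables never contain them and they usually point at a deliberate attempt to avoid simple string matching.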

Beyond good ol’ Run key, Part 136

I love Office-based Persistence mechanisms, because there is always… one more to discover 🙂

Take your Winword.exe from Office 2021 or Office 365. When it loads, it checks whether the following value exists in the Registry and is not equal to 0:

HKCU\SOFTWARE\Microsoft\Office\16.0\Word\WwlibtDll != 0

And if that is the case… instead of loading wwlib.dll, it will load wwlibt.dll.

So, place your payload in wwlibt.dll and winword will load it for you.

This trick can be used as a traditional sideloading LOLBIN, and as a persistence mechanism, because wwlibt.dll could be made to load the real wwlib.dll. Or, it could temporarily remove the value in the Registry and re-launch winword.exe.

Interestingly, PowerPoint has the same ‘feature’:

HKCU\SOFTWARE\Microsoft\Office\16.0\PowerPoint\PPCoreTDLL != 0

and the DLL name is ppcoret.dll (instead of ppcore.dll).
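For the defensive side, here is an added example (mine, not from the post) that checks both redirect values described above and whether the alternate DLL name exists next to the Office binaries. The registry and filesystem readers are injected so the decision logic can be exercised on any OS; on Windows it wires in `winreg`. The Office install directory default is an assumed placeholder, and treating non-numeric value data as "not zero" is my assumption, since the post only states the not-equal-to-0 condition.

```python
"""
Added example: hunt for the Word / PowerPoint alternate-DLL redirect values
(WwlibtDll, PPCoreTDLL) and the matching DLL files. Readers are injected so
the logic runs anywhere; the real winreg/os readers are used on Windows.
"""
import os
import sys

# Subkey under HKCU, value name, and the alternate DLL each one enables.
REDIRECTS = [
    (r"SOFTWARE\Microsoft\Office\16.0\Word", "WwlibtDll", "wwlibt.dll"),
    (r"SOFTWARE\Microsoft\Office\16.0\PowerPoint", "PPCoreTDLL", "ppcoret.dll"),
]

# Assumed placeholder; adjust to the real Office install directory.
DEFAULT_OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"


def redirect_enabled(value):
    """Value exists and is not 0 (the condition the post describes).
    Non-numeric data is treated as enabled (assumption: flag anything
    that is not clearly zero)."""
    if value is None:
        return False
    if isinstance(value, int):
        return value != 0
    try:
        return int(str(value).strip(), 0) != 0
    except ValueError:
        return True


def assess(read_value, dll_exists, office_dir=DEFAULT_OFFICE_DIR):
    """read_value(subkey, name) -> data or None; dll_exists(path) -> bool.
    Returns one finding per redirect that is enabled or has its DLL staged."""
    findings = []
    for subkey, value_name, dll in REDIRECTS:
        data = read_value(subkey, value_name)
        enabled = redirect_enabled(data)
        present = dll_exists(os.path.join(office_dir, dll))
        if enabled or present:
            findings.append({
                "key": "HKCU\\" + subkey,
                "value": value_name,
                "data": data,
                "enabled": enabled,
                "dll": dll,
                "dll_present": present,
                # Both halves in place means the DLL will actually be loaded.
                "severity": "high" if enabled and present else "medium",
            })
    return findings


def windows_read_value(subkey, value_name):
    """Real HKCU reader; only importable on Windows."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, _ = winreg.QueryValueEx(key, value_name)
            return data
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        print("registry check needs Windows; logic is testable via injected readers")
    else:
        for f in assess(windows_read_value, os.path.isfile):
            print(f["severity"].upper(), f["key"], f["value"], "=", f["data"],
                  "| DLL present:", f["dll_present"])
```

A staged wwlibt.dll or ppcoret.dll with the value unset is still worth a look, since the post points out that setting the value can be the last step, or the value can be removed again after launch; that is why the DLL's presence alone yields a medium finding here.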