Yes, they keep coming.

There are still many Windows persistence mechanisms that are not described properly and my mission is to cover it all.

Some of these mechanisms may be seen as archaic, unusual, or ‘there is no way it affects me’, but the reality is that with the gazillions of Windows installs worldwide, with the gazillion of random software installs on top of the main OS, we better do a good job in describing persistence mechanisms that are kinda niche, yet may still affect lots of people.

The old Xerox libraries include an interesting export function: XRTLLoadDebugger.

When it’s executed, it tries to load a DLL from one of these locations:

• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\ReleaseDll
• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\DebugDll

and

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\Enabled must be a REG_DWORD equal to 1.

One can use this mechanism for persistence, other may try to use it as a lolbin.

Example samples:

• 189D385DEAC14F3FFDCE54BB492846A0D7E44B52617AFABDDC5BED023699E741_9EAF1FF74ADDB00474E05E062DA3194BDAD92D17_3F61204C6AF09F52BBEB52DBDA9A0CC3