Today I wanted to upgrade my Ghidra setup, so I downloaded its latest version. I really don’t like running installers in general, because they clutter the system and the Registry, so I was pleasantly surprised to learn that both the latest version of Ghidra and the latest version of the Java JDK that Ghidra requires can be downloaded as ZIP files (aka portable versions)…
So, with that in mind, it turns out that today you can install Ghidra in a portable way w/o running any installers! All you have to do is this:
Download https://download.oracle.com/java/23/latest/jdk-23_windows-x64_bin.zip and unpack it to say c:\jdk-23.0.1\
Download https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.2_build/ghidra_11.2_PUBLIC_20240926.zip and unpack it to say c:\ghidra_11.2_PUBLIC\
You then run:
cmd.exe
cd c:\ghidra_11.2_PUBLIC\
path=c:\jdk-23.0.1\bin;%PATH%
ghidraRun
That’s it!
When you launch Ghidra this way, you will soon see the familiar EULA window:
This entry is a bit convoluted, but it’s still quite interesting. I discovered it today, only to google around and find out that someone had posted the info about it back in 2013. So, I will describe what they did in 2013 and add one extra bit.
The trick relies on the way the UserInstStubWrapper API exported by advpack.dll / IEAdvpack.dll works.
When you execute a command like this:
rundll32.exe advpack.dll, UserInstStubWrapper test
the UserInstStubWrapper function will read the value from RealStubPath:
and execute the program referenced by it (in this case Notepad).
As for the extra, there is a twin function called UserUnInstStubWrapper. This one requires admin privileges to run, but it behaves in a similar manner – f.ex. for the command:
rundll32.exe advpack.dll, UserUnInstStubWrapper test
it will reach out to the Registry and fetch the value of RealStubPath as well, but this time the key it accesses will be the name passed via the command line, slightly modified by adding the suffix .Restore to it:
So, a persistence opportunity relies on populating these Registry entries first, and then ensuring one of the following commands is executed during autostart by leveraging any of the existing persistence locations (f.ex. Run key):
rundll32.exe advpack.dll, UserInstStubWrapper test
rundll32.exe ieadvpack.dll, UserInstStubWrapper test
rundll32.exe advpack.dll, UserUnInstStubWrapper test
rundll32.exe ieadvpack.dll, UserUnInstStubWrapper test
If we enable advpack logging, we can see these test log entries:
-------------------- advpack.dll is loaded or Attached ------------------------------
Date: 10/19/2024 (mm/dd/yyyy) Time: 15:11:52 (hh:mm:ss)
UserInstStubWrapper:
LaunchAndWait: Cmd=c:\windows\notepad.exe
-------------------- advpack.dll is loaded or Attached ------------------------------
Date: 10/19/2024 (mm/dd/yyyy) Time: 15:11:58 (hh:mm:ss)
UserUnInstStubWrapper:
LaunchAndWait: Cmd=c:\windows\system32\calc.exe
LaunchAndWait: End hr=0x0, c:\windows\system32\calc.exe
UserUnInstStubWrapper: End hr=0x0
-------------------- advpack.dll is unloaded or Detached ----------------------------
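As an added example (not from the original post), here is a Python script that covers the defender's side of both points above: it flags autostart command lines that invoke the UserInstStubWrapper / UserUnInstStubWrapper exports of advpack.dll or ieadvpack.dll (and derives the Registry name each one will read, applying the .Restore suffix rule for the uninstall variant), and it parses the advpack log format shown above to recover what LaunchAndWait actually executed. The Run-key value names and the non-matching command lines are constructed; the log text is the post's own output. The Registry key that holds RealStubPath is not given in the post, so the script works on names only.

```python
import re

# Constructed sample of Run-key style autostart values (name -> command line).
# "test" is the component name used in the post; everything else is made up.
SAMPLE_AUTOSTART_VALUES = {
    "OneDrive": r'"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"rundll32.exe advpack.dll, UserInstStubWrapper test",
    "Cleanup": r"rundll32.exe ieadvpack.dll,UserUnInstStubWrapper test",
    "Helper": r"rundll32.exe advpack.dll,LaunchINFSection setup.inf,DefaultInstall",
}

# advpack log as shown in the post (copied verbatim, used as parser input).
SAMPLE_ADVPACK_LOG = r"""
-------------------- advpack.dll is loaded or Attached ------------------------------
Date: 10/19/2024 (mm/dd/yyyy) Time: 15:11:52 (hh:mm:ss)
UserInstStubWrapper:
LaunchAndWait: Cmd=c:\windows\notepad.exe
-------------------- advpack.dll is loaded or Attached ------------------------------
Date: 10/19/2024 (mm/dd/yyyy) Time: 15:11:58 (hh:mm:ss)
UserUnInstStubWrapper:
LaunchAndWait: Cmd=c:\windows\system32\calc.exe
LaunchAndWait: End hr=0x0, c:\windows\system32\calc.exe
UserUnInstStubWrapper: End hr=0x0
-------------------- advpack.dll is unloaded or Detached ----------------------------
"""

# rundll32 [path\]advpack.dll|ieadvpack.dll , User(Un)InstStubWrapper <name>
STUB_WRAPPER_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:\S*\\)?(?P<dll>(?:ie)?advpack\.dll)\s*,\s*"
    r"(?P<func>User(?:Un)?InstStubWrapper)\s*(?P<name>\S*)",
    re.IGNORECASE,
)
DATE_RE = re.compile(r"^Date:\s*(?P<date>\S+).*?Time:\s*(?P<time>\S+)")
WRAPPER_HDR_RE = re.compile(r"^(?P<func>User(?:Un)?InstStubWrapper):\s*$")
LAUNCH_RE = re.compile(r"^LaunchAndWait:\s*Cmd=(?P<cmd>.+)$")


def expected_registry_name(func, name):
    """Name of the Registry entry the wrapper reads RealStubPath from.
    Per the post, UserUnInstStubWrapper appends ".Restore" to the name."""
    return name + ".Restore" if func.lower().startswith("userun") else name


def find_stub_wrapper_autostarts(values):
    """Return autostart entries whose command line calls the stub wrappers."""
    hits = []
    for value_name, cmdline in values.items():
        m = STUB_WRAPPER_RE.search(cmdline)
        if not m:
            continue
        func = m.group("func")
        hits.append({
            "value": value_name,
            "dll": m.group("dll").lower(),
            "func": func,
            "registry_name": expected_registry_name(func, m.group("name")),
            "cmdline": cmdline,
        })
    return hits


def parse_advpack_log(text):
    """Extract (date, time, wrapper, cmd) for every LaunchAndWait in the log.
    A dashed separator opens a new attach/detach record; a bare
    'UserInstStubWrapper:' / 'UserUnInstStubWrapper:' line opens a call record."""
    launches, date, time, wrapper = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----"):
            date = time = wrapper = None
            continue
        m = DATE_RE.match(line)
        if m:
            date, time = m.group("date"), m.group("time")
            continue
        m = WRAPPER_HDR_RE.match(line)
        if m:
            wrapper = m.group("func")
            continue
        m = LAUNCH_RE.match(line)
        if m:
            launches.append({"date": date, "time": time,
                             "wrapper": wrapper, "cmd": m.group("cmd")})
    return launches


if __name__ == "__main__":
    for h in find_stub_wrapper_autostarts(SAMPLE_AUTOSTART_VALUES):
        print(f"[autostart] {h['value']}: {h['dll']} {h['func']} "
              f"-> reads RealStubPath of '{h['registry_name']}'")
    for l in parse_advpack_log(SAMPLE_ADVPACK_LOG):
        print(f"[advpack log] {l['date']} {l['time']} {l['wrapper']} launched {l['cmd']}")
```

Pairing the two outputs is the useful check: a Run-key entry that calls one of the wrappers tells you which name to inspect for RealStubPath, and the log tells you what that value actually launched.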