Beyond good ol’ Run key, Part 57

The best persistence mechanisms are those that are well documented. They work perfectly and are often compatible with many versions of Windows. Here’s a story of one.

According to Microsoft’s page, the OffloadModExpo function offloads modular exponentiation from a CSP to a hardware accelerator.

We don’t really care too much what that means, other than that it has something to do with crypto**, and that the function is exported by a plug-in-like DLL that is loaded from the path specified in the following location:

HKLM\Software\Microsoft\Cryptography\Offload\ExpoOffload = DLL Path

Yup. It’s that simple.

Add the key, add the DLL. It doesn’t even need to export the OffloadModExpo function.

The only question remaining is when.

The answer is – pretty much all the time.

The library is loaded by either dssenh.dll or rsaenh.dll, and these libraries provide crypto services to pretty much any software running on Windows. At some stage it is loaded by svchost.exe, iexplore.exe (e.g. when you visit an https:// page), mscorsvw.exe, taskhostw.exe, sdiagnhost.exe and other processes.

Here’s an example log from procmon immediately after I added the .reg file that installs a rogue DLL (soon after, more processes pick it up):

and the DebugView log confirming the loading:


**Bonus:

Last, but not least – the very same thing was described in 2000 as a vulnerability; apparently the DLL will receive all the private keys used by the Crypto API 🙂
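A read-only audit of the hook described above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the Windows host being checked; the WOW6432Node path is my assumption, based on HKLM\Software being redirected for 32-bit processes (so a 32-bit rsaenh.dll would read that view instead).

```powershell
# Added example, not from the original post: read-only audit of the ExpoOffload hook.
# Assumptions: run as an administrator on the Windows host being checked; the
# WOW6432Node key is included because HKLM\Software is redirected for 32-bit processes.
$offloadKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Offload',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Offload'
)

function Get-ExpoOffloadFinding {
    foreach ($key in $offloadKeys) {
        # An absent key is the normal state on a typical host
        if (-not (Test-Path -Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ExpoOffload
        if ([string]::IsNullOrWhiteSpace($value)) { continue }

        # Resolve %VAR% references the way a loader would before touching the file
        $resolved = [Environment]::ExpandEnvironmentVariables($value)
        $exists   = Test-Path -LiteralPath $resolved -PathType Leaf
        $sigStatus = 'n/a'; $signer = 'n/a'; $sha256 = 'n/a'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256 = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
        }

        # Any value here deserves review: hardware offload plug-ins are rare, and the
        # post notes the DLL is loaded even without exporting OffloadModExpo.
        [pscustomobject]@{
            Key             = $key
            ExpoOffload     = $value
            ResolvedPath    = $resolved
            FileExists      = $exists
            SignatureStatus = $sigStatus
            Signer          = $signer
            Sha256          = $sha256
        }
    }
}

$findings = @(Get-ExpoOffloadFinding)
if ($findings.Count -eq 0) {
    Write-Output 'ExpoOffload: not configured (expected on a typical host)'
} else {
    $findings | Format-List
}
```

A populated value whose DLL is unsigned, missing, or outside the system directories is the case worth escalating; compare the hash against your software inventory before removing anything.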

Hunting for a better hex dump tool

Many command-line tools are written with the ancient 80×25 terminal size in mind, and as a result their output is often limited (at least by current standards). It is quite amazing that the practice of writing tools for such a small terminal is so omnipresent, given that high-resolution screens, as well as dual- and multi-monitor setups, are now so common.

With this in mind, a few years ago I wrote a simple hex dump tool that I now use quite often – it gives me better output than a typical hexdump, and… it was a fun exercise. The script is written in Perl, is fully portable (no dependencies) and… it can for sure be a) buggy and b) improved in many ways – use at your own risk 🙂

The idea I came up with was based on the large amount of unused space I had observed on my terminal (the one I use on Windows). It is typically at least 140×50, and larger when needed. As such, the 80 columns used by the standard hex dump tool leave an empty space of at least 70 characters…

Let’s have a look at cygwin’s hexdump run in canonical mode:

I figured this gap could be used to present more data. So my script prints output similar to hexdump’s canonical output, plus a bonus. The bonus includes:

  • the data decimal offset
  • extracted strings (both ANSI and wide) that start within the current line

The output looks like this:

Isn’t that cool?

You can immediately copy many of the strings to the clipboard without using the strings tool.

This is how to run the script:

perl hex.pl <filename>
perl hex.pl -s <filename>
perl hex.pl -S <filename>

where:
-s - extract strings
-S - extract strings, and skip output lines without strings

You can download the script here.

If you find any bugs or run into any issue, please let me know.