Beyond good ol’ Run key, Part 155

Leveraging popular third-party software for persistence is a clever way to survive in today's heavily monitored environments. The last post discussed Ghostscript; today I will cover a popular gaming platform called GOG.

Games distributed via GOG keep their per-game configuration under HKLM, in Registry keys like the ones listed below (this is a representative subset, obviously; the Registry is case-insensitive, so GOG.com and GOG.COM refer to the same key):

  • SOFTWARE\GOG.com\Games\1207662533
  • SOFTWARE\GOG.com\Games\1207664543
  • SOFTWARE\GOG.COM\Games\1207664623
  • SOFTWARE\GOG.com\Games\1207665673
  • SOFTWARE\GOG.COM\GOGADVENTURESSHUGGY
  • SOFTWARE\GOG.COM\GOGANODYNE
  • SOFTWARE\GOG.COM\GOGDARKLANDS
  • SOFTWARE\GOG.COM\GOGEARTH2140D
  • SOFTWARE\GOG.COM\GOGGOBLINS1
  • SOFTWARE\GOG.COM\GOGGOBLINS1FDD
  • SOFTWARE\GOG.COM\GOGGOBLINS2
  • SOFTWARE\GOG.COM\GOGGOBLINS2FDD
  • SOFTWARE\GOG.COM\GOGGOBLINS3
  • SOFTWARE\GOG.COM\GOGGOBLINS3FDD
  • SOFTWARE\GOG.COM\GOGINTERSTATE82
  • SOFTWARE\GOG.COM\GOGLAMULANA
  • SOFTWARE\GOG.COM\GOGRETURNTOKRONDOR
  • SOFTWARE\GOG.COM\GOGT7G

Under each of these keys there is a Registry value named GOGGAMEDLL that holds the path to the GOG DLL used by that game, and, as you may suspect, that DLL can be replaced with a proxy DLL (or the value simply repointed to one). Since the keys live under HKLM, either variant requires administrative rights, but once in place it survives reboots and updates of the game itself. For defenders the value is a good audit target: the DLL it points to should exist, carry a valid signature, and live under the game's installation directory.

Beyond good ol’ Run key, Part 154

In this series I describe a lot of Windows persistence mechanisms. Most of them are native to the OS, but I sometimes cover opportunities offered by popular third-party software too. Today's case is one of these.

Ghostscript is a hugely popular:

suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format (PDF) page description languages

that can be found installed on many Windows endpoints today. It is often installed as a supporting dependency of various applications, including PDF software, games, etc.

What is particularly interesting from a persistence standpoint is this Registry entry:

(HKCU|HKLM)\Software\GPL Ghostscript\<version>\GS_DLL=<DLL library>

Any software relying on Ghostscript will eventually consult this entry and load the DLL it points to. As such, it can be leveraged for persistence (proxy DLL): either replace the Ghostscript DLL on disk with a proxy that forwards the real exports, or repoint GS_DLL to a DLL under the attacker's control. Note that the HKCU variant does not require administrative rights.

This mechanism is described in detail in Ghostscript's own documentation.

If you read the linked documentation, you will notice that there is an alternative way to set the value of GS_DLL: the GS_DLL environment variable. This feature can be abused both for persistence (a user- or machine-scope variable survives reboots) and for lolbin-style execution (launch any Ghostscript-dependent program with GS_DLL set in its process environment and it will load an arbitrary DLL, without touching the Registry at all).
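The following PowerShell audit script is an added example and is not code from the original posts. It enumerates the three pointers described above (GOGGAMEDLL under HKLM\SOFTWARE\GOG.com\*, GS_DLL under (HKCU|HKLM)\Software\GPL Ghostscript\<version>, and the GS_DLL environment variable) and checks whether each referenced DLL exists and carries a valid Authenticode signature. Two things are my assumptions rather than anything the posts state: that on 64-bit hosts the 32-bit view of these keys may also live under WOW6432Node, and the "suspicious path" heuristic (a DLL under a user-writable location such as \Users\, \Temp\ or \ProgramData\). An unsigned or relocated DLL is a lead to investigate, not proof of compromise.

```powershell
# Added audit example (not from the original post). Collects every Registry value
# and environment variable that tells GOG games or Ghostscript-dependent software
# which DLL to load, then checks the DLL on disk.

function Get-DllPointers {
    $pointers = @()

    # 1. GOG: any key under SOFTWARE\GOG.com (keys sit both directly under it and
    #    under Games\<id>, hence -Recurse) that carries a GOGGAMEDLL value.
    #    WOW6432Node is an assumption for 32-bit games on 64-bit Windows.
    foreach ($root in 'HKLM:\SOFTWARE\GOG.com', 'HKLM:\SOFTWARE\WOW6432Node\GOG.com') {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
            $val = $key.GetValue('GOGGAMEDLL')
            if ($val) {
                $pointers += [pscustomobject]@{ Source = $key.Name; Value = 'GOGGAMEDLL'; Path = [string]$val }
            }
        }
    }

    # 2. Ghostscript: (HKCU|HKLM)\Software\GPL Ghostscript\<version>\GS_DLL
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($root in "$hive\Software\GPL Ghostscript", "$hive\Software\WOW6432Node\GPL Ghostscript") {
            if (-not (Test-Path $root)) { continue }
            foreach ($key in Get-ChildItem $root) {
                $val = $key.GetValue('GS_DLL')
                if ($val) {
                    $pointers += [pscustomobject]@{ Source = $key.Name; Value = 'GS_DLL'; Path = [string]$val }
                }
            }
        }
    }

    # 3. The GS_DLL environment variable, in every scope it can be set in.
    foreach ($scope in 'Machine', 'User', 'Process') {
        $val = [Environment]::GetEnvironmentVariable('GS_DLL', $scope)
        if ($val) {
            $pointers += [pscustomobject]@{ Source = "ENV:$scope"; Value = 'GS_DLL'; Path = $val }
        }
    }
    return $pointers
}

function Test-DllPointer {
    param([Parameter(ValueFromPipeline)] $Pointer)
    process {
        $path   = [Environment]::ExpandEnvironmentVariables($Pointer.Path)
        $status = 'Missing'
        $signer = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        # Heuristic (assumption): a pointer is worth a closer look when the DLL is
        # missing, unsigned/invalidly signed, or lives in a user-writable location.
        [pscustomobject]@{
            Source     = $Pointer.Source
            Value      = $Pointer.Value
            Dll        = $path
            Signature  = $status
            Signer     = $signer
            Suspicious = ($status -ne 'Valid') -or ($path -match '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\')
        }
    }
}

# Usage: run from an elevated prompt so HKLM and the Machine environment scope are readable.
Get-DllPointers | Test-DllPointer | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it periodically, or diff its output against a known-good baseline taken right after the software was installed; a GOGGAMEDLL or GS_DLL value that changes without a corresponding install or update is exactly the event both posts describe.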