This post is a nothing burger. I didn’t make it work, but I still want to document it.
When I came across a ‘GPExtensionDLL’ entry expected under
HKLM\SYSTEM\CurrentControlSet\Services\MPSSVC\Parameters
I got excited, because it looked like a typical undocumented registry entry that can be abused for persistence.
After setting it up, as usual, to point to my test DLL, I restarted the system only to discover the system … crashing.
After a few back-and-forths, it dawned on me that the code that loads that DLL is surrounded by other code that relies on code pointers expected to be hard-coded to point to proper function addresses, which is not always the case, hence the system BSODs after calls through a null function pointer.
So, does this entry deserve to be even mentioned in this series?
I think so.
We cannot exclude the possibility that someone will figure it out better than me; there is always an opportunity to stop the execution after the main DLL module is loaded; and in general, one of the goals of this series is to document ALL possible persistence mechanisms out there, no matter how difficult it is to actually take advantage of them…
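As an added defender-side check (not part of the original post), the following PowerShell audits the value described above: it reports whether GPExtensionDLL is set under the MPSSVC Parameters key and, if so, whether the referenced DLL actually exists on disk and carries a valid Authenticode signature. The assumption that the value holds a DLL path as a string (REG_SZ or REG_EXPAND_SZ) is mine, not the post's.

```powershell
# Added audit check, not code from the original post.
# Assumption: GPExtensionDLL, when present, holds a DLL path as a string value.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MPSSVC\Parameters'
$ValueName = 'GPExtensionDLL'

function Test-GPExtensionDll {
    # Missing key or missing value both yield $null here (no terminating error).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Present = $false; Path = $null; Exists = $null; Signature = $null }
    }
    # Expand %SystemRoot%-style references before checking the file.
    $raw    = [string]$item.$ValueName
    $path   = [Environment]::ExpandEnvironmentVariables($raw)
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    [pscustomobject]@{ Present = $true; Path = $path; Exists = $exists; Signature = $sig }
}

$result = Test-GPExtensionDll
if (-not $result.Present) {
    Write-Output "$ValueName is not set under $KeyPath; nothing to review."
} elseif ($result.Signature -ne 'Valid') {
    Write-Warning "$ValueName points to '$($result.Path)' (signature: $($result.Signature)); review this host."
} else {
    Write-Output "$ValueName points to signed DLL '$($result.Path)' (signature: Valid)."
}
```

Run it from an elevated prompt so the service key is readable; a value that is set on a host where nobody configured it is the finding, whether or not the DLL it names is signed.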