Category Archives: Autostart (Persistence)

Beyond good ol’ Run key, Part 97

Posted on by

When I explore new persistence mechanisms, I usually try to focus on a native OS functionality. The main reason for such approach is the omnipresence of these mechanisms – they can be used on most versions of the Windows OS no matter what other software is present.

Every once in a while I do look at other persistence ‘vectors’ tho. Ones that focus on popular applications e.g. Office, Total Commander, popular archivers, email or torrent clients. They are so prevalent that they form a separate ‘cloud’ of apps that can be abused for persistence simply because they are so popular.

Today’s subject is a software that is very unusual – the burning software. 15 years ago everyone was using it. Today it’s really a bit of a remnant of the good old times. I have not burnt a single CD/DVD since 2009-2010. I really can’t recall any instance where I would do so within last 8 years. The cloud, the USB 3.0, and capacity of external drives pretty much rendered media burning obsolete.

Except, according to my quick Twitter quiz question many still use it.

Nero was and still is one of the best media burning applications. While I won’t cover its features in detail I do want to acknowledge its role in shaping the media burning industry – at some stage it was a staple program used by many ‘burners’.

Its popularity, even today, can be used for not-so-nice-reasons.

How?

The simplest way is to drop a fake plug-in inside the following location:

  • c:\Program Files\Common Files\Ahead\AudioPlugins

The plug-in must be a DLL file named with a ‘nx’ prefix, and exporting two functions:

  • NERO_PLUGIN_GetPrimaryAudioObject
  • NERO_PLUGIN_ReadyToFinish

Such plug-in can be then loaded anytime user wants to burn the Audio CD. For testing purposes, the easiest way to ‘trigger’ the execution is by going to Tools, and looking at Plugins Options. All the DLLs, as long as properly named, will load and execute at least their DllMain.

There are more locations that can be potentially abused:

  • HKLM\SOFTWARE\Ahead\Shared\AudioEffects\DXPlugins
  • HKLM\SOFTWARE\Ahead\Nero PhotoSnap Shared\PluginManager\Plugins
  • HKLM\SOFTWARE\Ahead\Nero Mobile\Installer\Signed=<exe>
  • HKLM\SOFTWARE\Ahead\Nero Mobile\Installer\Unsigned=<exe>
  • HKLM\SOFTWARE\Ahead\Nero BurnRights\PathToBurnRights =<exe>
  • HKLM\SOFTWARE\Ahead\InCD\UI\LaunchOnBlankDisc=<exe>
  • HKLM\SOFTWARE\Ahead\Shared\<various registry names can be replaced>

Some of these executable paths could be replaced with others (man in the middle attack). Some can point to new plugins added under respective Nero applications suite.

And Nero is just an example. I think most of the popular applications that thrived in early noughties and survived to this day can be abused in a similar way as long as they offer some options for customization, and support plugins.

Beyond good ol’ Run key, Part 96

Posted on by

Today, while browsing through the Registry, I came across this strange set of garbled Registry keys:

  • HKCU\Software\Microsoft\Payment\PaymentApps

Not sure what they are, but when I grepped win10 for DLLs that referenced the parent key name I found the DLL called SEMgrSvc.dll.

The internal name of the DLL is ‘NFC SEManagement Service DLL’. A quick google followed and I found this post. It refers to the `Payments and NFC/SE Manager` service.

Browsing through the code of the DLL I spotted a possible persistence opportunity. I can’t test it as I really don’t know under what circumstances it is being used, but documenting in case someone wants to poke around, or one day it is actually being used:

  • HKLM\Software\Microsoft\SEMgr\Wallet\DllName=<file>

The <file> is loaded via LoadLibraryW when Wallet instance is created, and then the API GetMockWalletCOMInstance exported by the wallet DLL is executed.

If you know how it is being used, please let me know. Thanks.