Category Archives: Autostart (Persistence)

Beyond good ol’ Run key, Part 94

Posted on by

This is a short post to cover a ‘new feature’ of Windows 10 that some users complain about online.

When you use this ugly system for a while, and at some time need to restart it, you may notice that sometimes applications that are running prior to restart are re-launched after you log on.

A good example is Regedit. If you open it, restart the system, the application will be re-launched after the reboot.

How does the Windows 10 know which processes to re-launch after the reboot?

Prior to restart the system populates the RunOnce key adding a list of items in a form of:

  • HKCU\SOFTWARE\Microsoft\
    Windows\CurrentVersion\
    RunOnce\Application Restart #N
    =<Application Path>

where N is a number (the code is inside the winsrvext.dll).

So, if you come across entries like this, at least we can guess where they come from.

Now, how does the OS actually know which programs to restart?

If you ever used OSX you may be familiar with the a cool feature of re-opening currently opened applications after the reboot. Could that be that Windows 10 is following this path? Turns out that the truth is far more boring. This is actually not a Mac OSX-like feature at all. The OS simply grabs a list of programs that called the RegisterApplicationRestart API during their run-time, and only these will be added to the RunOnce key.

Last, but not least, I have no idea why Regedit calls this API at all…

btw. I am getting old, I covered it in the past here, although in a different context.

How to find new persistence tricks?

Posted on by

Every once in a while people ask me how do I find all this stuff.

The TL;DR; answer is simple: curiosity + reading Microsoft documentation + other peoples’ research + applying some automation.

At first, it was really just some curiosities that I could not explain when I was less experienced in reversing e.g. the Visual Basic VBA Monitors. When you use Procmon a lot, some of the stuff you see in the logs eventually gets stuck in your head and becomes really familiar. Such was the case with the HKLM\SOFTWARE\Microsoft\VBA\Monitors key that I saw anytime I was analysing a VB application with Procmon. I could not explain it and was curious what it is for…. googling around didn’t bring any answers. Eventually I started analysing the actual code that triggers that behavior and that’s how Beyond good ol’ Run key, Part 6 was born…

Then there is obviously a number of them that was a result of manual, often annoyingly time-consuming code analysis. There were times where I couldn’t find anything new for a few months. Perhaps assumptions were wrong; perhaps we have already discovered it all… at least so I thought every once in a while…. But… then… they keep coming… not only from me, but also from others… And it’s hard to explain how it is even possible… For instance, the recent one is a perfect example of a situation where the random luck played a role a lot. While looking at some unrelated stuff inside the kernel32.dll I happened to spot the bit that was loading the callback DLLs. With so many people looking at kernel32.dll over the years I still find it amazing we find new stuff there all the time.

Many other cases were a result of a more deliberate research; for instance, many persistence mechanisms I described rely on the fact that some programs or components load a number of DLLs that are executed one by one after they are listed under a certain location in the Registry. Such activity needs to rely on Registry enumeration APIs. If you can find programs or DLLs that use these functions you will most likely find possible persistence mechanisms!

And then there are keywords e.g. ‘providers’, a very popular way to name a place in the Registry where a lot of plug-ins are loaded from. Example of possible enumerations for some keys that include the keyword ‘providers’ is shown below:

  • SYSTEM\CurrentControlSet\Control\Cryptography\Providers
  • System\CurrentControlSet\Control\SecurityProviders\SSI\Providers
  • SYSTEM\CurrentControlSet\Services\LanmanServer\ShareProviders
  • System\CurrentControlSet\Services\RemoteAccess\Accounting\Providers
  • System\CurrentControlSet\Services\RemoteAccess\Authentication\Providers
  • SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
  • SYSTEM\CurrentControlSet\Services\WbioSrvc\Service Providers
  • SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
  • System\CurrentControlSet\Services\WinTrust\TrustProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\ComInterfaceProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\VendorSpecificIEProviders

I also mentioned Microsoft Documentation; it’s like a RFC for Windows programming. I have read a lot of it over the years, and every once in a while some of that old knowledge comes back to me. Ideas for tricks around DDE, WM_HTML_GETOBJECT  as well as the Propagate trick (SetProp) are result of my experience actually coding for Windows for more than 10 years. These (especially old, legacy) things stay with you and sometimes bring some really refreshing ideas. Not only for persistence tricks.

Then there are ‘magic’ APIs… if you read code and see references to ShellExecute, WinExec, CreateProcess, LoadLibrary, CoCreateInstance and their numerous variations and wrappers you will soon discover that the Windows ecosystem hardly re-uses code; or, more precisely, it does re-use a lot of it, but it also relies on lots of custom paths that are added to it. Lots of code snippets you come across look like a custom programming endeavor of the coder who wrote that part of the program just to test an idea. It’s actually a normal, even expected behavior in such a sea of code. But… quite frankly…. we really have to thank Microsoft Programmers for all the testing & debugging code and error messages/strings that are shipped with the OS. This helps a lot!

All of these unexpected and probably meant-private/for lab-only code paths provide a lot of interesting opportunities… both for persistence, and LOLBINs; anyone who just dares to look for it will eventually find something.

I am fascinated by it; the actual persistence bit is less important, even if on occasion the ‘novelty’ of some of these techniques may have the ‘wow’ factor ; the real pleasure for me is derived from these three things:

a) an opportunity to read lots of other peoples’ code and sharpen my reverse engineering skills

b) learn how the system works under the hood

c) being ahead of a curve with regards to forensic analysis

Actually, the a) and b) are equivalent… the c) is an obvious bit.

If you think of the books like Windows Internals, or The Art of Memory Forensics, the majority of the information that the authors rely on is a result of direct or indirect contact with the actual system internals (and these guys did it a lot). There is no magic wand. Yes, there are source leaks, there are ex-MS programmers becoming researchers who had an access to the source at some stage and for some time can leverage their privileged position, but I’d say that majority of the discoveries presented at conferences over last 30 years, as well in books and written on the blogs is relying on the work of all these poor reversing souls sitting and digging in the OS code all the time. Some of them even become famous and get hired by Microsoft :).

Many developers curse unpredictable behavior of some APIs, complain about the way things work, yet often are unable to pinpoint the exact reason for a certain behavior so that the root case can be analyzed. In my eyes, an ability to dig into code of others, whether the source is available or not, is the core skill of any programmer, and… perhaps even information security professional. None of the reversing, forensic, vulnerability research tools would exist w/o this ‘poke around in other people’s code’ infosec branch.

So… if you want to find new persistence tricks… pick up any code you think has a potential, start digging, and actually discover how things work under the hood. Or at least 0,000001% of it. And no, whatever you find, you don’t need to blog about these new persistence discoveries at all – get out of my lawn! 😉