The program has been changed since win10 and it now loads wdscore.dll almost immediately after it starts. Unfortunately, while it does so via LoadLibraryEx, the API is called in a way that is identical with calling LoadLibrary (both LoadLibraryEx arguments are zeroes).
As such, one can copy the file to some other folder, and load malicious wdscore.dll.
The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really not very well-known).
How do you make a use of a binary no one cares about?
When I first looked at fsquirt.exe‘s command line arguments, I immediately thought of using it in my Beyond Good Ol’ Run key series as it was really a perfect candidate – until I discovered that despite behaving in a predictable way, delivering what I needed it to, I could not write the new post in that series, because the intended trick simply didn’t work.
I know it sounds dramatic, but this is a nature of the research.
I still wanted to make a triumph of the discovery though, so here we are…
When you run fsquirt.exe with the -Register argument it will create a LNK file c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK that will lead Explorer to add the following item under your Send To Explorer submenu:
Running it with -UnRegister argument will remove this entry.
But here’s the secret…
Run:
c:\windows\System32\fsquirt.exe -Register
To ensure that this LNK file is created:
c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK
Add a legitimate Run entry pointing to the LNK created in last step:
reg add "hkcu\software\microsoft\windows\currentversion\run" /v foo /d "c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK"
Copy c:\windows\System32\fsquirt.exe to a different folder f.ex. c:\test by running a command like this:
copy c:\windows\System32\fsquirt.exe c:\test
Re-register it to a different location:
c:\test\fsquirt.exe -Register
This will overwrite the LNK file above to point to c:\test\fsquirt.exe.
Overwrite c:\test\fsquirt.exe with any executable of your choice – now you have an executable that will run anytime user logs on.
It’s a classic bait and switch.