Beyond good ol’ Run key, Part 77

This is one more about hh.exe, the program that is used when you open .chm files.

The hh.exe functionality is implemented by the hhctrl.ocx library. When hh.exe is started it tries to find the hhctrl.ocx library by checking the following Registry value:

HKCR\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32

The library that the value points to is then loaded.

If the library doesn’t exist, or the loading didn’t succeed, hh.exe gives it another go and attempts to load the library using the hard-coded name hhctrl.ocx, relying on the LoadLibrary function (and as a result it is subject to side-loading attacks).

As such, there seem to be at least 2 opportunities here:

  • Drop c:\WINDOWS\hhctrl.ocx and delete the HKCR\CLSID\{52A2AAAE… value so running hh.exe will sideload the c:\WINDOWS\hhctrl.ocx
  • Replace the value of the HKCR\CLSID\{52A2AAAE… to point to your own lib and run hh.exe – this will load the lib of choice

Both can be used as a LOLBin / Persistence trick (or a combo).

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 6

In my recent post I documented how you can drop your own wmplayer.exe and force it to be loaded via dvdplay.exe. Here, I will show one of many DLLs that we can force to execute a specifically-named executable – mstran40.exe.

The msrepl40.dll’s internal name is ‘Microsoft Replication Library’ – as far as I can guess it is used by the Microsoft database engine – well, at least it exports a number of database-related functions so it must be somehow related. It doesn’t matter too much.

We are going to use one of the exported functions (#2091) that is kind enough to run any executable that is named mstran40.exe – provided a specific registry key is set. The internal name of the aforementioned function #2091 is JetTrClientInit. The mstran40.exe doesn’t exist on Windows 7 and XP, so when it attempts to execute it, the system will search the PATH directories and, since it won’t find it there, it will run it from the current directory. The trick doesn’t work on Win 10 :(.

The Registry key in question is this:

  • HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter\TransporterId=GUID

where GUID can be simply this:

  • {00000000-0000-0000-0000-000000000000}

It is required so that the function IIDFromString can succeed in converting it into a proper GUID. We are just providing the conditions for the JetTrClientInit function not to exit prematurely.

See attached animation to see how it works in practice:

Here’s a list of commands:

reg add HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter /v TransporterId /t REG_SZ /d {00000000-0000-0000-0000-000000000000}

md en-US
copy c:\WINDOWS\system32\en-US\calc.exe.mui c:\test\en-US\mstran40.exe.mui
copy c:\windows\system32\calc.exe c:\test\mstran40.exe

rundll32.exe msrepl40.dll,#2091

And if you are wondering why I am copying the en-US directory and the MUI file: this is to ensure calc.exe (renamed to mstran40.exe) finds its resources, which are stored in a separate file (if I chose a different .exe, e.g. any console-based program, this wouldn’t be necessary, but we all want to see that Calculator, don’t we…).
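As an added example (not code from the original posts), here is a defender-side PowerShell check for the preconditions both tricks above rely on: the hh.exe InprocServer32 registration, a stray hhctrl.ocx in %windir%, and the Jet TransporterId value. It assumes the legitimate hhctrl.ocx lives under %windir%\System32 or %windir%\SysWOW64, and treats a present TransporterId as something to review rather than proof of abuse.

```powershell
# Added example, not from the original posts. Flags the conditions described above.
# Assumption: a legitimate hhctrl.ocx registration points under System32 or SysWOW64.
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32'
$expectedDirs = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))
$findings = @()

# 1. Where does the hh.exe COM registration point?
$inproc = Get-ItemProperty -Path $clsid -Name '(default)' -ErrorAction SilentlyContinue
if (-not $inproc) {
    $findings += 'hhctrl.ocx InprocServer32 value is missing: hh.exe falls back to LoadLibrary("hhctrl.ocx")'
} else {
    $path = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
    $inExpected = $false
    foreach ($dir in $expectedDirs) {
        if ($path.StartsWith($dir, 'OrdinalIgnoreCase')) { $inExpected = $true }
    }
    if (-not $inExpected) {
        $findings += "hhctrl.ocx InprocServer32 points outside System32/SysWOW64: $path"
    }
}

# 2. A hhctrl.ocx dropped next to hh.exe in %windir% is the side-loading target described above
$stray = Join-Path $env:windir 'hhctrl.ocx'
if (Test-Path -LiteralPath $stray) {
    $findings += "Unexpected file present: $stray"
}

# 3. TransporterId is the precondition for msrepl40.dll #2091 (JetTrClientInit) to launch mstran40.exe
$jet = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Jet\4.0\Transporter' -Name TransporterId -ErrorAction SilentlyContinue
if ($jet) {
    $findings += "Jet TransporterId is set to $($jet.TransporterId); review who created it and look for mstran40.exe on disk"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it in an elevated prompt on a 64-bit host so the 64-bit registry view is read; pair it with process-creation telemetry for hh.exe and for rundll32.exe with an msrepl40.dll command line.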