Beyond good ol’ Run key, Part 90

After finding the ‘injection’ trick for Metro Apps I thought I would query the system files for any ‘inject’-ion related strings. This proved to be a fruitful exercise and I found one more possible key that I bet can be used for persistence. I say ‘bet’, because it’s one of the rare occasions in this series when I didn’t manage to successfully test it. It’s really late as I write this and I just found it + I don’t really fully understand how to test it yet 🙂 More research is needed.

The key is loaded from DscCore.dll, which in turn seems to be loaded by Microsoft.Windows.DSC.CoreConfProviders.dll. The latter seems to be associated with the Desired State Configuration:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\NitsInjector=<DLL>

In any case, worth adding to your monitoring toolkit. If you manage to trigger it please let me know… Thanks!

Additional IFEO keys for Metro Apps

In my previous post I described how Metro Apps are hosted by the wwahost.exe process, which in turn leverages its IFEO key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wwahost.exe) to store its additional execution configuration.

Looking closer at Procmon logs I noticed that the actual Metro App itself also leverages IFEO keys. I am not sure what the purpose of all of them is, but in some cases we can try to guess by looking at the names, and 2 of them were already described in my older posts.

  • IFEO\wwahost.exe
    • AllowTopLevelNavigation
    • BreakOnInitializeProcessFailure
    • CFGOptions
    • CustomUAActive
    • CWDIllegalInDLLSearch
    • DebugProcessHeapOnly
    • DelegatedNtdll
    • DeveloperAuthList
    • DisableByteCodeCache
    • disableCSP
    • DisableExceptionChainValidation
    • DisableHeapLookaside
    • DpiAwareness
    • EnabledTestHook
    • ExecuteOptions
    • FrontEndHeapDebugOptions
    • GdiScaling
    • GlobalFlag
    • KeepActivationContextsAlive
    • LogConsoleToDebugPort
    • MaxDeadActivationContexts
    • MaxLoaderThreads
    • MinimumStackCommitInBytes
    • PerProcessSystemDpi
    • RpcRuntimeConfigFlags
    • SearchPathMode
    • ShutdownFlags
    • TestEffectiveWebPlatformVersion
    • TracingFlags
    • TrackActivationContextReleases
    • UnloadEventTraceDepth
    • UseFilter
    • UseImpersonatedDeviceMap
    • WebInstanceUseAdapter
    • WindowsComponentEnabled
    • WWAInject
  • IFEO\wwahost.exe\4DF9E0F8.Netflix_6.81.325.0_x86__mcm4njqhnhss8!Netflix.App
    • DebugProcessHeapOnly
    • DisableHeapLookaside
    • FrontEndHeapDebugOptions
    • GlobalFlag
    • MaxLoaderThreads
    • ShutdownFlags
    • TracingFlags
    • UnloadEventTraceDepth
    • UseImpersonatedDeviceMap
  • IFEO\4df9e0f8.netflix
    • CustomUAActive
    • EnabledTestHook
    • LogConsoleToDebugPort
  • IFEO\WebView
    • AnyScriptNotify
  • IFEO\WebView\4df9e0f8.netflix
    • ExecutionMode
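Since both the WSMAN\NitsInjector value and the injection-related IFEO values under wwahost.exe are candidates for a monitoring toolkit, here is an added example (my own code, not from the post) that scans a `reg export` dump for them. The watchlist of key suffixes and value-name patterns, the file paths and the sample export are all constructed for the demo; the IFEO rule simply flags any value name containing "Inject" (which matches WWAInject above) and is an assumption, not a claim that other names are benign.

```python
"""Flag persistence-related registry values in a .reg export (added example)."""
import re

# Watchlist built from the post (assumption: suffix of the key path plus a
# regex on the value name; extend it with your own key/name pairs).
WATCHLIST = [
    (r"\WSMAN", re.compile(r"^NitsInjector$", re.I)),
    (r"\Image File Execution Options\wwahost.exe", re.compile(r"Inject", re.I)),
]

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=<literal>

def decode_value(raw):
    """Turn a .reg literal into a Python value (REG_SZ and REG_DWORD only;
    other types such as hex(2) are returned as the raw literal)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def scan_reg_export(text):
    """Return (key, value name, decoded value) for every watchlisted hit.
    'text' is the content written by `reg export` (reg.exe emits UTF-16 with
    a BOM, so open real files with encoding='utf-16')."""
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if not value or current_key is None:
            continue
        name, raw = value.groups()
        for suffix, name_re in WATCHLIST:
            if current_key.lower().endswith(suffix.lower()) and name_re.search(name):
                hits.append((current_key, name, decode_value(raw)))
    return hits

# Constructed sample export (not real data) covering both keys from the post.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"NitsInjector"="C:\\ProgramData\\sample\\injected.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wwahost.exe]
"GlobalFlag"=dword:00000000
"WWAInject"="C:\\ProgramData\\sample\\wwa.dll"
"""

if __name__ == "__main__":
    for key, name, value in scan_reg_export(SAMPLE_EXPORT):
        print(f"[!] {key}\\{name} = {value!r}")
```

On a live host, export the two parent keys with `reg export` and feed the resulting files to `scan_reg_export`; any hit on a path you do not recognise deserves a closer look.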