Beyond good ol’ Run key, Part 85

This is a LOLbin-ish two-stage persistence trick: we add startup items that point to OS binaries, and – while these will be ignored by many users and security solutions (at least at first glance) – they launch the second stage of the persistence mechanism for us…

Many people who use win7-win10 know that the Werfault.exe process is all over the place. It’s a process ‘repairer’ or ‘fixer’ that handles crashes or other unpleasant activities of other processes. It turns out you can launch werfault.exe with a number of specific command line arguments. One of these modes is called ‘reflective debugger’ and is very interesting to us. To launch werfault in this mode we need to provide the following parameters:

  • werfault.exe -pr <somevalue>

And how does it load the debugger?

By reading:

  • HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger = <path>

and… executing it.

That’s it.

So if we add a Run key like this:

– it will in the end launch our program of choice when the user logs on.

acw.exe – perhaps the last true Lolbin standing…

As I mentioned I won’t be covering lolbins anymore until I find something new/interesting.

I guess an OS-native rundll32.exe replacement is kinda interesting, especially since it seems to be present by default on some Windows Server installations (e.g. 2008) and is sometimes installed by other software.

The binary is part of the Guided Help (a.k.a. Active Content Wizard) component, and the executable is acw.exe.

It has a nice command line argument that allows us to load and execute any DLL:

  • %systemroot%\system32\acw.exe -Extensions <dll>

Known locations of acw.exe are:

  • c:\Program Files\ACW\acw.exe
  • c:\windows\system32\acw.exe
  • c:\windows\syswow64\acw.exe
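Both mechanisms described above (the werfault.exe -pr / ReflectDebugger chain and acw.exe -Extensions) leave traces a defender can audit: a populated ReflectDebugger value, Run/RunOnce entries that launch either binary with those switches, and the acw.exe file itself at one of the known locations. The following PowerShell audit script is an added example, not code from the original post; it assumes an elevated session on the host being checked, the registry value and acw.exe paths given above, and the standard Run/RunOnce keys under HKLM and HKCU (the WOW6432Node path is included as an assumption for 32-bit software on 64-bit hosts).

```powershell
# Added audit script (not from the original post): enumerates the registry
# locations and file paths the two persistence tricks above depend on.
# Assumption: run in an elevated PowerShell session on the host being audited.

$findings = @()

# 1. The ReflectDebugger value that werfault.exe -pr reads and executes.
$hangsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs'
if (Test-Path $hangsKey) {
    $reflect = (Get-ItemProperty -Path $hangsKey -ErrorAction SilentlyContinue).ReflectDebugger
    if ($reflect) {
        $findings += [pscustomobject]@{
            Location = "$hangsKey\ReflectDebugger"
            Value    = $reflect
            Reason   = 'ReflectDebugger is set; werfault.exe -pr will execute this path'
        }
    }
}

# 2. Run/RunOnce entries that launch werfault.exe -pr or acw.exe -Extensions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # assumption: 64-bit host
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# -match is case-insensitive by default, so WerFault.exe / werfault.exe both hit.
$pattern = 'werfault\.exe.*\s-pr\b|acw\.exe.*\s-Extensions\b'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, PSChildName, ...).
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"
                Value    = $p.Value
                Reason   = 'Startup entry launches an OS binary that loads a second stage'
            }
        }
    }
}

# 3. Presence of acw.exe at the known locations, with its Authenticode status,
#    so the reviewer can tell a vendor-installed copy from a dropped one.
$acwPaths = @(
    "$env:ProgramFiles\ACW\acw.exe",
    "$env:SystemRoot\System32\acw.exe",
    "$env:SystemRoot\SysWOW64\acw.exe"
)
foreach ($path in $acwPaths) {
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Location = $path
            Value    = "signature: $($sig.Status)"
            Reason   = 'acw.exe present; -Extensions loads an arbitrary DLL'
        }
    }
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on ReflectDebugger on a workstation that has no reflective-debugging setup is worth a closer look on its own, since nothing sets that value in a default install. For ongoing coverage, the same two conditions map naturally onto process-creation telemetry: a child of werfault.exe started from a `-pr` invocation at logon, or acw.exe loading a DLL from a user-writable path.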