Beyond good ol’ Run key, Part 84

Posted on by

This is just a blurb to include this particular technique in the series. It’s not new at all, and it has been covered in the past by others e.g. recent ‘Windows Operating System Archaeology’ preso by @enigma0x3 and @subTee. IMHO it’s still worth documenting it anyway.

COM Objects are created when the program calls one of the instantiation APIs e.g. CoCreateInstance. The API takes the CLSID, finds its entry in the Registry (under CLSID node) and loads the DLL or EXE associated with it (it’s a bit more complex than that, but that’s the gist of it).

Now, if the CLSID  entry contains the key ‘TreatAs’ the instantiation process will change – the API will pick up a CLSID that ‘TreatAs’ points to and instantiate this object instead. This allows anyone to hook all the instantiation events of a particular COM object and as a result load anytime that object is istantiated. Which sounds like a nice persistence trick…

This is actually a documented feature and it’s described on MSDN in a help for the CoTreatAsClass API and the TreatAs key itself; the internals were also described in this Microsoft blog post.

So… anytime you see ‘TreatAs’ key, ensure it’s not a COM hijack 🙂

A few more LOLBins…

Posted on by

There are a few more quick wins for loading DLLs using native .exe files from Windows 10… courtesy of good ol’ LoadLibraryA e.g.:

  • fixmapi.exe
    • Copy c:\WINDOWS\System32\fixmapi.exe to your folder
    • Drop malicious mapistub.dll there
    • Run fixmapi.exe
  • mshta.exe
    • Copy c:\WINDOWS\System32\mshta.exe to your folder
    • Drop malicious WLDP.DLL there
    • Run mshta.exe
  • mshta.exe
    • Temporary change HKCR\clsid\
      {25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32
      to point to malicious DLL
    • Run mshta.exe
    • Restore the Registry entry

This is obviously not the end.

There are so many potentials that it gets really boring to enumerate all this stuff:

  • Apart from LoadLibraryA, there is LoadLibraryW which is very prevalent.
  • There are cases of LoadLibraryExA and LoadLibraryExW that still use parameters that allow abuse.
  • There are also functions that allow environment variables to resolve paths for libraries they load – bad choice.
  • Pretty much every single .exe that is dependent on statically linked DLLs that are not on the KnownDLL list may be used as a lolbin e.g.
    • certutil.exe relies on certcli.dll
      • certcli.dll in turn relies on certca.dll
        so you can just produce DLLs that include all the exported functions like the original ones and let the certutil.exe load them.
  • And there are non-OS binaries that are highly prevalent in various environments that offer lots of opportunities for side-loading or proxy execution.

The possibilities are almost endless. Unless I find something really new/cool I won’t be posting about Lolbins anymore as at this stage I am bored with it 🙂