{"id":10073,"date":"2025-07-11T23:10:40","date_gmt":"2025-07-11T23:10:40","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10073"},"modified":"2025-12-31T00:49:09","modified_gmt":"2025-12-31T00:49:09","slug":"beyond-good-ol-run-key-part-149","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/07\/11\/beyond-good-ol-run-key-part-149\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 149"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>See this <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/12\/31\/beyond-good-ol-run-key-part-149-update\/\">post<\/a>.<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>This post is a nothing burger. I didn&#8217;t make it work, but I still want to document it.<\/p>\n\n\n\n<p>When I came across a &#8216;GPExtensionDLL&#8217; entry expected under<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">HKLM\\SYSTEM\\CurrentControlSet\\Services\\MPSSVC\\Parameters<\/pre>\n\n\n\n<p>I got excited, because it looked like a typical undocumented registry entry that can be abused for persistence.<\/p>\n\n\n\n<p>After setting it up, as usual, to point to my test DLL I restarted the system only to discover the system &#8230; crashing.<\/p>\n\n\n\n<p>After some back and forth, it dawned on me that the code that loads that DLL is surrounded by other code that relies on code pointers expected to be hard-coded to point to proper function addresses, which is not always the case, hence system BSODs after calls to a null pointer-based function. 
<\/p>\n\n\n\n<p>So, does this entry deserve to be even mentioned in this series?<\/p>\n\n\n\n<p>I think so.<\/p>\n\n\n\n<p>We cannot exclude the possibility someone will figure it out better than me, there is always an opportunity to stop the execution after the main DLL module is loaded, and in general, one of the goals of this series is to document ALL possible persistence mechanisms out there, no matter how difficult it is to actually take advantage of them&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update See this post. Old Post This post is a nothing burger. I didn&#8217;t make it work, but I still want to document it. When I came across a &#8216;GPExtensionDLL&#8217; entry expected under HKLM\\SYSTEM\\CurrentControlSet\\Services\\MPSSVC\\Parameters I got excited, because it looked &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/07\/11\/beyond-good-ol-run-key-part-149\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10073"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10073"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10073\/revisions"}],"predecessor-version":[{"id":10295,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10073\/revisions\/10295"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10073"}],"wp:term":[
{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}