Beyond good ol’ Run key, Part 19

Hexacorn blog, published 2014-12-04 (last modified 2014-12-08)
https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/

In my last post I mentioned Sysinternals (https://www.hexacorn.com/blog/2014/11/30/sysinternals-eulagoogoolizer/). While gathering the information for that post I came across a few things that gave me enough material to write #19 in the series.

This one is based on bugs in Sysinternals’ tools, bugs that can be spotted easily. Today I’ll explain how these bugs can be used to create new persistence mechanisms.

Say you like Process Explorer.

Nowadays 64-bit systems are very popular, so running procexp.exe on a 64-bit system ends with procexp.exe dropping its 64-bit version into the %TEMP% folder and launching it.

[Image: procexp64.exe running from %TEMP% (procexp1.png)]

Now, what you can do is, for example, copy your notepad.exe to %TEMP% and name it procexp64.exe. Then you need to set up two access rights for Everyone:

- one that forbids deleting %TEMP%\procexp64.exe (set on the file itself)
- one that forbids deleting subfolders and files inside %TEMP% (set on the %TEMP% folder); this is, by the way, one of the WTFs of NTFS, where prohibiting deletion of a file has to be extended to its parent folder; there must be some reason for it, but it is not something you can learn from the cryptic Security Properties tab

From now on, launching procexp.exe on a 64-bit system will always launch notepad.exe. A nice man-in-the-middle attack, especially if the malicious notepad.exe actually spawns the legitimate procexp64.exe and somehow hides its presence from the Process Explorer GUI.

Of course, blocking deletion in %TEMP% is a silly idea, but:

- it is an example only
- it actually works
- there are many other ways to prevent procexp.exe from deleting procexp64.exe on exit, or at least to ensure the malicious procexp64.exe is restored after it has been deleted

Another bug I spotted is the way vmmap.exe craves dbghelp.dll.

VMMap is not a very popular program and I bet not many people use it daily, but the way it works deserves special attention; it is an example of the difference between programming for your own use and programming for the ‘public’. As a non-professional programmer who writes buggy programs every day, I am actually quite surprised by it. Yes, it’s that buggy.

Let me elaborate.

VMMap has a very peculiar way of searching for dbghelp.dll.

First, it looks for an entry in the Registry:

- HKCU\Software\Sysinternals\VMMap\DbgHelpPath32 = <path to dbghelp.dll>
- persistence #1: by modifying HKCU\Software\Sysinternals\VMMap\DbgHelpPath32 to point to a malicious DLL, we can ensure that DLL is loaded every time VMMap is launched

If the value is not found, VMMap goes ballistic (persistence #2..N).

It calls LoadLibraryW with a NULL, which is (sort of) the result of retrieving data from the non-existing HKCU\Software\Sysinternals\VMMap\DbgHelpPath32 value.

This is when things get crazy. The craving becomes a full-blown addiction.

NULL is a Pandora’s box (or Pandor’s, since the author is male) opened for LoadLibraryW.

It means LoadLibraryW will walk through every directory listed in the PATH environment variable and attempt to load a library called ‘.dll’ from every single directory on that list.

Yes, ‘.dll’ is a valid library name, i.e. a NULL name with a ‘.dll’ extension appended.

So you can place a DLL called “.dll” in any location covered by the PATH environment variable and it will be loaded by VMMap whenever it starts.

You probably want to hear that this is the end of the story.

Not quite.

There are still a few places to look at:

- C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll
- C:\Program Files\Debugging Tools for Windows\dbghelp.dll
- C:\Debuggers\dbghelp.dll

Dropping a dbghelp.dll in the …

yawnz…

you know the drill 🙂