Beyond good ol' Run key, Part 23
Hexacorn blog, 2015-01-09
https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/

Today I will talk about something that can be called 'the god of all persistence mechanisms': one so powerful that it can turn pretty much any .exe on your system into a persistence mechanism.

It's called dotlocal (.local).

If you run Process Monitor often enough you will (sooner or later) discover that any time you launch an .exe, the system always tries to find a file or a directory called <filename.exe>.local.

That, my friend, is a debugging feature.

It is a redirection mechanism designed to test COM objects (http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx), and it means that if either a file or a directory named <filename.exe>.local exists, the OS treats it as a 'testing in progress' signal and attempts to load DLLs from a different directory than usual. In other words, it searches for dependent DLL libraries in a path different from the typical DLL search order (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx). This allows us to intercept pretty much any DLL dependency we wish, except for those listed under the KnownDLLs registry key (HKLM\CurrentControlSet\Control\Session Manager\KnownDlls).

For the sake of a demo, I will show you a very stupid example using the least malicious program on your system, called... Notepad.

Notepad relies on a couple of libraries, most of which are present on the Known DLLs list (and so can't be abused unless you remove them from the Registry and reboot the system); the exception is comctl32.dll. This library exists in many versions and therefore requires a dedicated entry in the manifest, solving the so-called DLL hell problem:

    <dependency>
        <dependentAssembly>
            <assemblyIdentity
                type="win32"
                name="Microsoft.Windows.Common-Controls"
                version="6.0.0.0"
                processorArchitecture="x86"
                publicKeyToken="6595b64144ccf1df"
                language="*"
            />
        </dependentAssembly>
    </dependency>

The practical implication of this manifest is that the OS will try to load the following comctl32.dll (on Windows XP):

x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

located inside the Windows directory (c:\WINDOWS\WinSxS\).

By introducing a directory c:\windows\system32\notepad.exe.local we can force the OS to leverage the dotlocal 'feature' and load the following 'malicious' library instead:

c:\WINDOWS\system32\notepad.exe.local\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

It works on Windows 10 too, except that the library is loaded from a different path:

c:\WINDOWS\system32\notepad.exe.local\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9841.0_none_38d154a85935aa0a\comctl32.dll

The following screenshot shows the moment a malicious DLL is loaded via the dotlocal mechanism into a Notepad session on Windows 10.

[Figure: notepad10.png, https://www.hexacorn.com/blog/wp-content/uploads/2015/01/notepad10.png]

Notepad obviously crashes, because I was lazy and just implemented a dummy comctl32.dll, but in a real-case scenario one could hide the presence of such a malicious DLL by using it as a proxy that forwards all API calls to the legitimate comctl32.dll.

[Figure: notepad10_2.png, https://www.hexacorn.com/blog/wp-content/uploads/2015/01/notepad10_2.png]

In other words, dropping the malicious comctl32.dll in these directories on the respective systems ensures that it is loaded any time someone starts Notepad.

Now, for the scary part. Notepad was a stupid example, as it requires admin rights to write to c:\WINDOWS\system32\notepad.exe.local\ on Windows 10, but any executable outside the areas protected by the system is a much easier target.
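A hunting script for the artifact described above, added here as an example and not code from the original post: it walks a directory tree (a live volume or a mounted image) and reports every executable that has a sibling `<exe>.local` file or directory, listing the DLLs staged underneath. The sample tree it builds is constructed and mirrors the Windows 10 Notepad path quoted in the post.

```python
"""Hunt for DotLocal (<name>.exe.local) DLL-redirection artifacts (added example)."""
import os
import tempfile
from dataclasses import dataclass, field

SXS_DIR = "x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9841.0_none_38d154a85935aa0a"

@dataclass
class DotLocalFinding:
    exe_path: str    # executable whose DLL loading would be redirected ("" if absent)
    local_path: str  # the sibling <exe>.local file or directory
    is_dir: bool     # a bare file also flips the redirect flag; a directory can carry DLLs
    dlls: list = field(default_factory=list)  # DLLs staged under the .local directory

def find_dotlocal(root):
    """Walk root (a live volume or mounted image) and report every <exe>.local entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = {name.lower(): name for name in dirnames + filenames}
        for lname, name in entries.items():
            if not lname.endswith(".exe.local"):
                continue
            exe = entries.get(lname[:-len(".local")])  # matching .exe in the same directory
            local_path = os.path.join(dirpath, name)
            finding = DotLocalFinding(os.path.join(dirpath, exe) if exe else "",
                                      local_path, os.path.isdir(local_path))
            if finding.is_dir:  # list what the loader would pick up instead of WinSxS
                for sub, _, files in os.walk(local_path):
                    finding.dlls += [os.path.relpath(os.path.join(sub, f), local_path)
                                     for f in files if f.lower().endswith(".dll")]
            findings.append(finding)
    return findings

def build_demo_tree():
    """Constructed sample tree mirroring the post's Windows 10 Notepad layout."""
    root = tempfile.mkdtemp(prefix="dotlocal_demo_")
    sys32 = os.path.join(root, "Windows", "System32")
    staged = os.path.join(sys32, "notepad.exe.local", SXS_DIR)
    os.makedirs(staged)
    for path in (os.path.join(sys32, "notepad.exe"),
                 os.path.join(sys32, "calc.exe"),        # no .local sibling: must not be reported
                 os.path.join(staged, "comctl32.dll")):  # the planted comctl32.dll
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    for f in find_dotlocal(build_demo_tree()):
        print(f"{f.local_path} (dir={f.is_dir}) redirects {f.exe_path}: {f.dlls}")
```

Any hit outside a developer's test setup deserves a look, and a hit next to a binary writable by a non-admin user is the case the post flags as the real risk.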