{"id":3513,"date":"2016-03-01T01:49:45","date_gmt":"2016-03-01T01:49:45","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3513"},"modified":"2016-03-01T02:08:32","modified_gmt":"2016-03-01T02:08:32","slug":"beyond-good-ol-run-key-part-35","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/03\/01\/beyond-good-ol-run-key-part-35\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 35"},"content":{"rendered":"<p>A long time ago in a galaxy far, far away&#8230;. Microsoft was releasing new versions of a super uber cool pre-web era editing control called <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb787605%28v=vs.85%29.aspx\">Rich Edit<\/a>. I remember programming one of my early Windows API apps ages ago and at that time I was a bit puzzled. Puzzled, because I had to determine which version of the Rich Edit control I could use, and then I had to ensure that I loaded the respective library myself to use certain features of the Rich Edit control.<\/p>\n<p>The Rich Edit control was and still is a great editing control &#8211; it supports multi-line editing, Unicode, COM, and lots of other whistles and fireworks. It became a foundation of many applications and editors and in many aspects was ahead of its time. 
The libraries used by the various versions of the control are as follows:<\/p>\n<ul>\n<li>1.0 &#8211; Riched32.dll<\/li>\n<li>2.0 &#8211; Riched20.dll<\/li>\n<li>3.0 &#8211; Riched20.dll<\/li>\n<li>4.1 &#8211; Msftedit.dll<\/li>\n<\/ul>\n<p>And yes, you know where this is going&#8230;<\/p>\n<p>Many apps following Microsoft&#8217;s <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/hh298375%28v=vs.85%29.aspx\">mantra<\/a> of loading the appropriate Rich Edit control would use the LoadLibrary API and open themselves up to a nice DLL hijack.<\/p>\n<p>Dropping a malicious Riched20.dll and\/or Riched32.dll in the same directory as an application relying on the Rich Edit control will lead to the execution of the malicious code each time the app is launched.<\/p>\n<p>A popular example of such an app is WinRAR. Many people use it as a standalone app, and winrar.exe works without any supporting files, so it can be dropped anywhere. Other examples include the very old, but still popular, Resource Hacker, as well as some tools from Sysinternals, e.g. ADInsight.exe and Bginfo.exe, FileInsight from McAfee, old EditPad, OllyDbg, and many more&#8230;<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/riched.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3514\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/riched-300x132.png\" alt=\"riched\" width=\"398\" height=\"175\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/riched-300x132.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/riched.png 682w\" sizes=\"(max-width: 398px) 100vw, 398px\" \/><\/a><\/p>\n<p>The newer version of the Rich Edit DLL (Msftedit.dll) is maybe less common, but can still be found in popular applications. 
One I came across is aswMBR.exe from AVAST &#8211; the dialog below pops up when my decoy DLL is dropped inside the same dir as aswMBR.exe, and it activates when I try to Save the log.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/Msftedit.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3515\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/Msftedit-300x132.png\" alt=\"Msftedit\" width=\"398\" height=\"175\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/Msftedit-300x132.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/03\/Msftedit.png 682w\" sizes=\"(max-width: 398px) 100vw, 398px\" \/><\/a><\/p>\n<p>Since many applications using Rich Edit are signed, the unsigned DLL may be loaded in the very same manner as with the PlugX malware, i.e. a signed .exe loading an unsigned .dll.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A long time ago in a galaxy far, far away&#8230;. Microsoft was releasing new versions of a super uber cool pre-web era editing control called Rich Edit. 
I remember programming one of my early Windows API apps ages ago and &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/01\/beyond-good-ol-run-key-part-35\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3513"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3513"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3513\/revisions"}],"predecessor-version":[{"id":3521,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3513\/revisions\/3521"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}