When Windows 10 accepts the remote desktop session, it queries the following Registry key:<\/p>\n
- \n
- HKLM\\SYSTEM\\CurrentControlSet\\Control\\
\nTerminal Server\\AddIns\\TestDVCPlugin<\/li>\n<\/ul>\nIf such key exists, the OS will attempt to read the Path<\/em> value underneath.<\/p>\n
Once the Path<\/em> is read, the DLL that it points to will be loaded via LoadLibrary.<\/p>\n
And that’s it! We now have yet another persistent mechanism to load the DLL. Anytime the first remote desktop session is established…<\/p>\n
An example of the potential malicious Registry Entry is shown below:<\/p>\n
![\"TestDVCPlugin0\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/07\/TestDVCPlugin0-300x222.png\")
<\/a><\/p>\nIn a test scenario, I created a DLL that – when loaded – creates a c:\\test\\test_attached file.<\/p>\n
The following screenshot shows what happens:<\/p>\n
- \n
- The user is logged on (console session) – the two first commands show situation at that moment and no presence of the file created by the DLL<\/li>\n
- The user then logs on remotely (under the same account – rdp-tcp#1 session).<\/li>\n
- The moment user logs on, the c:\\test\\test_attached file is created – the code is loaded<\/li>\n<\/ul>\n
![\"TestDVCPlugin1\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/07\/TestDVCPlugin1-300x190.png\")
<\/a><\/p>\nThe c:\\test\\test.dll is loaded into svchost.exe process and stays resident (until reboot\/service restart)<\/p>\n
![\"TestDVCPlugin2\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/07\/TestDVCPlugin2-300x241.png\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Testing, testing, testing… such an important part of the software development cycle. So important that its components are often referenced in the release code. The testing functionality in Microsoft products is nothing new. I wrote about it here, and here. … Continue reading