{"id":4118,"date":"2017-01-27T00:13:40","date_gmt":"2017-01-27T00:13:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4118"},"modified":"2017-01-27T00:24:28","modified_gmt":"2017-01-27T00:24:28","slug":"beyond-good-ol-run-key-part-57","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/01\/27\/beyond-good-ol-run-key-part-57\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 57"},"content":{"rendered":"

The best persistence mechanisms are these that are well documented. They work perfectly and are often compatible with many versions of Windows. Here’s a story of one.<\/p>\n

According to Microsoft’s page, the OffloadModExpo<\/a> function offloads modular exponentiation from a CSP to a hardware accelerator.<\/p>\n

We don’t really care too much what it means other than it has something to do with the crypto**, and that the function is exported by a plug-in-like DLL that is loaded from the path specified in the following location:<\/p>\n

HKLM\\Software\\Microsoft\\Cryptography\\\r\nOffload\\ExpoOffload = DLL Path<\/pre>\n
Yup. It’s that simple.<\/p>\n
Add the key, add the DLL. It doesn’t even need to export the OffloadModExpo function.<\/p>\n
The only question remaining is when.<\/p>\n
The answer is – pretty much all the time.<\/p>\n
The library is loaded by either dssenh.dll, or rsaenh.dll and these libraries provide crypto services to pretty much any possible software running on Windows. At some stage it’s loaded by svchost.exe, iexplore.exe (f.ex. when you visit https:\/\/ page), mscorsvw.exe, taskhostw.exe, sdiagnhost.exe and other processes.<\/p>\n
Here’s an example log from promcon immediately after I added the .reg file that installs a rogue DLL (soon after more processes pick it up):<\/p>\n
<\/a>and the debug view log confirming the loading:<\/p>\n
\"\"<\/a><\/p>\n
 <\/p>\n
**Bonus:<\/p>\n
Last, but not least – the very same thing was described in 2000<\/a> as a vulnerability; apparently the DLL will receive all the private keys used by the Crypto API \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
The best persistence mechanisms are these that are well documented. They work perfectly and are often compatible with many versions of Windows. Here’s a story of one. According to Microsoft’s page, the OffloadModExpo function offloads modular exponentiation from a CSP … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4118"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4118"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4118\/revisions"}],"predecessor-version":[{"id":4124,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4118\/revisions\/4124"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}