It has two interesting properties:<\/p>\n
- \n
- It can be used as a persistence mechanism<\/li>\n
- It can also mysteriously make files re-appear on the system as the mechanism is used to update files and as such, the entries are being used to copy files during the system start (by the ‘svchost.exe -k netsvcs’ process)<\/li>\n<\/ul>\n
This is an example entry:<\/p>\n
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Setup\\ServiceStartup\\malware.dll\r\n\"RegistrationFlags\"=dword:00000001\r\n\"CacheFile\"=\"C:\\\\test\\\\malware.dll\"\r\n\"TargetFile\"=\"C:\\\\WINDOWS\\\\system32\\\\malware.dll\"<\/pre>\n
The entry will force the file:<\/p>\n
- \n
- \n
C:\\test\\malware.dll<\/pre>\n<\/li>\n<\/ul>\n
to be loaded.<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/03\/ServiceStartup1-300x130.png\")
<\/a><\/p>\nIt will be also copied to:<\/p>\n
- \n
- \n
C:\\WINDOWS\\system32\\malware.dll<\/pre>\n<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/03\/ServiceStartup2-300x168.png\")
<\/a><\/p>\nNote that you can also simply ignore the copying and drop the file anywhere, and just point ‘CacheFile’ and ‘TargetFile’ to it.<\/p>\n
If you look at the first screenshot you will notice the Procmon logs show a reference to the ’20MUIFixUp’ entry.<\/p>\n
Interestingly, this entry can be used to just copy files, so adding a reg combo as below:<\/p>\n
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Setup\\ServiceStartup\\malware.dll\r\n\"20MUIFixUp\"=dword:00000001\r\n\"CacheFile\"=\"C:\\\\test\\\\malware.dll\"\r\n\"TargetFile\"=\"C:\\\\WINDOWS\\\\system32\\\\malware.dll\"<\/pre>\n
will create ‘C:\\WINDOWS\\system32\\malware.dll’ anytime you boot the system (but the file won’t be loaded\/executed). The’ 20MUIFixUp’ entry in the Registry will be deleted afterwards (so it needs to be re-created).<\/p>\n
Interestingly, the information about the loaded DLLs can be found inside the Windows Update log file:<\/p>\n
- \n
- c:\\WINDOWS\\WindowsUpdate.log<\/li>\n<\/ul>\n
Here’s an excerpt:<\/p>\n
Misc\u00a0\u00a0\u00a0 Registering binary: C:\\WINDOWS\\system32\\regsvr32.exe\u00a0 \/s \"C:\\WINDOWS\\system32\\malware.dll\"\r\nMisc\u00a0\u00a0\u00a0 FATAL: Self registration of C:\\WINDOWS\\system32\\malware.dll failed, error = 0x8024D007\r\nSetup\u00a0\u00a0\u00a0 FATAL: Failed to register C:\\WINDOWS\\system32\\malware.dll: error 0x8024d007\r\nSetup\u00a0\u00a0\u00a0 FATAL: ProcessDelayedCopies failed: 0x8024d007\r\nService\u00a0\u00a0\u00a0 FATAL: Failed to fix up registration at service startup: 0x8024d007<\/pre>\n
My test DLL was not prepared correctly (missing exported ‘DllInstall’ – see below), but the DLL still loads.<\/p>\n
At least on Windows XP.<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/03\/ServiceStartup3-300x151.png\")
<\/a><\/p>\nOkay, what about newer versions of Windows?<\/p>\n
First, let’s fix my DLL.<\/p>\n
To do so, I actually add two exported functions:<\/p>\n
- \n
- DllInstall, and<\/li>\n
- DllRegisterServer.<\/li>\n<\/ul>\n
Why?<\/p>\n
Because the ‘RegistrationFlags’ parameter can be equal either to ‘1’ or ‘2’.<\/p>\n
If it is 1, the ‘DllInstall’ API will be called. Otherwise, it will be the ‘DllRegisterServer’ API.<\/p>\n
When these DLLs are loaded and respective functions are called the Windows Update service logs the appropriate information to the ‘WindowsUpdate.log’ file – let’s have a look at the two examples:<\/p>\n
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Setup\\ServiceStartup\\malware.dll\r\n\"RegistrationFlags\"=dword:00000001\r\n\"CacheFile\"=\"C:\\\\test\\\\malware.dll\"\r\n\"TargetFile\"=\"C:\\\\test\\\\malware.dll\"<\/pre>\n
and<\/p>\n
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Setup\\ServiceStartup\\malware.dll\r\n\"RegistrationFlags\"=dword:00000002\r\n\"CacheFile\"=\"C:\\\\test\\\\malware.dll\"\r\n\"TargetFile\"=\"C:\\\\test\\\\malware.dll\"<\/pre>\n
When Windows Update service is restarted, you will get the following log entries inside the WindowsUpdate.log:<\/p>\n
\"RegistrationFlags\"=dword:00000001\r\nMisc\u00a0\u00a0\u00a0 Registering binary: C:\\Windows\\system32\\regsvr32.exe\u00a0 \/s \"C:\\test\\malware.dll\"\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * WU client version 7.6.7600.256\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Base directory: C:\\Windows\\SoftwareDistribution\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Access type: No proxy\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Network state: Connected\r\n\r\n\"RegistrationFlags\"=dword:00000002\r\nMisc\u00a0\u00a0\u00a0 Registering binary: C:\\Windows\\system32\\regsvr32.exe\u00a0 \/s \/n \/i \"c:\\test\\malware.dll\"\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * WU client version 7.6.7600.256\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Base directory: C:\\Windows\\SoftwareDistribution\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Access type: No proxy\r\nAgent\u00a0\u00a0\u00a0\u00a0\u00a0 * Network state: Connected\r\n<\/pre>\n
The trick works like a charm for Windows 7. I don’t see it working on Windows 10 though, but perhaps it has to be triggered some other way.<\/p>\n","protected":false},"excerpt":{"rendered":"
Today I’ll describe a little secret – a stealthy autostart key that is not very well-known and is very reliable since it is used by… well… the Windows Update. Yup, it’s a pretty handy one… This is the key: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Setup\\ServiceStartup … Continue reading
- c:\\WINDOWS\\WindowsUpdate.log<\/li>\n<\/ul>\n
- \n
- \n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/03\/ServiceStartup1.png\")
<\/a><\/p>\n