{"id":4691,"date":"2018-03-25T18:48:43","date_gmt":"2018-03-25T18:48:43","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4691"},"modified":"2018-03-25T18:56:08","modified_gmt":"2018-03-25T18:56:08","slug":"running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-6","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/03\/25\/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-6\/","title":{"rendered":"Running programs via Proxy &#038; jumping on a EDR-bypass trampoline, Part 6"},"content":{"rendered":"<p>In my recent <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/03\/15\/beyond-good-ol-run-key-part-73\/\">post<\/a> I documented how you can drop your own wmplayer.exe and force it to be loaded via dvdplay.exe. Here, I will show one of many DLLs that we can force to execute a specifically-named executable &#8211; mstran40.exe.<\/p>\n<p>The msrepl40.dll&#8217;s internal name is &#8216;Microsoft Replication Library&#8217; &#8211; as far as I can guess it is used by the Microsoft database engine &#8211; well, at least it exports a number of database-related functions so it must be somehow related. It doesn&#8217;t matter too much.<\/p>\n<p>We are going to use one of the exported functions (#2091) that is kind enough to run any executable that is named mstran40.exe &#8211; provided a specific registry key is set. The internal name of the aforementioned function #2091 is JetTrClientInit. The mstran40.exe doesn&#8217;t exist on Windows 7 and XP, so while attempting to execute it the system will search the PATH directories and, since it won&#8217;t find it there, will run it from the current directory. 
The trick doesn&#8217;t work on Win 10 :(.<\/p>\n<p>The registry key in question is this:<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Jet\\4.0\\Transporter\\TransporterId=GUID<\/li>\n<\/ul>\n<p>where GUID can be simply this:<\/p>\n<ul>\n<li>{00000000-0000-0000-0000-000000000000}<\/li>\n<\/ul>\n<p>It is required so that the function IIDFromString can succeed in converting it into a proper GUID. We are just providing the conditions for the JetTrClientInit function not to exit prematurely.<\/p>\n<p>See the attached animation for how it works in practice:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/03\/msrepl402091.gif\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4693\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/03\/msrepl402091.gif\" alt=\"\" width=\"500\" height=\"214\" \/><\/a><\/p>\n<p>Here&#8217;s a list of commands:<\/p>\n<pre>reg add HKLM\\SOFTWARE\\Microsoft\\Jet\\4.0\\Transporter \/v TransporterId \/t REG_SZ \/d {00000000-0000-0000-0000-000000000000}\r\n\r\nmd en-US\r\ncopy c:\\WINDOWS\\system32\\en-US\\calc.exe.mui c:\\test\\en-US\\mstran40.exe.mui\r\ncopy c:\\windows\\system32\\calc.exe c:\\test\\mstran40.exe\r\n\r\nrundll32.exe msrepl40.dll,#2091\r\n<\/pre>\n<p>And if you are wondering why I am copying the en-US directory and the MUI file: this is to ensure calc.exe (renamed to mstran40.exe) finds its resources, which are stored in a separate file (if I chose a different .exe, e.g. any console-based program, this wouldn&#8217;t be necessary, but we all want to see that Calculator, don&#8217;t we&#8230;).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my recent post I documented how you can drop your own wmplayer.exe and force it to be loaded via dvdplay.exe. Here, I will show one of many DLLs that we can force to execute a specifically-named executable &#8211; mstran40.exe. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/03\/25\/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-6\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4691"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4691"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4691\/revisions"}],"predecessor-version":[{"id":4698,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4691\/revisions\/4698"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}