{"id":5329,"date":"2018-08-31T22:48:23","date_gmt":"2018-08-31T22:48:23","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5329"},"modified":"2018-08-31T22:48:23","modified_gmt":"2018-08-31T22:48:23","slug":"beyond-good-ol-run-key-part-85","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/08\/31\/beyond-good-ol-run-key-part-85\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 85"},"content":{"rendered":"<p>This is a LOLbinish 2-stage persistence trick. One where we add startup items to point to OS binaries, and &#8211; while they will be ignored by many users and security solutions (at least at first glance) &#8211; they will be launching the second stage of the persistence mechanism for us&#8230;<\/p>\n<p>Many people who use win7-win10 know that the Werfault.exe process is all over the place. It&#8217;s a process &#8216;repairer&#8217; or &#8216;fixer&#8217; that handles crashes or other unpleasant activities of other processes. It turns out you can launch werfault.exe with a number of specific command line arguments. One of these modes is called &#8216;reflective debugger&#8217; and is very interesting to us. To launch werfault in this mode we need to provide the following parameters:<\/p>\n<ul>\n<li>werfault.exe -pr &lt;somevalue&gt;<\/li>\n<\/ul>\n<p>And how does it load the debugger?<\/p>\n<p>By reading:<\/p>\n<ul>\n<li>HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger=&lt;path&gt;<\/li>\n<\/ul>\n<p>and&#8230; executing it.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/reflectdebugger.png\"><img class=\"aligncenter wp-image-5327\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/reflectdebugger.png\" alt=\"\" width=\"500\" height=\"71\" \/><\/a><\/p>\n<p>That&#8217;s it.<\/p>\n<p>So if we add a Run key like this:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/reflectdebugger0.png\"><img class=\"aligncenter wp-image-5328\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/reflectdebugger0.png\" alt=\"\" width=\"500\" height=\"82\" \/><\/a><\/p>\n<p>&#8211; it will in the end launch our program of choice when the user logs on.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a LOLbinish 2-stage persistence trick. One where we add startup items to point to OS binaries, and &#8211; while they will be ignored by many users and security solutions (at least at first glance) &#8211; they will be &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/31\/beyond-good-ol-run-key-part-85\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5329"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5329"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5329\/revisions"}],"predecessor-version":[{"id":5330,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5329\/revisions\/5330"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}