![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/cleanmgr1.png\")
<\/a><\/p>\nIt turns out that the list of the ‘Files to delete’ that we see on the GUI is not random. It is pulled from this Registry node:<\/p>\n
- \n
- HKLM\\SOFTWARE\\Microsoft\\Windows\\
\nCurrentVersion\\Explorer\\
\nVolumeCaches<\/li>\n<\/ul>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/cleanmgr2.png\")
<\/a><\/p>\nSo, it would seem the list is dynamic and we can add entries to it.<\/p>\n
Indeed.<\/p>\n
The process is actually well-documented in this Microsoft’s article: Registering a Disk Cleanup Handler<\/a>.<\/p>\n
So, adding these entries:<\/p>\n
- \n
- HKLM\\SOFTWARE\\Microsoft\\Windows\\
\nCurrentVersion\\Explorer\\VolumeCaches\\
\nBadGuy=<BADCLSID><\/li>\n - HKCR\\CLSID\\<BADCLSID>\\
\nInProcServer32 = <BADDLL><\/li>\n<\/ul>\nwill launch the BADDLL anytime Clean Manager tool is launched. Notably, the GUI won’t show the BadGuy entry (unless additional required Registry entries are populated – refer to the information in the Microsoft article I provided the link to)!<\/p>\n
In my previous<\/a> post I speculated that in some cases it is possible to design LOLbinish persistence mechanisms. We can start by adding e.g. Run key pointing to a legitimate OS binary and then ensure that when it’s launched during logon process it will run the second stage of the persistence mechanism. The Werfault program was a good example, and the Disk Cleanup program falls into this category as well!<\/p>\n
The executable that launches the Disk Cleanup is called cleanmgr.exe. Adding it to run during the start-up may not be the best idea, because it has a GUI, but… there are always command line arguments of this program that we can use e.g.<\/p>\n
- \n
- \/autoclean<\/li>\n
- \/setup<\/li>\n<\/ul>\n
Indeed, adding ‘cleanmgr \/autoclean’ to ‘cleanmgr \/setup’\u00a0 to the ‘typical’ start-up place e.g. Run key will ensure that there is no GUI when the cleanmgr.exe is launched, and in a background, the plug-ins are loaded as well. Including the bad one.<\/p>\n
From a forensic perspective, cleanmgr.exe updates the files in the following location:<\/p>\n
- \n
- c:\\WINDOWS\\system32\\LogFiles\\setupcln\\setupact.log
\nc:\\WINDOWS\\system32\\LogFiles\\setupcln\\setuperr.log<\/li>\n<\/ul>\nI have not seen these files being updated with any references to the plug-ins loaded, but it could be a helpful artifact nevertheless…<\/p>\n
And… there is more…<\/p>\n
The Disk Cleanup has a few more tricks for us to exploit.<\/p>\n
Many entries that we see listed under the VolumeCache node point to {C0E13E61-0CC6-11d1-BBB6-0060978B2AE6}. This CLSID refers to c:\\Windows\\System32\\dataclen.dll file which is a generic folder and file deletion tool!<\/p>\n
The values it relies on are:<\/p>\n
- \n
- Folder – where to look for files to delete e.g. c:\\test (refer to Microsoft article for a syntax for multiple entries)<\/li>\n
- Files – what files to look for e.g. *.foo (refer to Microsoft article for a syntax for multiple entries)<\/li>\n
- StateFlags=1 – an internal flag<\/li>\n
- Flags = 1 – a documented flag, here means ‘run the plug-in’, but it can also tell the tool to do more things (refer to Microsoft article for details)<\/li>\n<\/ul>\n
Once these are set-up the program will search for the file(s) inside the folder(s) as per the Registry values. If any is found it will remove them as usual…<\/p>\n
BUT<\/p>\n
if any of these values exist:<\/p>\n
- \n
- PreCleanupString – a path to the program that will be executed prior to clean-up<\/li>\n
- CleanupString – a path to the program that will be executed after the clean-up<\/li>\n<\/ul>\n
it will also execute these programs prior and after the deletion!<\/p>\n
Sounds interesting?<\/p>\n
To trigger this one has to constantly drop c:\\test\\somefile.foo on the system. This will ensure the deletion library finds something to do and uses these two cleanup string entries and… these programs will be automatically executed.<\/p>\n
So…<\/p>\n
One can add their own entry, or modify the existing entries e.g.:<\/p>\n
- \n
- Diagnostic Data Viewer database files\n
- \n
- CleanupString = rundll32.exe utcutil.dll,DiskCleanupEnd<\/li>\n
- PreCleanupString = rundll32.exe utcutil.dll,DiskCleanupStart<\/li>\n<\/ul>\n<\/li>\n
- Windows Error Reporting Files\n
- \n
- PreCleanupString = wermgr.exe -purgestores<\/li>\n<\/ul>\n<\/li>\n
- etc.<\/li>\n<\/ul>\n
There is also a dangerous bit. One could use this mechanism to delete any folder\/file on the system…<\/p>\n
Lastly, if you want the PreCleanupString \/ CleanupString programs to be launched w\/o gui, i.e. while using e.g. \/autoclean command line switch, just need to a dword value Autorun=1 to the same branch in the Registry e.g.:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/cleanmgr3.png\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"It is a well-known fact that Windows features are the best persistence mechanisms, and… the one I am going to talk about is yet another one of these… If you ever ran into a problem of having not enough space … Continue reading
- Diagnostic Data Viewer database files\n
- c:\\WINDOWS\\system32\\LogFiles\\setupcln\\setupact.log
- HKLM\\SOFTWARE\\Microsoft\\Windows\\