{"id":5766,"date":"2018-12-30T23:38:39","date_gmt":"2018-12-30T23:38:39","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5766"},"modified":"2018-12-30T23:38:41","modified_gmt":"2018-12-30T23:38:41","slug":"beyond-good-ol-run-key-part-99","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/12\/30\/beyond-good-ol-run-key-part-99\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 99"},"content":{"rendered":"\n<p>It&#8217;s probably not an understatement to say that for every single DLL that the Windows OS ships with whose functionality I sort of understand (at least on a high level), there are probably hundreds, if not more, that I still have absolutely no clue about. This makes picking random code attractive, because there is always something new to discover.<\/p>\n\n\n\n<p>This is exactly what led me to discovering this possible persistence technique. I am saying &#8216;possible&#8217;, because I am almost certain it works, yet I have no way to test it in my hardware\/software setup.<\/p>\n\n\n\n<p>Have you ever heard of dafDockingProvider.dll?<\/p>\n\n\n\n<p>Hmm. Me neither.<\/p>\n\n\n\n<p>The &#8216;daf&#8217; bit stands for &#8216;Device Association Framework&#8217;. 
The Registry entries associated with this framework are themselves a very good persistence mechanism candidate &#8211; most of these libraries could potentially be trojanized:<\/p>\n\n\n\n<ul><li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Device Association Framework <\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf.png\" alt=\"\" class=\"wp-image-5768\" width=\"475\" height=\"313\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf.png 686w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf-300x199.png 300w\" sizes=\"(max-width: 475px) 100vw, 475px\" \/><\/figure><\/div>\n\n\n\n<p>The dafDockingProvider.dll library seems to be responsible for support of <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/design\/device-experiences\/docking\">docking<\/a>. And its code includes an interesting routine &#8211; it loads a number of so-called Docking Providers. They are loaded from the following Registry entry:<\/p>\n\n\n\n<ul><li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WirelessDocking\\DockingProviderDLLs<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"700\" height=\"168\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf1.png\" alt=\"\" class=\"wp-image-5769\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf1.png 700w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/daf1-300x72.png 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<p>The values under this key are enumerated, and the DLLs they point to are loaded. The only caveat is that the libraries are loaded with LoadLibraryExW using the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, so the files need to be in a system directory. 
The DLLs are expected to export these two functions:<\/p>\n\n\n\n<ul><li>InitializeDockingProvider<\/li><li>ShutdownDockingProvider<\/li><\/ul>\n\n\n\n<p>The only homework left to do is to test it on a system with a wireless docking station&#8230; If you happen to make it work, please let me know. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s probably not an understatement to say that for every single DLL that the Windows OS ships with whose functionality I sort of understand (at least on a high level), there are probably hundreds, if not &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/12\/30\/beyond-good-ol-run-key-part-99\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5766"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5766"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5766\/revisions"}],"predecessor-version":[{"id":5770,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5766\/revisions\/5770"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post
=5766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}