{"id":6530,"date":"2019-07-12T20:52:22","date_gmt":"2019-07-12T20:52:22","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6530"},"modified":"2019-07-12T20:52:24","modified_gmt":"2019-07-12T20:52:24","slug":"beyond-good-ol-run-key-part-109","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/07\/12\/beyond-good-ol-run-key-part-109\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 109"},"content":{"rendered":"\n<p>This is probably the least practical persistence mechanism I have come across. This is because, as far as I know, loading external DLLs into Metro apps requires <a href=\"https:\/\/blog.nektra.com\/main\/2013\/02\/25\/injecting-a-dll-in-modernui-metro-app-win8\/\">a lot of effort<\/a> (the file needs to be signed, have special rights, be included in a manifest, etc. &#8212; see the linked post for more details). In other words, it is practically impossible, unless there is some newer research that I missed. And in any case, even if we managed to load that DLL it would end up inside the process space of a low privilege app.<\/p>\n\n\n\n<p>However&#8230; it is always good to document it.
Especially since this is about a close cousin of the old <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/04\/16\/beyond-good-ol-run-key-part-10\/\">Office Test<\/a> key I covered in 2014, &amp; I think it&#8217;s my first Metro persistence trick.<\/p>\n\n\n\n<p>When you run the Mail program that is built into Windows 10 you are actually running a Metro app, <em>HxOutlook.exe<\/em>, that executes from the following location:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11425.20190.0_x64__8wekyb3d8bbwe\\HxOutlook.exe<\/p><\/blockquote>\n\n\n\n<p>If you look at the Process Monitor logs collected during this app start-up you will notice that the app tries to read the following key:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\\REGISTRY\\&#8230;\\LocalState\\HKEY_CURRENT_USER\\Software\\Microsoft\\Office Test\\Special\\PerfImm<\/p><\/blockquote>\n\n\n\n<p>Of course, when I saw it, I immediately thought of my old post, because the key name looks so similar.<\/p>\n\n\n\n<p>Now, the Registry entry shown above may be a bit confusing. It is an HKCU location, but since this is a Metro app you won&#8217;t find these entries inside your user hive. Instead, you will need to look for a small, app-dedicated hive placed in the following location:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>c:\\Users\\&lt;user&gt;\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat<\/p><\/blockquote>\n\n\n\n<p>The rule of thumb is that if you see LocalState in a Registry entry, it means it&#8217;s an app hive.<\/p>\n\n\n\n<p>In order to modify it, you need to:<\/p>\n\n\n\n<ul><li>kill all the processes that access this hive file first (e.g.
HxOutlook.exe process); otherwise you will get <em>access denied<\/em> errors<\/li><li>use the <em>reg load<\/em> command to attach it to the HKCU or HKLM hive<\/li><li>from there, you can navigate to the appropriate Office Test location via Regedit<\/li><li>modify the entry<\/li><li>run <em>reg unload<\/em> to save the changes to the <em>settings.dat<\/em> file<\/li><\/ul>\n\n\n\n<p>It&#8217;s actually a very straightforward process.<\/p>\n\n\n\n<p>Okay. Once I did it, I re-ran the program and discovered that the value the program is actually looking for is this:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>EnableCodeMarkerCallback<\/p><\/blockquote>\n\n\n\n<p>If this value is set, the program will try to load the following library:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>appcodemarkerimm.dll<\/p><\/blockquote>\n\n\n\n<p>The library is loaded via the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-loadpackagedlibrary\">LoadPackagedLibrary<\/a> API, and then the program tries to resolve a bunch of functions exported by this library:<\/p>\n\n\n\n<ul><li>GetPerfhostHookVersion<\/li><li>InitPerf<\/li><li>PerfCodeMarker<\/li><li>InitPerf_v3<\/li><li>PerfCodeMarker_v3<\/li><li>UnInitPerf_v3<\/li><\/ul>\n\n\n\n<p>I have not implemented a PoC because of the issues I mentioned earlier, and it doesn&#8217;t seem to be worth trying at all, but it&#8217;s an interesting curiosity nevertheless&#8230;<\/p>\n\n\n\n<p>And there is a little bit more&#8230;<\/p>\n\n\n\n<p>By looking for instances of <em>appcodemarkerimm<\/em> inside all files in the <em>HxOutlook<\/em> directory, I came across a few more &#8216;potentials&#8217;, e.g. <em>Spy.dll<\/em> and <em>XamlSpy.dll<\/em>, referenced by a number of libraries. These two are not present, so they are probably also part of a testing suite.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is probably the least practical persistence mechanism I have come across.
This is because, as far as I know, loading external DLLs into Metro apps requires a lot of effort (the file needs to be signed, have special rights, be included in &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/07\/12\/beyond-good-ol-run-key-part-109\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6530"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6530"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6530\/revisions"}],"predecessor-version":[{"id":6534,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6530\/revisions\/6534"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}