{"id":6769,"date":"2019-09-19T23:55:12","date_gmt":"2019-09-19T23:55:12","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6769"},"modified":"2019-09-19T23:56:19","modified_gmt":"2019-09-19T23:56:19","slug":"silentprocessexit-quick-look-under-the-hood","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/09\/19\/silentprocessexit-quick-look-under-the-hood\/","title":{"rendered":"SilentProcessExit &#8211; quick look under the hood"},"content":{"rendered":"\n<p>There is a relatively old, but well-known debugging mechanism called <em>SilentProcessExit<\/em>. It is documented on Microsoft's <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/debugger\/registry-entries-for-silent-process-exit\">site<\/a>, and there are many blogs talking about it (<a href=\"https:\/\/twitter.com\/Oddvarmoe\">@Oddvarmoe<\/a> has a very good intro <a href=\"https:\/\/oddvar.moe\/2018\/04\/10\/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe\/\">post<\/a> about it and you should have a glance before you continue reading below). <\/p>\n\n\n\n<p>I was curious how it works under the hood, and this post is about it. What motivated me to look at it in the first place was the fact that I saw a potential to abuse it to spawn arbitrary processes via the svchost.exe \/ werfault.exe combo &#8211; with them acting as ancestor\/parent processes to our program of choice, e.g.:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"232\" height=\"56\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/09\/SilentProcessExit1.png\" alt=\"\" class=\"wp-image-6770\"\/><\/figure>\n\n\n\n<p>I was curious if I could do it _without_ setting up Registry Settings under HKLM. 
If it worked, we would have yet another evasion possibility.<\/p>\n\n\n\n<p>The function triggering this activity is called <em>RtlReportSilentProcessExit<\/em> and it is called from <em>ntdll.dll<\/em> before programs terminate.<\/p>\n\n\n\n<p>If the <em>SilentProcessExit<\/em> Registry settings are set up properly for the exiting program (either via the <em>gflags.exe<\/em> tool, or manually), the aforementioned API will &#8216;talk&#8217; to the WER Service. As a result, the latter will launch a predefined <code>Monitoring program<\/code> as per the <em>SilentProcessExit <\/em>Registry settings (if configured). <\/p>\n\n\n\n<p>I speculated that if I could find out how the <em>RtlReportSilentProcessExit <\/em>API works, and in particular, how it talks to the WER service, I would be able to either force it to launch my program of choice, or at least rip its code to &#8216;talk&#8217; to the WER service myself, and most importantly (and hopefully) &#8211; w\/o the <em>SilentProcessExit <\/em>Registry Settings in place.<\/p>\n\n\n\n<p>After a lot of spelunking, I realized a few things:<\/p>\n\n\n\n<ul><li><em>RtlReportSilentProcessExit <\/em>talks to the WER service via ALPC; Alex Ionescu (no surprises here) <a href=\"http:\/\/alex-ionescu.com\/Publications\/SyScan\/syscan2014.pdf\">covered<\/a> (PDF Warning) this mechanism at a high level a few years ago.<\/li><li>The ALPC port is named <em>\\WindowsErrorReportingServicePort<\/em><\/li><li>The ALPC interaction that <em>RtlReportSilentProcessExit <\/em>initiates just tells WER to handle the <em>SilentProcessExit<\/em> and provides the Process ID; I was really expecting to have more influence over this bit \ud83d\ude41<\/li><li>The WER Service that the <em>RtlReportSilentProcessExit<\/em> API talks to is hosted by <em>svchost.exe<\/em>: <ul><li>WerSvc = C:\\Windows\\System32\\svchost.exe -k WerSvcGroup<\/li><li>It loads %SystemRoot%\\System32\\WerSvc.dll<\/li><\/ul><\/li><li>After looking at <em>WerSvc.dll<\/em> I 
confirmed that the HKLM Registry settings required for <em>SilentProcessExit<\/em> to work are mandatory \ud83d\ude41<\/li><li>The <em>WerSvc.dll<\/em> handler extracts the file name of the exiting executable, then checks the associated IFEO Registry key, and if the <em>GlobalFlag<\/em> value exists and has the <em>0x200<\/em> flag set, it launches <em>werfault.exe<\/em> &#8211; the latter then executes the predefined <em>Monitoring Process<\/em><\/li><\/ul>\n\n\n\n<p>So&#8230; the conclusion is this: we can trigger execution of this mechanism via <em>RtlReportSilentProcessExit <\/em>without exiting the program, and the <em>svchost.exe\/werfault.exe<\/em> combo will launch the <em>Monitoring Program<\/em> of your choice, but you do need these Registry settings in place (<em>GlobalFlag<\/em> and <em>Monitoring<\/em> Program). <\/p>\n\n\n\n<p>At the moment I can&#8217;t think of any practical use for it, but I guess it&#8217;s good to know why the <em>Monitoring Program<\/em> process is spawned by <em>werfault.exe<\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a relatively old, but well-known debugging mechanism called SilentProcessExit. 
It is documented on Microsoft's site, and there are many blogs talking about it (@Oddvarmoe has a very good intro post about it and you should have a glance &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/19\/silentprocessexit-quick-look-under-the-hood\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,80,67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6769"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6769"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6769\/revisions"}],"predecessor-version":[{"id":6774,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6769\/revisions\/6774"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}