{"id":7449,"date":"2020-09-18T22:58:25","date_gmt":"2020-09-18T22:58:25","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7449"},"modified":"2020-09-18T22:58:25","modified_gmt":"2020-09-18T22:58:25","slug":"beyond-good-ol-run-key-part-128","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/09\/18\/beyond-good-ol-run-key-part-128\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 128"},"content":{"rendered":"\n<p>It&#8217;s been a long time since I looked at phantom DLLs (non-existing DLLs that are expected to be present in predictable locations). So, a quick rundown of what we can see on Win10 today follows:<\/p>\n\n\n\n<ul><li>C:\\Windows\\System32\\edgegdi.dll<ul><li>loaded by gdi.dll, but not present on the most up-to-date Win10 Pro installation; it must be signed<\/li><li>loaded by a number of processes: backgroundTaskHost.exe, BackgroundTransferHost.exe, DllHost.exe, dmclient.exe, HxTsr.exe, LockApp.exe, LogonUI.exe, Microsoft.Photos.exe, mousocoreworker.exe and many others; existing work: found some EoP research on <a href=\"https:\/\/twitter.com\/_hugsy_\/status\/1304463436479262721?s=20\">Twitter<\/a> <\/li><\/ul><\/li><li>C:\\Windows\\SysWOW64\\rpcss.dll<ul><li><\/li><\/ul><\/li><li>C:\\Windows\\System32\\UsoSelfhost.dll<ul><li>loaded by mousocoreworker.exe &#8212; possible EoP?<\/li><\/ul><\/li><li>C:\\Windows\\System32\\Speech_OneCore\\common\\sapi_onecore.dll<ul><li>loaded by SearchApp.exe<\/li><\/ul><\/li><li>C:\\Windows\\System32\\windowscoredeviceinfo.dll<ul><li>loaded by taskhostw.exe<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>There are more, but I reserve them for a possible future post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s been a long time since I looked at phantom DLLs (non-existing DLLs that are expected to be present in predictable locations). 
So, a quick rundown of what we can see on Win10 today follows: C:\\Windows\\System32\\edgegdi.dll loaded by gdi.dll, but not &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/09\/18\/beyond-good-ol-run-key-part-128\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7449"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7449"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7449\/revisions"}],"predecessor-version":[{"id":7450,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7449\/revisions\/7450"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}