{"id":7607,"date":"2020-12-05T23:23:39","date_gmt":"2020-12-05T23:23:39","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7607"},"modified":"2020-12-05T23:23:39","modified_gmt":"2020-12-05T23:23:39","slug":"csrss-exe-and-its-manifests","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/12\/05\/csrss-exe-and-its-manifests\/","title":{"rendered":"csrss.exe and its manifests"},"content":{"rendered":"\n<p>This is yet another odd behavior I spotted using Procmon. I was curious what <em>.manifest<\/em> files may be missing on my test Windows 10 system. The idea was that if I could find &#8216;phantom manifests&#8217; I could use them as a persistence trick, or to escalate privileges.<\/p>\n\n\n\n<p>To my surprise, one of the first findings was <em>csrss.exe<\/em> constantly trying to access <em>Microsoft.Windows.Common-Controls.MANIFEST<\/em>. So intensive are these efforts that the process is looking for this file in a couple of locations:<\/p>\n\n\n\n<ul><li>C:\\WINDOWS\\SysWOW64\\en-US\\Microsoft.Windows.Common-Controls.mui\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\WINDOWS\\SysWOW64\\en-US\\Microsoft.Windows.Common-Controls\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\WINDOWS\\SysWOW64\\en\\Microsoft.Windows.Common-Controls.mui\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\WINDOWS\\SysWOW64\\en\\Microsoft.Windows.Common-Controls\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\WINDOWS\\en-US\\Microsoft.Windows.Common-Controls.mui\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\WINDOWS\\en-US\\Microsoft.Windows.Common-Controls\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\WINDOWS\\system32\\en-US\\Microsoft.Windows.Common-Controls.mui\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\WINDOWS\\system32\\en-US\\Microsoft.Windows.Common-Controls\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\WINDOWS\\system32\\en\\Microsoft.Windows.Common
-Controls.mui\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\WINDOWS\\system32\\en\\Microsoft.Windows.Common-Controls\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\SysWOW64\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\SysWOW64\\en-US\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\Windows\\SysWOW64\\en\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\SysWOW64\\en\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\Windows\\System32\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\System32\\en-US\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\Windows\\System32\\en\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\System32\\en\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><li>C:\\Windows\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST<\/li><li>C:\\Windows\\en-US\\Microsoft.Windows.Common-Controls.mui.MANIFEST<\/li><\/ul>\n\n\n\n<p>Note the unusual <em>.mui.MANIFEST<\/em> file extension, as well as the <em>Microsoft.Windows.Common-Controls.mui<\/em> and <em>Microsoft.Windows.Common-Controls<\/em> directories that are being probed.<\/p>\n\n\n\n<p>After poking around I discovered that the actual code that does all these searches resides inside <em>sxs.dll<\/em> &#8211; it all happens when the <em>SxsGenerateActivationContext<\/em> API is called. One of the functions this API calls is <em>SxspExpandProbingCandidate<\/em>, and this one probes various system locations for a manifest file. Interestingly, some of the SXS code also seems to probe the <em>.dll<\/em> and <em>.mui<\/em> files found during these searches and checks their resources as well (to see if a matching manifest resource can be found). 
I guess more findings are to be expected from this portion of code in the future.<\/p>\n\n\n\n<p>Of course, once I discovered that a specific manifest file <em>csrss.exe<\/em> is looking for is not present on the system, I immediately created a dummy one. I then restarted the system and it simply hung. That was a good sign :-). <\/p>\n\n\n\n<p>I then tested the whole thing one more time, but this time without an immediate restart and with Procmon running. The manifest file I introduced used the <em>file<\/em> tag with a <em>name<\/em> attribute pointing to my test DLL, which was placed both in the same directory as the manifest file and inside <em>c:\\windows\\system32\\<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;file name=\"test.dll\">&lt;\/file><\/pre>\n\n\n\n<p>Once I created <em>C:\\Windows\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST<\/em>, the <em>csrss.exe<\/em> process could access it and&#8230; it did read it. On the surface nothing changed; however, the next time I tried running a GUI application, e.g. <em>calc.exe<\/em>, I got this message:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs1.png\" alt=\"\" class=\"wp-image-7608\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs1.png 558w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs1-300x96.png 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/a><\/figure>\n\n\n\n<p>Hmm. This is nice proof that my manifest file is being taken into account, and it apparently broke something. As expected, removing the <em>.manifest<\/em> file I introduced removes the issue, and it also confirms that this manifest file can be modified at run-time, as <em>csrss.exe<\/em> does not seem to cache its content. 
<\/p>\n\n\n\n<p>As a side note, <em>csrss.exe<\/em> seems to be accessing <em>C:\\Windows\\WindowsShell.Manifest<\/em> as well, so since this one exists on the system by default it could be modified.<\/p>\n\n\n\n<p>Now, the question is what is the manifest content that could make <em>csrss.exe<\/em> &#8216;like&#8217; it.<\/p>\n\n\n\n<p>Ideas?<\/p>\n\n\n\n<p>After poking around a bit more I discovered that <em>csrss.exe<\/em> &#8216;likes&#8217; manifest files a lot. I let the VM run with the Procmon on. After a while I got a few good hits.  Example paths include:<\/p>\n\n\n\n<ul><li>C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Common7\\IDE\\coloader80.dll.manifest<\/li><li>C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Common7\\IDE\\DebuggerProxy.dll.manifest<\/li><li>C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Common7\\IDE\\Microsoft.VisualStudio.CompilerHostObjectsProxy.dll.manifest<\/li><\/ul>\n\n\n\n<p>A-ha.<\/p>\n\n\n\n<p>They actually exist on my test system so I can have a peep.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n&lt;!-- Copyright (C) 1981-2007 Microsoft Corporation -->\n&lt;assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\n&lt;noInheritable\/>\n&lt;assemblyIdentity type=\"win32\" processorArchitecture=\"x86\" name=\"debuggerproxy.dll\" version=\"1.0.0.0\" \/>\n&lt;file name=\"debuggerproxy.dll\">\n&lt;comClass clsid=\"{C5621364-87CC-4731-8947-929CAE75323E}\" threadingModel=\"Both\"\/>\n&lt;\/file>\n&lt;comInterfaceExternalProxyStub name=\"CausalityInternal_IAD7ALCausalityEventBridge\" iid=\"{F6A124D7-5BB7-47B2-A9AF-AAB0EEAB60E3}\" numMethods=\"5\" proxyStubClsid32=\"{C5621364-87CC-4731-8947-929CAE75323E}\"\/><\/pre>\n\n\n\n<p>OR<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?&gt;<br>&lt;assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" 
manifestVersion=\"1.0\" copyright=\"Copyright (c) Microsoft Corporation. All Rights Reserved.\" xmlns:cmiv2=\"urn:schemas-microsoft-com:asm.v3\" cmiv2:copyright=\"Copyright (c) Microsoft Corporation. All Rights Reserved.\"&gt;<br>&lt;noInheritable \/&gt;<br>&lt;assemblyIdentity name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.18362.1016\" processorArchitecture=\"x86\" publicKeyToken=\"6595b64144ccf1df\" type=\"win32\" \/&gt;<br>&lt;file name=\"comctl32.dll\" cmiv2:importPath=\"$(build.nttree)\\asms\\60\\msft\\windows\\common\\controls\" cmiv2:sourceName=\"\"&gt;<br>&lt;windowClass&gt;ToolbarWindow32&lt;\/windowClass&gt;<br>&lt;windowClass&gt;ComboBoxEx32&lt;\/windowClass&gt;<\/pre>\n\n\n\n<p>So, hmm, both <em>file<\/em> entries and COM registration entries seem to be well supported.<\/p>\n\n\n\n<p>I guess the file must be signed or something?<\/p>\n\n\n\n<p>Ideas?<\/p>\n\n\n\n<p>I followed with the simplest example ever &#8211; I put <em>comctl32.dll<\/em> as the value of the <em>name<\/em> attribute inside the manifest file, then placed a copy of <em>comctl32.dll<\/em> in the same directory. Then I restarted the computer.<\/p>\n\n\n\n<p>Hello nothingness.<\/p>\n\n\n\n<p>After the restart, no Explorer in sight. Task Manager shows as below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs2.png\"><img decoding=\"async\" loading=\"lazy\" width=\"368\" height=\"366\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs2.png\" alt=\"\" class=\"wp-image-7611\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs2.png 368w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs2-300x298.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs2-150x150.png 150w\" sizes=\"(max-width: 368px) 100vw, 368px\" \/><\/a><\/figure>\n\n\n\n<p>A-ha. 
Let&#8217;s try to run explorer.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs3.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs3.png\" alt=\"\" class=\"wp-image-7612\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs3.png 560w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/sxs3-300x99.png 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/><\/a><\/figure>\n\n\n\n<p>Okay, so everything is broken as before. A good sign, I guess.<\/p>\n\n\n\n<p>Ideas?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is yet another odd behavior I spotted using Procmon. I was curious what .manifest files may be missing on my test Windows 10 system. The idea was that if I could find &#8216;phantom manifests&#8217; I could use them as &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/12\/05\/csrss-exe-and-its-manifests\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,67,45],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7607"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7607"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7607\/revisions"}],"predecessor-version":[{"id":7613,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7607\/revisions\/7613"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
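The two things the post does by hand with Procmon, spotting which manifest paths csrss.exe probes that do not exist (the "phantom manifest" candidates) and then reading the manifests that do exist to see which DLLs and COM classes they bind, can be scripted. The following is an added example and not code from the original post: it assumes a Procmon CSV export with the default column set ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the capture lines and the manifest embedded in it are constructed for the demo, modelled on the paths and the DebuggerProxy.dll.manifest quoted above. It uses ntpath so the Windows paths resolve correctly even when the triage runs on a non-Windows analysis box.

```python
"""Triage Process Monitor output for SxS manifest probing by csrss.exe.

Added example, not code from the original post. Assumes a Procmon CSV export
with the default column set ("Time of Day", "Process Name", "PID",
"Operation", "Path", "Result", "Detail"). The capture lines and the manifest
below are constructed for the demo, modelled on the paths and the
DebuggerProxy.dll.manifest quoted in the post.
"""
import csv
import io
import ntpath
import re
import xml.etree.ElementTree as ET

MANIFEST_RE = re.compile(r"\.manifest$", re.IGNORECASE)
ASM_NS = {"a": "urn:schemas-microsoft-com:asm.v1"}

# Constructed Procmon CSV export (not a real capture).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:00.0000000 PM","csrss.exe","612","CreateFile","C:\\Windows\\SysWOW64\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST","NAME NOT FOUND","Desired Access: Generic Read"
"1:00:00.0000001 PM","csrss.exe","612","CreateFile","C:\\Windows\\System32\\en-US\\Microsoft.Windows.Common-Controls.mui.MANIFEST","NAME NOT FOUND","Desired Access: Generic Read"
"1:00:00.0000002 PM","csrss.exe","612","CreateFile","C:\\Windows\\en-US\\Microsoft.Windows.Common-Controls.MANIFEST","NAME NOT FOUND","Desired Access: Generic Read"
"1:00:00.0000003 PM","csrss.exe","612","CreateFile","C:\\Windows\\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read"
"1:00:00.0000004 PM","csrss.exe","612","CreateFile","C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Common7\\IDE\\DebuggerProxy.dll.manifest","SUCCESS","Desired Access: Generic Read"
"1:00:00.0000005 PM","csrss.exe","612","CreateFile","C:\\Windows\\System32\\en-US\\comctl32.dll.mui","SUCCESS","Desired Access: Generic Read"
"1:00:00.0000006 PM","explorer.exe","4040","CreateFile","C:\\Windows\\explorer.exe.manifest","NAME NOT FOUND","Desired Access: Generic Read"
"""

# Constructed manifest, modelled on the DebuggerProxy.dll.manifest quoted in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<noInheritable/>
<assemblyIdentity type="win32" processorArchitecture="x86" name="debuggerproxy.dll" version="1.0.0.0" />
<file name="debuggerproxy.dll">
<comClass clsid="{C5621364-87CC-4731-8947-929CAE75323E}" threadingModel="Both"/>
</file>
</assembly>
"""


def manifest_probes(csv_text, process="csrss.exe"):
    """Split the manifest paths a process opened into phantom (NAME NOT FOUND,
    i.e. a location that could be populated) and present (SUCCESS)."""
    phantom, present = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] != "CreateFile" or not MANIFEST_RE.search(row["Path"]):
            continue
        if row["Result"] == "NAME NOT FOUND":
            phantom.append(row["Path"])
        elif row["Result"] == "SUCCESS":
            present.append(row["Path"])
    # csrss.exe repeats the same probes; keep first-seen order, drop duplicates
    return {"phantom": list(dict.fromkeys(phantom)),
            "present": list(dict.fromkeys(present))}


def manifest_references(xml_text):
    """List the DLLs a manifest binds (<file name=...>) and the COM classes
    each one registers, plus whether the identity carries a publicKeyToken."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    identity = root.find("a:assemblyIdentity", ASM_NS)
    files = [{"file": f.get("name"),
              "clsids": [c.get("clsid") for c in f.findall("a:comClass", ASM_NS)]}
             for f in root.findall("a:file", ASM_NS)]
    return {"assembly": identity.get("name") if identity is not None else None,
            "has_public_key_token": identity is not None
                                    and identity.get("publicKeyToken") is not None,
            "files": files}


def sideloaded_dll_paths(manifest_path, refs):
    """Resolve each <file name=...> next to the manifest, which is where the
    post planted test.dll and the comctl32.dll copy. ntpath keeps Windows
    separators even when this runs on a non-Windows box."""
    base = ntpath.dirname(manifest_path)
    return [ntpath.join(base, r["file"]) for r in refs["files"]]


if __name__ == "__main__":
    probes = manifest_probes(SAMPLE_PROCMON_CSV)
    print("phantom manifests probed by csrss.exe:")
    for p in probes["phantom"]:
        print("  ", p)
    print("existing manifests read by csrss.exe:")
    for p in probes["present"]:
        print("  ", p)
    refs = manifest_references(SAMPLE_MANIFEST)
    print("manifest binds:", sideloaded_dll_paths(probes["present"][1], refs))
```

Run it against a real export (File > Save as CSV in Procmon, with a filter on Process Name is csrss.exe) by swapping the constructed string for the file contents. Note that every phantom location quoted in the post sits under C:\Windows, which a standard user cannot write to by default, so a hit there is a persistence candidate rather than a privilege-escalation one; check the ACL of a phantom path (and of the directory a <file name=...> entry would resolve into) before drawing conclusions.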