{"id":7728,"date":"2021-03-05T23:18:20","date_gmt":"2021-03-05T23:18:20","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7728"},"modified":"2021-03-05T23:18:20","modified_gmt":"2021-03-05T23:18:20","slug":"beyond-good-ol-run-key-part-133","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/03\/05\/beyond-good-ol-run-key-part-133\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 133"},"content":{"rendered":"\n<p>Java programs compiled into executable form using <a href=\"http:\/\/launch4j.sourceforge.net\/\">launch4j<\/a> have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities.<\/p>\n\n\n\n<p>When the executable starts it checks the environment for the presence of a Java Runtime Environment (JRE) and, while doing so, it checks a number of registry locations:<\/p>\n\n\n\n<ul><li>64-bit search: HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment<\/li><li>32-bit search: HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment<\/li><li>64-bit search: HKLM\\SOFTWARE\\JavaSoft\\Java Development Kit<\/li><li>32-bit search: HKLM\\SOFTWARE\\JavaSoft\\Java Development Kit<\/li><li>64-bit search: HKLM\\SOFTWARE\\JavaSoft\\JRE<\/li><li>32-bit search: HKLM\\SOFTWARE\\JavaSoft\\JRE<\/li><li>64-bit search: HKLM\\SOFTWARE\\JavaSoft\\JDK<\/li><li>32-bit search: HKLM\\SOFTWARE\\JavaSoft\\JDK<\/li><li>64-bit search: HKLM\\SOFTWARE\\IBM\\Java Runtime Environment<\/li><li>32-bit search: HKLM\\SOFTWARE\\IBM\\Java Runtime Environment<\/li><li>64-bit search: HKLM\\SOFTWARE\\IBM\\Java2 Runtime Environment<\/li><li>32-bit search: HKLM\\SOFTWARE\\IBM\\Java2 Runtime Environment<\/li><li>64-bit search: HKLM\\SOFTWARE\\IBM\\Java Development Kit<\/li><li>32-bit search: HKLM\\SOFTWARE\\IBM\\Java Development Kit<\/li><\/ul>\n\n\n\n<p>The JAVA_HOME environment variable is not consulted.<\/p>\n\n\n\n<p>Placing a malicious entry under any of these branches, e.g.:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">[HKEY_LOCAL_MACHINE\\SOFTWARE\\JavaSoft\\Java Development Kit\\1.8]\n\"JavaHome\"=\"c:\\test\"<\/pre>\n\n\n\n<p>and then dropping a malicious <em>c:\\test\\jre\\bin\\javaw.exe<\/em> will cause the original program compiled with launch4j (when launched) to spawn that malicious <em>javaw.exe<\/em>.<\/p>\n\n\n\n<p>And as a little bonus, the launch4j stub accepts these debug command line arguments (or the equivalent environment variable values shown in parentheses):<\/p>\n\n\n\n<ul><li><em>--l4j-debug<\/em> (or <em>Launch4j=*debug*<\/em>)<\/li><li><em>--l4j-debug-all<\/em> (or <em>Launch4j=*debug-all*<\/em>)<\/li><\/ul>\n\n\n\n<p>When either of these is present, a <em>launch4j.log<\/em> file is created with all the information needed for troubleshooting (the second option producing a more verbose version of the log file).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. 
When the executable starts it checks the environment for the presence of a Java Runtime Environment &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2021\/03\/05\/beyond-good-ol-run-key-part-133\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7728"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7728"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7728\/revisions"}],"predecessor-version":[{"id":7729,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7728\/revisions\/7729"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}