{"id":7804,"date":"2021-05-20T21:33:59","date_gmt":"2021-05-20T21:33:59","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7804"},"modified":"2023-11-15T22:26:30","modified_gmt":"2023-11-15T22:26:30","slug":"byot-bring-your-own-telemetry","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/05\/20\/byot-bring-your-own-telemetry\/","title":{"rendered":"BYOT &#8211; Bring Your Own Telemetry"},"content":{"rendered":"\n<p><strong>Update 2023-11-15<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/Laughing_Mantis\">Greg<\/a> posted this <a href=\"https:\/\/x.com\/Laughing_Mantis\/status\/1724864762536948168?s=20\">finding<\/a> on Twitter\/X today and I have updated the list below accordingly. Thanks!<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>Research is a funny business. You look at some stuff, you conclude it&#8217;s impossible, and then&#8230; you forget about it. So you think. It gets stuck in your head&#8230; somewhere&#8230; so that you can come back to it one day.<\/p>\n\n\n\n<p>For CompatTelRunner.exe this day is today.<\/p>\n\n\n\n<p>When I looked at this program a few years ago I saw it had great LOLBIN potential. It takes two arguments: -m for the module, and -f for the exported API function name. Nothing could be better than that, right? 
<\/p>\n\n\n\n<p>You just invoke:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CompatTelRunner.exe -m:foo.dll -f:bar<\/pre>\n\n\n\n<p>and it will load <em>foo.dll<\/em> and call the <em>bar<\/em> API!<\/p>\n\n\n\n<p>The problem is that the programmers of this tool anticipated this sort of abuse and built in some code to block it:<\/p>\n\n\n\n<ul>\n<li>they made sure the DLLs are loaded from the system directory, and<\/li>\n\n\n\n<li>the path to the system directory is retrieved via the GetSystemDirectory API, and<\/li>\n\n\n\n<li>they also check the -m argument is one of:\n<ul>\n<li>aemarebackup.dll<\/li>\n\n\n\n<li>appraiser.dll<\/li>\n\n\n\n<li>generaltel.dll<\/li>\n\n\n\n<li>invagent.dll<\/li>\n\n\n\n<li>devinv.dll<\/li>\n\n\n\n<li>aeinv.dll<\/li>\n\n\n\n<li>aepic.dll<\/li>\n\n\n\n<li>pcasvc.dll, and<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>finally they also check the -f argument is one of:\n<ul>\n<li>BackupMareData<\/li>\n\n\n\n<li>DoScheduledTelemetryRun<\/li>\n\n\n\n<li>UpdateAvStatus<\/li>\n\n\n\n<li>RunGeneralTelemetry<\/li>\n\n\n\n<li>DoCensusRun<\/li>\n\n\n\n<li>RunInUserCxtW<\/li>\n\n\n\n<li>RunUpdate<\/li>\n\n\n\n<li>GetFileSigningInfo<\/li>\n\n\n\n<li>CreateDeviceInventory<\/li>\n\n\n\n<li>UpdateSoftwareInventoryW<\/li>\n\n\n\n<li>UpdateSoftwareInventory<\/li>\n\n\n\n<li>GetCITData<\/li>\n\n\n\n<li>QueryEncapsulationSettings<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Bummer.<\/p>\n\n\n\n<p>Today it crossed my mind that I had never checked whether these DLLs exist in both the System32 and SysWOW64 directories. I hypothesized that maybe one of the 32-bit ones was missing and we could place our own there. 
I quickly checked and found far more than I anticipated &#8211; of all the .exe and .dll files listed above, I could only find the following:<\/p>\n\n\n\n<ul>\n<li>\\Windows\\System32\\CompatTelRunner.exe<\/li>\n\n\n\n<li>\\Windows\\System32\\appraiser.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\generaltel.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\invagent.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\devinv.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\aeinv.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\aepic.dll<\/li>\n\n\n\n<li>\\Windows\\System32\\pcasvc.dll<\/li>\n\n\n\n<li>\\Windows\\SysWOW64\\aepic.dll<\/li>\n<\/ul>\n\n\n\n<p>As you can see, almost none of the allowed DLLs are present in the SysWOW64 directory, and there is no sign of a 32-bit CompatTelRunner.exe either.<\/p>\n\n\n\n<p>Since&#8230;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel2.png\" alt=\"\" class=\"wp-image-7806\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel2.png 1000w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel2-300x150.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel2-768x384.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/figure><\/div>\n\n\n<p>I decided to borrow one from a 32-bit version of Windows 10 and placed it in c:\\test. 
I then created my test c:\\WINDOWS\\SysWOW64\\appraiser.dll and ran:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun<\/pre>\n\n\n\n<p>Once my test 32-bit DLL got loaded, I could see its debug message in DebugView:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel1.png\" alt=\"\" class=\"wp-image-7805\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel1.png 543w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/compattel1-300x203.png 300w\" sizes=\"(max-width: 543px) 100vw, 543px\" \/><\/a><\/figure><\/div>\n\n\n<p>It&#8217;s nothing groundbreaking, and I have abused subtle differences between SysWOW64 and System32 many times before, but it&#8217;s still fun to discover more of them over and over again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2023-11-15 Greg posted this finding on Twitter\/X today and I have updated the below list accordingly. Thanks! Old Post Research is a funny business. You look at some stuff, you conclude it&#8217;s impossible, and then&#8230; you forget about it. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2021\/05\/20\/byot-bring-your-own-telemetry\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7804"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7804"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7804\/revisions"}],"predecessor-version":[{"id":8862,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7804\/revisions\/8862"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}