{"id":9551,"date":"2024-10-19T22:17:28","date_gmt":"2024-10-19T22:17:28","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9551"},"modified":"2024-10-19T23:57:22","modified_gmt":"2024-10-19T23:57:22","slug":"beyond-good-ol-run-key-part-143","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/10\/19\/beyond-good-ol-run-key-part-143\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 143"},"content":{"rendered":"\n<p>This entry is a bit convoluted, but it&#8217;s still quite interesting. I discovered it today, only to google around and find out that someone had posted the info about it <a href=\"https:\/\/forum.esetnod32.ru\/forum6\/topic2836\/?PAGEN_1=109\">back in 2013<\/a>. So, I will describe what they did in 2013 and add one extra bit.<\/p>\n\n\n\n<p>The trick relies on the way the <em>UserInstStubWrapper<\/em> API exported by <em>advpack.dll<\/em> \/ <em>IEAdvpack.dll<\/em> works.<\/p>\n\n\n\n<p>When you execute a command like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32.exe advpack.dll, UserInstStubWrapper <strong>test<\/strong><\/pre>\n\n\n\n<p>the <em>UserInstStubWrapper<\/em> function will read the <em>RealStubPath<\/em> value from the Active Setup key named by its argument:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\<strong>test<\/strong>\nRealStubPath=&lt;PATH&gt; (f.ex. 
c:\\windows\\notepad.exe)<\/pre>\n\n\n\n<p>and execute the program referenced by it (in this case Notepad).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_1.png\" alt=\"\" class=\"wp-image-9552\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_1.png 537w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_1-300x46.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_1-500x77.png 500w\" sizes=\"(max-width: 537px) 100vw, 537px\" \/><\/a><\/figure>\n\n\n\n<p>As for the extra bit, there is a twin function called <em>UserUnInstStubWrapper<\/em>. This one requires admin privileges to run, but it behaves in a similar manner &#8211; f.ex. for the command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32.exe advpack.dll, UserUnInstStubWrapper <strong>test<\/strong><\/pre>\n\n\n\n<p>it also fetches <em>RealStubPath<\/em> from the Registry, but this time the key it reads is the name passed on the command line with the suffix <em>.Restore<\/em> appended to it:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\<strong>test<\/strong><em>.Restore<\/em>\nRealStubPath=&lt;PATH&gt; (f.ex. 
c:\\windows\\system32\\calc.exe)<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_2.png\" alt=\"\" class=\"wp-image-9553\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_2.png 580w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_2-300x43.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/10\/advpack_2-500x72.png 500w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/a><\/figure>\n\n\n\n<p>So, the persistence opportunity relies on populating these Registry entries first (which, since they live under HKLM, already requires admin rights), and then ensuring one of the following commands is executed during autostart by leveraging any of the existing persistence locations (f.ex. the Run key):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32.exe advpack.dll, UserInstStubWrapper <strong>test<\/strong>\nrundll32.exe advpack.dll, UserUnInstStubWrapper <strong>test<\/strong>\nrundll32.exe ieadvpack.dll, UserInstStubWrapper <strong>test<\/strong>\nrundll32.exe ieadvpack.dll, UserUnInstStubWrapper <strong>test<\/strong><\/pre>\n\n\n\n<p>If we enable <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/10\/19\/advpack-dll-and-ieadvpack-dll-logging-capability\/\" data-type=\"post\" data-id=\"9547\">advpack logging<\/a>, we can see these test log entries:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-------------------- advpack.dll is loaded or Attached ------------------------------\nDate: 10\/19\/2024 (mm\/dd\/yyyy)\tTime: 15:11:52 (hh:mm:ss)\nUserInstStubWrapper:\nLaunchAndWait: Cmd=c:\\windows\\notepad.exe\n-------------------- advpack.dll is loaded or Attached ------------------------------\nDate: 10\/19\/2024 (mm\/dd\/yyyy)\tTime: 15:11:58 (hh:mm:ss)\nUserUnInstStubWrapper:\nLaunchAndWait: 
Cmd=c:\\windows\\system32\\calc.exe\nLaunchAndWait: End hr=0x0, c:\\windows\\system32\\calc.exe\nUserUnInstStubWrapper: End hr=0x0\n-------------------- advpack.dll is unloaded or Detached ----------------------------<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This entry is a bit convoluted, but it&#8217;s still quite interesting. I have discovered it today only to google around and find out someone posted the info about it back in 2013. So, I will describe what they did in &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/10\/19\/beyond-good-ol-run-key-part-143\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9551"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9551"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9551\/revisions"}],"predecessor-version":[{"id":9555,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9551\/revisions\/9555"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
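A defender-side companion to the chain described in the post, as an added example that is not code from the original post: a Python script that (a) resolves an autostart command line of the rundll32 advpack.dll / ieadvpack.dll *StubWrapper shape to the Active Setup key whose RealStubPath value will be launched, applying the .Restore suffix for UserUnInstStubWrapper, and (b) parses the advpack.dll log format shown above to pull out what LaunchAndWait actually executed. The sample autostart command lines and the sample log embedded in the script are constructed for this example (modeled on the post's excerpts), and the function and class names are my own.

```python
"""Triage helpers for the advpack.dll / ieadvpack.dll *StubWrapper persistence chain.

Added example for this post, not code from the original. The sample command lines and
the sample log below are constructed, modeled on the excerpts in the post.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Key root the wrappers read from (as shown in the post). It lives under HKLM, so
# planting the RealStubPath value needs admin rights in the first place.
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Matches: rundll32[.exe] [path\](ie)advpack.dll,<wrapper> <component>
# Host and DLL names are matched case-insensitively; the export name is not, because
# rundll32 resolves it with GetProcAddress, which is case-sensitive.
STUB_CMD_RE = re.compile(
    r'(?i:rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>(?i:[^",\s]*?(?:ie)?advpack\.dll))"?\s*,\s*'
    r'(?P<func>UserUnInstStubWrapper|UserInstStubWrapper)\s+'
    r'(?P<component>\S+)'
)


@dataclass(frozen=True)
class StubInvocation:
    cmdline: str
    dll: str
    function: str
    component: str
    registry_key: str  # key whose RealStubPath value the wrapper will launch


def resolve_stub_invocation(cmdline: str) -> Optional[StubInvocation]:
    """Return the Active Setup key a rundll32 *StubWrapper command line will read, or None."""
    m = STUB_CMD_RE.search(cmdline)
    if not m:
        return None
    func, component = m.group("func"), m.group("component")
    # UserUnInstStubWrapper appends ".Restore" to the component name before the lookup.
    suffix = ".Restore" if func == "UserUnInstStubWrapper" else ""
    return StubInvocation(cmdline, m.group("dll"), func, component,
                          f"{ACTIVE_SETUP}\\{component}{suffix}")


def find_stub_autostarts(cmdlines: Iterable[str]) -> List[StubInvocation]:
    """Filter autostart command lines (e.g. Run key values) down to wrapper launches."""
    return [inv for inv in map(resolve_stub_invocation, cmdlines) if inv is not None]


# --- advpack.dll log parsing (format as in the post's log excerpt) --------------------
DATE_RE = re.compile(r"^Date:\s+(?P<date>\S+)\s+\(mm/dd/yyyy\)\s+Time:\s+(?P<time>\S+)")
WRAPPER_RE = re.compile(r"^(?P<wrapper>User(?:Un)?InstStubWrapper):\s*$")
LAUNCH_RE = re.compile(r"^LaunchAndWait:\s+Cmd=(?P<cmd>.+?)\s*$")
SECTION_RE = re.compile(r"^-+ advpack\.dll is (?:un)?loaded")


@dataclass(frozen=True)
class StubLaunch:
    wrapper: str
    command: str
    date: str
    time: str


def parse_advpack_log(text: str) -> List[StubLaunch]:
    """Extract (wrapper, launched command, timestamp) records from an advpack.dll log."""
    launches: List[StubLaunch] = []
    wrapper: Optional[str] = None
    date = time = ""
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            wrapper = None  # new load/unload section: forget the previous wrapper context
            continue
        m = DATE_RE.match(line)
        if m:
            date, time = m.group("date"), m.group("time")
            continue
        m = WRAPPER_RE.match(line)
        if m:
            wrapper = m.group("wrapper")
            continue
        m = LAUNCH_RE.match(line)
        if m and wrapper:  # "LaunchAndWait: End hr=..." lines carry no Cmd= and are skipped
            launches.append(StubLaunch(wrapper, m.group("cmd"), date, time))
    return launches


# Constructed sample autostart entries: two wrapper launches, one benign advpack use,
# one unrelated rundll32 call.
SAMPLE_AUTOSTARTS = [
    r"rundll32.exe advpack.dll, UserInstStubWrapper test",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\ieadvpack.dll,UserUnInstStubWrapper test',
    r"rundll32.exe advpack.dll,LaunchINFSection C:\temp\x.inf,DefaultInstall",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

# Constructed sample log, modeled on the excerpt in the post.
SAMPLE_LOG = "\n".join([
    "-------------------- advpack.dll is loaded or Attached ------------------------------",
    "Date: 10/19/2024 (mm/dd/yyyy)\tTime: 15:11:52 (hh:mm:ss)",
    "UserInstStubWrapper:",
    r"LaunchAndWait: Cmd=c:\windows\notepad.exe",
    "-------------------- advpack.dll is loaded or Attached ------------------------------",
    "Date: 10/19/2024 (mm/dd/yyyy)\tTime: 15:11:58 (hh:mm:ss)",
    "UserUnInstStubWrapper:",
    r"LaunchAndWait: Cmd=c:\windows\system32\calc.exe",
    r"LaunchAndWait: End hr=0x0, c:\windows\system32\calc.exe",
    "UserUnInstStubWrapper: End hr=0x0",
    "-------------------- advpack.dll is unloaded or Detached ----------------------------",
])

if __name__ == "__main__":
    for inv in find_stub_autostarts(SAMPLE_AUTOSTARTS):
        print(f"[autostart] {inv.function} via {inv.dll} -> RealStubPath under {inv.registry_key}")
    for hit in parse_advpack_log(SAMPLE_LOG):
        print(f"[advpack log] {hit.date} {hit.time} {hit.wrapper} launched {hit.command}")
```

The command-line matcher deliberately keeps the export name case-sensitive: a Run key value spelled `userinststubwrapper` would fail GetProcAddress and never launch anything, so it is not flagged, while path-qualified DLLs and quoted rundll32 paths are. Once a hit is resolved, the key it points at is the one to pull RealStubPath from on the live system.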