<h1>Procmonning the Win11_24H2 build</h1>

<p>Hexacorn blog, 2024-11-05: <a href="https://www.hexacorn.com/blog/2024/11/05/procmonning-the-win11_24h2-build/">https://www.hexacorn.com/blog/2024/11/05/procmonning-the-win11_24h2-build/</a></p>

<p>This is a bunch of random notes from running Procmon on the Win11_24H2 build.</p>

<p>We all know about <em>autorun.inf</em>, which the OS checks when we attach a new device to the system, but on new devices the system is actually looking for more files. Here's the list:</p>

<ul>
<li>\Device\HarddiskVolumeN\audio_ts\audio_ts.ifo</li>
<li>\Device\HarddiskVolumeN\autorun.inf</li>
<li>\Device\HarddiskVolumeN\AVCHD</li>
<li>\Device\HarddiskVolumeN\BDAV</li>
<li>\Device\HarddiskVolumeN\BDMV</li>
<li>\Device\HarddiskVolumeN\bootex.log</li>
<li>\Device\HarddiskVolumeN\DCIM</li>
<li>\Device\HarddiskVolumeN\desktop.ini</li>
<li>\Device\HarddiskVolumeN\dvd_rtav\vr_mangr.ifo</li>
<li>\Device\HarddiskVolumeN\EFI\Microsoft\Boot\BCD</li>
<li>\Device\HarddiskVolumeN\EFI\Microsoft\Boot\BCD.LOG</li>
<li>\Device\HarddiskVolumeN\EFI\Microsoft\Boot\Policies\UnlockToken.pol</li>
<li>\Device\HarddiskVolumeN\PRIVATE\AVCHD</li>
<li>\Device\HarddiskVolumeN\Recovery.txt</li>
<li>\Device\HarddiskVolumeN\SVCD\entries.svd</li>
<li>\Device\HarddiskVolumeN\SVCD\entries.vcd</li>
<li>\Device\HarddiskVolumeN\System Volume Information</li>
<li>\Device\HarddiskVolumeN\System Volume Information\AadRecoveryPasswordDelete</li>
<li>\Device\HarddiskVolumeN\System Volume Information\ClientRecoveryPasswordRotation</li>
<li>\Device\HarddiskVolumeN\System Volume Information\FveDecryptedVolumeFolder</li>
<li>\Device\HarddiskVolumeN\VCD\entries.vcd</li>
<li>\Device\HarddiskVolumeN\video_ts\video_ts.ifo</li>
<li>\Device\HarddiskVolumeN\WinReOfflineScanningResult.dat</li>
</ul>

<p>Some of them are obviously media-related, some are Windows Backup-related, and some … I have no clue. (The <em>FveDecryptedVolumeFolder</em>, <em>AadRecoveryPasswordDelete</em> and <em>ClientRecoveryPasswordRotation</em> entries under <em>System Volume Information</em> are BitLocker artifacts: FVE is the Full Volume Encryption driver, and the latter two belong to BitLocker's recovery password rotation.)</p>

<p>The other interesting bit is that, when executed, <em>lsass.exe</em> tries to load a phantom DLL named <em>"".dll</em>:</p>

<ul>
<li>C:\Windows\"".DLL</li>
<li>C:\Windows\System\"".DLL</li>
<li>C:\Windows\System32\"".DLL</li>
</ul>

<p>While it looks like an attractive proposition, I am not sure if there is a way to exploit it 🙁 Still, I need to come back to it to understand why the process is doing so. Perhaps there is a new data dumping opportunity here, somewhere… (Two practical limits: all three directories are writable only by administrators by default, and with LSA protection (RunAsPPL) enabled LSASS refuses to load anything that is not signed at the level a protected process requires, so a planted file alone does not get you code execution in LSASS on a hardened box.)</p>

<p>There are a lot of new phantom DLLs, but they are tricky to play with. While writing this post I messed up this build's booting so many times that I no longer understand which of the test phantom DLLs I added to the system contributed to the damage 🙂 I have added a list of potentials at the bottom of this post.</p>

<p>Then there is <em>smss.exe</em> trying to find these:</p>

<ul>
<li>C:\Windows\apppatch\drvpatch.sdb</li>
<li>C:\Windows\System32\wowarmhw.dll</li>
<li>C:\Windows\System32\xtajit.dll</li>
<li>C:\Windows\System32\xtajit64.dll</li>
<li>C:\Windows\System32\xtajit64se.dll</li>
<li>C:\Windows\SysWOW64\wow64.dll</li>
<li>C:\Windows\SysWOW64\wow64base.dll</li>
<li>C:\Windows\SysWOW64\wow64con.dll</li>
<li>C:\Windows\SysWOW64\wow64win.dll</li>
<li>C:\Windows\SysWOW64\xtajit64.dll</li>
<li>C:\Windows\SysWOW64\xtajit64se.dll</li>
</ul>

<p>The <em>xtajit*.dll</em> and <em>wowarmhw.dll</em> names belong to the emulation layer of Windows on ARM (x86, x64 and ARM32 code running on ARM64), which an x64 install does not ship, hence the misses.</p>

<p>Then <em>spoolsv.exe</em> trying to access these:</p>

<ul>
<li>C:\Windows\System32</li>
<li>C:\Windows\System32\spool</li>
<li>C:\Windows\System32\spool\drivers</li>
<li>C:\Windows\System32\spool\drivers\ARM64</li>
<li>C:\WINDOWS\system32\spool\drivers\ARM64\3\New\</li>
<li>C:\WINDOWS\system32\spool\drivers\ARM64\3\Old\</li>
<li>C:\WINDOWS\system32\spool\drivers\ARM64\4\New\</li>
<li>C:\WINDOWS\system32\spool\drivers\ARM64\4\Old\</li>
<li>C:\Windows\System32\spool\drivers\IA64</li>
<li>C:\WINDOWS\system32\spool\drivers\IA64\3\New\</li>
<li>C:\WINDOWS\system32\spool\drivers\IA64\3\Old\</li>
<li>C:\Windows\System32\spool\drivers\W32X86</li>
<li>C:\Windows\System32\spool\drivers\W32X86\3\New</li>
<li>C:\Windows\System32\spool\drivers\W32X86\3\Old</li>
<li>C:\Windows\System32\spool\drivers\x64</li>
<li>C:\Windows\System32\spool\drivers\x64\3\New</li>
<li>C:\Windows\System32\spool\drivers\x64\3\Old</li>
<li>C:\WINDOWS\system32\spool\drivers\x64\4\New\</li>
<li>C:\WINDOWS\system32\spool\drivers\x64\4\Old\</li>
<li>C:\Windows\System32\spool\PRINTERS</li>
<li>C:\Windows\System32\spool\SERVERS</li>
<li>C:\Windows\System32\ualapi.dll</li>
<li>C:\Windows\System32\vfprint.dll</li>
</ul>

<p>There seems to be a lot of cross-architectural code logic present here that needs further exploration. (The <em>ARM64</em>, <em>IA64</em>, <em>W32X86</em> and <em>x64</em> folders are the per-architecture print driver stores, <em>3</em> and <em>4</em> are the v3 and v4 driver models, and <em>New</em>/<em>Old</em> are the staging folders the spooler uses while a driver is replaced. <em>ualapi.dll</em> is the long-known spoolsv phantom DLL that earlier Windows 10 builds probe for as well.)</p>

<p>There also seem to be more phantom DLL loading opportunities that are only available under specific conditions:</p>

<ul>
<li>C:\Windows\System32\Unknown.DLL (loaded by svchost.exe when, AFAICT, there is no network connectivity)</li>
<li>C:\WINDOWS\SYSTEM32\windowsdefender:\.DLL (a potential phantom DLL, but impossible to plant due to file/ADS naming limitations)</li>
</ul>

<p>And finally, there are a lot of paths in the procmon log that the OS is trying to access that suggest some incoherent environment variable parsing: the <em>%VAR%</em> token is left unexpanded and the whole string is then resolved relative to the process's current directory, and the <em>%1</em> entries look like a shell verb command-line placeholder that never got substituted:</p>

<ul>
<li>C:\Windows\System32\%ProgramFiles(arm)%</li>
<li>C:\WINDOWS\system32\%systemroot%\system32\wbem\cimwin32.dll</li>
<li>C:\WINDOWS\system32\%systemroot%\system32\wbem\wmipcima.dll</li>
<li>C:\WINDOWS\%WINDIR%\System32\SPP\Migration\sppgenmig.dat</li>
<li>C:\WINDOWS\%WINDIR%\System32\SPP\Migration\sppmig.dat</li>
<li>C:\Windows\System32\%SystemRoot%\ProgramData\Microsoft\Windows\AppRepository\Packages\MicrosoftWindows.Client.AIX_1000.26100.29.0_x64__cw5n1h2txyewy\ActivationStore.dat</li>
<li>C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\%SystemRoot%\ProgramData\Microsoft\Windows\AppRepository\Packages\MicrosoftWindows.Client.AIX_1000.26100.29.0_x64__cw5n1h2txyewy\ActivationStore.dat</li>
<li>C:\WINDOWS\system32\%systemroot%\system32\wbem\wmiprov.dll</li>
<li>C:\Users\&lt;USER&gt;\Desktop\%1</li>
<li>C:\Users\Public\Desktop\%1</li>
</ul>

<p>That's a lot of sideloading and potential LPE vulns to explore… Whether any of them is an LPE rather than just a sideloading/persistence opportunity comes down to who can write to the directory the probe lands in; for the System32 and SysWOW64 ones that is administrators only by default, so check the ACL of each candidate directory (e.g. with <em>icacls</em>) before getting excited.</p>

<p>The full list of possible phantom DLLs can be found here (<a href="https://hexacorn.com/d/win11_24H2_phantom_dlls.txt">win11_24H2_phantom_dlls.txt</a>). Some of them are obvious path problems, but many are real phantom DLLs.</p>
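A triage script for the kind of Procmon export these notes come from, covering in one pass the phantom DLL probes, the paths with an unexpanded %VAR% or %1 token, and the file probes made against a freshly attached volume. This is an added example, not code from the post; it assumes Procmon's File &gt; Save CSV export with the default seven columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail). The sample rows are constructed from the paths quoted above with made-up timestamps and PIDs, and the "admin-only by default" directory classification is a heuristic prefix list, not an ACL check.

```python
"""Triage a Procmon CSV export for phantom DLL probes (a .dll path that came back
NAME NOT FOUND / PATH NOT FOUND), paths that still contain an unexpanded %VAR% or
%1 token, and the file probes made on a freshly attached volume.
Added example, not the post's own code; assumes Procmon's CSV export with the
default seven columns."""
import csv
import io
import re
from collections import defaultdict

# %NAME% (names like ProgramFiles(arm) included) or a batch-style %1.
UNEXPANDED = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%|%\d")

NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}

# Directories only administrators/TrustedInstaller can write to by default, so a
# phantom DLL there is a persistence/sideload candidate, not an LPE by itself.
# Heuristic list (assumption); a real assessment checks the ACL with icacls.
ADMIN_ONLY_DIRS = {"c:\\windows", "c:\\windows\\system",
                   "c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def unexpanded_tokens(path):
    """All literal %VAR% / %1 tokens left in a path, e.g. ['%systemroot%']."""
    return UNEXPANDED.findall(path)


def classify(event):
    """Bucket one event, or None if it is not interesting.

    Order matters: a miss on ...\\%systemroot%\\...\\foo.dll is a parsing bug
    first and a phantom DLL second. Plain directory probes (the spool\\drivers
    list in the post) are deliberately left out.
    """
    path, low = event["Path"], event["Path"].lower()
    if unexpanded_tokens(path):
        return "unexpanded_env"
    if low.startswith("\\device\\harddiskvolume"):
        return "volume_probe"
    if low.endswith(".dll") and event["Result"] in NOT_FOUND:
        return "phantom_dll"
    return None


def dll_directory_class(path):
    """Coarse writability class of the directory a phantom DLL probe landed in."""
    d = path.lower().rsplit("\\", 1)[0]
    if d in ADMIN_ONLY_DIRS or d.startswith(("c:\\windows\\system32\\",
                                             "c:\\windows\\syswow64\\")):
        return "admin-only by default"
    return "check ACL"


def triage(text):
    """bucket -> process name (lower-cased) -> sorted unique paths."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ev in parse_procmon_csv(text):
        bucket = classify(ev)
        if bucket:
            buckets[bucket][ev["Process Name"].lower()].add(ev["Path"])
    return {b: {p: sorted(paths) for p, paths in procs.items()}
            for b, procs in buckets.items()}


# Constructed sample export shaped like Procmon's CSV. The paths are the ones
# quoted in the post; timestamps, PIDs and the Detail column are made up.
# A literal " inside a quoted CSV field is written as "" (so "".DLL is """").
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001 AM","lsass.exe","900","CreateFile","C:\Windows\"""".DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000002 AM","lsass.exe","900","CreateFile","C:\Windows\System32\"""".DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000003 AM","smss.exe","500","CreateFile","C:\Windows\System32\xtajit.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000004 AM","spoolsv.exe","2100","CreateFile","C:\Windows\System32\ualapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000005 AM","spoolsv.exe","2100","CreateFile","C:\Windows\System32\spool\drivers\x64\3\New","PATH NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000006 AM","svchost.exe","1200","CreateFile","C:\WINDOWS\system32\%systemroot%\system32\wbem\cimwin32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000007 AM","explorer.exe","4100","CreateFile","C:\Users\Public\Desktop\%1","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000008 AM","explorer.exe","4100","CreateFile","\Device\HarddiskVolume5\autorun.inf","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000009 AM","svchost.exe","1200","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'''

if __name__ == "__main__":
    for bucket, procs in sorted(triage(SAMPLE_CSV).items()):
        print(bucket)
        for proc, paths in sorted(procs.items()):
            for p in paths:
                tag = f"  [{dll_directory_class(p)}]" if bucket == "phantom_dll" else ""
                print(f"  {proc:<14} {p}{tag}")
```

Point it at a real export by replacing SAMPLE_CSV with the file contents; filtering on Result first (NAME NOT FOUND, PATH NOT FOUND) inside Procmon before saving keeps the CSV small. The kernel32.dll SUCCESS row and the spool\drivers directory probe are in the sample precisely to show what the script ignores.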