Beyond good ol’ Run key, Part 151

Posted on by

Yes, they keep coming.

There are still many Windows persistence mechanisms that are not described properly and my mission is to cover it all.

Some of these mechanisms may be seen as archaic, unusual, or ‘there is no way it affects me’, but the reality is that with the gazillions of Windows installs worldwide, with the gazillion of random software installs on top of the main OS, we better do a good job in describing persistence mechanisms that are kinda niche, yet may still affect lots of people.

The old Xerox libraries include an interesting export function: XRTLLoadDebugger.

When it’s executed, it tries to load a DLL from one of these locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\ReleaseDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\DebugDll

and

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Xerox\CentreWare\Infrastructure\XDebug\Enabled must be a REG_DWORD equal to 1.

One can use this mechanism for persistence, other may try to use it as a lolbin.

Example samples:

  • 189D385DEAC14F3FFDCE54BB492846A0D7E44B52617AFABDDC5BED023699E741_9EAF1FF74ADDB00474E05E062DA3194BDAD92D17_3F61204C6AF09F52BBEB52DBDA9A0CC3

DLL ForwardSideloading, Part 2

Posted on by

The 2nd part following my first take on this subject was kinda inevitable.

Why?

Sixtyvividtails is one of my fav researchers, because a) he reads my posts, breaks them apart, and usually comes up with some amazing/creative comments/additional thoughts that often lead us to some new, cool discoveries (see f.ex. this) b) he also made a social media bet that I (obviously) couldn’t leave unchallenged. Thank you Sixtyvividtails, you are an inspiration and I love your research and creative ideas a lot!

So, to business…

My first find was this unsigned Realtek DLL (RealWoWDLL.dll – VT Link) that exported the intriguing forward:

testker -> kerberos.Spinitialize

Then… I went for holidays 🙂

I did go there with an idea though that after coming back I will do a more structured follow-up research…

So when I came back, I immediately got to work.

The first target was an obvious one – run the very same forwarder-extractor script over the Windows 2025 server files. The results are here. Many of these combos can be used for DLL ForwardSideloading.

The second target was bigger. I checked my repo of ‘good’ files only to discover that I am sitting on around 700K ‘clean’ DLLs, both 32- and 64-bit. Sadly, I don know which ones of them are truly signed or not, unless the actual PE file of the DLL is physically signed (aka not via a catalogue). Still, 700K files is a lot, and there is a hope that it’s worth analyzing them all to see how many of them are non-Microsoft, and actually use/leverage the forwarded exports…

So, I ran my script over the last weekend and after few days it spat out its results.

And here’s the catch:

  • yes, some vendors do appear to be using forwarded functions same as Microsoft and Realtek
  • many functions that have their names exported by DLLs (mapping present in the export table) are not necessarily meant to be used by any other program, but since some do include a “.” character in their name, they could actually be used to facilitate DLL ForwardSideloading !

See the (filtered) results here.