Index > Malware > 2021-02-02: Persistence

Persistence

What does this registry key do?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It runs things at logon! Every value under this key is a command line that Windows launches when any user logs on (HKEY_CURRENT_USER has a matching Run key that only applies to that one user). If malware authors can create a value in this key, their malware starts again after every reboot and logon, which is why it is the first place to look.

AppInit_DLLs

AppInit_DLLs is a value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. Every DLL listed there is loaded into every program that uses User32.dll, which is nearly every GUI process. This is another persistence method, but authors need to be careful - to avoid running multiple copies of the malware, the DLL has to check which process it landed in (commonly in DllMain, from the host's module name) and only fire its payload in one of them. Caveat: LoadAppInit_DLLs in the same key must be set to 1 for any of this to happen, and from Windows 8 on the whole mechanism is disabled when Secure Boot is enabled, so it is mostly something you see on older systems.

On 64-bit Windows the names are backwards: System32 holds the 64-bit binaries (they wanted to keep the same names so old paths keep working) and SysWOW64 holds the 32-bit ones, running under the WOW64 ("Windows 32-bit on Windows 64-bit") subsystem :facepalm: The registry has the same split: a 32-bit process sees HKLM\SOFTWARE redirected to HKLM\SOFTWARE\Wow6432Node, so there is a second AppInit_DLLs value under Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows for 32-bit processes, and you need to check both.

WinLogon Notify

This is a registry subkey (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) listing notification DLLs that winlogon.exe loads. Each one registers callbacks that Winlogon calls when certain events happen: logon, logoff, startup, shutdown, screen lock and unlock, and so on.

It's another persistence method: a DLL listed there runs inside winlogon.exe as SYSTEM every time one of those events fires. Only older systems honor it (Windows XP / Server 2003 era; Vista and later ignore Notify packages), so on a modern box a populated Notify key is leftover or suspicious rather than functional.

SvcHost DLLs

Your friendly neighborhood malware might install itself as a service.

On Linux, the equivalent is a daemon.

Services live here:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<Service Name Goes Here>

The values under that service name define what it is and how to run it: ImagePath (the executable to run), Start (boot, system, automatic, manual or disabled), Type, and, for DLL-based services, a Parameters subkey whose ServiceDll value names the DLL that gets loaded into the host process.

There are a lot of services. To save resources, Windows hosts many DLL-based services inside shared instances of one process, SvcHost (svchost.exe). The groups are defined under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and each group runs as its own process (svchost.exe -k <group>). Creating a new group under SvcHost wouldn't be very covert (a new svchost process with an unfamiliar -k name stands out) - but malware can easily add its DLL to an existing group: add the service name to the group's list, set the service's ImagePath to that group's svchost command line, and point Parameters\ServiceDll at the malicious DLL. Checking that every ServiceDll actually lives under System32 is the quick way to catch this.
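Added example (my own code, not from the class): a small triage script that reads a regedit export and checks the three locations above - the Run key, AppInit_DLLs (with LoadAppInit_DLLs), and services whose ServiceDll lives outside the system directories, tying each one back to the svchost group that hosts it. The export is constructed for illustration: EvilSvc, update.exe, hook.dll and evil.dll are invented names, and the "trusted directory" rule is a deliberately crude allowlist.

```python
"""Triage a regedit export (.reg) for the persistence locations in these notes:
the Run key, AppInit_DLLs, and services hosted by svchost.  The export below is
constructed; the service name EvilSvc and every path in it are invented."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,45,00,\
  76,00,69,00,6c,00,53,00,76,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvilSvc]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvilSvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,44,00,61,00,74,00,61,00,5c,00,65,00,76,00,69,00,6c,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def decode_value(val):
    """Decode the value syntaxes regedit writes: "string", dword:, hex(N):."""
    if val.startswith('"'):
        return val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", val)
    if m:
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) == "2":                       # REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        if m.group(1) == "7":                       # REG_MULTI_SZ, NUL-separated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data                                 # any other hex type: raw bytes
    return val


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: decoded value}},
    joining the ',\\'-continued hex lines that regedit wraps at 80 columns."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, val = line[1:].partition('"=')
            keys[current][name] = decode_value(val)
    return keys


def trusted_path(cmd):
    """Crude allowlist: only the Windows and Program Files trees.  Enough to
    surface the user-writable drop directories malware actually uses."""
    p = cmd.strip('"').lower().replace("%systemroot%", "c:\\windows")
    return p.startswith(("c:\\windows\\", "c:\\program files"))


def triage(keys):
    """Return (location, name, path, note) tuples worth a second look."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if not trusted_path(cmd):
            findings.append(("Run", name, cmd, "autostart outside system dirs"))
    win = keys.get(APPINIT_KEY, {})
    if win.get("AppInit_DLLs") and win.get("LoadAppInit_DLLs") == 1:
        findings.append(("AppInit_DLLs", "", win["AppInit_DLLs"], "loads into every User32 process"))
    groups = keys.get(SVCHOST_KEY, {})
    for key, vals in keys.items():
        if not key.startswith(SERVICES):
            continue
        parts = key[len(SERVICES):].split("\\")      # [service] or [service, subkey]
        if len(parts) == 1 and "ImagePath" in vals and not trusted_path(vals["ImagePath"]):
            findings.append(("Service", parts[0], vals["ImagePath"], "binary outside system dirs"))
        if len(parts) == 2 and parts[1] == "Parameters" and vals.get("ServiceDll"):
            dll = vals["ServiceDll"]
            if not trusted_path(dll):   # svchost itself is in System32; the DLL is what matters
                group = next((g for g, m in groups.items() if isinstance(m, list) and parts[0] in m), "?")
                findings.append(("ServiceDll", parts[0], dll, f"hosted by svchost group {group}"))
    return findings
```

Run `triage(parse_reg(SAMPLE_REG))` and you get three findings: the Updater Run value pointing into C:\Users\Public, the AppInit_DLLs entry (flagged only because LoadAppInit_DLLs is 1), and EvilSvc's ServiceDll in C:\ProgramData, reported with the netsvcs group it was slipped into. Note that EvilSvc's ImagePath alone looks clean, since it is the stock svchost command line; that is exactly why the ServiceDll value is the one to check. A real export will have REG_EXPAND_SZ ImagePath values as hex(2) too, which the same decoder handles.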

“Trojanize” a system binary

  1. At the entry point of the DLL (or any other binary), immediately jump to the evil code
  2. Use pusha (pushad) to save the general-purpose registers (and pushfd if the payload is going to clobber the flags)
  3. No-good sneaky shenanigans
  4. Use popa (popad) to put the registers back the way they were
  5. Hand off to the original, non-malicious code: run the instructions the jump overwrote, then jump to the original entry point just past them

We’re looking at an example in class:

My best guess is that it doesn’t know the address of the more evil code - but it can take its own address (via the call) and then add an offset to it.

DLL Load Order Hijacking

Also called DLL search order hijacking. When a program loads a DLL by bare name, Windows searches for it in a fixed order: the application's own directory first, then System32, the Windows directory, the current directory, and the PATH entries. If a malicious DLL with the right name is placed in a directory that is searched before the one holding the original, the malicious one is used - the classic move is dropping it next to a signed application that loads a DLL from System32, so the app's own directory wins. Caveat: DLLs on the KnownDLLs list are always mapped from System32 and never searched for, so they can't be hijacked this way; everything else is fair game.
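Added example (my own, not from the class): a model of the default search order that shows which copy of a DLL wins for a bare-name load, and why KnownDLLs are the exception. The directory layout, the Viewer application, and the three-entry KnownDLLs subset are constructed; the model ignores manifests, API sets, redirection and the loader's already-loaded-module check, which all run before the directory walk on a real system.

```python
"""Model of the default DLL search order (SafeDllSearchMode on, the default)
to see which copy wins for a bare-name load.  Directory layout, application
name and the KnownDLLs subset are constructed; manifests, API sets and the
already-loaded-module check are left out."""

APP_DIR = "C:\\Apps\\Viewer"
SYSTEM32 = "C:\\Windows\\System32"
SEARCH_ORDER = [
    APP_DIR,                 # 1. directory the executable was loaded from
    SYSTEM32,                # 2. system directory
    "C:\\Windows\\System",   # 3. 16-bit system directory
    "C:\\Windows",           # 4. Windows directory
    "C:\\Work",              # 5. current directory (constructed)
    "C:\\Tools",             # 6. each PATH entry (constructed)
]
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}   # subset, illustrative

# Constructed filesystem: which files exist where.  version.dll in the app
# directory and user32.dll in the current directory are the planted copies.
PRESENT = {
    SYSTEM32: {"kernel32.dll", "user32.dll", "version.dll", "dwmapi.dll"},
    APP_DIR:  {"viewer.exe", "version.dll"},
    "C:\\Work": {"user32.dll"},
}


def resolve(name, order=SEARCH_ORDER, present=PRESENT, known=KNOWN_DLLS):
    """Path the loader picks for a bare DLL name, or None if nothing matches."""
    name = name.lower()
    if name in known:            # KnownDLLs are mapped from System32; no search happens
        return SYSTEM32 + "\\" + name
    for d in order:              # first directory containing the name wins
        if name in present.get(d, set()):
            return d + "\\" + name
    return None


def hijacked(name, **kw):
    """True when a bare-name load would not come from System32: the case to
    hunt for when a system DLL name shows up loaded from an odd directory."""
    path = resolve(name, **kw)
    return path is not None and not path.lower().startswith(SYSTEM32.lower() + "\\")
```

With this layout `resolve("version.dll")` comes back from C:\Apps\Viewer because the application directory is searched before System32, while `resolve("user32.dll")` still comes from System32 even though a copy sits in the current directory, because user32 is a KnownDLL. The practical check is the second function: any module in a process whose name matches a System32 DLL but whose path does not start with System32 deserves a look.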

IAT: Import Address Table Hooking

I missed this section :(

Trampoline?

  1. A hooking engine or evil DLL is loaded into the target process
  2. The hooking engine saves a copy of the first few bytes of the target function and overwrites them with a jump to its own code
  3. When the target function is called, execution jumps to the malware instead
  4. Mr. Malware has complete control of the function now, importantly the arguments and return values
  5. Mr. Malware remembers to run the overwritten code before returning: the saved bytes are executed and control jumps back into the original function just past the patch, so the caller still gets the real result (possibly doctored)

The “trampoline” is the little stub that makes the bounce possible: the original instructions that were overwritten, followed by a jump back into the target function just past the patch. Control falls into the malware, then bounces back.

Control intended for the function instead goes to the malware. When the malware wants the original behavior it calls the trampoline, which runs the displaced instructions and jumps into the rest of the function; the function’s return lands back in the malware, which can fix up the result before returning to the caller.
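Added example (my own code, not from the class) covering both the “Trojanize” steps above and the trampoline hook: the patching done by hand on a byte buffer that stands in for a loaded 32-bit DLL. It shows the part that trips people up: the 5-byte jmp rarely lands on an instruction boundary, so the stub has to carry whole instructions (6 bytes here, not 5) and the displacement of every jmp is relative to the end of the jmp. The sample prologue, the offsets, and the two-NOP placeholder payload are constructed, and the tiny length decoder only knows the opcodes in that prologue. For comparison, IAT hooking (the section I missed) swaps a function pointer in the import table instead of touching code bytes at all.

```python
"""Entry-point trojanizing and an inline (trampoline) hook, done by hand on a
byte buffer standing in for a loaded 32-bit DLL.  Offsets, the sample prologue
and the two-byte placeholder payload are constructed for illustration."""
import struct

# Sample target (x86-32): push ebp; mov ebp,esp; sub esp,8; xor eax,eax;
# mov esp,ebp; pop ebp; ret.  Any function works as long as insn_len knows it.
ORIGINAL = bytes.fromhex("558BEC83EC0833C08BE55DC3")
ENTRY, HOOK, CAVE = 0x10, 0x40, 0x80      # constructed offsets inside the image


def build_image():
    img = bytearray(b"\xCC" * 0x100)       # int3 filler
    img[ENTRY:ENTRY + len(ORIGINAL)] = ORIGINAL
    img[HOOK] = 0xC3                       # stand-in for the hook routine (just ret)
    return bytes(img)


IMAGE = build_image()


def insn_len(code, off):
    """Length decoder for the opcodes in ORIGINAL only.  A real engine needs a
    full length disassembler here, or it will cut an instruction in half."""
    op, nxt = code[off], code[off + 1]
    if op in (0x55, 0x5D, 0xC3):                     # push ebp / pop ebp / ret
        return 1
    if op == 0x8B and nxt in (0xEC, 0xE5):           # mov ebp,esp / mov esp,ebp
        return 2
    if op == 0x33 and nxt == 0xC0:                   # xor eax,eax
        return 2
    if op == 0x83 and nxt == 0xEC:                   # sub esp, imm8
        return 3
    raise ValueError(f"unknown opcode {op:#04x} at {off:#x}")


def jmp_rel32(src, dst):
    """E9 rel32; the displacement is relative to the END of the 5-byte jmp."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def resolve_jmp(code, off):
    """Follow an E9 rel32 at `off` (what you do when a prologue looks patched)."""
    if code[off] != 0xE9:
        raise ValueError(f"no jmp rel32 at {off:#x}")
    return off + 5 + struct.unpack("<i", code[off + 1:off + 5])[0]


def stolen_length(code, off):
    """Whole instructions covering the 5 bytes the jmp overwrites: 6 here,
    because a 5-byte cut would land inside 'sub esp,8'."""
    n = 0
    while n < 5:
        n += insn_len(code, off + n)
    return n


def redirect(img, target, dst, n):
    """Overwrite the first n bytes of target with jmp dst, nop-padding the rest
    so a disassembler still sees clean instruction boundaries."""
    img[target:target + 5] = jmp_rel32(target, dst)
    img[target + 5:target + n] = b"\x90" * (n - 5)


def trojanize(image, entry, cave, payload):
    """Steps 1-5 from the notes: entry jumps to the cave, which does pushad,
    payload, popad, the displaced prologue bytes, then jmp back past the patch.
    Caveat: pushad/popad do not save EFLAGS, and any displaced instruction that
    is itself relative (call/jmp) would need its displacement fixed up."""
    img = bytearray(image)
    n = stolen_length(img, entry)
    stolen = bytes(img[entry:entry + n])
    stub = b"\x60" + payload + b"\x61" + stolen      # pushad ... popad, then original
    stub += jmp_rel32(cave + len(stub), entry + n)
    img[cave:cave + len(stub)] = stub
    redirect(img, entry, cave, n)
    return bytes(img)


def install_hook(image, target, hook, cave):
    """Hooking-engine variant: target jumps to `hook`; the trampoline at `cave`
    (stolen bytes + jmp back) is what the hook calls to get the original."""
    img = bytearray(image)
    n = stolen_length(img, target)
    stolen = bytes(img[target:target + n])
    img[cave:cave + n + 5] = stolen + jmp_rel32(cave + n, target + n)
    redirect(img, target, hook, n)
    return bytes(img), stolen
```

`install_hook(IMAGE, ENTRY, HOOK, CAVE)` leaves `jmp 0x40` at the entry point and a trampoline at 0x80 consisting of `push ebp; mov ebp,esp; sub esp,8; jmp 0x16`, which is what the hook calls for the real function. `trojanize` builds the same kind of stub but with the payload wrapped in pushad/popad in front of the displaced prologue. On 64-bit targets there is no pushad, and a rel32 jmp only reaches ±2 GB, so engines there use a 14-byte absolute jmp or a cave allocated near the target.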
