[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] A novel persistent injection to Windows machines
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761 () gmail ! com>
Date: 2016-03-20 14:44:19
Message-ID: CANJpe10JigHmgpRoW8Mk5JJtO0EqTKd93PvtMYmRDZdNjLRAFA () mail ! gmail ! com
[Download RAW message or body]
A novel persistent injection to Windows machines:
- By abusing "Dos Devices" registry key, a user could redefine the "C:"
symlink to an arbitrary value.
- smss.exe, which is responsible for mapping Dos devices, later maps "known
DLLs" as sections. These DLLs are typically loaded from
"C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to
any usermode process by the Windows loader.
- This means that a malicious kernel32 could be created and injected
automatically to any process, after boot.
- In order to not screw things up, the malicious kernel32 must remap "C:"
as the original symlink.
Blog post: http://securitygodmode.blogspot.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic