Thursday, June 30, 2016

What you probably didn't know about regsvr32.exe

Ever have one of those 3am realizations... "THATS what they are up to!!!"

What you probably didn't realize, or maybe you did, but haven't told anyone ;-)...

Or maybe I'm just slow.

Is that regsvr32.exe can load and execute an arbitrary dll pretty easily.

No exploit required... Just a command line and pass it a dll.

The regsvr32.exe utility DllUnregisterServer is well defined here:

DllUnregisterServer entry point

Actually DllRegisterServer works too.

So... All you really need to do to trigger execution is create an exported method that matches that pattern.  HRESULT __stdcall DllRegisterServer(void);

Recently I came across this library.

Unmanaged Exports (DllExport for .Net)

So I decided to experiment this morning.  Yes, 3:10am...  Deal with it.




This is actually pretty easy and it showcases a fun way to use .NET in an unmanaged process...hint, hint.  The CLR is loaded automatically.

Sooo.  What does this mean.  Well. Probably for defenders it means taking a look at your telemetry and if you see any regsvr32 [Some DLL]...  Probably worth understanding.

Perhaps I'm just slow, and maybe you knew this already.  If not, I hope this helps you find some evil.

And of course this bypasses AppLocker...  Cause well. AppLocker has trouble with secondary execution. This is well known.

Security Considerations for AppLocker




Ok, thats all I got.

Cheers,

Casey
@subTee


1 comment: