A novel persistent injection to Windows machines

[0x3d5157636b525761 iddqd <0x3d5157636b525761 () gmail com>]

A novel persistent injection to Windows machines:
- By abusing "Dos Devices" registry key, a user could redefine the "C:"
symlink to an arbitrary value.
- smss.exe, which is responsible for mapping Dos devices, later maps "known
DLLs" as sections. These DLLs are typically loaded from
"C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to
any usermode process by the Windows loader.
- This means that a malicious kernel32 could be created and injected
automatically to any process, after boot.
- In order to not screw things up, the malicious kernel32 must remap "C:"
as the original symlink.

Blog post: http://securitygodmode.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/