Full Disclosure mailing list archives
A novel persistent injection to Windows machines
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761 () gmail com>
Date: Sun, 20 Mar 2016 16:44:19 +0200
A novel persistent injection to Windows machines: - By abusing "Dos Devices" registry key, a user could redefine the "C:" symlink to an arbitrary value. - smss.exe, which is responsible for mapping Dos devices, later maps "known DLLs" as sections. These DLLs are typically loaded from "C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to any usermode process by the Windows loader. - This means that a malicious kernel32 could be created and injected automatically to any process, after boot. - In order to not screw things up, the malicious kernel32 must remap "C:" as the original symlink. Blog post: http://securitygodmode.blogspot.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- A novel persistent injection to Windows machines 0x3d5157636b525761 iddqd (Mar 20)