[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] A novel persistent injection to Windows machines

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] A novel persistent injection to Windows machines
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761@xxxxxxxxx>
Date: Sun, 20 Mar 2016 16:44:19 +0200

A novel persistent injection to Windows machines:
- By abusing "Dos Devices" registry key, a user could redefine the "C:"
symlink to an arbitrary value.
- smss.exe, which is responsible for mapping Dos devices, later maps "known
DLLs" as sections. These DLLs are typically loaded from
"C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to
any usermode process by the Windows loader.
- This means that a malicious kernel32 could be created and injected
automatically to any process, after boot.
- In order to not screw things up, the malicious kernel32 must remap "C:"
as the original symlink.

Blog post: http://securitygodmode.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] DORG - Disc Organization System SQL Injection And Cross Site Scripting
Next by Date: [FD] Achievo Cross Site Scripting vulnerability
Previous by thread: [FD] DORG - Disc Organization System SQL Injection And Cross Site Scripting
Next by thread: [FD] Achievo Cross Site Scripting vulnerability
Index(es):
- Date
- Thread