Skip to main content

Persistence

  • Various ways malware can get on a system
  • Needs to ensure it stays on a system for a long time
  • Otherwise rebooting the system would be enough to clear it
  • Various mechanisms are available for the malware to hook in

Via registry

  • In the window registry that can be used to install malware permanently
  • Most popular is to register yourself in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Tools available that can show all the programs that will automatically run on your system

Image File Execution Options

  • This ^ settings in the registry
  • Aimed at letting you debug a program
  • Set at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  • Can set a key called Debugger which contains the full path to the debugger, or the malware
  • Set this on a program that is likely to be run and the malware will be launched when the program is run

APPINIT_DLLs

  • AppInit_Dlls were loaded into every process that loads User32.dll
  • Malware would therefore need to check what it was loaded into if it was targeting a specific process
  • DLLs registered by adding the path to the AppInit_DLLs registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • Key contains a space-delimited list of DLL paths to load
  • Not available when windows is booted using secure boot

Winlogon Notify

  • Could also register a DLL to receive notifications when logon events happen
  • DLL registered in registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  • Under the key Notify
  • DLL must be placed in the system32 directory

SVCHOST DLLs

  • Malware often installed as a Windows service
  • Typically requires implementing as a .exe
  • svchost lets you implement a service as a DLL
  • Many windows services are implemented as a DLL using svchost.exe
  • Malware is able to blend in with the services and registry
  • Each instance of svchost.exe contains a group of services
  • Groups are defined in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  • Services are defined in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName
  • Malware authors will register with details that help in blend into the background.

Trojanized System Binaries

  • Another mechanism for persistence is to modify an existing binary
  • Adding the malware code to the binary
  • Also modifies the existing code so that the malware code is executed
  • Result is that when the binary is next run, malware is also run
  • Easy to spot when disassembling

DLL Load-Order

Windows has defined search order

  • Directory where the application is loaded
  • System directory (\Windows\System32\)
  • 16-bit system directory (\Windows\System)
  • Windows directory (\Windows)
  • Current directory
  • Directories listed in the PATH environment variable Also the KnownDLLs registry key is used to preload a specific list of DLLs

Hijacking

  • Possible to cause a different DLL to be loaded by hijacking the load-order
  • Just need to place the malicious DLL in a directory higher up the load-order
  • Windows will then load this one before the real DLL
  • Malicious DLL can then load the real DLL to ensure the system continues to function