Persistence
- Various ways malware can get on a system
- Needs to ensure it stays on a system for a long time
- Otherwise rebooting the system would be enough to clear it
- Various mechanisms are available for the malware to hook in
Via registry
- In the window registry that can be used to install malware permanently
- Most popular is to register yourself in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
andHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Tools available that can show all the programs that will automatically run on your system
Image File Execution Options
- This ^ settings in the registry
- Aimed at letting you debug a program
- Set at
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
- Can set a key called
Debugger
which contains the full path to the debugger, or the malware - Set this on a program that is likely to be run and the malware will be launched when the program is run
APPINIT_DLLs
AppInit_Dlls
were loaded into every process that loads User32.dll- Malware would therefore need to check what it was loaded into if it was targeting a specific process
- DLLs registered by adding the path to the
AppInit_DLL
s registry key underHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- Key contains a space-delimited list of DLL paths to load
- Not available when windows is booted using secure boot
Winlogon Notify
- Could also register a DLL to receive notifications when logon events happen
- DLL registered in registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
- Under the key
Notify
- DLL must be placed in the
system32
directory
SVCHOST DLLs
- Malware often installed as a Windows service
- Typically requires implementing as a .exe
- svchost lets you implement a service as a DLL
- Many windows services are implemented as a DLL using svchost.exe
- Malware is able to blend in with the services and registry
- Each instance of svchost.exe contains a group of services
- Groups are defined in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
- Services are defined in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName
- Malware authors will register with details that help in blend into the background.
Trojanized System Binaries
- Another mechanism for persistence is to modify an existing binary
- Adding the malware code to the binary
- Also modifies the existing code so that the malware code is executed
- Result is that when the binary is next run, malware is also run
- Easy to spot when disassembling
DLL Load-Order
Windows has defined search order
- Directory where the application is loaded
- System directory (
\Windows\System32\
) - 16-bit system directory (
\Windows\System
) - Windows directory (
\Windows
) - Current directory
- Directories listed in the PATH environment variable
Also the
KnownDLLs
registry key is used to preload a specific list of DLLs
Hijacking
- Possible to cause a different DLL to be loaded by hijacking the load-order
- Just need to place the malicious DLL in a directory higher up the load-order
- Windows will then load this one before the real DLL
- Malicious DLL can then load the real DLL to ensure the system continues to function