A novel persistent injection to Windows machines: - By abusing "Dos Devices" registry key, a user could redefine the "C:" symlink to an arbitrary value. - smss.exe, which is responsible for mapping Dos devices, later maps "known DLLs" as sections. These DLLs are typically loaded from "C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to any usermode process by the Windows loader. - This means that a malicious kernel32 could be created and injected automatically to any process, after boot. - In order to not screw things up, the malicious kernel32 must remap "C:" as the original symlink. Blog post: http://ift.tt/1UtMJxi
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment