The developers of Windows 10 have implemented protection against ransomware viruses. It can be bypassed using a DLL injection

What is the problem r3r357.
3r33939. Soya Aoyama managed to inject a malicious DLL into the Windows Explorer — and explorer.exe is in the trusted list of Controlled Folder Access programs. To realize his intention, the researcher used the fact that when launching explorer.exe loads the DLLs found in the registry key HKEY_CLASSES_ROOT * shellexContextMenuHandlers:
3r33939.
3r33939.
3r33939.
3r33939. The HKEY_CLASSES_ROOT tree is the "merge" of the register information found in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. When implementing this "merge", Windows assigns information from HKCU priority. This means that if a key exists in HKCU, then it will take precedence over the same key in HKLM, and this data will flow into the HKEY_CLASSES_ROOT tree.
3r33939.
3r33939. When starting explorer.exe, Shell32.dll is loaded by default, which is in the key HKEY_LOCAL_MACHINESOFTWAREClassesCLSID {90AA3A4E-1CBA-4233-B8BB-535773D48449} InProcServer32. To load a malicious DLL into Explorer, Aoyama simply created the HKCUSoftwareClassesCLSID key {90AA3A4E-1CBA-4233-B8BB-535773D48449} InProcServer32 and set the desired library in its value.
3r33939.
3r33939. After that, after completing and restarting the explorer.exe process, instead of the Shell32.dll, the program started the DLL created by the hacker.
3r33939.
3r33939. Aoyama shared his research results at DerbyCon conference:
3r33939.
3r33939.
3r350. 3r388. 3r388. 3r388. 3r33939. How to protect yourself </h2> 3r33939. The researcher also found out that many antiviruses, including Windows Defender, Avast, ESET, Malwarebytes Premium and McAfee, do not recognize the attack scheme found by him. 3r33939. 3r33939. At the same time, according to Aoyama, Microsoft representatives do not believe that he discovered a vulnerability. The researcher sent information about his findings to the company, but there they were told that he was not entitled to any rewards, and they would not release a patch, because an attacker needs access to the victim’s computer to carry out the attack and does not exceed access rights. 3r33939. 3r33939. However, in combination with other vulnerabilities, the attack vector found by Aoyama may be interesting for attackers. Basically, the infrastructure of large companies is built on Windows. Knowing this, attackers are developing special tools for attacks under this operating system. 3r33939. 3r33939. Tomorrow, October 1? at 14:00 , experts experts from PT Expert Security Center will analyze three hacking tools that allow you to quickly develop an attack in the Windows infrastructure: impacket, CrackMapExec and Koadic. Students will learn how they work, what activity they create in network traffic, and most importantly, how to detect their use in time. The webinar will be of interest to employees of the SOC, blue teams and IT departments. 3r33939. 3r33939. is required for participation. register </a> . 3r388. 3r33939. 3r33939. ! function (e) {function t (t, n) {if (! (n in e)) {for (var r, a = e.document, i = a.scripts, o = i.length; o-- ;) if (-1! == i[o].src.indexOf (t)) {r = i[o]; break} if (! r) {r = a.createElement ("script"), r.type = "text /jаvascript", r.async =! ? r.defer =! ? r.src = t, r.charset = "UTF-8"; var d = function () {var e = a.getElementsByTagName ("script")[0]; e.parentNode.insertBefore (r, e)}; "[object Opera]" == e.opera? a.addEventListener? a.addEventListener ("DOMContentLoaded", d,! 1): e.attachEvent ("onload", d ): d ()}}} t ("//mediator.mail.ru/script/2820404/"""_mediator") () (); 3r3386. 3r33939. 3r388. 3r33939. 3r33939. 3r33939. 3r33939.

It may be interesting

This publication has no comments.

Author

Publication Date

Category

Comments

social media content tips

Yesterday, 21:53

taxiseo2

Yesterday, 21:47

taxiseo2

Yesterday, 14:53

raymond weber

Yesterday, 20:26

warisak