Thanks to @sixtyvividtails who corrected a mistake I made in the earlier version of the post
Updated post
Today we are all familiar with the meaning of the PATH environment variable and the dynamic-link search order, but there is one more order out there: the one used during the resolution of static imports. It turns out that the internal list of ‘system’ directories that ntdll.dll maintains also includes the obsolete C:\Windows\System path.
One of the lesser-known paths searched when libraries are loaded is C:\Windows\System.
Whenever a library search kicks off, the following system directories are searched:
- C:\Windows\System32\
- C:\Windows\System\
We can clearly see this in Procmon when testing the POC from my post about UpdateAPI.dll:
So, that old 16-bit legacy path is still there, even though practically no one uses it today. As such, this path can be used to drop at least some of the payloads there.
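As an added illustration (not code from the original post), the following script models the search order described above for the two 'system' directories and audits the legacy C:\Windows\System directory, which on a clean install should hold no DLLs at all; any DLL that resolves from there, or that shadows nothing but sits there anyway, is worth a look. The directory names are the two from the post, and the sample listing is constructed so the check runs offline; `snapshot()` reads the real directories when run on Windows.

```python
"""Audit the legacy C:\\Windows\\System directory against the search order
described in the post: System32 is searched first, then the legacy System dir.
Hypothetical helper, not part of the original post."""
from __future__ import annotations

from pathlib import Path

SYSTEM32 = "C:\\Windows\\System32"
LEGACY = "C:\\Windows\\System"
# The two 'system' directories, in the order the post shows them being searched.
SYSTEM_DIRS = (SYSTEM32, LEGACY)


def resolve_dll(name: str, present: dict[str, set[str]]) -> str | None:
    """Return the directory from which `name` would be resolved, or None.

    `present` maps a directory to the lower-cased file names it contains."""
    target = name.lower()
    for directory in SYSTEM_DIRS:
        if target in present.get(directory, set()):
            return directory
    return None


def audit_legacy_dir(present: dict[str, set[str]]) -> dict[str, list[str]]:
    """Classify every DLL found in the legacy directory.

    'resolves_from_legacy': no copy in System32, so a loader asking for this
    name would get the legacy file.  'shadowed_by_system32': System32 wins,
    but a DLL planted in an unused 16-bit directory is still unexpected."""
    report: dict[str, list[str]] = {"resolves_from_legacy": [], "shadowed_by_system32": []}
    for fname in sorted(present.get(LEGACY, set())):
        if not fname.endswith(".dll"):
            continue
        key = "resolves_from_legacy" if resolve_dll(fname, present) == LEGACY else "shadowed_by_system32"
        report[key].append(fname)
    return report


def snapshot(dirs: tuple[str, ...] = SYSTEM_DIRS) -> dict[str, set[str]]:
    """Build the listing from the live file system (only meaningful on Windows)."""
    listing: dict[str, set[str]] = {}
    for d in dirs:
        p = Path(d)
        listing[d] = {c.name.lower() for c in p.iterdir()} if p.is_dir() else set()
    return listing


# Constructed sample listing: a minimal System32 plus a legacy directory that
# holds one DLL shadowed by System32 and one that resolves from the legacy path.
SAMPLE = {
    SYSTEM32: {"kernel32.dll", "ntdll.dll"},
    LEGACY: {"ntdll.dll", "sample.dll", "setup.inf"},
}

if __name__ == "__main__":
    print(audit_legacy_dir(SAMPLE))
```

Running `audit_legacy_dir(snapshot())` on a live host turns the post's observation into a quick hunt query: a non-empty report from the legacy directory deserves explanation.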