Posted by 0x3d5157636b525761 iddqd on Mar 20
A novel persistent injection to Windows machines:
– By abusing the “DOS Devices” registry key, a user could redefine the “C:”
symlink to an arbitrary value.
– smss.exe, which is responsible for mapping DOS devices, later maps “known
DLLs” as sections. These DLLs are typically loaded from
“C:\Windows\System32” (e.g. kernel32.dll) and will henceforth be loaded into
any usermode process by the Windows loader.
– This…
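As an added example (not code from the original post), the following PowerShell audit checks the three links in the chain described above: whether the “DOS Devices” key under the Session Manager redefines a drive letter, what the system drive letter currently resolves to in the object manager (via the documented kernel32!QueryDosDevice API), and whether the files that the KnownDLLs DllDirectory now points at are still validly Microsoft-signed. It assumes Windows 10/11, PowerShell 5.1 or later, and an elevated prompt. Note that writing to HKLM\SYSTEM requires administrative rights, so this is a persistence technique for an attacker who already has them; the “expected target” pattern \Device\HarddiskVolumeN is a heuristic assumption for ordinary volumes, not something the post states.

```powershell
# Added audit script; not code from the original post. Assumed: Windows 10/11,
# PowerShell 5.1 or later, run elevated. Registry paths and the
# kernel32!QueryDosDevice signature are documented Windows interfaces; the
# "expected target" regex below is a heuristic assumption for ordinary volumes.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# kernel32!QueryDosDevice resolves a \?? name (e.g. "C:") to its current NT target.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-DosDeviceTarget {
    param([Parameter(Mandatory)][string]$Name)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [Win32.Native]::QueryDosDevice($Name, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) {
        throw ("QueryDosDevice({0}) failed, Win32 error {1}" -f $Name,
            [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    # The result is a MULTI_SZ; the first string is the link's current target.
    return ($buf.ToString().Split([char]0) | Where-Object { $_ })[0]
}

function Invoke-DosDevicesAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry: smss.exe turns every value under "DOS Devices" into a symbolic
    #    link in \?? at boot. A stock install only defines these six names; a
    #    drive letter such as "C:" here is exactly the redefinition described above.
    $stock = 'AUX','MAILSLOT','NUL','PIPE','PRN','UNC'
    $dos = Get-ItemProperty -Path "$SessionMgr\DOS Devices"
    foreach ($p in $dos.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ($p.Name -match '^[A-Za-z]:$') {
            $findings.Add("DOS Devices redefines drive letter $($p.Name) -> $($p.Value)")
        } elseif ($stock -notcontains $p.Name.ToUpper()) {
            $findings.Add("Non-default DOS Devices entry $($p.Name) -> $($p.Value)")
        }
    }

    # 2. Live object manager: what does the system drive letter resolve to right now?
    #    An untouched volume resolves to \Device\HarddiskVolumeN (heuristic);
    #    anything else (another drive, a subdirectory, a \??\ chain) deserves a look.
    $sysDrive = $env:SystemDrive                        # e.g. "C:"
    $target = Get-DosDeviceTarget -Name $sysDrive
    if ($target -notmatch '^\\Device\\HarddiskVolume\d+$') {
        $findings.Add("$sysDrive currently resolves to '$target' (expected \Device\HarddiskVolumeN)")
    }

    # 3. KnownDLLs: smss.exe maps each file named here, from DllDirectory, as a
    #    section that later processes receive through \KnownDlls. If the drive
    #    letter was redirected, DllDirectory now points into the attacker's tree,
    #    so verify that the files it resolves to are still Microsoft-signed.
    $known = Get-ItemProperty -Path "$SessionMgr\KnownDLLs"
    $dllDir = [Environment]::ExpandEnvironmentVariables($known.DllDirectory)
    foreach ($p in $known.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -like 'DllDirectory*') { continue }
        $path = Join-Path $dllDir $p.Value
        if (-not (Test-Path -LiteralPath $path)) {
            $findings.Add("KnownDLL $($p.Value) missing from $dllDir")
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("KnownDLL $path is not validly Microsoft-signed (status: $($sig.Status))")
        }
    }

    return $findings
}

$result = Invoke-DosDevicesAudit
if ($result.Count -eq 0) { 'No DOS Devices / KnownDLLs anomalies found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The registry check is the one that matters before a reboot: a value written under “DOS Devices” does nothing until smss.exe processes the key at the next boot, so a planted “C:” entry is visible there while the live drive letter still resolves correctly. The QueryDosDevice and signature checks cover the post-reboot state. If a build reports stock, catalog-signed system DLLs as NotSigned, replace the signature test with a hash comparison against a known-good copy of the same build rather than loosening the check.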