It’s been a long time since I looked at phantom DLLs (DLLs that do not exist on disk but that some component expects to find in a predictable location, so a file planted there gets loaded). So, a quick rundown of what can be seen on Win10 today follows:
- C:\Windows\System32\edgegdi.dll
  - loaded by gdi.dll, but not present on the most up-to-date Win10 Pro installation; it must be signed to be loaded
  - loaded by a number of processes: backgroundTaskHost.exe, BackgroundTransferHost.exe, DllHost.exe, dmclient.exe, HxTsr.exe, LockApp.exe, LogonUI.exe, Microsoft.Photos.exe, mousocoreworker.exe and many others; existing work: found some EoP research on Twitter
- C:\Windows\SysWOW64\rpcss.dll
- C:\Windows\System32\UsoSelfhost.dll
  - loaded by mousocoreworker.exe; possible EoP?
- C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll
  - loaded by SearchApp.exe
- C:\Windows\System32\windowscoredeviceinfo.dll
  - loaded by taskhostw.exe
There are more, but I am reserving them for a possible future post.
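As an added example (my code, not part of the original post), here is a small Python helper that does the two things a defender would want to do with the list above: check whether any of the listed phantom paths now exists on a host, and flag Sysmon Event ID 7 (image loaded) records that reference one of them. On a clean system none of these files exists, so any load is worth a look, and an unsigned one more so. The Sysmon records below are constructed for the example, and the function names (`audit_phantom_dlls`, `flag_phantom_loads`, `demo_audit`) are mine.

```python
"""Phantom DLL audit and detection helper (added example, not from the post).

Two checks:
  1. audit_phantom_dlls(drive_root): do any of the phantom paths exist on disk?
  2. flag_phantom_loads(events): scan Sysmon Event ID 7 records for loads of
     those paths and rate them by signature state.
Field names (Image, ImageLoaded, Signed, SignatureStatus) follow the Sysmon
Event ID 7 schema; the sample records themselves are constructed.
"""
import os
import tempfile
from pathlib import PureWindowsPath

# Phantom DLL paths taken from the post above.
PHANTOM_DLLS = [
    r"C:\Windows\System32\edgegdi.dll",
    r"C:\Windows\SysWOW64\rpcss.dll",
    r"C:\Windows\System32\UsoSelfhost.dll",
    r"C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll",
    r"C:\Windows\System32\windowscoredeviceinfo.dll",
]


def _key(path):
    """Case-fold a Windows path and drop the drive so that
    C:\\Windows\\... and c:\\windows\\... compare equal."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.drive else p.parts
    return "\\".join(s.lower() for s in parts)


PHANTOM_KEYS = {_key(p) for p in PHANTOM_DLLS}


def audit_phantom_dlls(drive_root):
    """Return the phantom DLL paths that exist under drive_root.

    drive_root stands in for C:\\ (on a real host pass the system drive);
    any directory works, which keeps the check runnable offline.
    """
    found = []
    for p in PHANTOM_DLLS:
        rel_parts = PureWindowsPath(p).parts[1:]  # strip the C:\ anchor
        if os.path.isfile(os.path.join(drive_root, *rel_parts)):
            found.append(p)
    return found


def flag_phantom_loads(events):
    """Return (severity, Image, ImageLoaded) for every Sysmon Event ID 7
    record whose ImageLoaded is one of the phantom paths.

    Any load of a path that should not exist is at least 'medium'; if the
    module is not signed with a valid signature it is 'high'.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev.get("ImageLoaded", "")
        if _key(loaded) not in PHANTOM_KEYS:
            continue
        signed = ev.get("Signed", "").lower() == "true"
        valid = ev.get("SignatureStatus", "").lower() == "valid"
        severity = "medium" if (signed and valid) else "high"
        hits.append((severity, ev.get("Image", ""), loaded))
    return hits


# Constructed Sysmon Event ID 7 records for the example.
SAMPLE_EVENTS = [
    # benign: a real system DLL loaded by LogonUI.exe
    {"EventID": 7, "Image": r"C:\Windows\System32\LogonUI.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # planted, unsigned edgegdi.dll loaded by LogonUI.exe -> high
    {"EventID": 7, "Image": r"C:\Windows\System32\LogonUI.exe",
     "ImageLoaded": r"C:\Windows\System32\edgegdi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # signed UsoSelfhost.dll loaded by mousocoreworker.exe (mixed-case path) -> medium
    {"EventID": 7, "Image": r"C:\Windows\System32\MoUsoCoreWorker.exe",
     "ImageLoaded": r"c:\windows\system32\usoselfhost.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # not an image-load event, ignored
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def demo_audit():
    """Build a scratch 'drive' with one planted phantom DLL and audit it."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "Windows", "System32", "edgegdi.dll")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"MZ")  # constructed placeholder, not a real PE
        return audit_phantom_dlls(root)


if __name__ == "__main__":
    print("audit:", demo_audit())
    for sev, image, loaded in flag_phantom_loads(SAMPLE_EVENTS):
        print(f"[{sev}] {image} loaded {loaded}")
```

Because all of these paths sit under %SystemRoot%, planting a file there needs write access that a standard user does not have, so an audit hit points at an already-privileged writer or a broken ACL rather than a fresh foothold; the Sysmon check catches the load itself regardless of how the file got there.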
The post Beyond good ol’ Run key, Part 128 appeared first on Malware Devil.
https://malwaredevil.com/2020/09/18/beyond-good-ol-run-key-part-128/?utm_source=rss&utm_medium=rss&utm_campaign=beyond-good-ol-run-key-part-128