Malware Devil

Saturday, October 17, 2020

Beyond good ol’ Run key, Part 129

Browsing through Windows libraries I came across a few that had an intriguingly named function being resolved at run-time: DllBidEntryPoint.

The libraries referencing this API are:

  • msado15.dll
  • msadomd.dll
  • msadox.dll
  • msadrh15.dll
  • msadce.dll
  • msadco.dll
  • msadds.dll
  • msdaprst.dll
  • msdarem.dll
  • msdaora.dll
  • msdasql.dll
  • msdatl3.dll
  • oledb32.dll
  • sqloledb.dll

As usual, the first thing I did was go to Google, and I soon discovered that it is part of a documented tracing interface used by SQL Server called Built-in Diagnostics (BID).

One can use one of these keys:

  • HKLM\Software\Microsoft\BidInterface\Loader
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\BidInterface\Loader

and add a ‘:Path’ value name pointing to a DLL that will act as a tracing DLL.

As usual, the linked document contains all the gory details.
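From the defender's side, the two keys above are worth watching for writes to the ‘:Path’ value. The following is an added example, not code from the original post: a small detector that scans constructed, Sysmon-style "registry value set" (Event ID 13) lines, reports any write of ‘:Path’ under either BID loader key, and flags DLLs registered from user-writable directories. The one-line event layout and sample paths are assumptions made for this example.

```python
import re

# Key paths the post names for the BID loader (64-bit and Wow6432Node views),
# lower-cased so matching is case-insensitive like the registry itself.
BID_LOADER_KEYS = (
    r"\software\microsoft\bidinterface\loader",
    r"\software\wow6432node\microsoft\bidinterface\loader",
)

# Directories a standard user can write to; a tracing DLL registered from one
# of these deserves a closer look. Coarse heuristic, not a verdict.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Minimal one-line text form of a Sysmon Event ID 13 (RegistryEvent: value set).
# Field names follow Sysmon; the flat layout is constructed for this example.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Image=(?P<image>\S+)\s+"
    r"TargetObject=(?P<target>.+?)\s+Details=(?P<details>.+)$"
)

# Constructed sample telemetry (not real logs): one 64-bit write from a
# user-writable folder, one unrelated Run-key write, one Wow6432Node write
# from Program Files, and one key-create event (ID 12) with no Details field.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Microsoft\BidInterface\Loader\:Path Details=C:\Users\Public\trace.dll",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Tools\updater.exe",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\BidInterface\Loader\:Path Details=C:\Program Files (x86)\Contoso\AdoNetDiag.dll",
    r"EventID=12 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Microsoft\BidInterface\Loader",
]

def bid_loader_path_writes(lines):
    """Return one finding per event that sets ':Path' under a BID loader key."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("id") != "13":
            continue
        key, _, value = m.group("target").rpartition("\\")
        if value.lower() != ":path" or not key.lower().endswith(BID_LOADER_KEYS):
            continue
        dll = m.group("details").strip()
        findings.append({
            "image": m.group("image"),
            "key": key,
            "dll": dll,
            "user_writable": dll.lower().startswith(USER_WRITABLE_PREFIXES),
        })
    return findings

if __name__ == "__main__":
    for f in bid_loader_path_writes(SAMPLE_EVENTS):
        print(("SUSPICIOUS " if f["user_writable"] else "review     ") + f["image"] + " -> " + f["dll"])
```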

https://malwaredevil.com/2020/10/17/beyond-good-ol-run-key-part-129/?utm_source=rss&utm_medium=rss&utm_campaign=beyond-good-ol-run-key-part-129
