Beyond good ol’ Run key, Part 154
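The article describes a Windows persistence mechanism based on the Ghostscript software suite. By modifying the registry entry `(HKCU|HKLM)\Software\GPL Ghostscript\<version>\GS_DLL` to point to a malicious DLL file, an attacker can achieve persistence and carry out malicious activity. The mechanism can also be abused further through an environment variable. 2026-1-2 14:7:43 Author: www.hexacorn.com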

In this series I describe a lot of Windows persistence mechanisms. Most of them are ‘native’ to the OS, but I sometimes cover opportunities offered by popular software too. Today’s case is one of these.

Ghostscript is a superpopular:

suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format (PDF) page description languages

that can be found installed on many Windows endpoints today. It is often installed as a dependency of various applications, including PDF software, games, etc.

What is particularly interesting from a persistence standpoint is this Registry entry:

(HKCU|HKLM)\Software\GPL Ghostscript\<version>\GS_DLL=<DLL library>

Any software relying on Ghostscript will eventually refer to it, and load the DLL this entry points to. As such, it can be leveraged for persistence (proxy DLL).

This mechanism is described in detail here.

If you read the linked article, you will notice that there is an alternative way to set the value of GS_DLL: an environment variable. This feature can be abused for both persistence and lolbin activities.
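To audit an endpoint for both the Registry entry and the environment variable described above, the following PowerShell sketch lists every GS_DLL value and marks the ones that deserve a closer look. It is an added example, not code from the original post; the WOW6432Node path, the Program Files heuristic and the environment variable name GS_DLL are assumptions, and `Test-GsDllPath` is a hypothetical helper name.

```powershell
# Added audit example, not code from the original post.
$roots = @(
    'HKCU:\Software\GPL Ghostscript',
    'HKLM:\Software\GPL Ghostscript',
    # Assumption: 32-bit registry view on 64-bit Windows (not named in the post).
    'HKLM:\Software\WOW6432Node\GPL Ghostscript'
)
# Heuristic (assumption): a legitimate Ghostscript DLL sits under Program Files.
$trustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-GsDllPath {
    param([string]$Source, [string]$Path)
    # Resolve "..\" segments; a relative path is left as-is and flagged below.
    $rooted = [IO.Path]::IsPathRooted($Path)
    $full = if ($rooted) { [IO.Path]::GetFullPath($Path) } else { $Path }
    $exists = $rooted -and (Test-Path -LiteralPath $full -PathType Leaf)
    $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $full }
    $trusted = $false
    foreach ($dir in $trustedDirs) {
        if ($full.StartsWith("$dir\", [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    [pscustomobject]@{
        Source    = $Source
        GS_DLL    = $full
        Exists    = $exists
        Trusted   = $trusted
        Signature = if ($sig) { "$($sig.Status)" } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Per-user and environment-based values need no admin rights to set.
        Review    = (-not $exists) -or (-not $trusted) -or ($Source -notlike 'HKEY_LOCAL_MACHINE*')
    }
}

$findings = @()
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($verKey in Get-ChildItem -LiteralPath $root) {
        $value = $verKey.GetValue('GS_DLL')
        if ($value) { $findings += Test-GsDllPath -Source $verKey.Name -Path $value }
    }
}
# Assumption: the environment variable uses the same name, GS_DLL.
foreach ($scope in 'Process', 'User', 'Machine') {
    $value = [Environment]::GetEnvironmentVariable('GS_DLL', $scope)
    if ($value) { $findings += Test-GsDllPath -Source "env:GS_DLL ($scope)" -Path $value }
}
$findings | Format-List
```

HKCU here is the hive of the account running the script, so other users' hives need a separate pass. The signature fields are reported for triage only and do not drive the `Review` flag.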


Article source: https://www.hexacorn.com/blog/2026/01/02/beyond-good-ol-run-key-part-154/