Links to post series

July 2, 2015 in Hexacorn

ximad pinged me asking if I can make some of the content more readable – I will think of it and perhaps convert some of this stuff into a PDF, but in the meantime I am providing a series of links for the ‘longer’ series on the blog.

Da Li’L World of DLL Exports and Entry Points

Da Li’L World of DLL Exports and Entry Points, Part 1
http://www.hexacorn.com/blog/2013/08/08/da-lil-world-of-dll-exports-and-entry-points-part-1/

Da Li’L World of DLL Exports and Entry Points, Part 2
http://www.hexacorn.com/blog/2013/08/11/da-lil-world-of-dll-exports-and-entry-points-part-2/

Da Li’L World of DLL Exports and Entry Points, Part 3
http://www.hexacorn.com/blog/2013/08/21/da-lil-world-of-dll-exports-and-entry-points-part-3/

Anti-forensics

The shortest anti-forensics code in the world
http://www.hexacorn.com/blog/2012/01/21/the-shortest-anti-forensics-code-in-the-world/

The shortest anti-forensics code in the world – take #2
http://www.hexacorn.com/blog/2012/03/16/the-shortest-anti-forensics-code-in-the-world-take-2/

Purple Haze – Anti-forensics and anti-detection
http://www.hexacorn.com/blog/2012/02/13/purple-haze-anti-forensics-and-andi-detection/

Anti-forensics – live examples
http://www.hexacorn.com/blog/2012/02/18/anti-forensics-live-examples/

Anti-forensics – live examples, Part 2
http://www.hexacorn.com/blog/2014/06/27/anti-forensics-live-examples-part-2/

Anti-forensics – live examples, Part 3
http://www.hexacorn.com/blog/2014/08/29/anti-forensics-live-examples-part-3/

Enter Sandbox Series

Enter Sandbox – part 1: All APIs are equal, but some APIs are more equal than others
http://www.hexacorn.com/blog/2015/05/29/enter-sandbox-part-1-all-api-are-equal-but-some-apis-are-more-equal-than-others/

Enter Sandbox – part 2: COM, babe COM
http://www.hexacorn.com/blog/2015/06/09/enter-sandbox-part-2-com-babe-com/

Enter Sandbox – part 3: If you see Native code is creative
http://www.hexacorn.com/blog/2015/06/10/enter-sandbox-part-3-if-you-see-native-code-is-creative/

Enter Sandbox – part 4: In search for Deus Ex Machina
http://www.hexacorn.com/blog/2015/06/12/enter-sandbox-part-4-in-search-for-deus-ex-machina/

Enter Sandbox – part 5: In search for Deus Ex Machina II
http://www.hexacorn.com/blog/2015/06/17/enter-sandbox-part-5-in-search-for-deus-ex-machina-ii/

Enter Sandbox – part 6: The Nullsoft hypothesis and other installers' conundrums
http://www.hexacorn.com/blog/2015/06/26/enter-sandbox-part-6-the-nullsoft-hypothesis-and-other-installers-conundrums/

Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας
http://www.hexacorn.com/blog/2015/06/27/enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83/

Beyond good ol’ Run key

Beyond good ol’ Run key
http://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/

Beyond good ol’ Run key, Part 2
http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/

Beyond good ol’ Run key, Part 3
http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

Beyond good ol’ Run key, Part 4
http://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

Beyond good ol’ Run key, Part 5
http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

Beyond good ol’ Run key, Part 6
http://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/

Beyond good ol’ Run key, Part 7
http://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/

Beyond good ol’ Run key, Part 8
http://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/

Beyond good ol’ Run key, Part 9
http://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/

Beyond good ol’ Run key, Part 10
http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

Beyond good ol’ Run key, Part 11
http://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/

Beyond good ol’ Run key, Part 12
http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

Beyond good ol’ Run key, Part 13
http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/

Beyond good ol’ Run key, Part 14
http://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/

Beyond good ol’ Run key, Part 15
http://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/

Beyond good ol’ Run key, Part 16
http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/

Beyond good ol’ Run key, Part 17
http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/

Beyond good ol’ Run key, Part 18
http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

Beyond good ol’ Run key, Part 19
http://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/

Beyond good ol’ Run key, Part 20
http://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/

Beyond good ol’ Run key, Part 21
http://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/

Beyond good ol’ Run key, Part 22
http://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/

Beyond good ol’ Run key, Part 23
http://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/

Beyond good ol’ Run key, Part 24
http://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

Beyond good ol’ Run key, Part 25
http://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/

Beyond good ol’ Run key, Part 26
http://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/

Beyond good ol’ Run key, Part 27
http://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/

Beyond good ol’ Run key, Part 28
http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/

Beyond good ol’ Run key, Part 29
http://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/

Beyond good ol’ Run key, Part 30
http://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/

Beyond good ol’ Run key, Part 31
http://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/

Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας

June 27, 2015 in Batch Analysis, Malware Analysis, Sandboxing

Most modern applications use Windows APIs that rely on Unicode (or at least a subset of it) and as such they call the ‘W’ versions of the APIs, as opposed to older apps that used the ANSI ‘A’ versions (e.g. CreateFileW vs. CreateFileA). The native (Nt*) APIs, of course, have used Unicode all along. Unicode makes things easy and avoids the ambiguity of ANSI strings: an ANSI byte string carries no code-page information, so the same bytes map to different characters depending on the system code page of the machine (and the language version of the OS) they are displayed on. This is why running an old localized application on an English OS produces unreadable garbage characters in the UI.

The number of old apps that rely on ANSI functions is still very large, and ignoring them makes it harder to cherry-pick interesting clues from the samples. Some of these clues can make it into the final report and enrich it a lot.

Let’s look at an example.

An application does something, and then displays a message box with a caption ‘Îøèáêà’ saying ‘Çàïðàøèâàåìûé ôàéë íå íàéäåí’.

[screenshot msgbox1: the message box as rendered on an English OS, with the garbled caption and text]
Obviously, it doesn’t tell us much.

What if we took the bytes behind that garbage (the displayed string re-encoded with the English system’s own code page, 1252) and decoded them blindly with each of the most popular ANSI code pages?

We would get something like this:

1250 (Central Europe)           = Îřčáęŕ
1251 (Cyrillic)                 = Ошибка
1252 (Latin I)                  = Îøèáêà
1253 (Greek)                    = Ξψθακΰ
1254 (Turkish)                  = Îøèáêà
1255 (Hebrew)                   = ־רטבךא
1256 (Arabic)                   = خّèلêà
1257 (Baltic)                   = Īųčįźą
1258 (Vietnam)                  = Îøèáêà
 874 (Thai)                     = ฮ๘่แ๊เ
 932 (Japanese Shift-JIS)       = ホ碎
 936 (Simplified Chinese GBK)   = 硒栳赅
 949 (Korean)                   = 丘矮魏
 950 (Traditional Chinese Big5) = 昮魨罻

for the caption, and for the message:

1250 (Central Europe)           = Çŕďđŕřčâŕĺěűé ôŕéë íĺ íŕéäĺí
1251 (Cyrillic)                 = Запрашиваемый файл не найден
1252 (Latin I)                  = Çàïðàøèâàåìûé ôàéë íå íàéäåí
1253 (Greek)                    = Ηΰοπΰψθβΰεμϋι τΰιλ νε νΰιδεν
1254 (Turkish)                  = Çàïğàøèâàåìûé ôàéë íå íàéäåí
1255 (Hebrew)                   = ַאןנארטגאולי פאיכ םו םאיהום
1256 (Arabic)                   = اàïًàّèâàهىûé ôàéë يه يàéنهي
1257 (Baltic)                   = Ēąļšąųčāąåģūé ōąéė ķå ķąéäåķ
1258 (Vietnam)                  = Çàïđàøèâàǻûé ôàéë íå íàéäåí
 874 (Thai)                     = วเ๏๐เ๘่โเๅ์๛้ ๔เ้๋ ํๅ ํเ้ไๅํ
 932 (Japanese Shift-JIS)       = ヌ瑜籵褌隆 鴉 淲 浯鱠褊
 936 (Simplified Chinese GBK)   = 青镳帏桠噱禧?羿殡 礤 磬殇屙
 949 (Korean)                   = 행穽星外齧荏?牒雨 張 壯藕孼
 950 (Traditional Chinese Big5) = 瀔僤魤馲檞?邍澣 翴 縺毈樇

Even without knowing the languages involved it is easy to pick out the correct mapping by eye: the 1251 (Cyrillic) row is the only one that produces plausible words, while the other rows are mixed-script, contain undecodable bytes (‘?’) or pile up accented letters in a way no real Latin-script language does. The caption is ‘Ошибка’ (meaning ‘Error’) and the message is ‘Запрашиваемый файл не найден’ (meaning ‘The requested file was not found’), both in Russian.

We can confirm it by running the sample on a Russian OS (system locale set to Russian), where the same bytes render correctly:

[screenshot msgbox2: the same message box rendered on a Russian OS, with the caption and text readable in Cyrillic]

The exercise above, my friend, is an attempt to make a sandbox polyglot. Add some modules to recognize the most common languages and, who knows, maybe it will be able to recognize that the window titles below, looked up via FindWindow, know no linguistic boundaries and are… not too friendly (judging by the titles: personal-firewall and antivirus prompts, the Task Manager and a couple of games the sample is looking for):

  • Скрытый процесс запрашивает сетевой доступ
  • Hidden Process Requests Network Access
  • Ein versteckter Prozess verlangt Netzwerkzugriff.
  • Un proceso oculto solicita acceso a la red
  • Un processus cache requiert une connexion reseau.
  • Внимание: некоторые компоненты изменились
  • Warning: Components Have Changed
  • Warnung: Einige Komponenten wurden verandert.
  • Advertencia: Los componentes han cambiado
  • Avertissement : Les composants ont change
  • Menedżer Zadań Windows (Polish: ‘Windows Task Manager’)
  • Создать правило для
  • Create rule for
  • Regel fur
  • Crear regla para
  • Creer une regle pour
  • 瑞星杀毒软件 (Chinese: ‘Rising Antivirus’)
  • 登录信息 (Chinese: ‘Login information’)
  • 文件保护 (Chinese: ‘File protection’)
  • 월드 오브 워크래프트 (Korean: ‘World of Warcraft’)
  • 삼국지 (Korean: ‘Three Kingdoms’)
  • 하이로우2 (Korean: ‘Hi-Low 2’)
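To turn the code-page table and the FindWindow watch list above into something a sandbox can run on its own, here is an added example in Python (my code, not Hexacorn’s). It re-encodes the garbled caption with the code page of the analysis box (assumed to be 1252, i.e. an English OS) to get the original bytes back, decodes those bytes with every code page from the table, scores each candidate, and, as a second use of the same machinery, checks a FindWindow argument (bytes from FindWindowA or a string from FindWindowW) against a watch list built from a subset of the titles listed above. Structural checks alone cannot settle the question (the six caption bytes decode to perfectly valid Greek, Hebrew or GBK characters as well), so a tiny per-language word list of UI vocabulary is the deciding signal; that word list, the watch-list subset and the scoring weights are my assumptions and do not come from the post.

```python
import re
import unicodedata

# Windows ANSI code pages to try; cp1252 first so it wins ties (pure ASCII
# decodes identically everywhere).
CODEPAGES = ["cp1252", "cp1250", "cp1251", "cp1253", "cp1254", "cp1255", "cp1256",
             "cp1257", "cp1258", "cp874", "cp932", "cp936", "cp949", "cp950"]

# Hypothetical, deliberately tiny per-language lists of UI vocabulary (error,
# file, warning, access, not, for...). A real sandbox would plug in a proper
# language identifier; CJK languages need a different tokenizer anyway.
STOPWORDS = {
    "en": {"error", "not", "file", "warning", "access", "the", "for"},
    "ru": {"ошибка", "не", "файл", "внимание", "доступ", "и", "для"},
    "de": {"fehler", "nicht", "datei", "warnung", "zugriff", "und", "für"},
    "es": {"error", "no", "archivo", "advertencia", "acceso", "el", "para"},
    "fr": {"erreur", "pas", "fichier", "avertissement", "acces", "le", "pour"},
    "pl": {"błąd", "nie", "plik", "ostrzeżenie", "dostęp", "dla"},
    "el": {"σφάλμα", "δεν", "αρχείο", "και", "για"},
}

# Watch list: a constructed subset of the FindWindow titles listed in the post.
WATCH_TITLES = ["Скрытый процесс запрашивает сетевой доступ",
                "Hidden Process Requests Network Access",
                "Ein versteckter Prozess verlangt Netzwerkzugriff.",
                "Menedżer Zadań Windows", "Создать правило для",
                "瑞星杀毒软件", "월드 오브 워크래프트"]

def bytes_from_mojibake(shown, display_cp="cp1252"):
    """The bytes handed to an 'A' API were rendered through the analysis box's
    own ANSI code page; re-encoding what we saw with it gives them back."""
    return shown.encode(display_cp)

def script_of(ch):
    """Coarse script of a letter from its Unicode name (LATIN, CYRILLIC, CJK...)."""
    name = unicodedata.name(ch, "UNKNOWN")
    if any(s in name for s in ("CJK", "HANGUL", "HIRAGANA", "KATAKANA")):
        return "CJK"
    return name.split(" ")[0]

def score(text):
    """Plausibility of one decoding -> (score, language guess or None)."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0, None
    letters = [c for c in chars if unicodedata.category(c).startswith("L")]
    # U+FFFD marks bytes the code page cannot decode; C* categories are control,
    # format and private-use code points that never appear in a real UI string.
    bad = sum(1 for c in chars
              if c == "\ufffd" or unicodedata.category(c).startswith("C"))
    s = (len(letters) - 3 * bad) / len(chars)
    scripts = {script_of(c) for c in letters}
    s -= 0.5 * max(0, len(scripts) - 1)            # one string, one script
    if scripts == {"LATIN"}:                       # real Latin text is mostly ASCII
        accented = sum(1 for c in letters if ord(c) > 0x7F) / len(letters)
        s -= max(0.0, accented - 0.3)
    tokens = re.findall(r"\w+", text.lower())
    lang, hits = None, 0
    for name, words in STOPWORDS.items():          # +1 per recognised word
        n = sum(1 for t in tokens if t in words)
        if n > hits:
            lang, hits = name, n
    return s + hits, lang

def rank_decodings(raw):
    """Decode raw bytes with every code page -> [(score, codec, text, lang)], best first."""
    ranked = []
    for codec in CODEPAGES:
        text = raw.decode(codec, errors="replace")  # undecodable bytes -> U+FFFD
        s, lang = score(text)
        ranked.append((s, codec, text, lang))
    ranked.sort(key=lambda r: r[0], reverse=True)   # stable: ties keep list order
    return ranked

def identify(shown, display_cp="cp1252"):
    """Mojibake as displayed -> (code page, recovered text, language guess)."""
    s, codec, text, lang = rank_decodings(bytes_from_mojibake(shown, display_cp))[0]
    return codec, text, lang

def fold(text):
    """Case-fold and strip diacritics so 'Regel für' and 'Regel fur' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def match_window_title(arg):
    """arg: bytes passed to FindWindowA, or the str passed to FindWindowW."""
    text = arg if isinstance(arg, str) else rank_decodings(arg)[0][2]
    return fold(text) in {fold(t) for t in WATCH_TITLES}

if __name__ == "__main__":
    for shown in ("Îøèáêà", "Çàïðàøèâàåìûé ôàéë íå íàéäåí"):
        print(f"\n{shown}  (bytes {bytes_from_mojibake(shown).hex()})")
        for s, codec, text, lang in rank_decodings(bytes_from_mojibake(shown)):
            print(f"  {s:5.2f}  {codec:<7} {text}  {lang or ''}")
```

Running it reproduces the two tables from the post with a score next to each row and ‘cp1251 / ru’ on top for both strings. Ties (pure ASCII, or a short Latin string that several code pages decode to nothing but letters) are resolved by the order of CODEPAGES, so 1252 wins them; a real module would add per-language character-frequency models and a tokenizer for CJK. The watch-list comparison strips case and diacritics because some of the titles above appear without their umlauts and accents.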