Beyond good ol’ Run key, Part 38

May 27, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

It’s been a while since my last post about persistence tricks. Today I decided to fix this and write about yet another trick – kinda old, yet still cool – that works even today despite being as old as Windows NT.

The userinit.exe process was featured in a number of persistence posts before (here , here and here). Turns out, we have not given it all the attention it needs yet.

When you add a new user to the system, you have an option to change some properties of the user account as shown on the below screenshot. One of these properties is responsible for loading the user logon script (I named it foobar123.bat on the test system).

pic0

The alternative to GUI is using the following command:

  • net user /scriptpath:<Relative Path>

Once added to the user properties, the script will be executed anytime user logs on:

pic3

You may be wondering where on the system it has to be placed to ensure it is executed.

There are two places:

  • You can place it on Netlogon share:
    • either the real one from the domain controller (where all user scripts reside),
      or
    • you can create a fake, local one by using the trick shown below:

pic1

In such case the script will be loaded like this:

pic4

  • You can place it inside the %systemroot%\System32\Repl\Import\Scripts directory

In such case it will be executed like this:

pic2If you use net user command, the relative path is relative to %systemroot%\System32\Repl\Import\Scripts.

This trick is not my idea and is described in various places on the internet – I shamelessly ‘borrowed’ most of the bits and ideas from here.

Creating IDT/IDS files for IDA from MS libraries with symbols

April 22, 2016 in Malware Analysis, Reversing, Software Releases

In a reversing world it is a regular experience to come across samples that are linked to OS APIs that are imported from well-known libraries. However, on occasion we can come across files that use importing in a slightly different way – they import not via names but via ordinals. A good example are samples linking to MFC libraries.

When loaded into IDA, such samples contain lots of autogenerated function names f.ex. mfc_1234. This is pretty annoying. Of course (and luckily) there exists a lot descriptions and solutions to it – we need an IDT or an IDS file. An IDT (or its compressed version IDS) file is a ‘translator’ between ordinal numbers and actual API names – many of these exist in a default installation package of IDA, but not all… One can generate these by hand – using existing scripts – and in case the MS symbols exist for a given library – one can try to generate these automagically using a simple script I am attaching to this post.

This is the recipe:

  • Ensure your IDA is set up to use symbols from Microsoft
  • Open the MS library you analyze
  • Load its symbols from the MS web site (you are either asked, or they are loaded automatically – depends on your config)
  • When the database is fully loaded and autoanalysis is completed, launch the following script:
import idaapi
import idc
import types
import os

idt = GetIdbPath()

print "Original IDB: %s" % idt

idt = idt.replace('.idb','.idt')
idt = idt.replace('.i64','.idt')

dll = GetInputFile()

print "Saving to %s" % idt

f = open(idt, 'wb')
f.write("0 Name=%s\n" % (dll))
for i in xrange(idaapi.get_entry_qty()):
    fn = idaapi.getn_func(i)
    a = fn.startEA
    if a != BADADDR:
       eo = GetEntryOrdinal(i)
       nm = GetFunctionName(GetEntryPoint(eo))
       #cm = GetFunctionCmt(a,0)
       #print "%x: %0d, %s, %s" %  (a,eo,nm,cm)
       if nm!='':
          f.write("%d Name=%s\n" % (eo,nm))
f.close()
print "done!"
  • Now you should have the IDT file autogenerated in the same directory where the library is f.ex.
    • mfcXYZ.idb
    • mfcXYZ.idt  — this is the IDT file
  • You can now
    • Open sample linking to the MS library via ordinals
    • Load newly created IDT file
    • All mfc_1234 function names should be automatically converted to respective function/method names
  • You can also use zipids.exe to convert IDT file to IDS, but it’s not necessary