compact.exe (WofCompressed streams) as an anti-sandbox trick

November 11, 2018 in Anti-*, Sandboxing

Looking at the compact.exe program today I noticed that it had a few extra command line arguments available (which I had never heard of), including /exe, xpress4k, xpress8k, xpress16k and lzx. A quick Google search led me to this excellent post by Yogesh Khatri and this informative discussion on the Microsoft page.

After testing it on Win10, I confirmed that some forensic tools struggle with processing such compressed files. It immediately occurred to me that the very same problem will apply to any sandbox, or other security solution, that tries to bypass the native NTFS driver of the OS and read the files directly from the logical or physical drive (this also includes solutions that read file systems from guest VM images at the host level: some sandboxes do).

As such, if these solutions don’t process such compressed files properly, malware could simply use compression to make it harder for anyone to extract samples from the system, in a similar fashion to the other NTFS feature I discussed previously. Of course, bypassing it is easy, as one only has to use the built-in OS APIs to copy the files to another location, but this may affect the workflow of the sandbox process (especially those that try to be non-intrusive and only observe what’s happening inside the sandbox).

To test, run:

compact /c /f /exe:<compression> <filename>

where <compression> is one of these:

  • xpress4k
  • xpress8k
  • xpress16k
  • lzx

Last, but not least: compact.exe uses the DeviceIoControl API to set the compression on the files. Some coders have already duplicated the compact.exe functionality in AutoIt.
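A defender-side counterpart to the point above, added here as an example and not code from the original post: compact.exe sets the compression through DeviceIoControl, and the same API can be used to ask the native WOF filter which files are compressed, via the query control code FSCTL_GET_EXTERNAL_BACKING. A sandbox or forensic collector that runs this inside the guest gets the answer from the driver instead of having to understand the on-disk format, which is exactly what the raw-disk tools discussed above lack. The structure layouts, control code and algorithm numbering are the ones from wofapi.h as I know them (WOF_EXTERNAL_INFO, FILE_PROVIDER_EXTERNAL_INFO_V1, error 342 for a plain file); the CreateFile flags and the 64-byte output buffer are my own choices and should be read as assumptions, as is the script name in the usage note.

```python
"""List WOF-compressed files (the state compact /exe creates) by asking the
native driver via FSCTL_GET_EXTERNAL_BACKING instead of parsing NTFS raw."""
import os
import struct
import sys

# CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, function 196, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_GET_EXTERNAL_BACKING = 0x90310
ERROR_OBJECT_NOT_EXTERNALLY_BACKED = 342   # Win32 error returned for a plain file

WOF_PROVIDER_WIM = 1    # file data lives in a WIM image (Compact OS / WIMBoot)
WOF_PROVIDER_FILE = 2   # file data lives in the WofCompressedData stream (compact /exe)

# FILE_PROVIDER_EXTERNAL_INFO_V1.Algorithm -> the names compact.exe accepts
ALGORITHMS = {0: "xpress4k", 1: "lzx", 2: "xpress8k", 3: "xpress16k"}


def parse_external_backing(buf: bytes) -> dict:
    """Decode the FSCTL_GET_EXTERNAL_BACKING output buffer.

    Layout: WOF_EXTERNAL_INFO {DWORD Version; DWORD Provider;} followed, for
    WOF_PROVIDER_FILE, by FILE_PROVIDER_EXTERNAL_INFO_V1 {DWORD Version;
    DWORD Algorithm; DWORD Flags;}. Pure Python, so it can be exercised on any
    platform with a constructed buffer.
    """
    if len(buf) < 8:
        raise ValueError("buffer too short for WOF_EXTERNAL_INFO")
    wof_version, provider = struct.unpack_from("<II", buf, 0)
    if wof_version != 1:
        raise ValueError(f"unsupported WOF_EXTERNAL_INFO version {wof_version}")
    info = {"provider": provider}
    if provider == WOF_PROVIDER_FILE:
        if len(buf) < 20:
            raise ValueError("buffer too short for FILE_PROVIDER_EXTERNAL_INFO_V1")
        _ver, algorithm, flags = struct.unpack_from("<III", buf, 8)
        info["provider_name"] = "file"
        info["algorithm"] = ALGORITHMS.get(algorithm, f"unknown({algorithm})")
        info["flags"] = flags
    elif provider == WOF_PROVIDER_WIM:
        info["provider_name"] = "wim"
    else:
        info["provider_name"] = f"unknown({provider})"
    return info


def query_wof_backing(path: str):
    """Windows only: return parse_external_backing() output for a WOF-backed
    file, or None when the file is plain (not externally backed)."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID,
                                    wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    ctypes.POINTER(wintypes.DWORD), wintypes.LPVOID]
    k32.DeviceIoControl.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    # Open flags are my choice (assumption): attribute-only access, full sharing
    FILE_READ_ATTRIBUTES = 0x80
    FILE_SHARE_ALL = 0x7                 # read | write | delete
    OPEN_EXISTING = 3
    FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

    handle = k32.CreateFileW(path, FILE_READ_ATTRIBUTES, FILE_SHARE_ALL, None,
                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, None)
    if handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        out = ctypes.create_string_buffer(64)   # 64 bytes: assumption, ample for V1
        returned = wintypes.DWORD(0)
        ok = k32.DeviceIoControl(handle, FSCTL_GET_EXTERNAL_BACKING, None, 0,
                                 out, len(out), ctypes.byref(returned), None)
        err = ctypes.get_last_error()
    finally:
        k32.CloseHandle(handle)
    if not ok:
        if err == ERROR_OBJECT_NOT_EXTERNALLY_BACKED:
            return None
        raise ctypes.WinError(err)
    return parse_external_backing(out.raw[:returned.value])


def scan_tree(root: str):
    """Yield (path, info) for every WOF-backed file below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                info = query_wof_backing(path)
            except OSError:
                continue            # locked or inaccessible file: skip it
            if info is not None:
                yield path, info


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the FSCTL query needs Windows 10 (the WOF filter driver)")
    for path, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{info['provider_name']}\t{info.get('algorithm', '-')}")
```

Run it as `python wof_scan.py C:\some\dir` (hypothetical file name) on the Win10 box after the compact command above; the compressed file shows up with provider `file` and the algorithm you chose. For tools that do parse NTFS raw, the same files are recognisable by the reparse-point attribute with tag IO_REPARSE_TAG_WOF (0x80000017) and the WofCompressedData alternate data stream, and a collector that just reads the unnamed $DATA stream will see the zero-length placeholder rather than the content.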
