You are browsing the archive for Anti-*.

Anti- techniques refresh A.D. 2019

August 3, 2019 in Anti-*

The old-school malware used to detects Reverse Engineering tools by looking for artifacts created by this type of software. The most common artifacts include Process Names, DLL Names, mutexes, files, Registry Entries, Window Classes / Titles. It’s actually really trivial to catch sysinternals tools, Wireshark, OllyDbg, IDA, etc. by using simple Windows API calls that find Window with a specific class/title…

Long, and always growing lists of ‘interesting’ window classes/titles used by these tools have been circulating within a cracking / malware community for many years & are kinda a standard now. So standard, sometimes they include artifacts as old as these created on Windows 9x (e.g. Softice references that are obsolete today).


I’ve been recently thinking of all these well-known tricks and it suddenly hit me that we don’t really hear much about software targeting newer tools on our scene:

It is handy to review these tools from an attacker perspective – we may be able to collect additional data points that can be easily converted into yara sigs, etc.. And of course, this is a new class of old-is-new-again tricks that may be out there and we are just not focusing on finding yet – a.k.a. potentially missing them.

IDA’s QT windows seem to be hard to spot using your standard window enumerations APIs — the drawing routines are all internal to QT and there are no native Window primitives used by the class other than a generic window belonging to class Qt5QWindowIcon. Still, we can query its window text though and if it contains .idb, or _i64 strings (that refer to IDA database file extensions) chances are high that IDA is running.

GHIDRA is Java-based so windows’ classes are related to it e.g. SunAwtDialog or SunAwtFrame. The Window titles will of course reveal references to the program name e.g. Ghidra: <project name>.

PE-Sieve is a command line tool, so there are no windows created, but it can still be spotted by looking at a process list. Any process with a pe-sieve in name should be a red flag.

Detect It Easy (DiE) is written in QT, and same as IDA doesn’t use native window hierarchy (just one class QWidget). Still, its window titles are revealing the name of a program e.g. Detect It Easy 1.01 or Die.

WinDbg with Time Traveling relies heavily on a bunch of DLLs that will be loaded into a target process:

  • ttdloader.dll
  • ttdplm.dll
  • ttdrecord.dll
  • ttdrecordcpu.dll
  • ttdwriter.dll

Detecting presence of any of these should work as a neat anti-debug trick. (note: I have not explored it enough yet, but it would seem that ttdrecordcpu.dll and ttdwriter.dll are always loaded into a debugged process; others are helper libraries & may not be present in a debuggee’s address space; need to run more tests).

XDBG is a great debugger and gaining more and more users as it breaks Olly’s hegemony when it comes to user mode code analysis – it offers a debugger for both 32- and 64-bit programs. And since it was written in QT as well, it kinda suffers from the same detection limitations as other programs I described above. Still, the window class Qt5QWindowIcon and the Window Title x32dbg or 642dbg give it away. Same goes for process names.

Fakenet-NG is a nice local network redirector. When it’s running, a service called WinDivert xxx is in operation, so it’s one way of to detect it. Others may include spotting boilerplate file content that is delivered on monitored ports — if an analyst forgot to edit these, the content returned by a local server is predictable and can be identified as a default FakeNet reply e.g.:

With regards to WireShark, there are tones of ways to detect it. The filenames in default install directory, the Registry entries, NPCAP/WinPCAP driver/service, Window class/title, the file extensions it takes over, etc. Notably, newer versions of Wireshark also use QT, so you can look for a Qt5QWindowIcon class with a title The Wireshark Network Analyzer.

Sysmon and EDRs is a completely different category. If you see them running — need to rely more on Lolbins, and/or other trickery (e.g. common whitelisting points i.e. directories whitelisted by EDRs/analysts often relying on ‘standard’ configs like e.g. SwiftOnSecurity). There is a growing body of knowledge that focuses on bypassing EDRs and it’s just a matter of time that it will become a de facto part of attackers’ toolkit. Bugs, clever bypasses, code patching etc. are on a rise. It’s also a time we create a curated list of artifacts that EDR tools give away: program locations, processes running, Registry keys, services, etc.

For obvious reasons, I am not listing all artifacts, to make it a little bit harder for the bad guys, but these are potential detections capabilities out there and it’s good to keep them in mind. Not only they can help malware to detect defenders tools, but may also be useful for sandbox vendors / SOC analysts to identify sample behavioral traits as well.

I guess, the Cat and Mouse game continues?

‘Plata o plomo’ code injections/execution tricks

May 26, 2019 in Anti-*, Anti-Forensics, Archaeology, Code Injection, EDR, Living off the land, Malware Analysis, Reusigned Binaries

This post is not about a single injection. It is about a class on its own.

At the moment I know of only two instances of code injection/execution that fit this category perfectly, and I am going to describe them below, but I bet there is more…

First of all, why ‘plata o plomo’? It’s obvious. In today’s world every security research needs a cheezy name ;), right?. Secondly, the ‘plata o plomo’ fits the cases perfectly – it’s ‘either silver, or lead’. And when it comes to code injection/execution – it’s definitely a lead. Or Ulead.

Okay. What about the actual ‘code injection/execution’ bit?

This Endgame post presents a very comprehensive overview of what was out there back when it was written in 2017. It’s a great starter for anyone interested in this topic. However, many things have changed since it was posted + the article omitted a number of interesting techniques anyway.

The below is a summary of all existing code injection tricks that I know/could think of (ping me if I missed anything):

Notably, the last few links on the list above are leading to blog. After reading it for a while, and talking to author on a couple of occasions, and finally eyeballing the github repo associated with posts and older work of the author, I can only bow to this programmer’s coding, and manual code crafting skills! This blog is really high on my list and I highly recommend it!

Anyway… back to the topic of this post:

  • What if I told you… that there are developers our there that make the whole game of code injection extremely easy? No trickery, no code trampolines, no obscure undocumented structures, not even forgotten, legacy code paths, windows shattering, let alone ROP, gadgets to be relied upon. None whatsoever needed.
  • What if I told you that you can just provide an address of the code you want to execute in a nice, user-friendly way ?
  • What if this code actually executed according to your wishes ? In User or Kernel mode.
  • What if I told you the programs facilitating this are signed as well?

In other words: what if code execution/injection was there ‘by design’?

Yes… it’s a mind blowing idea. And yes, as I stated before in my Law Of A Threat Hunter (LOATH):

For every two distant technologies there exist a developer that will bring them together.

So… if you can find such program / driver you get a clean shot at a golden opportunity – a signed process or DLL offering a controlled code execution, and then most likely an AV/EDR bypass. And as I mentioned earlier – there exist at least 2 such applications/kernel drivers that I am aware of that fit this description perfectly, and I bet there are more.

Cuz… if it is signed, then it’s good. Right?

I first heard of Capcom driver from the zerosum0x0 blog (yet another great blog to follow!). The post I linked to introduces a tool called puppetstrings that tries to exploit the vulnerability in a aforementioned capcom driver. The vulnerability is actually supersilly – when you send a special IOCTL request to the capcom driver, it will temporarily disable Supervisor Mode Execution Protection Enable (SNEP) mode, call a callback procedure controlled by the user (in a user address space), then return and restore SNEP state…

How crazy is that? I mean: HOW CRAZY IS THAT ?

When I read about it and the whole concept of ‘Bring Your Own Vulnerability’ (BYOV) for the first time I actually really liked the idea and thought it could be expanded to Bring Your Own Functionality (BYOF). I speculated that there are other applications/drivers that are written in a sloppy way, all for good reasons though – and they may not even need any vulnerability at all! And I finally found my first.

In fairness, I have been actually toying around with the concept of reusigned binaries for a while. Lolbins are easy wins, low-hanging fruits, but there is tones of other legitimate software out there that gives clever users more than the developers meant to. We can re-use signed binaries to give us keylogging capability, kill a process, wipe a drive, spawn a new process if we need it, and modify Registry, install Services, and so on and so forth. Not only it is an interesting area for research – I actually believe that this is an inevitable future of many pentesting or red team engagements, let alone nation attacks. And some of the existing attacks already show that a possession of signed drivers/software that can be used for BYOV/BYOF can be leveraged to bring a lot of havoc – e.g. signed EldoS RawDisk drivers were used by Shamoon to wipe out the orgs’ media.

Welcome the ‘Plata o plomo’ contestant number 2.

Ulead Burn.Now 4.5 is an old app from year 2007 that was used to burn ISOs on CDs/DVDs. Nowadays this feature is not really needed – the whole cloud buzz makes cloud so popular and offers far more space & flexibility that the old (and dying) media burning industry can’t really compare. As far as I can tell this Ulead app is no longer updated, but the beauty of good old is that it is out there.

Now, for the juicy part. Apart from doing what it was meant to, the application (or at least this particular version) includes a very interesting feature (most likely for testing purposes):

  • If you set a specific environment variable to a certain decimal value the app would retrieve it during run-time, convert it into an address, and finally…. make a code jump to that address!

Yes. You hear that right. OMGWTFBBQ. You can literally tell the app to execute your shellcode from a specific location in memory!

Let’s start with a name of that Environment variable:


In the below demo I set it to 195936478 (0xBADC0DE). and then run the application under Olly to demonstrate when the main program jumps to the 0xBADC0DE location:

You may be concerned about required UI interaction. This is actually not an obstacle. If one was about to use it maliciously, one could engage basic GUI automation techniques to ‘click’ that OK button. It’s actually pretty trivial with available APIs (e.g. FindWindow, or enumeration via EnumChildWindows to find the required window, then sending WM_COMMAND/BN_CLICKED, WM_LBUTTONDOWN, etc messages to the button window).

Also, the name of the environment variable is present in a number of components of this application, including a number of DLLs. As such, there is a high possibility that one could simply instrument these DLLs to execute the shellcode e.g. via a customized DLL loader (provided we injected a shellcode beforehand).

A quick grep for GLOBAL_HOOK_ENVIRONMENT_STRING inside the installation directory (c:\Program Files\Ulead Systems\Ulead Burn.Now 4.5 SE) shows the following list of files that include a reference to it:

  • SH_PEShareComm.dll
  • SH_ObjComm.dll
  • SH_BaseDV.dll
  • PS_UndoManager.dll
  • PS_TextMedia.dll
  • PS_RTObjMgr.dll
  • PS_Register.dll
  • PS_PSShareComm.dll
  • PS_PSPhotoAction.dll
  • PS_PS2SlideShow.dll
  • PS_PS2Base.dll
  • PS_PrintCDCoverCtrl.dll
  • PS_PEShareComm.dll
  • PS_PaperTemplDB.dll
  • PS_PaperTemplCtrl.dll
  • PS_ObjComm.dll
  • PS_MenuTool.dll
  • PS_MediaBase.dll
  • PS_IPEDLL.dll
  • PS_GUIBase.dll
  • PS_CommonControl.dll
  • PS_CDLabelBase.dll
  • PS_AddTextCtrl.dll
  • HDRf.dll
  • Fourier.dll
  • CDLabel.dll

All of them are signed. So it’s almost certain that _some_ of these could be loaded outside of the main program, and then instructed to execute the shellcode.

Coming back to where this post started – when it comes to ‘Plata o plomo’ and code injection – it’s always the lead. Developers make and will make stupid mistakes, they write and will write code that is often meant to be only used internally, but sometimes it will make it out to the releases available to general public, and into signed packages.

The lesson learned is that what is green on VirusTotal is never green from a blue teamer’s perspective. We need a better process (and a long way) to declare things ‘truly green’ for that matter. For a long time now we know that the authenticode signatures are just an ersatz of security and while always useful (better to have them than not to), we should no longer rely on them blindly.

Future attacks will engage signed binaries more. There is no doubt. We need a dedicated team of analysts in every security companies to start looking at vulnerabilities present in these, and also ‘built-in’ features that make the ‘green’ VT stuff vulnerable to abuse. Again, I am more than certain there is a lot of this stuff out there. Only a few weeks ago @Oddvarmoe published his findings about the 7z binary he found that is signed by Nvidia. Any such ‘signed popular tool’ instance is interesting from at last two angles:

  • It is signed+ ‘perceived as good in general’, so may (and most likely will) sneak in through EDR/AV filters
  • if it is old version enough, it may include many interesting vulnerabilities – – some may allow to execute shellcode or do some other funny stuff

As such… the era of Lolbins, BYOV, BYOF will catch many companies off-guard.