
Re-sauce, Part 2

November 18, 2020 in Archaeology, Clustering, File Formats ZOO, Forensic Analysis

In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resource instead. Some developers like to use strings to name their resources and use them instead of numerical IDs. Many of these are prefixed with ‘IDD_’, which makes them an easy target for a search.

Grepping through a large collection of exported resources one can find the following ‘custom-named’ resource names (see file).

Browsing through the content one can find a number of IDDs that are clearly very old e.g.

  • IDD_WIZ97SHEET
  • IDD_DISKETTE
  • IDD_INSERT_DISK

but also lots of very boring names e.g.

  • IDD_DIALOG1
  • IDD_DIALOG2
  • IDD_DIALOG3
  • IDD_DIALOG4
  • IDD_ABOUTBOX
  • IDD_DIALOG_FONT
  • IDD_FONT
  • IDD_UNUSED1
  • etc.

— most likely names auto-created by RAD resource editors. There are some funny typos, e.g. IDD_SPLAHSCREEN. Finally, there are also some more enigmatic and interesting names like

  • IDD_DEBUG*
  • IDD_NTOPEN
  • IDD_NTCLOSE
  • IDD_CREDITCARD

but these are not really research-worthy.

How can you use this list?

Apart from being an archaeological curiosity, this list tells you which IDD_ resource names are already known in a ‘good sample set’ space. With that you could create YARA rules, and perhaps more advanced ‘good file’ detections. And if you write a PE viewer/editor/parser, you could highlight these as ‘known good resources’.
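The workflow described above (collect IDD_ names from a clean corpus, then reuse the list as a ‘known good’ hint in a YARA rule or a PE viewer), as an added example that is not code from the original post. The dump format (one exported resource name per line) and the sample names are constructed for illustration; the one detail the post does not spell out is that string-named resources are stored in the PE resource directory as length-prefixed UTF-16LE, which is why the generated YARA strings carry the `wide` modifier.

```python
"""Collect 'known good' IDD_ resource names from a corpus dump and turn them into a YARA rule.

Added example, not code from the original post. The dump format (one resource
name per line) and the sample names are constructed for illustration.
"""
import re
import struct
from collections import Counter
from typing import Iterable

# Constructed sample: what a resource-name dump from a clean corpus might look like.
SAMPLE_DUMP = """\
IDD_ABOUTBOX
IDD_DIALOG1
IDD_DIALOG1
IDD_WIZ97SHEET
IDD_INSERT_DISK
IDR_MAINFRAME
IDD_SPLAHSCREEN
AFX_DIALOG_LAYOUT
IDD_ABOUTBOX
"""

# Dialog identifiers are upper-case C identifiers prefixed with IDD_.
IDD_RE = re.compile(r"^IDD_[A-Z0-9_]+$")


def collect_idd_names(dump: str) -> Counter:
    """Count IDD_-prefixed names in a newline-separated dump; other names are ignored."""
    counts = Counter()
    for line in dump.splitlines():
        name = line.strip()
        if IDD_RE.match(name):
            counts[name] += 1
    return counts


def decode_resource_dir_string(data: bytes) -> str:
    """Decode an IMAGE_RESOURCE_DIR_STRING_U entry: a WORD character count
    followed by that many UTF-16LE code units (no terminator)."""
    (length,) = struct.unpack_from("<H", data, 0)
    raw = data[2:2 + 2 * length]
    if len(raw) != 2 * length:
        raise ValueError("truncated resource directory string")
    return raw.decode("utf-16-le")


def encode_resource_dir_string(name: str) -> bytes:
    """Inverse of decode_resource_dir_string; handy for building test fixtures."""
    raw = name.encode("utf-16-le")
    return struct.pack("<H", len(raw) // 2) + raw


def classify(name: str, known_good: Iterable[str]) -> str:
    """Label a resource name for a PE viewer: seen in the clean corpus or not."""
    return "known-good" if name in set(known_good) else "unseen"


def build_yara_rule(names: Iterable[str], rule_name: str = "known_good_idd_resource_names") -> str:
    """Emit a YARA rule matching any of the names. Resource names live in the PE
    resource directory as UTF-16LE, hence the 'wide' modifier on each string."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(sorted(set(names))):
        lines.append(f'        $n{i} = "{name}" wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    known = collect_idd_names(SAMPLE_DUMP)
    print(known.most_common())
    print(classify("IDD_ABOUTBOX", known), classify("IDD_NOT_IN_CORPUS", known))
    print(build_yara_rule(known))
```

The rule is a ‘good file’ hint, not a malware detection: a hit only says the binary carries a dialog name that was also seen in the clean corpus, which is exactly the kind of context a PE viewer can surface as ‘known good resource’.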

Overall, curiosity more than anything useful, but that’s one of the reasons why we are digging it… out.

manifest comclass curiosity

October 22, 2020 in Archaeology

When I looked at certutil I spotted one interesting bit: its manifest included a reference to ‘certadm.dll’ and ‘comClass’.

<file name = "certadm.dll">
    <comClass description = "ICertAdmin2"
        clsid = "{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}"
        threadingModel = "Both"/>
    <comClass description = "CCertAdmin"
        clsid = "{37eabaf0-7fb6-11d0-8817-00a0c903b83c}"
        threadingModel = "Both"/>
    <comClass description = "ICertView2"
        clsid = "{d594b282-8851-4b61-9c66-3edadf848863}"
        threadingModel = "Both"/>
    <comClass description = "CCertView"
        clsid = "{a12d0f7a-1e84-11d1-9bd6-00c04fb683fa}"
        threadingModel = "Both"/>
</file>

Once I spotted it I immediately jumped on it, hoping that this is yet another rare persistence/side-loading opportunity. Not only is ‘certadm.dll’ not present on new OS versions (a phantom DLL!), but the `comClass` element suggests one could load COM DLLs when a given application leverages this loading mechanism, which the COM documentation refers to as side-by-side, registration-free COM.

Another interesting bit is that certutil.exe is an orphan when it comes to manifests with comClass. Yes, this is the only native OS executable I could find that has a manifest actually referencing comClass!

Sadly, in the end I was not able to side-load anything or instantiate anything, but the idea sticks. Perhaps people more accustomed to COM can shed some light on how to use it?
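One defensive use of the observation above is an inventory: walk the manifests you care about, list every `comClass` a `<file>` element declares, and note referenced files that are not actually present next to the executable (the ‘phantom DLL’ case). The following is an added example and not code from the original post; the `assembly` wrapper, its namespace and the `assemblyIdentity` values are constructed, while the `file`/`comClass` entries echo the certutil snippet quoted above.

```python
"""Inventory comClass entries (registration-free COM) in an application manifest.

Added example, not code from the original post. The manifest wrapper (assembly
element, namespace, assemblyIdentity values) is constructed for illustration;
the file/comClass entries echo the certutil snippet quoted in the post.
"""
import os
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed sample manifest. Real manifests place elements in the asm.v1 namespace.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.App" version="1.0.0.0" type="win32"/>
  <file name="certadm.dll">
    <comClass description="ICertAdmin2"
        clsid="{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}"
        threadingModel="Both"/>
    <comClass description="CCertAdmin"
        clsid="{37eabaf0-7fb6-11d0-8817-00a0c903b83c}"
        threadingModel="Both"/>
  </file>
</assembly>
"""


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_comclasses(manifest_xml: str) -> List[Dict[str, str]]:
    """Return one record per <comClass> found under any <file> element.
    Namespace-agnostic, so a bare <file> snippet without xmlns parses as well."""
    root = ET.fromstring(manifest_xml)
    records: List[Dict[str, str]] = []
    for file_el in root.iter():  # root.iter() includes the root element itself
        if _local_name(file_el.tag) != "file":
            continue
        dll = file_el.get("name", "")
        for child in file_el:
            if _local_name(child.tag) == "comClass":
                records.append({
                    "file": dll,
                    "clsid": child.get("clsid", "").lower(),
                    "description": child.get("description", ""),
                    "threadingModel": child.get("threadingModel", ""),
                })
    return records


def find_phantom_files(records: List[Dict[str, str]], exe_dir: str,
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Referenced files that are absent from the executable's directory.
    Registration-free COM resolves <file name> relative to the application, so a
    missing file is worth flagging in an inventory. `exists` is injectable for tests."""
    missing = {r["file"] for r in records
               if not exists(os.path.join(exe_dir, r["file"]))}
    return sorted(missing)


if __name__ == "__main__":
    recs = extract_comclasses(SAMPLE_MANIFEST)
    for r in recs:
        print(f'{r["file"]}: {r["description"]} {r["clsid"]} ({r["threadingModel"]})')
    # Placeholder directory; on a real system pass the executable's folder.
    print("phantom files:", find_phantom_files(recs, "/path/to/app"))
```

Run over a folder of extracted manifests this gives a quick answer to the question the post raises (which binaries reference `comClass` at all), and the phantom-file list is the set of references an application would fail to resolve on that system.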