You are browsing the archive for Forensic Analysis.

← Previous Entries

Beyond good ol’ Run key, Part 73

March 15, 2018 in Anti-Forensics, Autostart (Persistence), Compromise Detection, EDR, Forensic Analysis, Incident Response, Living off the land

If you have a dvdplay.exe program on your system you can quickly do two things with it:

  • use it to disturb the process tree
  • leveraging the fact it is a signed binary – add it to any common startup place and achieve a nice, invisible persistence mechanism, possibly bypassing some security  solutions (they will just detect entries pointing to a signed binary and nothing else)

How?

The dvdplay.exe program is a simple wrapper that actually calls wmplayer.exe. But not the one you would expect.

In order to find a path to the wmplayer, it reads the following Registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
"Path"="c:\\malware\\"

So… changing that path to any path in your control, you can drop your wmplayer.exe there and voila!

Comments Off on Beyond good ol’ Run key, Part 73

Certain Windows… stay classy… part 2

March 11, 2018 in Forensic Analysis

In one of the older posts I listed a number of very recognizable windows classes that can be found hard-coded as strings inside various programs (including malware). The intention there was to help with a recognition of a compiler/protector/installer that was used to create/build/protect the file.

I thought it would be good to expand this list with a whitelist of common classes created by various legitimate Windows applications. Such list may help to determine which windows classes are potentially anomalous (e.g. if you run ‘windows’ or ‘wintree’ command in volatility).

Here’s a short list I came up so far – if you see any class missing, please let me know and I will add it:

  • $$$UI0Background
  • _SearchEditBoxFakeWindow
  • {37E561C9-40E3-44de-AF62-CECD75524364}
  • ActionsMenuOwner
  • Address Band Root
  • AMNotificationDialog
  • AppResizeAcc
  • AudioDevStubWindow32
  • AutoplayHandlerChooser
  • AVIWnd32
  • Breadcrumb Parent
  • Button
  • CabinetWClass
  • CDDEServer
  • CDVDMsgWindowClass
  • CicLoaderWndClass
  • CM Monitor Window
  • ComboBox
  • ComboBoxEx32
  • COMPDESK_DISPALYCHANGE_CLASS
  • Compose_CvPgPreview
  • ConnectionManagerMsgProc
  • ConsoleWindowClass
  • CtlFrameWork_Parking
  • CtrlAccWindow
  • CtrlNotifySink
  • CustomEventWindowClass
  • DDE Channel
  • DDE Server Window
  • DDE ViewObj
  • DeviceUpdateClass
  • DIEmWin
  • DocWndClass
  • DragWindow
  • DsPropNotifyWindow
  • DummyDWMListenerWindow
  • Dwm
  • EalMessageWindow
  • Edit
  • elevationdummy
  • EnhancedStorageAuthentication
  • ERCUITHREADMARSHALLER
  • Event Viewer Snapin Synch
  • EVRFullscreenVideo
  • EVRPowerMsgWindowClass
  • EVRVideoHandler
  • EvtQProcWndClass
  • FaxME_DocHost
  • FaxTiffView_Host
  • FDBthProviderClass
  • FloatNotifySink
  • Fn Notify Window
  • FocusMonitorWindowClass
  • GDI+ Window
  • GestureArbitrationEngineWindowClass
  • Ghost
  • GhostDivider
  • GRIDWNDCLASS
  • HH CustomNavPane
  • HH Parent
  • HH SizeBar
  • HH_API
  • HidServClass
  • HighlightCursorClass
  • HitTestWorker
  • HostCtrlAccWindow
  • IEFrame
  • InkEditReflectClass
  • invisible bmp window
  • Isolation Thread Message Window
  • ItemWndClass
  • JobPropWnd
  • JointDivider
  • JointResizeAcc
  • KBEMWndClass
  • L21DecMsgWnd
  • listbox
  • LOCATIONNOTIFICATION
  • Magnifier
  • MCI command handling window
  • mdiclient
  • MDRESNOTIFYCLASS
  • MESSAGE
  • MGMTAPI Notification Class
  • MNC_TaskmanWindow
  • MobilityCenterHelpButton
  • MobilityCenterIcon
  • MobilityCenterStatusText
  • MobilityCenterTileName
  • MouseMonitorWindowClass
  • MRT
  • MS:SyncNotificationWindow
  • MS:WPDStatusProviderNotificationWindow
  • MSAA_DA_Class
  • MSCTFIME Composition
  • msctls_progress32
  • msctls_statusbar32
  • msctls_trackbar32
  • msctls_updown32
  • MstscRemoteSessionsMgrWndClass
  • MTVDragInputHandler
  • NarratorTIEWIndowClass
  • NarratorTouchWindow
  • Notepad
  • NotificationsMenuOwner
  • OCHost
  • OE_Envelope
  • OleDocWndClass
  • OleSrvrWndClass
  • Palette Watcher
  • PCALUA
  • PowerCPL Message Window
  • PPCHiddenWindow
  • proquota
  • PRSEVENTRECEIVER
  • RadioButtonList
  • RdpClipRdrWindowClass
  • RdpSaInvitationManagerHiddenWindowClass
  • RDPSoundDVCWnd
  • RDPSoundInputWnd
  • RdvSessionMonitorClass
  • ReBarWindow32
  • RectWndClass
  • REListBox20W
  • RelMonGraphWindow
  • RICHEDIT
  • RICHEDIT50W
  • RunDLL
  • RunLegacyCPL
  • Scroll
  • SCROLLBAR
  • Search Box
  • SearchEditBoxWrapperClass
  • SeparatorBand
  • Shell Preview Extension Temporary Parent
  • Shell_Dim
  • Shell_SecondaryTrayWnd
  • Shell_TrayWnd
  • SI WMP sync hidden window
  • SJE_FULLSCREEN
  • SlideshowCache
  • SlideshowManager
  • SoftKBDClsC1
  • SoftKBDClsT1
  • SoftkbdIMXOwnerWndClass
  • SPACEAGENT!PNP!MESSAGEWND
  • SrvrWndClass
  • SSDemoParent
  • Static
  • StubNtPrintWindow
  • StubPrintWindow
  • StubWindow32
  • sync hidden window
  • SysHeader32
  • SysLink
  • SysListView32
  • SysMonthCal32
  • SysPager
  • SysTabControl32
  • SystemMonitorWindowClass
  • SystemTray_Main
  • SysTreeView32
  • TabCal_WndClass
  • TabletModeCoverWindow
  • TabletModeInputHandler
  • Tapi32WndClass
  • Task Host Window
  • TaskListOverlayWnd
  • TaskListThumbnailWnd
  • TextRendererMsgProc
  • TiBusUpdate
  • ToolbarWindow32
  • tooltips_class32
  • TravelBand
  • TrayDummySearchControl
  • TrayInputIndicatorWClass
  • TrayNotifyWnd
  • TrayShowDesktopButtonWClass
  • TSC_POPUP_PARENT_WNDCLASS
  • TSMF Geometry
  • UIAInvokeHelperWndClass
  • UIManager Message Window
  • UniversalSearchBand
  • UpBand
  • URL Moniker Notification Window
  • UserAdapterWindowClass
  • VBBubbleRT6
  • VBFocusRT6
  • VisualViewportMessageWindow
  • VolNotifySink
  • WdcGraphWindow
  • WebInstanceCoreInputWindow
  • Webview Window
  • WiaPreviewControl
  • WMPMessenger
  • WMPSimpleMessageWindow
  • WMPTransition
  • WorkerA
  • WorkerMessageWindow
  • WorkerW
  • WusaHidden
  • XAMLMessageWindowClass
  • XAMLWebViewHostWindowClass
  • XCPDeferredClass
  • XCPTimerClass
  • XMLMimeWnd
  • YO
  • ZIP Folder STUB window

Comments Off on Certain Windows… stay classy… part 2

← Previous Entries