You are browsing the archive for Random ideas.

Beyond good ol’ Run key, Part 78

April 29, 2018 in Autostart (Persistence), Random ideas

This is an idea I had for a very long time, and I partially described it in the past except this time the mechanism I am thinking of is slightly different; I hesitated to come back to it because unlike SysLink example I still have not found a good candidate to demonstrate it. I do have one or two examples that should potentially work except it’s a functionality that is probably discontinued (as far as I can tell); and even if it is not it’s still one that is used so rarely that it doesn’t really matter from a practical point of view; I will refer to these candidates below.

In any case I think it’s good to add 5 cents to the old idea itself as it shows yet another potential way of achieving stealthy persistence w/o modifying Registry and .exe files.

The concept is as I described previously and based on the fact some programmers are trying to squeeze in all the data into program resources. In the past many of these resources would reside directly inside the program’s .exe file, nowadays a lot of them are stored inside the .mui files. If you don’t know what .mui file are – they are Multilingual User Interface resource files.

To get quickly familiar with their importance try to copy c:\windows\notepad.exe to a different folder and launch it from there. You won’t see Notepad starting, because it requires these .mui program resources. And these are stored under the OS directory inside a dedicated language folder e.g. on American English Windows it’s c:\windows\system32\en-US. In order to run Notepad from a different folder you need to copy not only notepad.exe to the new folder, but also its resources en-US\notepad.exe.mui (and you have to preserve this language symbol-based directory structure).

The modification of the .mui file is handy from a localization perspective, but not only. Imagine a piece of code that reaches out to .mui resources, fetches a string and then passes it directly to ShellExecute function (or one of its variants). Something along these lines:

If you can modify the string inside the resources you will control what is being passed to ShellExecute API. As such, you may achieve a very stealthy persistence, or perhaps LOLBIN-like functionality.

Now… the problem is finding such candidate program.

This is incredibly difficult, but not impossible. The above snippet of code comes from shwebsvc.dll. From a bit of a research and guesswork I did it seems to be executed when users of the Order Print function decide to print photos using the online services (these are provided by various retailers in their area). This blog post shows how it looks like in practice. As far as I can tell the string 2505 from my example is used when the user clicks ‘please read our privacy statement’ link:

(Copyright notice: the screenshot copied from the https://www.askdavetaylor.com/how_to_use_online_photo_printing_service_windows/ post).

So, it is very similar to the SysLink example except here there is a direct handling of the click inside the DLL.The second candidate is inside the comsnap.dll that is a COM+ Explorer MMC Snapin. Again, its usefulness for this sort of trick is a subject for a debate.

I doubt further research will discover lots more of such candidate files, not only inside the native OS libraries, but also in popular software, but who knows…

NTFS Sparse files – another possible quick anti- trick

April 25, 2018 in Anti-*, Anti-Forensics, Malware Analysis, Random ideas, Sandboxing

A number of tricks that cause trouble to sandboxes, as well as malware analysts leverage less known features of NTFS (note: less known to programmers and perhaps reversers than to forensic experts). NTFS is rich in features and malware successfully abused these in the past, and… still does nowadays e.g. storing the code and data inside the Alternate Data Streams, Extended Attributes, toying around with Unicode character set by using RTLO (Right To Left Override) or homographic attacks to hide or obfuscate file names.

What about Sparse files?

The way it works is that one can create a normal file using e.g. CreateFile API then use the FSCTL_SET_SPARSE control code to make this file grow in a perceived size very quickly. The change is instant as the system allocates a chain of clusters for such file inside the $MFT and does so in a smart way without actually using physical clusters that it would normally fill in with data (zeroes). So large these files can become that copying them outside of lab/sandbox will cause a lot of trouble, and who knows, in some cases may even DoS the whole lab device or network.

There is also one more trick that can be done here (while it doesn’t require using sparse files per se it is certainly easier to deliver it with this specific feature being enabled): a slightly more complex malware could artificially generate a new payload – a large PE file (and creating it in a sparse mode would be the fastest way to do so).  It would then fill it in with a modified PE header/sections data and sections placed in the vast space of a new file yet in a way that the file can be still executed. There are some constraints against maximum size and available memory of course. Again, it will be impossible to copy such file outside the lab/sandbox w/o either compressing it or shrinking it somehow. It may also be harder to dump its memory and post-process/analyze it efficiently (note that if these artificially created PE sections are large enough malware could fill it in memory with a lot of random data so the memory dump would contain some ‘data’ – imagine how long would it take to generate strings from it).

And last but not least – such trickery may affect forensic evidence processing – such files would be certainly harder to extract. I don’t know what techniques forensics software can use to ensure extraction of sparse files is done efficiently (and how forensic software deals with it today), but well… using sparse files for the output could be probably a good idea? Also, how to browse such files efficiently? Some special mode that removes zeroes from the output and shows ‘islands’ of data? Some food for thought.

No PoCs as it is just a random thought.