You are browsing the archive for Reversing.

Hunting for additional PE timestamps

January 4, 2019 in Batch Analysis, Clustering, File Formats ZOO, Malware Analysis, Reversing

Over the years I published a number of posts about file timestamps. Not the file system timestamps, but timestamps hidden inside the actual file content.

I wrote that there is a way to ‘heuristically’ carve timestamps from binary files. I have also provided some compilation timestamps stats for PE files, and discussed less-known Java folder timestamps. And when we talk about the PE files specifically, there is an PE compilation timestamp discussion in a context of timestomping. There is also a bit of rambling about the infamous Borland/Delphi resource timestamp.

Anyone who ever looked at the PE file specification or various PE Dump reports knows there are possibly more timestamps hidden inside these executable files.

For starters, we can look for timestamps sometimes present in additional PE file areas e.g. hidden inside a debug section, or even file’s signature – if they exist. There is an information about a compiler / linker version, Rich Header, .NET version, imported and exported APIs, imported DLLs, etc. All of them may help to narrow down the timeframe when the file was created. The DiE tool does a good job in helping with extraction of some of this information.

We can do a lot of guesswork based on the information available inside the metadata as well, for example by simply looking at file’s Version information block, or manifest. Then there are good old strings: if we are lucky the unencrypted strings embedded in a main file/configuration/update can get us an immediate answer. We may also rely on indirect references to time e.g. by looking at versions of statically compiled libraries (sometimes you can see actual version strings), sometimes bugs in code, and debug / verbosity logs that have not been stripped off from the release version; sometimes dates are included in the PDB string itself, and then sometimes there is a never-shown usage info, or even dead code that may include a dated ‘copyright’ note from the malicious author. These may be also included as comments inside the scripts, in case the binary file is a host to an interpreted code (this happens pretty often with older malware based on AHK, VBE, etc.). Advanced malware analysts can often deduce the version / rough time period of protector layers by just looking at the code (they can, because they write decrypters for this mess and often adjust code, even on daily basis).

Now, all of these can be modified, or fixed because they are very well-known. But there are more timestamps we can look at.

When we read the PE file documentation we can notice that it is rich in descriptions of all these additional timetstamp fields available.

The problem is… most of the time they are always zeroed.

But…

It is actually not always the case!

I was reading the description of the VS_FIXEDFILEINFO structure, and I realized that I never seriously looked at the two timestamp fields it includes:

dwFileDateMS Type: DWORD

The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.

dwFileDateLS Type: DWORD

The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.

So, I wrote a quick parser to search my PE metadata logs for samples where the values of these fields are not zero. And if not zero, must be within a certain, reasonable timestamp range (compiled between year 2000, Jan 1st, and today).

To my surprise, the script started spitting out names of samples that had these fields populated. Very often the values would be identical with a PE Compilation timestamp, but in some cases would be off by a few minutes, sometimes days and months. Since such cases provide a range between the version info compilation and actual PE file compilation it could provide an additional information about the timeframe of active development of the sample.

An example of such file can be found here.

An obvious question appears: which compilers/linkers produce these correctly compiled executables?

I don’t know at this stage. Also, despite some good results I need to emphasize that most of samples do not include a valid timestamp. Still… when it’s available… why shouldn’t we be extracting it?

How to find new persistence tricks?

October 14, 2018 in Autostart (Persistence), Personal, Preaching, Reversing

Every once in a while people ask me how do I find all this stuff.

The TL;DR; answer is simple: curiosity + reading Microsoft documentation + other peoples’ research + applying some automation.

At first, it was really just some curiosities that I could not explain when I was less experienced in reversing e.g. the Visual Basic VBA Monitors. When you use Procmon a lot, some of the stuff you see in the logs eventually gets stuck in your head and becomes really familiar. Such was the case with the HKLM\SOFTWARE\Microsoft\VBA\Monitors key that I saw anytime I was analysing a VB application with Procmon. I could not explain it and was curious what it is for…. googling around didn’t bring any answers. Eventually I started analysing the actual code that triggers that behavior and that’s how Beyond good ol’ Run key, Part 6 was born…

Then there is obviously a number of them that was a result of manual, often annoyingly time-consuming code analysis. There were times where I couldn’t find anything new for a few months. Perhaps assumptions were wrong; perhaps we have already discovered it all… at least so I thought every once in a while…. But… then… they keep coming… not only from me, but also from others… And it’s hard to explain how it is even possible… For instance, the recent one is a perfect example of a situation where the random luck played a role a lot. While looking at some unrelated stuff inside the kernel32.dll I happened to spot the bit that was loading the callback DLLs. With so many people looking at kernel32.dll over the years I still find it amazing we find new stuff there all the time.

Many other cases were a result of a more deliberate research; for instance, many persistence mechanisms I described rely on the fact that some programs or components load a number of DLLs that are executed one by one after they are listed under a certain location in the Registry. Such activity needs to rely on Registry enumeration APIs. If you can find programs or DLLs that use these functions you will most likely find possible persistence mechanisms!

And then there are keywords e.g. ‘providers’, a very popular way to name a place in the Registry where a lot of plug-ins are loaded from. Example of possible enumerations for some keys that include the keyword ‘providers’ is shown below:

  • SYSTEM\CurrentControlSet\Control\Cryptography\Providers
  • System\CurrentControlSet\Control\SecurityProviders\SSI\Providers
  • SYSTEM\CurrentControlSet\Services\LanmanServer\ShareProviders
  • System\CurrentControlSet\Services\RemoteAccess\Accounting\Providers
  • System\CurrentControlSet\Services\RemoteAccess\Authentication\Providers
  • SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
  • SYSTEM\CurrentControlSet\Services\WbioSrvc\Service Providers
  • SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
  • System\CurrentControlSet\Services\WinTrust\TrustProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\ComInterfaceProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\VendorSpecificIEProviders

I also mentioned Microsoft Documentation; it’s like a RFC for Windows programming. I have read a lot of it over the years, and every once in a while some of that old knowledge comes back to me. Ideas for tricks around DDE, WM_HTML_GETOBJECT  as well as the Propagate trick (SetProp) are result of my experience actually coding for Windows for more than 10 years. These (especially old, legacy) things stay with you and sometimes bring some really refreshing ideas. Not only for persistence tricks.

Then there are ‘magic’ APIs… if you read code and see references to ShellExecute, WinExec, CreateProcess, LoadLibrary, CoCreateInstance and their numerous variations and wrappers you will soon discover that the Windows ecosystem hardly re-uses code; or, more precisely, it does re-use a lot of it, but it also relies on lots of custom paths that are added to it. Lots of code snippets you come across look like a custom programming endeavor of the coder who wrote that part of the program just to test an idea. It’s actually a normal, even expected behavior in such a sea of code. But… quite frankly…. we really have to thank Microsoft Programmers for all the testing & debugging code and error messages/strings that are shipped with the OS. This helps a lot!

All of these unexpected and probably meant-private/for lab-only code paths provide a lot of interesting opportunities… both for persistence, and LOLBINs; anyone who just dares to look for it will eventually find something.

I am fascinated by it; the actual persistence bit is less important, even if on occasion the ‘novelty’ of some of these techniques may have the ‘wow’ factor ; the real pleasure for me is derived from these three things:

a) an opportunity to read lots of other peoples’ code and sharpen my reverse engineering skills

b) learn how the system works under the hood

c) being ahead of a curve with regards to forensic analysis

Actually, the a) and b) are equivalent… the c) is an obvious bit.

If you think of the books like Windows Internals, or The Art of Memory Forensics, the majority of the information that the authors rely on is a result of direct or indirect contact with the actual system internals (and these guys did it a lot). There is no magic wand. Yes, there are source leaks, there are ex-MS programmers becoming researchers who had an access to the source at some stage and for some time can leverage their privileged position, but I’d say that majority of the discoveries presented at conferences over last 30 years, as well in books and written on the blogs is relying on the work of all these poor reversing souls sitting and digging in the OS code all the time. Some of them even become famous and get hired by Microsoft :).

Many developers curse unpredictable behavior of some APIs, complain about the way things work, yet often are unable to pinpoint the exact reason for a certain behavior so that the root case can be analyzed. In my eyes, an ability to dig into code of others, whether the source is available or not, is the core skill of any programmer, and… perhaps even information security professional. None of the reversing, forensic, vulnerability research tools would exist w/o this ‘poke around in other people’s code’ infosec branch.

So… if you want to find new persistence tricks… pick up any code you think has a potential, start digging, and actually discover how things work under the hood. Or at least 0,000001% of it. And no, whatever you find, you don’t need to blog about these new persistence discoveries at all – get out of my lawn! 😉