ShimBad the Sailor, Part 2

March 20, 2020 in Anti-Forensics, Reversing, Sandboxing

This part is more about archaeology than anything else.

The built-in SHIM database includes a number of test shims, which I will cover below.

On Windows XP, you will find these two:

So, if you happen to name your executable one of these:

  • WindowsXPAppsHelpMechanismBlockedTestApp.exe
  • WindowsXPAppsHelpMechanismTestApp.exe

you can immediately see their effect after you try to run them on XP:

WindowsXPAppsHelpMechanismBlockedTestApp.exe

WindowsXPAppsHelpMechanismTestApp.exe

On Win7 there are a few more:

  • AppsHelpMechanismTestAppBadMsg.exe
  • AppsHelpMechanismTestAppBadMsgBlocked.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp.exe
  • WindowsXPAppsHelpMechanismTestApp.exe

The first one runs with no issues.

The second one is blocked without any indication.

The visible messages are as follows:

WindowsXPAppsHelpMechanismBlockedTestApp.exe

WindowsXPAppsHelpMechanismTestApp.exe

Finally, on Win10 it goes as follows:

  • AppsHelpMechanismTestAppBadMsg.exe
  • AppsHelpMechanismTestAppBadMsgBlocked.exe
  • BlockedTestApp_AMD64.exe
  • BlockedTestApp_AMD64_ANY.exe
  • BlockedTestApp_WOW64.exe
  • BlockedTestApp_X86_AMD64.exe
  • BlockedTestApp_X86_ANY.exe
  • BlockedTestApp_X86_WOW.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp2.exe
  • WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe

and visible outputs are:

  • AppsHelpMechanismTestAppBadMsgBlocked.exe
  • BlockedTestApp_WOW64.exe
  • BlockedTestApp_X86_AMD64.exe
  • BlockedTestApp_X86_ANY.exe
  • BlockedTestApp_X86_WOW.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp2.exe
  • WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe

Okay. That’s it.

Hmm, not really… digging through the internals of the SDB on Windows 10 one more time, I gathered the following (and hopefully complete) list of all the test suite items:

  • AppsHelpMechanismTestAppBadMsg.exe
  • AppsHelpMechanismTestAppBadMsgBlocked.exe
  • BlockedTestApp_AMD64.exe
  • BlockedTestApp_AMD64_ANY.exe
  • BlockedTestApp_WOW64.exe
  • BlockedTestApp_X86_AMD64.exe
  • BlockedTestApp_X86_ANY.exe
  • BlockedTestApp_X86_WOW.exe
  • WICAMockAppReinstallUpgrade.exe
  • WICAMockAppReinstallUpgrade2.exe
  • WICAMockAppReinstallUpgrade3.exe
  • WICAMockAppReinstallUpgradeInfo.exe
  • WICAMockAppReinstallUpgradeWarn.exe
  • WICAMockAppReinstallUpgradeWarnBackup.exe
  • WindowsTH_BlockedSetupTestApp.exe
  • WindowsTH_TestApp_HardBlock_FWLink.exe
  • WindowsTH_TestApp_HardBlock_KBArticle.exe
  • WindowsTH_TestApp_HardBlock_NoInfo.exe
  • WindowsTH_TestApp_HardBlock_StoreId.exe
  • WindowsTH_TestApp_HardBlock_Wildcard1.exe
  • WindowsTH_TestApp_HardBlock_Wildcard2.exe
  • WindowsTH_TestApp_SoftBlock_FWLink.exe
  • WindowsTH_TestApp_SoftBlock_KBArticle.exe
  • WindowsTH_TestApp_SoftBlock_NoInfo.exe
  • WindowsTH_TestApp_SoftBlock_StoreId.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp.exe
  • WindowsXPAppsHelpMechanismBlockedTestApp2.exe
  • WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe
  • WindowsXPAppsHelpMechanismTestApp.exe
  • WindowsXPAppsHelpMechanismTestApp2.exe
  • WindowsXPAppsHelpMechanismTestAppSpecific.exe

So, how could you use it for malicious purposes? I dunno… One thought I have is about emulators. If you created a child process using one of these names (creation of such a process should fail by SHIM design), could you use the successful exit code from that process to detect an emulator?
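The defender-side counterpart to the archaeology above is knowing which executable names your own shim database carries entries for. The following is an added example, not the post's tooling: a minimal walker for the .sdb tag format (12-byte header with the "sdbf" magic, 16-bit tags whose high nibble is the data type, LIST/STRING/BINARY tags carrying a DWORD length, and STRINGREF values resolved as offsets into the STRINGTABLE payload at the end of the file, the layout as implemented by ReactOS's apphelp). It lists the NAME of every EXE entry under the DATABASE tag. To run offline it builds a constructed sample blob (the names in SAMPLE_NAMES are taken from the lists above plus an invented "somevendorapp.exe"); pass the path of a real sysmain.sdb from %SystemRoot%\AppPatch to walk the actual database.

```python
"""Minimal walker for the binary Shim Database (.sdb) tag format, listing EXE entry names."""
import struct
import sys

# A tag is 16 bits; its high nibble is the data type (layout as in ReactOS's apphelp).
TAG_TYPE_MASK = 0xF000
FIXED_SIZE = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, 0x6000: 4}  # NULL..STRINGREF
SIZED_TYPES = (0x7000, 0x8000, 0x9000)   # LIST, STRING, BINARY: a DWORD length follows the tag
TAG_DATABASE, TAG_EXE, TAG_STRINGTABLE = 0x7001, 0x7007, 0x7801
TAG_NAME, TAG_STRINGTABLE_ITEM = 0x6001, 0x8801
HEADER_LEN = 12   # major version, minor version (DWORDs), then the "sdbf" magic


def iter_tags(data, start, end):
    """Yield (tag, payload_offset, payload_size) for every tag in data[start:end]."""
    pos = start
    while pos < end:
        (tag,) = struct.unpack_from("<H", data, pos)
        kind = tag & TAG_TYPE_MASK
        if kind in FIXED_SIZE:
            size, off = FIXED_SIZE[kind], pos + 2
        elif kind in SIZED_TYPES:
            (size,) = struct.unpack_from("<I", data, pos + 2)
            off = pos + 6
        else:
            raise ValueError("unknown tag type 0x%04x at offset %d" % (tag, pos))
        yield tag, off, size
        pos = off + size


def list_exe_names(data):
    """Return the NAME of each EXE entry under the DATABASE tag, resolved via the string table."""
    if len(data) < HEADER_LEN or data[8:12] != b"sdbf":
        raise ValueError("not an SDB file (missing 'sdbf' magic)")
    db = strtab = None
    for tag, off, size in iter_tags(data, HEADER_LEN, len(data)):
        if tag == TAG_DATABASE:
            db = (off, size)
        elif tag == TAG_STRINGTABLE:
            strtab = (off, size)
    if db is None or strtab is None:
        raise ValueError("DATABASE or STRINGTABLE tag missing")

    def resolve(ref):
        # A STRINGREF is the offset of a STRINGTABLE_ITEM relative to the string table payload.
        item = strtab[0] + ref
        if item + 6 > strtab[0] + strtab[1]:
            raise ValueError("string reference 0x%x points outside the string table" % ref)
        tag, length = struct.unpack_from("<HI", data, item)
        if tag != TAG_STRINGTABLE_ITEM:
            raise ValueError("string reference 0x%x does not point at a string item" % ref)
        return data[item + 6:item + 6 + length].decode("utf-16-le").rstrip("\0")

    names = []
    for tag, off, size in iter_tags(data, db[0], db[0] + db[1]):
        if tag != TAG_EXE:
            continue
        for ctag, coff, _ in iter_tags(data, off, off + size):
            if ctag == TAG_NAME:
                names.append(resolve(struct.unpack_from("<I", data, coff)[0]))
                break
    return names


def build_sample_sdb(exe_names):
    """Construct a tiny SDB blob with one EXE entry per name (sample data, not a real sysmain.sdb)."""
    strtab, refs = b"", {}

    def intern(text):
        nonlocal strtab
        if text not in refs:                      # reuse one string-table item per distinct string
            refs[text] = len(strtab)
            encoded = text.encode("utf-16-le") + b"\0\0"
            strtab += struct.pack("<HI", TAG_STRINGTABLE_ITEM, len(encoded)) + encoded
        return refs[text]

    exes = b""
    for name in exe_names:
        body = struct.pack("<HI", TAG_NAME, intern(name))
        exes += struct.pack("<HI", TAG_EXE, len(body)) + body
    db_body = struct.pack("<HI", TAG_NAME, intern("sample-db")) + exes
    database = struct.pack("<HI", TAG_DATABASE, len(db_body)) + db_body
    stringtable = struct.pack("<HI", TAG_STRINGTABLE, len(strtab)) + strtab
    return struct.pack("<II", 2, 1) + b"sdbf" + database + stringtable


# Constructed sample: two names from the post's test-suite list plus an invented ordinary one.
SAMPLE_NAMES = ["AppsHelpMechanismTestAppBadMsg.exe", "somevendorapp.exe",
                "WindowsTH_TestApp_HardBlock_NoInfo.exe"]

if __name__ == "__main__":
    # Usage: python sdb_exes.py [path\to\sysmain.sdb]   (no argument: parse the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sdb(SAMPLE_NAMES)
    for exe in list_exe_names(blob):
        print(("TEST  " if "TestApp" in exe else "      ") + exe)
```

The walker only descends into EXE entries directly under DATABASE and ignores everything else (LIBRARY, SHIM, LAYER and the per-entry MATCHING_FILE / SHIM_REF children), which is all that is needed to answer "which names have an entry?"; a real database also carries BYTE, QWORD and BINARY tags, and the type-nibble dispatch skips those correctly without interpreting them.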

Windows Symbols A.D. 2020

March 20, 2020 in How to..., Reversing

I may be in the minority, but I do use Windows Firewall on most of my boxes. I deny all connections by default, including some of the predefined ones, and only selectively enable a few, just enough to get by with the functionality I need. And any time I need to deal with a more internet access-hungry app, I just run it from a VM.

It's hard to run some apps from a VM though. Probably the most annoying bit when you have Windows Firewall set to deny everything by default is Office 365. Its main functionality is not word or spreadsheet editing, but confirming your Office version is legitimate. To do so, and it does it all the time, it obviously needs to connect out. However, the rules one would need to set up for this to work properly are absolutely, and kinda obviously, crazy. This page gives you the details. Thanks Microsoft!

With Windows Firewall on, you will come across one more problem:

– access to the symbol server.

It's often great to have access to it, and yet I don't feel like enabling carte blanche access to port 80 or 443 for any reversing tool that I happen to run. So I go with IP-specific allow rules.

And here’s the catch:

– in the past, one would need to check the IP that msdl.microsoft.com resolves to, and enable connectivity to that IP only.

Times have changed though: we live in a world of CDNs and redirectors, so allowing the IP that msdl.microsoft.com maps to is no longer enough, because that host redirects all requests to a bunch of other servers.

How do we find them?

I don’t have a generic answer, but we can cheat a bit.

You can try to use curl or wget to download the following PDB from the server (the flags I use print out a lot of debug/verbose output, which is handy):

wget -v -d https://msdl.microsoft.com/download/symbols/regedit.pdb/85B6C521417160A68521696D68568CB41/regedit.pdb

If you look at the logs your download tool outputs, you will notice that the request is being redirected to a different symbol server, e.g.:

https://vsblobprodscussu5shard76.blob.core.windows.net/….

So, yes, you need to find out what the IP of this server is, and voila… now your rules should work.

If you are wondering how I found this out… I checked from VM with firewall disabled. Literally, this is a regular activity for anyone who wants to keep their host OS in err… firewall denial.

Googling around for vsblobprodscussu5shard76 I came across only 2 posts, and this one is the winner in a contest of value-and-madness-adding content…; the list of possible servers goes as follows:

StorageAccount
vsblobprodscussu5shard90
vsblobprodscussu5shard9
vsblobprodscussu5shard89
vsblobprodscussu5shard88
vsblobprodscussu5shard87
vsblobprodscussu5shard86
vsblobprodscussu5shard85
vsblobprodscussu5shard84
vsblobprodscussu5shard83
vsblobprodscussu5shard82
vsblobprodscussu5shard81
vsblobprodscussu5shard80
vsblobprodscussu5shard8
vsblobprodscussu5shard79
vsblobprodscussu5shard78
vsblobprodscussu5shard77
vsblobprodscussu5shard76
vsblobprodscussu5shard75
vsblobprodscussu5shard74
vsblobprodscussu5shard73
vsblobprodscussu5shard72
vsblobprodscussu5shard71
vsblobprodscussu5shard70
vsblobprodscussu5shard7
vsblobprodscussu5shard69
vsblobprodscussu5shard68
vsblobprodscussu5shard67
vsblobprodscussu5shard66
vsblobprodscussu5shard65
vsblobprodscussu5shard64
vsblobprodscussu5shard63
vsblobprodscussu5shard62
vsblobprodscussu5shard61
vsblobprodscussu5shard60
vsblobprodscussu5shard6
vsblobprodscussu5shard59
vsblobprodscussu5shard58
vsblobprodscussu5shard57
vsblobprodscussu5shard56
vsblobprodscussu5shard55
vsblobprodscussu5shard54
vsblobprodscussu5shard53
vsblobprodscussu5shard52
vsblobprodscussu5shard51
vsblobprodscussu5shard50
vsblobprodscussu5shard5
vsblobprodscussu5shard49
vsblobprodscussu5shard48
vsblobprodscussu5shard47
vsblobprodscussu5shard46
vsblobprodscussu5shard45
vsblobprodscussu5shard44
vsblobprodscussu5shard43
vsblobprodscussu5shard42
vsblobprodscussu5shard41
vsblobprodscussu5shard40
vsblobprodscussu5shard4
vsblobprodscussu5shard39
vsblobprodscussu5shard38
vsblobprodscussu5shard37
vsblobprodscussu5shard36
vsblobprodscussu5shard35
vsblobprodscussu5shard34
vsblobprodscussu5shard33
vsblobprodscussu5shard32
vsblobprodscussu5shard31
vsblobprodscussu5shard30
vsblobprodscussu5shard3
vsblobprodscussu5shard29
vsblobprodscussu5shard28
vsblobprodscussu5shard27
vsblobprodscussu5shard26
vsblobprodscussu5shard25
vsblobprodscussu5shard24
vsblobprodscussu5shard23
vsblobprodscussu5shard22
vsblobprodscussu5shard21
vsblobprodscussu5shard20
vsblobprodscussu5shard2
vsblobprodscussu5shard19
vsblobprodscussu5shard18
vsblobprodscussu5shard17
vsblobprodscussu5shard16
vsblobprodscussu5shard15
vsblobprodscussu5shard14
vsblobprodscussu5shard13
vsblobprodscussu5shard12
vsblobprodscussu5shard11
vsblobprodscussu5shard10
vsblobprodscussu5shard1

These account names could have either of these suffixes:

{storageaccountname}.vsblob.vsassets.io
{storageaccountname}.blob.core.windows.net
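Putting the procedure above into a repeatable script (an added example, not the post's own tooling): it pulls the redirect target out of the Location headers in a wget/curl debug log, refuses to allow-list anything that does not match the vsblobprodscussu5shard1..90 naming with one of the two suffixes just listed (so a surprising redirect is flagged instead of silently opened up), resolves the surviving hosts, and prints a netsh outbound rule limited to those IPs and TCP/443. SAMPLE_WGET_LOG is a constructed, trimmed approximation of wget -d output with EXAMPLE placeholders in place of the real blob path and query string; the debugger path in the generated rule is a placeholder too. Resolution needs network access, so offline the script prints the hosts and no rule.

```python
"""Turn the symbol-server redirect seen in a wget/curl debug log into a firewall allow-list."""
import re
import socket
import sys
from urllib.parse import urlparse

# Constructed sample of what `wget -v -d` prints around the 302 (trimmed; the blob path and
# query string are EXAMPLE placeholders, not the real values).
SAMPLE_WGET_LOG = """\
---request begin---
GET /download/symbols/regedit.pdb/85B6C521417160A68521696D68568CB41/regedit.pdb HTTP/1.1
Host: msdl.microsoft.com
---request end---
---response begin---
HTTP/1.1 302 Found
Location: https://vsblobprodscussu5shard76.blob.core.windows.net/EXAMPLE-container/regedit.pdb?sv=EXAMPLE
Content-Length: 0
---response end---
302 Found
Location: https://vsblobprodscussu5shard76.blob.core.windows.net/EXAMPLE-container/regedit.pdb?sv=EXAMPLE [following]
"""

SUFFIXES = ("vsblob.vsassets.io", "blob.core.windows.net")
# Naming pattern generalised from the post's list: shard1..shard90 under either suffix.
SHARD_HOST = re.compile(
    r"^vsblobprodscussu5shard(\d{1,2})\.(vsblob\.vsassets\.io|blob\.core\.windows\.net)$")


def redirect_hosts(log_text):
    """Return the distinct hostnames named in Location: headers of the log, in order of appearance."""
    hosts = []
    for line in log_text.splitlines():
        m = re.match(r"\s*Location:\s*(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        host = urlparse(m.group(1)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_known_symbol_shard(host):
    """True if host follows the vsblobprodscussu5shard1..90 naming with a known suffix."""
    m = SHARD_HOST.match(host.lower())
    return bool(m) and 1 <= int(m.group(1)) <= 90


def candidate_hosts():
    """All 180 hostnames implied by the post's shard list and the two suffixes."""
    return ["vsblobprodscussu5shard%d.%s" % (n, s) for n in range(1, 91) for s in SUFFIXES]


def resolve(hosts):
    """Resolve hostnames to IPv4 addresses (needs network; CDN answers change over time)."""
    ips = set()
    for host in hosts:
        try:
            for info in socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM):
                ips.add(info[4][0])
        except socket.gaierror:
            pass                     # unresolvable or offline: simply contributes no address
    return sorted(ips)


def netsh_allow_rule(name, program, ips):
    """Build a Windows Firewall outbound allow rule restricted to the given IPs and TCP/443."""
    if not ips:
        raise ValueError("no addresses to allow")
    return ('netsh advfirewall firewall add rule name="%s" dir=out action=allow protocol=TCP '
            'remoteport=443 program="%s" remoteip=%s' % (name, program, ",".join(ips)))


if __name__ == "__main__":
    # Usage: python symsrv_allow.py [wget-debug-log]   (no argument: use the constructed sample)
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WGET_LOG
    targets = redirect_hosts(log)
    unexpected = [h for h in targets if not is_known_symbol_shard(h)]
    if unexpected:
        print("redirect outside the known naming pattern, not allow-listing:", unexpected)
    hosts = ["msdl.microsoft.com"] + [h for h in targets if is_known_symbol_shard(h)]
    ips = resolve(hosts)             # empty when offline
    print("hosts:", hosts, "-> IPs:", ips)
    if ips:
        print(netsh_allow_rule("Symbol server (msdl + redirect)", r"C:\PLACEHOLDER\windbg.exe", ips))
```

The rule is scoped to a program, a port and the resolved addresses rather than to a hostname, which is why it has to be regenerated whenever the redirect lands on a different shard or the CDN changes its answers; if re-running after every change gets tiresome, candidate_hosts() gives the full set to resolve in one go, at the cost of a much wider remoteip list.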

Good luck…