You are browsing the archive for Sandboxing.

Enter Sandbox: Special edition

August 3, 2017 in Sandboxing, Silly

I recently wrote Cyber version of Orgasmatron. Writing one for Metallica’s Enter Sandman was on my mind for much longer since it’s almost impossible not to think of it when you read the title of this series… So… here it is:

Enter Sandbox

QEMU, VMWare
Don’t forget the Xen
And Sandboxie’s there

Virtual Box, Cuckoo rocks
Parallels’s in stock
Till the Sandbox he comes

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Something’s wrong, freeze the guest
Heavy loaded host
And it’s not doing its best

Mining coins, WannaCry
Virus spreads like fire
And the Pafish will bite

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Now I call the function Sleep
Time Stamp Counter I will keep
If I delta some of it
Numbers bad? It’s time to quit

Hash the file, and check the strings
And never mind that noise you see
It’s just the fake I, O and C
In your report, for VP

Exit: Threads
Enter: Creds
Calling rand()

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Using RegisterApplicationRestart as a (lame) sandbox evasion

May 20, 2017 in Anti-Forensics, Forensic Analysis, Sandboxing

The RegisterApplicationRestart function allows the OS to relaunch the application in case it crashes, or fails for other reasons (or when an installer needs to restart the system and then launch again).

To avoid cyclical restarts the program needs to run for at least 60 seconds though.

So, imagine a program that does the following:

  • Check if a specific command line argument is provided
    • If yes
      • Run malware
    • If no
      • Register itself via RegisterApplicationRestart and provide a command line f.ex. /nosandbox
      • Sleep for 60 seconds using Sleep
      • Cause a crash (f.ex. divide by 0)

If the application is ran w/o a sandbox, it will be relaunched by the OS after the crash and with a /nosandbox argument – it will execute the malware.

If the application is ran under sandbox, the sandbox engine will most likely affect the running of the Sleep function. This in turn will disable the functionality of the RegisterApplicationRestart function. The program will run less than 60 seconds, hence won’t be restarted after the crash. The sandbox report will be pretty much empty.

Note, with its default settings, Windows 10 will simply restart the application:

For earlier versions, the user may be asked to choose whether they want to restart the application (depending on Windows Error Reporting settings). Notably, if such dialogĀ  popped up while the sample was running inside the sandbox, there is a chance the sandbox would autoclick the ‘restart’ option for us. But then… well.. it would have to wait these 60 seconds first, wouldn’t it?

Bonus forensic information:

The less used option of RegisterApplicationRestart API is in conjunction with installers. If combined with ExitWindowsEx,EWX_RESTARTAPPS,… it will register the app to be executed by the systems with the next logon. The mechanism of this temporary persistence mechanism is quite interesting.

Right before the user is logged off the csrss.exe process registers a RunOnce entry located in the following location:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #<NUMBER>

– it is simply pointing to the restarted application.

So, if you ever see entries like these:

  • HKCU\Software\Microsoft\Windows\
    CurrentVersion\RunOnce\Application Restart #0
  • HKCU\Software\Microsoft\Windows\
    CurrentVersion\RunOnce\Application Restart #1

etc.

– then it’s most likely a result of an unfinished installer business…

Could it become a persistence mechanism and become a part of the Beyond Good Ol’ Run key series? Perhaps, but I have not found a practical way to do it w/o restarting the system (perhaps aborting the restart could help, but from what I can tell the csrss.exe registers the RunOnce persistence mechanism pretty late).