
Yet another way to hide from Sysinternals’ tools, part 1.5

January 19, 2018 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Silly

This little trick is better suited to pranking a friend than to serving as a real nation-state pwning technique, but it’s worth documenting, as usual, so here it goes…

I mentioned previously that Autoruns registers the file type HKCR\Autoruns.Logfile.1 / HKCR\.ARN. The .arn file stores the information Autoruns grabbed from the system: you can save the Autoruns log, and you can load it back.

The last bit is the interesting part: if we can redirect every invocation of autoruns to an instance we control, one that always loads the preserved data from the .arn file instead of the fresh data set taken directly from the system, we can fool the user into believing that the state of the system has not changed.

So… the recipe goes like this:

  • Remove the HKCR\Autoruns.Logfile.1 and HKCR\.ARN registry entries
  • Save autoruns.exe as e.g. c:\test\AutoNOruns.exe
  • Run c:\test\AutoNOruns.exe
    • This creates a new association for .ARN files in the Registry (one that points to c:\test\AutoNOruns.exe)
    • This also enumerates all autoruns entries on the system
      • Save these results to e.g. c:\test\AutoNOruns.arn
  • Modify the registry key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\autoruns.exe
    to point to
    c:\test\AutoNOruns.arn
  • Add some ‘bad’ entry to e.g. HKCU\Run
  • Run autoruns from the terminal, or via Windows+R
  • The new ‘bad’ entry won’t be shown.

Caveats:

  • Loading c:\test\AutoNOruns.arn takes a noticeable amount of time
  • Refreshing the view (F5) unhides all the ‘hidden’ entries, since Autoruns then rebuilds the view directly from the system
  • Double-clicking autoruns.exe is not routed via the App Paths key, so autoruns.exe will run properly
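A defender’s check for the App Paths redirection described above, written here as an added example (it is not code from the post): it parses a constructed .reg export of the App Paths key and flags entries whose default value does not resolve to an executable of the registered name, which is exactly what the c:\test\AutoNOruns.arn redirection looks like. The sample export, its paths and the procexp.exe entry are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not from the post): the App Paths redirection described
# above, plus a benign entry for contrast. Paths are illustrative placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\autoruns.exe]
@="c:\\test\\AutoNOruns.arn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\procexp.exe]
@="C:\\Tools\\Sysinternals\\procexp.exe"
'''
APP_PATHS = "\\Microsoft\\Windows\\CurrentVersion\\App Paths\\"

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser for REG_SZ values: key -> {value name -> data}.
    '@' is the key's (Default) value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")', line)
        if val_match and current is not None:
            name = "(Default)" if val_match.group(1) == "@" else val_match.group(1)[1:-1]
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current][name] = re.sub(r"\\(.)", r"\1", val_match.group(2)[1:-1])
    return keys

def audit_app_paths(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Heuristic: an App Paths entry should resolve to an .exe whose basename matches
    the registered name. Returns (registered name, target, reason) for the rest."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        pos = key.lower().find(APP_PATHS.lower())
        if pos < 0:
            continue
        registered = key[pos + len(APP_PATHS):].lower()
        target = values.get("(Default)", "").strip('"')
        basename = target.rsplit("\\", 1)[-1].lower()
        if not basename.endswith(".exe"):
            findings.append((registered, target, "target is not an executable"))
        elif basename != registered:
            findings.append((registered, target, "target basename differs from registered name"))
    return findings
```

On a live host the same check can be fed an export produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" apppaths.reg`; the basename-mismatch rule is a heuristic and may need an allow-list for legitimate aliases.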

So, there you have it. The first Autoruns Rootkit ;)))

It’s super lame and has so many caveats that it’s impossible to treat it seriously, but maybe you will be able to fool someone 🙂

Enter Sandbox: Special edition

August 3, 2017 in Sandboxing, Silly

I recently wrote a cyber version of Orgasmatron. Writing one for Metallica’s Enter Sandman had been on my mind for much longer, since it’s almost impossible not to think of it when you read the title of this series… So… here it is:

Enter Sandbox

QEMU, VMWare
Don’t forget the Xen
And Sandboxie’s there

Virtual Box, Cuckoo rocks
Parallels’s in stock
Till the Sandbox he comes

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Something’s wrong, freeze the guest
Heavy loaded host
And it’s not doing its best

Mining coins, WannaCry
Virus spreads like fire
And the Pafish will bite

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Now I call the function Sleep
Time Stamp Counter I will keep
If I delta some of it
Numbers bad? It’s time to quit

Hash the file, and check the strings
And never mind that noise you see
It’s just the fake I, O and C
In your report, for VP

Exit: Threads
Enter: Creds
Calling rand()

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops