Trivial AppID Impersonation

February 20, 2014 in Others, Silly

I was wondering what would happen if one tried to impersonate the AppID of a common application, i.e. run my own application and change its AppID to that of a well-known application at run time. Kinda lame, I know.

To test it, I wrote a quick PoC that uses the SetCurrentProcessExplicitAppUserModelID API to pretend it is Internet Explorer, Remote Desktop or Sticky Notes, using their respective AppIDs. I also added the AppID for Notepad – while it doesn't have a standard AppID like the 3 other applications, I just wanted to show that we can still enforce the AppID association using Notepad's normalized path {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (for details see my older post about AppIDs).

Here’s a list of AppIDs used:

  • Internet Explorer – Microsoft.InternetExplorer.Default
  • Remote Desktop – Microsoft.Windows.RemoteDesktop
  • Sticky Notes – Microsoft.Windows.StickyNotes
  • Notepad – {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe

I pinned all 4 of these applications to the Taskbar on Windows 8.1 and then ran my test application, pausing it each time I changed the AppID to take a screenshot; the results are combined in the picture below. Not surprisingly, every time I changed the AppID a different pinned taskbar icon got highlighted (the test application needs to perform some GUI operation for this to work; it can simply show a message box).
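The experiment above, reproduced from PowerShell as an added example (this is not the post's own PoC). It assumes Windows 7 or later and the console host rather than ISE, since the explicit AppID has to be set before the process has created any windows of its own; the `Demo.AppUserModel` wrapper type is just a name chosen here for the P/Invoke declarations.

```powershell
# Added example, not the post's PoC: set this process's explicit AppUserModelID via
# P/Invoke, show a message box so the taskbar applies it, and repeat for each AppID.
# Assumes Windows 7+ and a console host (not ISE). 'Demo.AppUserModel' is an arbitrary name.
$signature = @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode, PreserveSig = false)]
public static extern void SetCurrentProcessExplicitAppUserModelID(string appId);

[DllImport("shell32.dll", CharSet = CharSet.Unicode, PreserveSig = false)]
public static extern void GetCurrentProcessExplicitAppUserModelID(out IntPtr appId);
'@
$Shell = Add-Type -MemberDefinition $signature -Name 'AppUserModel' -Namespace 'Demo' -PassThru
Add-Type -AssemblyName System.Windows.Forms

# The four AppIDs listed in the post; the Notepad entry is its normalized-path form.
$appIds = @(
    'Microsoft.InternetExplorer.Default',
    'Microsoft.Windows.RemoteDesktop',
    'Microsoft.Windows.StickyNotes',
    '{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe'
)

foreach ($id in $appIds) {
    # Tell the shell which AppID this process claims. PreserveSig=false turns a
    # failed HRESULT into a .NET exception, so a bad call does not pass silently.
    $Shell::SetCurrentProcessExplicitAppUserModelID($id)

    # Read it back to confirm. The string is CoTaskMem-allocated by the shell and must be freed.
    $ptr = [IntPtr]::Zero
    $Shell::GetCurrentProcessExplicitAppUserModelID([ref]$ptr)
    $current = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    [Runtime.InteropServices.Marshal]::FreeCoTaskMem($ptr)
    Write-Host "Explicit AppID now: $current"

    # Any GUI operation makes the taskbar apply the grouping; a message box is enough.
    # While the box is open, the pinned icon for this AppID is the one highlighted.
    [void][System.Windows.Forms.MessageBox]::Show("Claiming AppID:`n$current", 'AppID test')
}

# What does not change: the image the process actually runs from. The AppID only drives
# shell grouping, so process path and signer remain the signals an inspector should trust.
Write-Host "Actual image: $((Get-Process -Id $PID).Path)"
```

Run it with the four applications pinned to the taskbar and step through the message boxes to see the highlight move; the final line shows that Get-Process still reports the real executable.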


This is quite a tiny level of impersonation – it's hard to come up with really useful scenarios here – perhaps one could use it to reinforce social engineering attempts (e.g. an escalation-of-privileges prompt triggered by malware while pretending to come from some legitimate Windows application, or perhaps AV)? But aren't existing GUI manipulation tricks better than that? Oh well, trivial is trivial.

Extracting camels out of APIs and putting them in the Cloud

September 27, 2013 in Silly

Most API function names are CamelCased words. Using a large collection of API names one can "Extract camels out of APIs and put them in the Cloud ©" - the result is probably the ugliest tag cloud ever (Comic Sans MS comes as a bonus :)).

Here it is: