Windows Symbols A.D. 2020

March 20, 2020 in How to..., Reversing

I may be in the minority, but I do use Windows Firewall on most of my boxes. I deny all connections by default, including some of the predefined ones, and only selectively enable a few, just enough to get by with the functionality I need. And any time I need to deal with a more internet-hungry app, I just run it from a VM.

It’s hard to run some apps from a VM though. Probably the most annoying bit when you have Windows Firewall set to deny everything by default is Office 365. Its main functionality is not word or spreadsheet editing, but confirming that your Office version is legitimate. To do so, and it does it all the time, it obviously needs to connect out. However, the rules one would need to set up for this to work properly are absolutely, and kinda obviously, crazy. This page gives you the details. Thanks Microsoft!

With Windows Firewall on, you will come across one more problem:

– access to the symbol server.

It’s often great to have access to it, and yet I don’t feel like enabling carte blanche access to port 80 or 443 for any reversing tool that I happen to run. So I go with IP-specific enabling rules.

And here’s the catch:

– in the past, one would need to check the IP that msdl.microsoft.com resolves to, and enable connectivity to that IP only.

Times have changed though, and we live in a world of CDNs and redirectors. As such, enabling access to the IP that msdl.microsoft.com maps to is no longer enough, because that host redirects all the requests to a bunch of other servers.

How do we find them?

I don’t have a generic answer, but we can cheat a bit.

You can try to use curl or wget to download the following PDB from the server (the flags I use print out a lot of debug/verbose logs, which is handy):

wget -v -d https://msdl.microsoft.com/download/symbols/regedit.pdb/85B6C521417160A68521696D68568CB41/regedit.pdb

If you look at the logs your download tool outputs, you will notice that the request is being redirected to a different symbol server, e.g.:

https://vsblobprodscussu5shard76.blob.core.windows.net/….

So, yes, you need to find out what the IP of this server is, and voila… now your rules should work.

If you are wondering how I found this out… I checked from a VM with the firewall disabled. Literally, this is a regular activity for anyone who wants to keep their host OS in, err… firewall denial.

Googling around for vsblobprodscussu5shard76 I came across only 2 posts, and this one is the winner in a contest of value-and-madness-adding content…; the list of possible servers goes as follows:

StorageAccount
vsblobprodscussu5shard90
vsblobprodscussu5shard9
vsblobprodscussu5shard89
vsblobprodscussu5shard88
vsblobprodscussu5shard87
vsblobprodscussu5shard86
vsblobprodscussu5shard85
vsblobprodscussu5shard84
vsblobprodscussu5shard83
vsblobprodscussu5shard82
vsblobprodscussu5shard81
vsblobprodscussu5shard80
vsblobprodscussu5shard8
vsblobprodscussu5shard79
vsblobprodscussu5shard78
vsblobprodscussu5shard77
vsblobprodscussu5shard76
vsblobprodscussu5shard75
vsblobprodscussu5shard74
vsblobprodscussu5shard73
vsblobprodscussu5shard72
vsblobprodscussu5shard71
vsblobprodscussu5shard70
vsblobprodscussu5shard7
vsblobprodscussu5shard69
vsblobprodscussu5shard68
vsblobprodscussu5shard67
vsblobprodscussu5shard66
vsblobprodscussu5shard65
vsblobprodscussu5shard64
vsblobprodscussu5shard63
vsblobprodscussu5shard62
vsblobprodscussu5shard61
vsblobprodscussu5shard60
vsblobprodscussu5shard6
vsblobprodscussu5shard59
vsblobprodscussu5shard58
vsblobprodscussu5shard57
vsblobprodscussu5shard56
vsblobprodscussu5shard55
vsblobprodscussu5shard54
vsblobprodscussu5shard53
vsblobprodscussu5shard52
vsblobprodscussu5shard51
vsblobprodscussu5shard50
vsblobprodscussu5shard5
vsblobprodscussu5shard49
vsblobprodscussu5shard48
vsblobprodscussu5shard47
vsblobprodscussu5shard46
vsblobprodscussu5shard45
vsblobprodscussu5shard44
vsblobprodscussu5shard43
vsblobprodscussu5shard42
vsblobprodscussu5shard41
vsblobprodscussu5shard40
vsblobprodscussu5shard4
vsblobprodscussu5shard39
vsblobprodscussu5shard38
vsblobprodscussu5shard37
vsblobprodscussu5shard36
vsblobprodscussu5shard35
vsblobprodscussu5shard34
vsblobprodscussu5shard33
vsblobprodscussu5shard32
vsblobprodscussu5shard31
vsblobprodscussu5shard30
vsblobprodscussu5shard3
vsblobprodscussu5shard29
vsblobprodscussu5shard28
vsblobprodscussu5shard27
vsblobprodscussu5shard26
vsblobprodscussu5shard25
vsblobprodscussu5shard24
vsblobprodscussu5shard23
vsblobprodscussu5shard22
vsblobprodscussu5shard21
vsblobprodscussu5shard20
vsblobprodscussu5shard2
vsblobprodscussu5shard19
vsblobprodscussu5shard18
vsblobprodscussu5shard17
vsblobprodscussu5shard16
vsblobprodscussu5shard15
vsblobprodscussu5shard14
vsblobprodscussu5shard13
vsblobprodscussu5shard12
vsblobprodscussu5shard11
vsblobprodscussu5shard10
vsblobprodscussu5shard1

These account names could have either of these suffixes:

{storageaccountname}.vsblob.vsassets.io
{storageaccountname}.blob.core.windows.net
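To turn the above into something checkable, here is an added example (my code, not from the original post): it pulls the redirect target out of wget-style debug output, validates a host against the shard/suffix pattern listed above, and enumerates the full host set a rule file would need to cover. The debug excerpt is constructed, and the 1..90 shard range is taken from the list above.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the shape of `wget -d` output (not a real capture);
# only the redirect response headers matter for this purpose.
WGET_DEBUG = """\
---response begin---
HTTP/1.1 302 Found
Content-Length: 0
Location: https://vsblobprodscussu5shard76.blob.core.windows.net/CONSTRUCTED/regedit.pdb?sv=2019
Server: Kestrel
---response end---
"""

SUFFIXES = ("blob.core.windows.net", "vsblob.vsassets.io")
# All account names share one prefix; the post lists shards 1..90.
SHARD_RE = re.compile(
    r"^vsblobprodscussu5shard(\d{1,2})\.(" + "|".join(map(re.escape, SUFFIXES)) + r")$"
)


def redirect_hosts(debug_log: str) -> list:
    """Return the hostname of every Location: header found in verbose download output."""
    hosts = []
    for line in debug_log.splitlines():
        if line.lower().startswith("location:"):
            url = line.split(":", 1)[1].strip()
            host = urlsplit(url).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def is_known_symbol_shard(host: str) -> bool:
    """True only for one of the 90 shard accounts under either documented suffix."""
    m = SHARD_RE.match(host.lower())
    return bool(m) and 1 <= int(m.group(1)) <= 90


def allowlist_hosts() -> list:
    """Enumerate every hostname a firewall rule set would need to resolve and allow."""
    return [f"vsblobprodscussu5shard{n}.{s}" for s in SUFFIXES for n in range(1, 91)]
```

Resolving these names to IPs is still a separate step, and since they sit behind a CDN the addresses can change, so re-resolve before trusting an old rule set.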

Good luck…

ShimBad the Sailor

March 18, 2020 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins

Application Shims have been extensively covered by security researchers – a very comprehensive overview of the available techniques was presented at BH2015 (PDF warning) by Sean Pierce (@secure_sean, who also happens to host a page dedicated to the subject at https://sdb.tools/).

I wondered if we could look at shims from a slightly different perspective, and this post is about it.

What if…

…we didn’t change anything: didn’t add any new entries, no custom databases, etc.

What if…

…we analyzed the existing shims and identified some that could do interesting things for us? We would then only need to fulfill the conditions required for the shim to be triggered, and voila… we could now do things via a covert channel – that is, the shim engine would be doing the dirty deed and a casual observer would be none the wiser.

Demo time.

On Windows 7, AOL Instant Messenger can be loaded via aim.exe with the following versioninfo properties:

  • CompanyName = America Online, Inc.
  • ProductName = AOL Instant Messenger

When the system detects such a program it applies a SHIM.

The shim loads a library, rtvideo.dll.

I took a basic example from the masm32 package and changed the properties of the file accordingly, then compiled it and renamed it to aim.exe; the phantom DLL was then added to the program by the shim engine.

This is just a basic example of what is possible/available.

Some of the shims create files, rename them, modify the stack, fake reading files, etc. This offers a gamut of possibilities that are worth considering from various perspectives:

  • anti-sandbox, anti-analysis tricks
  • capture the flag tricks
  • after building a repo of shim gadgets one could potentially deliver a lot of functionality by using dummy, non-malicious files run in a proper sequence
    • copy files
    • patch bytes (<win10)
    • load DLLs
    • run executables
  • the example with aim.exe is truly fascinating as it represents a possibly novel type of code injection: phantom sideloading
    • we sideload that DLL with a predetermined name w/o calling any obvious function inside the .exe
    • in the example I am using a custom aim.exe that is just a quick & dirty piece of test code; one could potentially find the legitimate, original aim.exe and play with that
    • the latter could be potentially signed
    • and even better, could be not even directly referring to rtvideo.dll
    • as such, it could be a signed .exe phantom sideloading a DLL with a predetermined name — and in some cases becoming a potential phantom lolbin as well
  • persistence is there too to consider
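A defender-side counterpart, added here and not part of the original post: a small detector run over constructed Sysmon-style image-load (Event ID 7) records that flags the aim.exe / rtvideo.dll phantom load from the demo and, more generally, any unsigned DLL loaded from the process’s own directory. The generic heuristic and the system-directory list are my assumptions; the field names mirror Sysmon’s Image, ImageLoaded and Signed.

```python
import ntpath

# Constructed Sysmon-style image-load records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Tools\aim.exe", "ImageLoaded": r"C:\Tools\rtvideo.dll", "Signed": "false"},
    {"Image": r"C:\Tools\aim.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true"},
    {"Image": r"C:\Apps\viewer.exe", "ImageLoaded": r"C:\Apps\helper.dll", "Signed": "true"},
    {"Image": r"C:\Apps\viewer.exe", "ImageLoaded": r"C:\Apps\codec.dll", "Signed": "false"},
]

# Shim-triggered phantom loads known from the post: (process name, DLL the shim pulls in).
SHIM_PHANTOM_LOADS = {("aim.exe", "rtvideo.dll")}

# Assumed list of directories where unsigned loads are not treated as sideloading.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def classify(event):
    """Return a detection label for one image-load event, or None if it looks benign."""
    exe = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if (exe, dll) in SHIM_PHANTOM_LOADS:
        return "shim-phantom-sideload"
    # Generic sideload heuristic: unsigned DLL loaded from the executable's own
    # directory rather than from a system directory.
    if event["Signed"].lower() == "false" and dll_dir == exe_dir and dll_dir not in SYSTEM_DIRS:
        return "unsigned-sideload"
    return None


def detect(events):
    """Return (process, dll, label) for every event that triggers a detection."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((ntpath.basename(e["Image"]).lower(), ntpath.basename(e["ImageLoaded"]).lower(), label))
    return hits
```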

Now, this might have sounded a bit rosy, but the reality is that analysing shims is a bit of a pain & the options they offer are still pretty limited. Yes, the number of really useful shims is pretty low, let alone those that could meet all the cool requirements I listed above… As such, defenders shouldn’t worry about this trick too much… Until this topic is explored a bit more 🙂