aMus(ing)Notification

January 3, 2021 in Archaeology, LOLBins, Undocumented Windows Internals

Update

Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂

Old Post

Have you ever got annoyed by this popup?

I got curious where they come from and after running sysmon I quickly discovered they come from the invocation of MusNotification.exe and MusNotificationUx.exe.

This one in particular is a lunch of:

MusNotificationUx.exe Dialog_EngagedFourthReminder 0

The Dialog_xxx is a very unique keyword, so after quick search I discovered the whole gamut of similar messages hidden inside the UserProcess:: GetNotificationCommandLineArguments routine inside the MusNotification.exe:

  • Dialog_AllowSchedulingFirstReminder
  • Dialog_AllowSchedulingForcedReminder
  • Dialog_AllowSchedulingPerAUPolicy
  • Dialog_AllowSchedulingRebootFailed
  • Dialog_AllowSchedulingSecondReminder
  • Dialog_AllowSchedulingThirdReminder
  • Dialog_AllowSchedulingWarning
  • Dialog_CantDownloadUpdate
  • Dialog_CantInstallUpdate
  • Dialog_DataMigrationFailed
  • Dialog_DownloadAvailable
  • Dialog_DownloadNeedUserAgreementPerCTA
  • Dialog_EngagedFourthReminder
  • Dialog_EnhancedEngagedAcceptAuto
  • Dialog_EnhancedEngagedForcedPrecursor
  • Dialog_EnhancedEngagedForcedWarning
  • Dialog_EnhancedEngagedRebootFailed
  • Dialog_EnhancedEngagedRebootImminent
  • Dialog_EnhancedEngagedRebootReminder
  • Dialog_EnhancedEngagedSecondRebootReminder
  • Dialog_ExpeditedReboot
  • Dialog_InstallNeedEula
  • Dialog_InstallNeedUserAgreement
  • Dialog_LowUptime
  • Dialog_PolicyDeadlineApproaching
  • Dialog_PolicyDeadlineEngagement
  • Dialog_PolicyDeadlineRebootFailed
  • Dialog_PolicyDeadlineRebootImminent
  • Dialog_PolicyDeadlineUserScheduled
  • Dialog_RebootActiveHoursForcedReminder
  • Dialog_RebootActiveHoursForcedWarning
  • Dialog_RebootActiveHoursImminent
  • Dialog_RebootActiveHoursUserSelected
  • Dialog_RebootDTU
  • Dialog_RebootForcedDTU
  • Dialog_RebootImminent
  • Dialog_RebootPolicyEnabledForcedWarning
  • Dialog_RebootPostponeMgmt
  • Dialog_RebootWarning
  • Dialog_ScheduleUpdate
  • Dialog_ScheduleUpdateFailed
  • Dialog_SuggestedActiveHours

You can pick up any of them and run via a similar invocation using MusNotificationUx.exe e.g.

MusNotificationUx.exe Dialog_CantDownloadUpdate 0

and others:

Apart from being a gimmick these invocations could be a good social engineering add-on to malware repertoire, and would certainly add a lot of credibility to rogue antispyware software back in a day.

There also seem to be a possibility of a Lolbin as the invocations of MusNotificationUx.exe via MusNotification.exe refer to %SYSTEMROOT% environment variable as opposed to path retrievwed using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.

Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:

  • Toast_CompatIssue
  • Toast_DesktopKeepOnReminder
  • Toast_DownloadNeedMoreSpace
  • Toast_DownloadNeedUserAgreement
  • Toast_DownloadNeedUserAgreementPerCTA
  • Toast_DownloadNeedWifi
  • Toast_DownloadViaCellularNeedUserAgreement
  • Toast_EngagedFirstReminder
  • Toast_EngagedRebootFailed
  • Toast_EngagedRebootWarning
  • Toast_EngagedSecondReminder
  • Toast_EngagedThirdReminder
  • Toast_EnhancedEngagedRebootReminder
  • Toast_FailedDiskSpaceCheck
  • Toast_FairWarningDesktop
  • Toast_FairWarningLaptop
  • Toast_FairWarningPolicyNotifyDeadline
  • Toast_InstallBlocked
  • Toast_InstallNeedEula
  • Toast_InstallNeedMoreSpace
  • Toast_InstallNeedUserAgreementPerAUPolicy
  • Toast_KeepAliveOnBatteryWarning
  • Toast_LaptopPlugInReminder
  • Toast_LowUptime
  • Toast_MeteredConnection
  • Toast_NotifyToDownload
  • Toast_NotifyToInstall
  • Toast_OOBEDownloadInProgress
  • Toast_PersistentReadyToReboot
  • Toast_PolicyDeadlineEngagement
  • Toast_RebootActiveHoursForcedReminder
  • Toast_RebootActiveHoursImminent
  • Toast_RebootNeedUserAgreementPerAUPolicy
  • Toast_RebootOtherUsers
  • Toast_RebootReminder
  • Toast_SuggestedActiveHours
  • Toast_UpdateFailed

Last, but not least, there are some additional options the tool accepts, in particular:

  • RebootWithUXForceOthers
  • RebootWithUX
  • ClearActiveNotifications
  • QueryNotificationState
  • -Embedding
  • /CV – correlation vector
  • /MusUxStateString
  • /ToastAction, where the action can be one of these:
    • AlwaysAllowAutoUpdates
    • DeferRestartInHour
    • DeferRestartNow
    • ForcedRemRestartNow
    • ImmAnotherTime
    • ImmRestartNow
    • NotifyRestartNow
    • OthersPickTime
    • OthersRestartAnyway
    • RemPickTime
    • RemRestartNow
    • RemSnooze
    • RestartFailedRetry
    • RestartTonight
    • RestartWarningOption
    • Settings
    • Setup
    • SnoozeUx
    • SuggestedAHConfirm
    • SuggestedAHDontChange
    • WarnPickTime
    • WarnRestartNow
    • dismiss
  • eDTERestartTonight
  • /ToastLaunchTimestamp

handle..ing SHAllocShared

December 25, 2020 in Code Injection

There couldn’t be a less misleading post title than the one I chose for this entry. The function SHAllocShared is documented, may not be very well known, but we may see it more in the future. It is exported by shlwapi.dll and its description has a nice vibe to it:

Allocates a handle in a specified process to a copy of a specified memory block in the calling process.

Hmm… I remember that 15+ years ago or so I was looking at the AppBar functionality. At that time many applications were taking advantage of this desktop feature, so I was really curious how it works. Eventually I created a simple POC that relied on SHAppBarMessage function to add my own app bar, but then got bored and forgot about it.

A few months back I suddenly remembered that POC. I realized that I have never looked at the internals of the SHAppBarMessage function, and with my experiments around code injection via GUI primitives this of course triggered my interest.

Under the hood, the SHAppBarMessage relies on SHAllocShared/SHLockShared and SHUnlockShared/SHFreeShared APIs to create&lock/unlock&free block of memory allocated within program’s address space, and then WM_COPYDATA message is used to send info about the appbar message to ‘Shell_TrayWnd’ window (tray window). Internally, SHAllocShared relies on CreateFileMapping/MapViewOfFile/DuplicateHandle API set to duplicate a handle to existing memory block inside a target process.

This is it. It’s not a lot, but having a set of atomic functions residing inside the shlwapi.dll is probably not a bad thing. This is not as robust as accessibility functions that do a lot of reading and writing of memory blocks between different processes, but it’s always good to have some extra feature at hand.