Enter Sandbox – part 2: COM, babe COM

June 9, 2015 in Batch Analysis, Clustering, Malware Analysis

API hooking, or interception, described in part 1 is great for many analyses and works very well for many older, generic samples, but to be able to handle modern samples a sandbox needs to handle the Component Object Model (COM) as well. COM is a bitch when it comes to analysis and hooking, because it’s omnipresent, not everything is properly documented, there are lots of ways to do the same thing and, funnily enough, developers using COM make lots of mistakes and often incorrectly reference pointers. While their apps crash internally and the exceptions are handled by the respective frameworks, any intrusive sandbox will typically crash the application if it is not prepared to handle programmers’ mistakes.

When I say that the same thing can be done in many ways, it’s for a simple reason. While COM objects are typically instantiated using e.g. CoCreateInstance, CoCreateInstanceEx, CoGetClassObject, or by calling some COM methods, there is also a myriad of ‘regular’ APIs that can instantiate COM objects; a simple example is PStoreCreateInstance.

COM is quite a mess and the deeper you dig the more weird stuff you will find (f.ex. interfaces changing names over time messing up your collection of CLSIDs).

Good luck handling it all…

Hooking COM objects requires either manipulating the original virtual tables, which live inside the code/data of the COM object provider, or doing it dynamically, only inside the buffers allocated for instantiated objects. Either way, it is sometimes not welcome by the hooked applications, which may have code implemented to prevent COM hooking (I have seen this). Non-invasive interception is possible as well, but requires a good tracking mechanism, since some samples can call COM many times during the analysis session.
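The dynamic, per-instance variant described above, as an added example that is not the author’s sandbox code: a portable C stand-in for the COM ABI (an interface pointer is a pointer to an object whose first field points at a vtable), where the ShellLinkLike type, the two-entry vtable, hook_instance and the trace format are all constructed for illustration; the real IShellLinkA vtable has many more entries and the real object comes from CoCreateInstance.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Portable stand-in for the COM ABI: an interface pointer points at an object
 * whose first field is a pointer to a table of function pointers (the vtable). */
typedef struct ShellLinkLike ShellLinkLike;
typedef struct {
    long (*QueryInterface)(ShellLinkLike *self, const char *iid, void **out);
    long (*SetPath)(ShellLinkLike *self, const char *path);
} ShellLinkVtbl;
struct ShellLinkLike {
    const ShellLinkVtbl *lpVtbl;   /* normally shared by every instance the provider creates */
    char path[260];
};
/* "Provider" implementation standing in for the real ShellLink COM server (constructed). */
static long sl_QueryInterface(ShellLinkLike *self, const char *iid, void **out) { (void)iid; *out = self; return 0; }
static long sl_SetPath(ShellLinkLike *self, const char *path) { strncpy(self->path, path, sizeof self->path - 1); return 0; }
static const ShellLinkVtbl g_providerVtbl = { sl_QueryInterface, sl_SetPath };
ShellLinkLike *create_shelllink(void) {            /* plays the role of CoCreateInstance */
    ShellLinkLike *o = calloc(1, sizeof *o);
    o->lpVtbl = &g_providerVtbl;
    return o;
}
/* Sandbox side: a trace buffer plus the saved original entry point. */
static char g_trace[512];
static long (*g_origSetPath)(ShellLinkLike *, const char *);
static long hook_SetPath(ShellLinkLike *self, const char *path) {
    snprintf(g_trace, sizeof g_trace, "IShellLinkA::SetPath (%s)", path);
    return g_origSetPath(self, path);              /* log the argument, then forward to the original */
}
/* Dynamic hook: clone the vtable for this one instance and patch only the clone,
 * so the provider's table (and every other instance using it) stays untouched. */
void hook_instance(ShellLinkLike *obj) {
    ShellLinkVtbl *clone = malloc(sizeof *clone);
    *clone = *obj->lpVtbl;
    if (!g_origSetPath) g_origSetPath = clone->SetPath;   /* save the original once */
    clone->SetPath = hook_SetPath;
    obj->lpVtbl = clone;
}
const char *last_trace(void) { return g_trace; }
int main(void) {                                   /* stand-alone demo */
    ShellLinkLike *lnk = create_shelllink();
    hook_instance(lnk);
    lnk->lpVtbl->SetPath(lnk, "%SYSTEM%\\malware.exe");   /* constructed sample argument, called through the vtable as COM callers do */
    puts(last_trace()); return 0;
}
```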

If you have read this far you may be wondering what COM objects we could hook and why it really matters.

Nowadays many malicious apps use various evasions, and lots of them are implemented using COM. A simple example is IBackgroundCopyJob, used by FinFisher to copy files under the noses of sandboxes/AV. COM is also used to create/modify shortcuts, download stuff in the background using the Background Intelligent Transfer Service (BITS) and other interfaces, and you may _not_ get to see the URLs/domains contacted if you only rely on API hooking. Last, but not least, popular evasions rely on enumerating various properties using WMI, and these are also handled via COM.

Not hooking this stuff leaves a lot of unanswered questions and limits the actionable data that can be extracted from the session.

This is an example of COM hooking in action:

  • Using ShellLink to create a shortcut file
    • CoCreateInstanceEx (ShellLink, IShellLinkA)
    • IShellLinkA::SetPath (%SYSTEM%\malware.exe)
    • IPersistFile::Save (C:\Documents and Settings\user\Start Menu\Programs\malware.lnk)
  • Using web browser object to download stuff
    • IWebBrowser2::Navigate (URL=http://xx.xx.xx.xx/media/1,Flags=,TargetFrameName=,PostData=,Headers=)
  • Using WMI to enumerate processes
    • IWbemLocator::ConnectServer (strNetworkResource=root\cimv2, user=, password=, locale=)
    • IWbemServices::ExecQuery (strQueryLanguage=WQL, Query=SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process)
