Certain Windows… stay classy…

Update 2016-07-08

Added Thinstall applications

Old post

The ability to determine which compiler was used to build a binary is quite important. It shapes the way we approach the reversing session and immediately tells us what tools to use. There are many static analysis tools available that help determine the compiler/linker/protector used to build a specific binary.

Sometimes it may not be enough though.

In this post I will list a number of Windows-related artifacts created by various programming frameworks that may help us determine what the payload was compiled with. While there are many such frameworks, many of them rely on a fairly fixed set of more-or-less hidden windows, or window classes, that stay the same across many versions of the framework or are created at some point during execution.

This is by no means an exhaustive list – if you have anything to add, or find a mistake, I will appreciate the feedback.

Note: such a list may be used for many purposes:

  • compiler/protector determination
  • data reduction (from strings output, or f.ex. string recognition in IDA when it fails to do so well on its own)
  • classification (whitelisting/blacklisting) of sandbox samples
  • installer discovery in sandbox analysis (it may trigger a different handling routine; f.ex. if AutoIt or any installer is detected, low-level logging may be disabled until the actual AutoIt / installer script starts execution, etc.)

Here’s the list I gathered:

Visual Basic

  • ThunderRT6Main
  • VBMsoStdCompMgr
  • VBFocusRT6 (this is from Visual Basic 6.0)
  • VBBubbleRT6 (this is from Visual Basic 6.0)
  • VBFocusRT5 (this is from Visual Basic 5.0)
  • VBBubbleRT5 (this is from Visual Basic 5.0)

Visual Basic .NET

  • VBNetStudio

MFC (Microsoft Foundation Classes/Application Framework Extensions)

  • Afx:<hexadecimal number>:<hexadecimal number> f.ex. ‘Afx:400000:0’ or ‘Afx:10000000:0’
  • Afx:StatusBar:<hexadecimal number> f.ex. ‘Afx:StatusBar:400000’
  • Afx:TabWnd:<hexadecimal number> f.ex. ‘Afx:TabWnd:400000’
  • Afx:ToolBar:<hexadecimal number> f.ex. ‘Afx:ToolBar:400000’

Qt

  • Qt5QWindowIcon

Installer: Install Shield

  • GLBSInstall
  • InstallShield_Win

Installer: Inno Setup

  • class name: STATIC, window name: InnoSetupLdrWindow

Enigma Protector (not confirmed)

  • TEnigmaProtectorLoaderButton
  • TEnigmaProtectorLoaderEdit
  • TEnigmaProtectorLoaderFormMessage
  • TEnigmaProtectorLoaderFormRegistration
  • TEnigmaProtectorLoaderGroupBox

RunDll32 execution

  • RunDLL

OLE/DDE Windows

  • OleMainDdeClass

AutoIt

  • AutoIt v3
  • AutoIt v3 GUI
  • Au3Info
  • AutoIt
  • AutoIt – Splash

Standard Windows controls

  • ComboBoxEx32
  • commctrl_DragListMsg
  • msctls_hotkey32
  • msctls_progress32
  • msctls_statusbar32
  • msctls_trackbar32
  • msctls_updown32
  • NativeFontCtl
  • ReBarWindow32
  • RichEdit
  • RichEdit20a
  • SysAnimate32
  • SysDateTimePick32
  • SysHeader32
  • SysIPAddress32
  • SysListView32
  • SysMonthCal32
  • SysPager
  • SysTabControl32
  • SysTreeView32
  • ToolbarWindow32
  • tooltips_class32

Thinstall applications

  • ThStatusBarCtrlClass

Others

  • mdiclient (the typical class name of an MDI, i.e. Multiple Document Interface, client window)
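As an added example (not code from the original post), the following Python turns the list above into a small classifier that reads window-creation lines from a sandbox log and votes on the framework that built the sample, which covers both the compiler/protector determination and the sample classification uses from the note at the top. The signatures come from the list; the `CreateWindowExW class="…" name="…"` log format, the two sample logs and the VCL naming heuristic derived from the Delphi gallery below are constructed assumptions.

```python
"""Map window class names seen in a sandbox log to the framework that built the sample.
Added example, not from the original post: signatures are the class names listed in it;
the log format and both sample logs are constructed for illustration."""
import re
from collections import Counter

# Exact class-name signatures from the list.
EXACT = {
    "ThunderRT6Main": "Visual Basic 6",
    "VBMsoStdCompMgr": "Visual Basic",
    "VBFocusRT6": "Visual Basic 6",
    "VBBubbleRT6": "Visual Basic 6",
    "VBFocusRT5": "Visual Basic 5",
    "VBBubbleRT5": "Visual Basic 5",
    "VBNetStudio": "Visual Basic .NET",
    "Qt5QWindowIcon": "Qt",
    "GLBSInstall": "InstallShield",
    "InstallShield_Win": "InstallShield",
    "RunDLL": "rundll32 execution",
    "OleMainDdeClass": "OLE/DDE",
    "AutoIt v3": "AutoIt",
    "AutoIt v3 GUI": "AutoIt",
    "Au3Info": "AutoIt",
    "AutoIt": "AutoIt",
    "ThStatusBarCtrlClass": "Thinstall",
}

# Pattern signatures, checked in order: MFC's Afx:<hex>:<hex> family (longer
# colon-separated variants also occur), Enigma Protector loader forms, and last a
# heuristic derived from the Delphi gallery: VCL class names are 'T' + a capitalised identifier.
PATTERNS = [
    (re.compile(r"^Afx:(?:[0-9A-Fa-f]+|StatusBar|TabWnd|ToolBar)(?::[0-9A-Fa-f]+)+$"), "MFC"),
    (re.compile(r"^TEnigmaProtectorLoader\w+$"), "Enigma Protector (unconfirmed)"),
    (re.compile(r"^T[A-Z][\w.-]*$"), "Borland/Delphi (VCL heuristic)"),
]

# Standard common-control classes carry no framework signal and would only add noise.
STANDARD_CONTROLS = {
    "ComboBoxEx32", "commctrl_DragListMsg", "msctls_hotkey32", "msctls_progress32",
    "msctls_statusbar32", "msctls_trackbar32", "msctls_updown32", "NativeFontCtl",
    "ReBarWindow32", "RichEdit", "RichEdit20a", "SysAnimate32", "SysDateTimePick32",
    "SysHeader32", "SysIPAddress32", "SysListView32", "SysMonthCal32", "SysPager",
    "SysTabControl32", "SysTreeView32", "ToolbarWindow32", "tooltips_class32",
}

def classify_class(cls, name=""):
    """Return the framework tag for one (class name, window title) pair, or None."""
    if cls in STANDARD_CONTROLS:
        return None
    # Inno Setup's loader uses the plain STATIC class; only the window name gives it away.
    if cls == "STATIC" and name == "InnoSetupLdrWindow":
        return "Inno Setup"
    if cls in EXACT:
        return EXACT[cls]
    for pattern, tag in PATTERNS:
        if pattern.match(cls):
            return tag
    return None

# Constructed log format: one 'CreateWindowExW class="..." name="..."' line per created window.
LOG_LINE = re.compile(r'class="([^"]*)"\s+name="([^"]*)"')

def summarize(log_text):
    """Count framework tags over every window-creation line of a sandbox log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            tag = classify_class(m.group(1), m.group(2))
            if tag:
                hits[tag] += 1
    return hits

def best_guess(log_text):
    """Pick one verdict: a definite signature beats the VCL heuristic, then frequency decides."""
    hits = summarize(log_text)
    if not hits:
        return None
    return max(hits, key=lambda tag: (not tag.endswith("heuristic)"), hits[tag]))

# Constructed sample logs (not real sandbox output).
MFC_LOG = """\
CreateWindowExW class="Afx:400000:0" name="Untitled - Notes"
CreateWindowExW class="Afx:ToolBar:400000" name=""
CreateWindowExW class="msctls_statusbar32" name=""
CreateWindowExW class="Afx:StatusBar:400000" name=""
CreateWindowExW class="tooltips_class32" name=""
"""
INNO_LOG = """\
CreateWindowExW class="STATIC" name="InnoSetupLdrWindow"
CreateWindowExW class="TWizardForm" name="Setup - Example App"
CreateWindowExW class="TNewButton" name="&Next >"
CreateWindowExW class="TNewStaticText" name=""
"""

if __name__ == "__main__":
    for label, log in (("MFC sample", MFC_LOG), ("Inno sample", INNO_LOG)):
        print(label, dict(summarize(log)), "->", best_guess(log))
```

The second sample shows why the VCL heuristic is ranked below definite signatures: an Inno Setup installer creates several `TWizardForm`/`TNew*` windows (Inno Setup is itself built with Delphi), yet the single `STATIC` window named `InnoSetupLdrWindow` is the more useful verdict for an installer-handling routine.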

And last, but not least, a ‘gallery’ of classes from a number of dynamically analyzed samples written in

Borland/Delphi/etc.

  • TAbout
  • TAboutBox
  • TAboutBox1
  • TAboutDlg
  • TAboutForm
  • TAboutFrm
  • TActionMainMenuBar
  • TActionToolBar
  • TActivationForm
  • TAdminForm
  • TAdvGlassButton
  • TAdvGlowButton
  • TAdvListView
  • TAdvMemo
  • TAdvOfficePage
  • TAdvOfficePager
  • TAdvOfficeStatusBar
  • TAdvPageControl
  • TAdvProgress
  • TAdvSmoothButton
  • TAdvSmoothPanel
  • TAdvSpinEdit
  • TAdvTabSheet
  • TAdvToolBar
  • TAfterScan
  • TAnimate
  • TAnPane
  • TAppBuilder
  • TApplication
  • TBitBtn
  • TBrowserDlg
  • TBrowserForm
  • TButton
  • TButton2
  • TButtonGroup
  • TCalc
  • TCalculator
  • TCancelScan
  • TCategoryPanelGroup
  • TCentral
  • TChart
  • TChat
  • TChatWindow
  • TCheckBox
  • TCheckListBox
  • TClient
  • TClientForm
  • TCloseForm
  • TCodePanel
  • TColorBox
  • TColorButton
  • TColorGrid
  • TColorWindow
  • TComboBox
  • TComboBoxEx
  • TComComboBox
  • TConerBtn
  • TConfigForm
  • TConfigServer
  • TControlForm
  • TControllerForm
  • TCoolBar
  • TCpanel
  • TCustomDateTimePicker
  • TDateTimePicker
  • TDebugForm
  • TDesco
  • TDirectoryListBox
  • TDragArrow
  • TDrawGrid
  • TDriveComboBox
  • TDsGroupBox
  • TEdit
  • TEdit97
  • TEditForm
  • TEditListBox
  • TEditN
  • TEdits
  • TEnvWindow
  • TError
  • TExeToolForm
  • TEzHelpWindow
  • TFashionPanel
  • TFileListBox
  • TFinalFantasy
  • TFinalPws
  • TFlatButton
  • TFlatCheckBox
  • TFlatComboBox
  • TFlatEdit
  • TFlatGroupBox
  • TFlatPanel
  • TFlatRadioButton
  • TFlatSpinEditInteger
  • TFlatTitlebar
  • TFmMain
  • TFmPrincipal
  • TForm
  • TForm0
  • TForm1
  • TForm1.UnicodeClass
  • TForm10
  • TForm100
  • TForm101
  • TForm102
  • TForm103
  • TForm104
  • TForm105
  • TForm106
  • TForm107
  • TForm108
  • TForm109
  • TForm11
  • TForm110
  • TForm111
  • TForm112
  • TForm113
  • TForm114
  • TForm115
  • TForm116
  • TForm117
  • TForm118
  • TForm119
  • TForm12
  • TForm120
  • TForm121
  • TForm122
  • TForm123
  • TForm124
  • TForm125
  • TForm126
  • TForm127
  • TForm128
  • TForm129
  • TForm13
  • TForm130
  • TForm131
  • TForm132
  • TForm133
  • TForm134
  • TForm135
  • TForm136
  • TForm137
  • TForm138
  • TForm139
  • TForm14
  • TForm140
  • TForm141
  • TForm142
  • TForm143
  • TForm144
  • TForm145
  • TForm146
  • TForm147
  • TForm148
  • TForm149
  • TForm15
  • TForm150
  • TForm151
  • TForm152
  • TForm153
  • TForm154
  • TForm155
  • TForm156
  • TForm157
  • TForm158
  • TForm159
  • TForm16
  • TForm160
  • TForm161
  • TForm162
  • TForm163
  • TForm164
  • TForm165
  • TForm166
  • TForm167
  • TForm168
  • TForm169
  • TForm17
  • TForm170
  • TForm171
  • TForm172
  • TForm173
  • TForm174
  • TForm175
  • TForm176
  • TForm177
  • TForm178
  • TForm179
  • TForm18
  • TForm180
  • TForm181
  • TForm182
  • TForm183
  • TForm184
  • TForm185
  • TForm186
  • TForm187
  • TForm188
  • TForm189
  • TForm19
  • TForm190
  • TForm191
  • TForm192
  • TForm193
  • TForm194
  • TForm195
  • TForm196
  • TForm197
  • TForm198
  • TForm199
  • TForm1a
  • TForm1b
  • TForm1c
  • TForm1w
  • TForm2
  • TForm20
  • TForm200
  • TForm201
  • TForm202
  • TForm203
  • TForm204
  • TForm205
  • TForm206
  • TForm207
  • TForm208
  • TForm209
  • TForm21
  • TForm210
  • TForm211
  • TForm212
  • TForm213
  • TForm214
  • TForm215
  • TForm216
  • TForm217
  • TForm218
  • TForm219
  • TForm22
  • TForm220
  • TForm221
  • TForm222
  • TForm223
  • TForm224
  • TForm225
  • TForm226
  • TForm227
  • TForm228
  • TForm229
  • TForm23
  • TForm230
  • TForm231
  • TForm232
  • TForm233
  • TForm234
  • TForm235
  • TForm236
  • TForm237
  • TForm238
  • TForm239
  • TForm24
  • TForm240
  • TForm241
  • TForm242
  • TForm243
  • TForm244
  • TForm25
  • TForm26
  • TForm27
  • TForm28
  • TForm29
  • TForm2a
  • TForm2b
  • TForm3
  • TForm30
  • TForm31
  • TForm32
  • TForm33
  • TForm34
  • TForm35
  • TForm36
  • TForm37
  • TForm38
  • TForm39
  • TForm3a
  • TForm3b
  • TForm4
  • TForm40
  • TForm41
  • TForm42
  • TForm43
  • TForm44
  • TForm45
  • TForm46
  • TForm47
  • TForm48
  • TForm49
  • TForm4c
  • TForm4d
  • TForm5
  • TForm50
  • TForm51
  • TForm52
  • TForm53
  • TForm54
  • TForm55
  • TForm56
  • TForm57
  • TForm58
  • TForm59
  • TForm5a
  • TForm6
  • TForm60
  • TForm61
  • TForm62
  • TForm63
  • TForm64
  • TForm65
  • TForm66
  • TForm67
  • TForm68
  • TForm69
  • TForm6a
  • TForm6b
  • TForm7
  • TForm70
  • TForm71
  • TForm72
  • TForm73
  • TForm74
  • TForm75
  • TForm76
  • TForm77
  • TForm78
  • TForm79
  • TForm7w
  • TForm8
  • TForm80
  • TForm81
  • TForm82
  • TForm83
  • TForm84
  • TForm85
  • TForm86
  • TForm87
  • TForm88
  • TForm89
  • TForm9
  • TForm90
  • TForm91
  • TForm92
  • TForm93
  • TForm94
  • TForm95
  • TForm96
  • TForm97
  • TForm98
  • TForm99
  • TForm_About
  • TForm_Main
  • TForm_Options
  • TForm_Principal
  • TForm_splash
  • TForm_Undelete
  • TForm_Update
  • TFormAbout
  • TFormaTudo
  • TFormAutorun
  • TFormbb
  • TFormCreateServer
  • TFormDisclaimer
  • TFormExit
  • TFormHTML
  • TForminfo
  • TFormInstaller
  • TFormLogin
  • TFormMain
  • TFormOptions
  • TFormp
  • TFormPasswords
  • TFormPrinc
  • TFormPrincipal
  • TFormProgress
  • TFormregister
  • TFormRunning
  • TFormSetup
  • TFormShell
  • TFormSlectDir
  • TFormSplash
  • TFormUpdate
  • TFormWait
  • TFormWeb
  • TFormwebbrowser
  • TFormXInstaller
  • TFrame1
  • TFrame4
  • TFrame6
  • TFrm_check
  • TFrm_codigo
  • TFrm_Main
  • TFrmAbout
  • TFrmAd
  • TFrmAgree
  • TFrmBrad
  • TFrmCert
  • TFrmChat
  • TFrmControl
  • TFrmDownAgree
  • TFrmDownload
  • TFrmECleanDel
  • TFrmExport
  • TFrmGF
  • TFrmIDSoc
  • TFrmInit
  • TFrmLogin
  • TFrmMain
  • TFrmNewAccount
  • TFrmPass
  • TFrmPassw
  • TFrmPrincipal
  • TFrmReflet
  • TFrmSeting
  • TFrmSetup
  • TFrmSplash
  • TFrmSynNglp
  • TFrmTOKEN1
  • TFrmUpdate
  • TFrmVrfcdr
  • TFunc
  • TGeoPosition
  • TGradBtn
  • TGradPan
  • TGroupBox
  • TGroupButton
  • THeader
  • THelpForm
  • THiddenForm
  • THintWindow
  • THotButton
  • THotGroupBox
  • THotKey
  • THtmlUIForm
  • TImageForm
  • TInfobusca
  • TInfoForm
  • TInplaceEdit
  • TInstallerForm
  • TInstallForm
  • TKeyForm
  • TKeygenForm
  • TLabel
  • TLabeledEdit
  • TLayerWindow
  • TLinkLabel
  • TLinkText
  • TListBox
  • TListenForm
  • TListView
  • TLogForm
  • TLogin
  • TLogin_Form
  • TLoginForm
  • TLogo
  • TLogoForm
  • TLogonDlg
  • TLogonForm
  • TMain
  • TMain_Form
  • TMainF
  • TMainF0rmVer2
  • TMainFM
  • TMainForm
  • TMainFormVer2
  • TMainFrm
  • TMainMPRForm
  • TMainWin
  • TMainWindow
  • TManForm
  • TMaskEdit
  • TMaster
  • TMediaPlayer
  • TMemo
  • TMemoForm
  • TMenuButton
  • TMessageForm
  • TModifiedEdit
  • TMonitor
  • TMonitorForm
  • TMonthCalendar
  • TMormay1
  • TMsgForm
  • TMsgForm2
  • TMyIEButton2
  • TNetComMainFm
  • TNetWindow
  • TNewButton
  • TNewCheckListBox
  • TNewComboBox
  • TNewDiskForm
  • TNewMemo
  • TNewNotebook
  • TNewNotebookPage
  • TNewRadioButton
  • TNewStaticText
  • TNewWindow
  • TNextGrid
  • TNomeDiferente
  • TNotebook
  • TNotifierWindow
  • TNotifyForm
  • TNxButton
  • TNxPopupList
  • TNxTabSheet
  • TOleContainer
  • TOptionsForm
  • TOutline
  • TOvcfrmSplashDlg
  • TPage
  • TPageControl
  • TPageScroller
  • TPainel_Seguranca
  • TPainel_Seguranca2
  • TPanel
  • TPanels
  • TParentForm
  • TPasswordDlg
  • TPasswordForm
  • TPenWindow2
  • TPlanilha
  • TPlayForm
  • TPlaylistForm.UnicodeClass
  • TPngBitBtn
  • TPoolTemplate
  • TPortRedirForm
  • TPreviewWindow
  • TPrincipal
  • TPrnStatusForm
  • TProcessForm
  • TProgressBar
  • TProgressForm
  • TPromoForm
  • TPserver
  • TPwdForm
  • TRadioButton
  • TRadioGroup
  • TRbButton
  • TReg_Form
  • TRegForm
  • TRegHex
  • TRegisterForm
  • TRegistrationWindow
  • TRichEdit
  • TRichEditViewer
  • TRollShadow
  • TRum_
  • TRunningText
  • TRzBitBtn
  • TRzBmpButton
  • TRzButton
  • TRzButtonEdit
  • TRzButtonPair
  • TRzCheckBox
  • TRzComboBox
  • TRzEdit
  • TRzGroup
  • TRzGroupBox
  • TRzGroupButton
  • TRzMaskEdit
  • TRzPageControl
  • TRzPanel
  • TRzRadioButton
  • TRzRadioGroup
  • TRzSizePanel
  • TRzSpinButtons
  • TRzSpinEdit
  • TRzSplitter
  • TRzTabSheet
  • TRzToolbar
  • TSbookF
  • TScrollBar
  • TScrollBox
  • TScroller
  • TSecCenter
  • TSechDir
  • TSelectLanguageForm
  • TSelectWindow
  • TServerForm
  • TSetForm
  • TSettingsForm
  • TSetupForm
  • TSetupMainForm
  • TShellTreeView
  • TShowPm
  • TSiInMay
  • TSkin
  • TSpinButton
  • TSpinEdit
  • TSpinEdit2
  • TSplash
  • TSplashForm
  • TSplashScreen
  • TStaticText
  • TStatusBar
  • TStatusForm
  • TStoringComboBox
  • TStringGrid
  • TStubForm
  • TSupervisor
  • TSynBaseCompletionProposalForm
  • TSynMemo
  • TSystemUpdateService
  • TTabControl
  • TTabPage
  • TTabSet
  • TTabSheet
  • TTabSheetes
  • TTeButton
  • TTeCustomTabSheet
  • TTePanel
  • TTeSEdit
  • TTestForm
  • TTeTabSheet
  • TTetro1
  • TTipForm
  • TToolBar
  • TToolbar97
  • TTrackBar
  • TTransEdit
  • TTransMemo
  • TTreeView
  • TTurcaButton
  • TUnidadU
  • TUnzipPanel
  • TUpdateForm
  • TUpdateFrm
  • TUpDown
  • TUpIpDate
  • TVeeImageButton
  • TVideoWindow
  • TViewForm
  • TVrDemoButton
  • TWaitForm
  • TWarningForm
  • TWelcome
  • TWinApiWnd
  • TWinControl
  • TWindowDisabler-Window
  • TWinForm
  • TWinMain
  • TWizardForm
  • TWizButton
  • TWizDropDownPanel
  • TWnForm

Enter Sandbox – part 11: Breaking the sandbox, literally :)

My homemade VMs run on VMware. I have been using it for a number of years now and it is my preference, as it’s very fast (especially on SSD), the configuration is very flexible, the management of snapshots is very user-friendly and in general – I am really happy with it.

I use VMware to run some of my automated malware analysis too, and with nearly 1 million files processed there are occasions when it breaks.

I would be really curious to know what the failure ratio is for the commercial sandboxes, but I would imagine this must be happening quite a bit, given the volume of samples they process. I guess it’s probably one of the best stress tests for VMs – the code run in a malware sandbox does a lot of funny stuff and is written by gazillions of clever programmers. There is a huge variety of code, data, errors, undocumented tricks, etc. – I bet some researchers already do it, but I would imagine this could be a good way to automate fuzzing of the VM software in order to find VM escapes.

In any case, since this post falls under the ‘Enter sandbox’ series, it’s actually just a quickie dedicated to the dialog boxes that every once in a while kill my batch processing 🙂
