Reversing w/o reversing – how to become Alex in practice

If you are new to reversing, or want to get better, please watch this excellent presentation by Alex Ionescu. He nailed it: reversers specialize in a never-ending acquisition of knowledge and… hamstering ISOs.

Stealing somebody’s preso titles is not a nice thing to do, so I apologize in advance. I hope I am not doing anything wrong though – I just thought it would be nice to add my 5 cents to Alex’s preso. And I mean the practical bit, for newcomers.

So, with this post I try to answer the following question: “okay, so Alex is now officially old and has joined the elderly who remember int 21h, but what can I do to catch up? cuz most of the ideas and tricks he presented are already dead, because of time, money, access, changes of politics, discontinuation of services and/or technical and NDA restrictions we can’t legally bypass, all of which stop us from accessing this mountain of knowledge?”.

So, how would one go about re-creating what he was able to do when he started, nearly 20 years ago?

I won’t tell you how to change your work patterns, but I will tell you how to gather data that can rapidly put you right behind him.

Everything starts and ends with data. Start collecting it. Cherish it. Hamster it. Process it. Do not commit digital Tsundoku.

Right… so here it goes…

Google dorks

Yes, ridiculous as it sounds, in 2019 we can still use them a lot. You can use them for pretty much everything.

A simple “index of /” + “file name”, sometimes enhanced with “ext:” can give you access to a lot of data.

For instance, how would you go about looking for libcurl dlls?

FTPing w/o FTPing

FTP repos are almost non-existent today, but you can still find them sometimes (e.g. some vendors still use them). What you actually want to find, though, are FTP search engines rather than the FTP sites themselves.

Why?

Because you don’t want to use them to actually download files per se (although if you can, then it’s great, but most of them link to dead repositories today).

What you need them for is… the file lists.

Your strongest research tool online is the file name. The more unique, the better. Once you have many of these, you can immediately build a Google dork for a specific search. With that you have a good chance of finding an actual copy of the file, or files.

Collecting libraries

Every once in a while I go on a hunt for all the possible versions of some library, both static and dynamic versions. Basically, any copy of the library in any form. I need it because I want to have them at hand for comparisons.

Many researchers build collections of libraries like this, because when you don’t have a compilation timestamp in an analyzed executable (e.g. it got wiped out), the version of the library can give you some temporal point of reference.

Another reason for collecting libraries is signatures. If you have a lot of copies of the same library you can build signatures that help you name functions inside an executable that statically links that library.

What to look for?

Anything lib*: libcurl, libpng, libpcre, and then the usual suspects e.g. adlib, pcre, sqlite3, etc.

Downloading DDK and SDK stuff

Yes. You want as many versions of SDK and DDK available.

Yes. You can find them.

How?

Already told you: you need these file names. Badly.

So, how to go about finding the names of the files you want to find?

You primarily need ISO names. Most DDKs and SDKs used to be distributed this way. Lots of them are still there. Somewhere.

How do you find them? You need at least a few file names as a seed 🙂

Here’s a few names:

  • GRMSDK_EN_DVD.iso
  • GRMSDKIAI_EN_DVD.iso
  • GRMSDKX_EN_DVD.iso

Typically, once you know the name of one or two ISOs you will quickly find tons of others. Somehow there is a tendency for anyone who uses them, for whatever reason, to cluster them (or their names) together with others.

Once you start browsing you will find actual links to downloads. Click link to see the example. What did I tell you? Many of them are still on the Microsoft web site. So click through Google results and eventually you will find downloadable versions. And typically, you will get clusters of downloads.

So now you have file names, and links.

Go on. Download it all. Some may not work. Most won’t. But this is one step closer. You could ask around — if you have a file name, it’s much easier to find than asking for a specific SDK version.

Downloading OS ISOs

Plus, there is more.

Okay, you can download them from warez sites, but it’s not recommended. Apart from legal issues and moral principles, there is also the problem of file integrity and malware.

And there are still some ways, but yes, honestly… the rich are privileged. If you don’t have an MSDN subscription you are kinda screwed. In the past you could at least get access to many ISOs via a very cheap TechNet subscription, but this one is gone as well.

The good news is that many ISOs for more recent Windows versions are actually online & often available directly from the Microsoft site!

Again, you need file names.

Or… you need a site that already did all the work for you. I obviously don’t endorse the web site, and you are visiting and using it at your own risk. If you browse it though, you will find a lot of OS ISO file names. These may lead you to further searches + actual downloads. Yes, lo-and-behold, many links present there lead to the Microsoft site, where you can download actual OS ISOs.

Here’s a list of example ISO names:

  • de_windows_7_starter_with_sp1_x86_dvd_u_678545.iso
  • cs_windows_7_enterprise_with_sp1_x86_dvd_u_677695.iso
  • ct_windows_10_multi-edition_version_1709_updated_sept_2017_x86_dvd_100090807.iso
  • ct_windows_10_multi-edition_version_1709_updated_sept_2017_x64_dvd_100090806.iso
  • fr_windows_10_multi-edition_version_1709_updated_sept_2017_x86_dvd_100090827.iso
  • fr_windows_10_multi-edition_version_1709_updated_sept_2017_x64_dvd_100090825.iso

Also, you may like this link. It includes a lot of hashes for MSDN-related content.

Dead Links

Once you start hunting for ISO files you will notice that in some cases you will find dead links. If you have file names though you should be able to find _some_ repos online that still keep them. Again, you can also ask around.

Downloading Very Old Stuff

It’s time to try the Web Archive ISO project. For example, this link shows you all ISOs hosted there that come from Microsoft. These look like winners:

  • EN_WIN2000_PRO_SP4.ISO
  • dos71floppy.zip
  • windowsmeisoandbootdisk.zip

Again, keep an eye on the file names. These may lead you to weird corners of the internet where someone somewhere is still sitting on these old Resource Kits, SDKs, DDKs, etc.

Good luck.

Messages From Beyond The Grave

This is a silly idea that attempts to abuse one very specific class of error messages on Windows: the ones that show up when the OS is unable to load a DLL or resolve an API function that an executable relies on.

On Windows 10 we will see the message below if a DLL is missing (here: kernel3x.dll is missing):

Or this (for an API):

Earlier versions of Windows are a little bit more descriptive as they include a reference to an API as well – in this case a very long non-existing function name:

The longest API name I could use is 248 characters. That’s plenty.

These message boxes come in response to a call to the NtRaiseHardError function. When ntdll.dll starts a new process it tries to load the statically linked (imported) libraries and resolve all the imported functions one by one. If anything fails, a hard error is raised, e.g.:

  • 0xC0000135 STATUS_DLL_NOT_FOUND – missing DLL
  • 0xC0000138 STATUS_ORDINAL_NOT_FOUND – function imported by ordinal not found
  • 0xC0000139 STATUS_ENTRYPOINT_NOT_FOUND – unresolved API function

Information about these hard errors is added to the Event Log (Event ID 26 under System), which may come in handy as a way to trace ‘failed processes’, e.g.:

Interestingly, all these error message boxes are actually ‘owned’ by the csrss.exe process – a very interesting target from an attacker’s perspective.

At this stage one can immediately note that:

  • the message relies on data directly embedded inside the ‘corrupted’ file, i.e. the input data is controlled by whoever built the file, and there doesn’t seem to be any input sanitization (but in fairness, why should there be any, really?)
  • it means we can produce a file with a long file name, placed in a location with a long path, using non-existing DLL name(s) and/or API names (up to 248 characters), which in turn will appear in the message box the way we planned. Yup, we can control a big part of the message!
  • this may help to develop simple social engineering attacks
  • a more subtle implication of the above is that we could potentially inject _any_ code/data into the csrss.exe process w/o raising any flag (while achieving code execution is obviously much harder, having the ability to easily inject data into csrss.exe is a nice bonus); this could be abused in a number of ways, e.g.:
    • a very simple, yet naughty example could be a program using EICAR as an API name; I have not tested it, but there is a dangerous possibility the system could BSOD if an AV decided to terminate the process with this string inside
    • misdirection / planting evidence, e.g. IOCs of other campaigns, nonsensical URLs, etc., so that they can be found during memory inspection & act as a red herring for analysts
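Since the Event ID 26 entries mentioned above record the same text that lands in the message box, they are the natural place for a defender to look for the attacker-controlled strings this list describes. The script below is an added example (not code from the original post): it parses a handful of constructed Event ID 26 messages, maps each to the NTSTATUS names listed above, and flags loader errors whose imported-function or DLL name does not look like a real export identifier (free text, a URL, or an unusually long name). The message wording is assumed to follow the Windows 10 “System Error” / “Entry Point Not Found” dialogs; the regexes, sample lines and thresholds are this example’s own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# NTSTATUS values the post lists for loader hard errors.
HARD_ERROR_STATUS = {
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000138: "STATUS_ORDINAL_NOT_FOUND",
    0xC0000139: "STATUS_ENTRYPOINT_NOT_FOUND",
}

# Assumed shape of the Event ID 26 text: "Application popup: <title> : <dialog text>".
DLL_MISSING_RE = re.compile(
    r"Application popup: (?P<title>.+?) : .*?because (?P<dll>\S+?) is missing")
ENTRYPOINT_RE = re.compile(
    r"Application popup: (?P<title>.+?) : The procedure entry point (?P<func>.+?) "
    r"could not be located in the dynamic link library (?P<dll>\S+?)\.?$")

# What a genuine export name looks like (C and decorated C++ names).
EXPORT_IDENT_RE = re.compile(r"^[A-Za-z_@?$][A-Za-z0-9_@?$]*$")
DLL_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")
URL_RE = re.compile(r"https?://|www\.", re.I)
MAX_SANE_NAME = 64   # assumed threshold; real export names are rarely this long


@dataclass
class HardError:
    exe: str
    status: str
    dll: str
    function: Optional[str]
    reasons: List[str] = field(default_factory=list)


def suspicious_reasons(func: Optional[str], dll: str) -> List[str]:
    """Return the reasons a loader error looks like attacker-controlled text."""
    reasons = []
    for label, name in (("function", func), ("dll", dll)):
        if not name:
            continue
        if len(name) > MAX_SANE_NAME:
            reasons.append(f"{label} name unusually long ({len(name)} chars)")
        if URL_RE.search(name):
            reasons.append(f"{label} name contains a URL")
    if func and not EXPORT_IDENT_RE.match(func):
        reasons.append("function name is not a valid export identifier (free text?)")
    if not DLL_NAME_RE.match(dll):
        reasons.append("dll name contains characters a loader would not see in a real import")
    return reasons


def parse_event(message: str) -> Optional[HardError]:
    """Parse one Event ID 26 message; return None if it is not a loader hard error."""
    m = ENTRYPOINT_RE.search(message)
    if m:
        func = m.group("func").strip()
        dll = m.group("dll").rstrip(".")
        status = HARD_ERROR_STATUS[0xC0000139]
    else:
        m = DLL_MISSING_RE.search(message)
        if not m:
            return None
        func, dll, status = None, m.group("dll"), HARD_ERROR_STATUS[0xC0000135]
    exe = m.group("title").split(" - ")[0].strip()   # title is "<exe> - <dialog caption>"
    return HardError(exe, status, dll, func, suspicious_reasons(func, dll))


def triage(messages: List[str]) -> List[HardError]:
    """Parse every message and keep only the records that were flagged."""
    parsed = [rec for rec in (parse_event(msg) for msg in messages) if rec]
    return [rec for rec in parsed if rec.reasons]


# Constructed sample events for this example (not real log data).
SAMPLE_EVENTS = [
    "Application popup: app.exe - System Error : The program can't start because "
    "msvcr120.dll is missing from your computer. Try reinstalling the program to fix this problem.",
    "Application popup: tool.exe - Entry Point Not Found : The procedure entry point "
    "GetTickCount64 could not be located in the dynamic link library kernel32.dll.",
    "Application popup: update.exe - Entry Point Not Found : The procedure entry point "
    "Your session has expired. Enter your password at www.example.invalid to continue "
    "could not be located in the dynamic link library kernel32.dll.",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(f"{rec.exe}: {rec.status} ({rec.dll}) -> " + "; ".join(rec.reasons))
```

The first two samples are what a broken install or a version mismatch produces and pass silently; only the third, where the “function name” is a sentence with a URL in it, is reported. In practice you would feed `triage` the rendered message field of Event ID 26 records exported from the System log.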

So… we have four ways (path, file name, DLL name, API) to influence that error message on Windows 7, and three on Windows 10 (path, file name, DLL name). With these we can deliver at least two variants of Social Engineering tricks:

  • By swapping an API name with a text of our choice we can attempt to persuade the user to do something they wouldn’t normally do. For example we could try to phish credentials:
  • Manual or ‘persuaded’ bypass of UAC

As long as we don’t close the error message it will continue to appear on the desktop. A funny side-effect (at least on Windows 10) is that it will often keep re-appearing on top of all windows, including the one shown by the UAC dialog box e.g.:

That is, if we run 2 programs, where the first one is an intentionally corrupted .exe with our message of choice and the second one requires UAC approval, we could overlap the UAC window with our message, e.g.:

All in all, not a big deal, just an interesting curiosity.