Commander Minority Report

This is an idea I have not tested in practice, but it emerged in response to a simple question:

  • What if sysmon, 4688, EDR command line logging couldn’t catch a thing?

I am not the first one to ask this question, and @_xpn_ has a great post about an argument spoofing trick one can use to fool command line interceptors: create a suspended process, then inject the real command line after the process creation event has been intercepted, then resume the process with the new command line injected.
Brilliant!

So… that made me think about what command line really is.

And a command line is basically a string that is parsed to set up an internal state for the program that parses it. With that we can ask another question: is there a way to manipulate the process state directly, assigning the appropriate values to the internal engine of the targeted tool so that it runs as if a command line argument had been provided, but without ever providing that command line? Of course, to do so one needs to know the intricacies of the process being manipulated, but it’s relatively straightforward for targets like powershell (source code available), or even vbscript / cmd.

Perhaps there is a scope for a completely new type of offensive engine that takes instrumentation to a completely new level…

Re-sauce, Part 2

In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resource instead. Some developers like to name resources with strings and use these instead of numerical IDs. Many of these are prefixed with ‘IDD_’, which makes them an easy target.

Grepping through a large collection of exported resources one can find the following ‘custom-named’ resource names (see file).

Browsing through the content one can find a number of IDDs that are clearly very old e.g.

  • IDD_WIZ97SHEET
  • IDD_DISKETTE
  • IDD_INSERT_DISK

but also lots of very boring names e.g.

  • IDD_DIALOG1
  • IDD_DIALOG2
  • IDD_DIALOG3
  • IDD_DIALOG4
  • IDD_ABOUTBOX
  • IDD_DIALOG_FONT
  • IDD_FONT
  • IDD_UNUSED1
  • etc.

— most likely names auto-created by RAD resource editors. There are some funny typos, e.g. IDD_SPLAHSCREEN. Finally, there are some more enigmatic and interesting names like

  • IDD_DEBUG*
  • IDD_NTOPEN
  • IDD_NTCLOSE
  • IDD_CREDITCARD

but these are not really research-worthy.

How can you use this list?

Apart from being an archaeological curiosity, this may actually be quite helpful in knowing which IDD_ resources are at least known in a ‘good sampleset’ space. With that you could create YARA rules, and perhaps more advanced ‘good file’ detections. And if you write a PE viewer/editor/parser, you could always highlight these as ‘known good resources’.
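As an added example (not code from the original post or its linked file), here is a small Python walker for a PE resource directory that pulls out string-named entries, splits the IDD_ ones into ‘known good’ vs. ‘unknown’, and emits a YARA rule from the known-good list. The KNOWN_GOOD_IDD set is a tiny constructed stand-in for the post’s list, the resource blob is built inline rather than read from a real PE, and the build_sample_resource_dir helper only exists to produce that test input.

```python
import struct

# Constructed stand-in for the post's list of IDD_ names seen in a "good sampleset";
# the real list is the file linked from the post.
KNOWN_GOOD_IDD = {"IDD_ABOUTBOX", "IDD_DIALOG1", "IDD_WIZ97SHEET", "IDD_INSERT_DISK"}
RT_DIALOG = 5           # resource type ID for dialog templates
HIGH_BIT = 0x80000000   # set when Name is a string offset / OffsetToData is a subdirectory


def _read_name(blob, off):
    """IMAGE_RESOURCE_DIR_STRING_U: uint16 character count followed by UTF-16LE text."""
    (n,) = struct.unpack_from("<H", blob, off)
    return blob[off + 2: off + 2 + 2 * n].decode("utf-16-le")


def walk_resource_dir(blob, off=0, path=(), seen=None):
    """Yield (path, data_entry_offset) for every leaf of the resource tree.

    Offsets are relative to the start of the resource section, as in the PE
    format. `seen` guards against malformed trees that loop back on themselves.
    """
    seen = set() if seen is None else seen
    if off in seen or off + 16 > len(blob):
        return
    seen.add(off)
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", blob, off)
    for i in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", blob, off + 16 + 8 * i)
        key = _read_name(blob, name_field & 0x7FFFFFFF) if name_field & HIGH_BIT else name_field
        if data_field & HIGH_BIT:
            yield from walk_resource_dir(blob, data_field & 0x7FFFFFFF, path + (key,), seen)
        else:
            yield path + (key,), data_field


def classify_named_resources(blob, known=KNOWN_GOOD_IDD):
    """Split string-named IDD_ resources into known-good vs. unknown (the ones worth a look)."""
    found = {k for path, _ in walk_resource_dir(blob) for k in path
             if isinstance(k, str) and k.upper().startswith("IDD_")}
    return {"known_good": sorted(found & set(known)),
            "unknown": sorted(found - set(known))}


def yara_rule_for_known_names(names, rule_name="known_good_idd_names"):
    """Emit a YARA rule matching the known-good names as UTF-16 (resource names are wide)."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, nm in enumerate(sorted(names)):
        lines.append(f'        $n{i} = "{nm}" wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


def build_sample_resource_dir(names):
    """Construct a minimal resource tree: RT_DIALOG -> one named subdir per name -> lang 0x409 leaf.

    Layout: root | type subdir | per-name lang subdirs | per-name data entries | name strings.
    This is test scaffolding only; a real PE would supply the .rsrc section bytes.
    """
    type_dir_off = 16 + 8
    lang_dir_off = type_dir_off + 16 + 8 * len(names)
    data_off = lang_dir_off + 24 * len(names)
    strings_off = data_off + 16 * len(names)
    strings, str_offs = b"", []
    for nm in names:
        str_offs.append(strings_off + len(strings))
        strings += struct.pack("<H", len(nm)) + nm.encode("utf-16-le")
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_DIALOG, HIGH_BIT | type_dir_off)
    type_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, len(names), 0)
    for i, so in enumerate(str_offs):
        type_dir += struct.pack("<II", HIGH_BIT | so, HIGH_BIT | (lang_dir_off + 24 * i))
    lang_dirs, data_entries = b"", b""
    for i in range(len(names)):
        lang_dirs += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, data_off + 16 * i)
        data_entries += struct.pack("<IIII", 0x1000 + 0x40 * i, 0x40, 0, 0)  # rva, size, codepage, reserved
    return root + type_dir + lang_dirs + data_entries + strings


if __name__ == "__main__":
    sample = build_sample_resource_dir(["IDD_ABOUTBOX", "IDD_SPLAHSCREEN", "IDD_DIALOG1"])
    print(classify_named_resources(sample))
    print(yara_rule_for_known_names(KNOWN_GOOD_IDD))
```

Feeding the walker a real file means handing it the raw .rsrc section bytes (resource offsets are section-relative, not file offsets); the `seen` set and the length check matter there, since a hostile or corrupt PE can point directory entries back at themselves or past the end of the section.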

Overall, curiosity more than anything useful, but that’s one of the reasons why we are digging it… out.