Forensic Riddle #1

I have always been interested in riddles and puzzles, and I have a lot of respect for people who create them. So, when I was thinking of opening this blog I always had in mind a section that would be dedicated to riddles. The idea is of course not new; I borrowed this particular one from Richard Wiseman, one of my favorite authors. He posts a puzzle every Friday and provides the answer to it on Monday.

So, standing on the shoulders of giants, I will be posting a new riddle every Friday as well. The topics will be forensics, malware analysis, and any sort of binary-data related fun facts. The goal is to post something short, simple, and relatively easy to crack, yet a bit quirky or with a twist, so that you can have fun and hopefully learn something new. Of course, if you have been in the industry long enough, you will crack it in no time.

I will start with something I came up with 2 years ago while working for my previous employer. I modified it to avoid potential copyright issues, yet the fundamental principle stays the same. In hindsight, it is not that difficult, yet I think the guys who faced it found it challenging at the time, and their interesting approach to the problem (they generated a lot of ideas!) led me to post a few more riddles on our internal mailing list.

The Riddle:

  • command executed on the same system
  • command is “dir wimmount.sys”
  • 2 different windows, 2 different results
  • why?


Answer here

How to use HAM?

This is a short intro tutorial on how to use HAM. The basic idea is to show how to:

  • Load an application for analysis
  • Pass command line arguments to the analyzed program
  • Choose APIs
  • Run
  • Observe the output

So, let’s begin:

  • First, download and run HAM. You should see the following screen:
  • Now press F3, Ctrl-O, or choose File->Open Executable from the application menu.
  • Go to your System Directory:
  • Type ‘notepad.exe’ and hit Enter
  • Type the command line argument for Notepad, e.g. ‘test.txt’ (this file will be opened by Notepad):
  • Press Alt+A or click the icon as shown below:
  • Choose the ‘CreateFileW’ API in the API Functions window:
  • Press F5 or click the icon as shown below:
  • Notepad will now be launched, and the modules loaded by Notepad will be shown in a small window; for each module loaded, HAM will attempt to intercept all APIs selected earlier in the API Functions window, in our case only ‘CreateFileW’:
  • Each module loaded by Notepad is shown in the output pane, and the Notepad window is shown on the Desktop as well; as you can see, the CreateFileW API has been called once, with the argument being the file name that we typed in the Notepad Open File window, i.e. ‘test.txt’;

We can conclude this demo with the following observations:

  • Notepad is indeed using CreateFileW when it opens files
  • The file is opened with the flag OPEN_EXISTING, i.e. Notepad attempts to open an existing file without overwriting it
  • The file is opened with both FILE_SHARE_READ and FILE_SHARE_WRITE, i.e. you could open a file in Notepad and still overwrite it with an external application (e.g. echo foo>test.txt) while it is being edited.
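The observations above come from reading the raw CreateFileW arguments in the monitor output. As an added example (not code from the tutorial, and not HAM's real output format), here is a small Python helper that decodes those numeric arguments into the named Win32 constants and flags any file opened with FILE_SHARE_WRITE, which is exactly the case where another process can overwrite the file while the handle is still open. The trace line format and the sample lines are constructed for this example; the flag and disposition values are the real Win32 constants.

```python
import re

# Real Win32 constants (winnt.h / fileapi.h) for the CreateFileW arguments
ACCESS_FLAGS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SHARE_FLAGS = {
    0x1: "FILE_SHARE_READ",
    0x2: "FILE_SHARE_WRITE",
    0x4: "FILE_SHARE_DELETE",
}
DISPOSITIONS = {
    1: "CREATE_NEW",
    2: "CREATE_ALWAYS",
    3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS",
    5: "TRUNCATE_EXISTING",
}
# INVALID_HANDLE_VALUE as printed by a 32-bit or 64-bit monitor
INVALID_HANDLE_VALUES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}

# Constructed sample trace in a hypothetical monitor format (assumption, not HAM's):
#   CreateFileW(L"<name>", <access>, <share>, <secattr>, <disposition>, <flags>, <template>) = <handle>
SAMPLE_TRACE = r'''
CreateFileW(L"test.txt", 0x80000000, 0x3, 0x0, 0x3, 0x80, 0x0) = 0x1a4
CreateFileW(L"C:\\Temp\\out.bin", 0x40000000, 0x0, 0x0, 0x2, 0x80, 0x0) = 0x1b8
CreateFileW(L"missing.txt", 0xC0000000, 0x1, 0x0, 0x3, 0x80, 0x0) = 0xffffffff
'''

LINE_RE = re.compile(
    r'^CreateFileW\(L"(?P<name>(?:[^"\\]|\\.)*)",\s*(?P<args>[^)]*)\)\s*=\s*(?P<ret>0x[0-9A-Fa-f]+)\s*$'
)


def decode_mask(value, table):
    """Render a bitmask as the OR of its named flags; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return " | ".join(names) if names else "0"


def decode_line(line):
    """Parse one trace line into a dict of decoded arguments, or None if it is not a CreateFileW call."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [int(a.strip(), 16) for a in m.group("args").split(",")]
    if len(args) != 6:  # the six arguments after lpFileName
        return None
    access, share, _secattr, disposition, _attrs, _template = args
    ret = int(m.group("ret"), 16)
    return {
        "file": m.group("name").replace("\\\\", "\\"),  # undo C-style escaping of backslashes
        "access": decode_mask(access, ACCESS_FLAGS),
        "share": decode_mask(share, SHARE_FLAGS),
        "disposition": DISPOSITIONS.get(disposition, hex(disposition)),
        "succeeded": ret not in INVALID_HANDLE_VALUES,
        "share_write": bool(share & 0x2),
    }


def decode_trace(text):
    """Decode every CreateFileW line in a trace, skipping lines that do not match."""
    return [entry for entry in (decode_line(l) for l in text.splitlines()) if entry]


def writable_while_open(entries):
    """Files successfully opened with FILE_SHARE_WRITE: another process may overwrite them while the handle lives."""
    return [e["file"] for e in entries if e["succeeded"] and e["share_write"]]


if __name__ == "__main__":
    entries = decode_trace(SAMPLE_TRACE)
    for e in entries:
        print(e)
    print("writable while open:", writable_while_open(entries))
```

Run against the constructed trace, the first line decodes to GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE and OPEN_EXISTING, which is the combination the tutorial observes for Notepad; the third line is reported as a failed open because the returned handle is INVALID_HANDLE_VALUE.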

We also learnt that:

  • Loading applications for analysis and passing arguments to them is very straightforward
  • To use it efficiently, it is good to have some basic understanding of Windows programming: you need to know which APIs to select in order to monitor the analyzed program efficiently.
  • HAM works on Windows 8 Developer Preview 🙂

As you can see, just by looking at the arguments passed to APIs, as well as the flow of the APIs being called, multiple things can be done:

  • it may help in in-house malware analysis
  • it may help with vulnerability research
  • it may help in understanding Windows API and Windows internals
  • it may allow you to discover undocumented or unexpected quirks of Windows (e.g. what mutexes are created by a given application, what strings are hard coded and compared against by certain APIs, etc.)

Enjoy!