
Propagate, Ribbonate

December 22, 2020 in Anti-Forensics, Code Injection, Forensic Analysis, Malware Analysis

I thought the Propagate technique was a dead horse: described, implemented, used in malware.

But.

There is perhaps one more possibility, or four.

When you open Windows Explorer with Ribbons enabled, the UIRibbon.dll DLL gets loaded into the Explorer process address space:

One of the things the DLL does is set window properties on its internal windows, using the following methods:

  • HWndContainer::Build(HWND hWnd, char a2, struct HWndContainer **a3)
    • Property: 0xA91C
  • OfficeSpace::Root::SetEventLogger(OfficeSpace::Root *this, struct IUIEventLogger *a2)
    • Property: 0xBCDE
  • NetUI::SetCommandManager(HWND hWnd, HWND hData, struct NetUI::ICommandManager *a3)
    • Property: 0xBCDF
  • UXHwndEffectsManager::FInitialize@(HANDLE hData@, HWND hWnd@, bool a3, bool a4, bool a5)
    • Property (atom name): SCENIC_UXHWNDEFFECTSMANAGER_WINDOW_PROP

Example:

So, what do we do with this?

These are all possible targets for a Propagate code injection, since all of these properties appear to hold virtual table pointers…

Beyond good ol’ Run key, Part 130

October 19, 2020 in Anti-Forensics, Autostart (Persistence)

Yet another short one, courtesy of @tiraniddo, who pointed me to this Microsoft article describing the SERVICE_FAILURE_ACTIONSW structure. In essence, you use it to tell the service controller what to do when your service breaks. I saw this technique abused by malware over 10 years ago, but had completely forgotten about it.

James not only provided the link, but also suggested that you could register a service that you know will crash if given bad input on the command line; what you really want is for it to fail so that it runs the backup command. And you can delay the command for a long time to disconnect the failure from the command execution.

Thanks James!
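A defender-side check for the persistence described above, added here as an example and not code from the post: it decodes the FailureActions and FailureCommand registry values the service controller keeps for each service and flags services whose failure action runs a command, reporting the configured delay so a long gap between crash and execution stands out. The blob layout decoded here (five DWORD header followed by SC_ACTION type/delay pairs) is my reading of the registry format, and the service name and command path in the constructed sample are placeholders.

```python
import struct

# SC_ACTION_TYPE values from winsvc.h (SC_ACTION.Type in SERVICE_FAILURE_ACTIONS)
ACTION_NAMES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}

def parse_failure_actions(blob):
    """Decode the REG_BINARY 'FailureActions' value (HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>):
    a serialised SERVICE_FAILURE_ACTIONS with pointers replaced by byte offsets (assumed layout).
    Header = 5 LE DWORDs (dwResetPeriod, reboot-msg offset, command offset, cActions, actions
    offset), then cActions SC_ACTION entries of (Type, Delay in milliseconds)."""
    if len(blob) < 20:
        raise ValueError("FailureActions blob too short")
    reset, _msg_off, _cmd_off, count, act_off = struct.unpack_from("<5I", blob, 0)
    if act_off + 8 * count > len(blob):
        raise ValueError("action table runs past the end of the blob")
    actions = [struct.unpack_from("<II", blob, act_off + 8 * i) for i in range(count)]
    return {"reset_period_s": reset,
            "actions": [(ACTION_NAMES.get(t, "unknown"), delay) for t, delay in actions]}

def flag_run_command(service, blob, failure_command, min_delay_ms=0):
    """Return a finding if a failure action is SC_ACTION_RUN_COMMAND, with its delay(s)."""
    parsed = parse_failure_actions(blob)
    delays = [d for a, d in parsed["actions"] if a == "run_command" and d >= min_delay_ms]
    if not delays:
        return None
    return {"service": service, "command": failure_command,
            "delays_ms": delays, "reset_period_s": parsed["reset_period_s"]}

def scan_live_registry(min_delay_ms=0):
    """Walk the Services key on a Windows host and collect findings (Windows only)."""
    import winreg
    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as svc:
                    blob = winreg.QueryValueEx(svc, "FailureActions")[0]
                    cmd = winreg.QueryValueEx(svc, "FailureCommand")[0]
            except OSError:
                continue  # no failure actions or no failure command set for this service
            hit = flag_run_command(name, blob, cmd, min_delay_ms)
            if hit:
                findings.append(hit)
    return findings

# Constructed samples (not from a real host): run a command 24h after a crash vs. restart only
SAMPLE_BLOB = struct.pack("<5I", 0, 0, 0, 1, 20) + struct.pack("<II", 3, 86_400_000)
RESTART_ONLY_BLOB = struct.pack("<5I", 86400, 0, 0, 2, 20) + struct.pack("<4I", 1, 60000, 0, 0)
SAMPLE_FINDING = flag_run_command("ExampleSvc", SAMPLE_BLOB, r"C:\placeholder\backup.exe")
```

On a Windows host, `scan_live_registry()` returns the list of services configured to run a command on failure; `sc.exe qfailure <name>` shows the same configuration for a single service.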