Category Archives: Anti-Forensics

ShimBad the Sailor

Posted on by

Application Shims have been extensively covered by security researchers – a very comprehensive overview of the available techniques was presented at BH2015 (PDF warning) by Sean Pierce (@secure_sean who also happens to host a page dedicated to the subject at https://sdb.tools/).

I wondered if we could look at shims from a slightly different perspective, and this post is about it.

What if…

…we didn’t change anything, didn’t add any new entries, no custom databases etc.

What if…

We analyzed the existing shims and identified some that could do some interesting things for us? We would then need to fulfill the conditions required for shim to be triggered, and voila… we could now do things via a covert channel – that is, shim engine could be doing the dirty deed and a casual observer would be none the wiser.

Demo time.

On Windows 7, AOL Instant Messenger can be loaded via aim.exe with following versioninfo properties:

  • CompanyName = America Online, Inc.
  • ProductName = AOL Instant Messenger

When system detects such program it applies a SHIM:

The shim loads a library rtvideo.dll.

I took a basic example from masm32 package and changed the properties of the file accordingly:

and then compiled, renamed to aim.exe and the phantom DLL was added to the program by the shim engine.

This is just a basic example of what is possible/available.

Some of the shims create files, rename them, modify stack, fake reading files, etc. etc. . This offers a gamut of possibilities that are worth considering from various perspectives:

  • anti-sandbox, anti-analysis tricks
  • capture the flag tricks
  • after building a repo of shim gadgets one could potentially deliver a lot of functionality by using dummy, non-malicious files ran in a proper sequence
    • copy files
    • patch bytes (<win10)
    • load DLLs
    • run executables
  • the example with aim.exe is truly fascinating as it represents a possibly novelty type of code injection: phantom sideloading
    • we sideload that DLL with a predetermined name w/o calling any obvious function inside the .exe
    • in the example I am using a custom aim.exe that is just quick & dirty piece of test code; one could potentially find that legitimate, original aim.exe and play with that
    • the latter could be potentially signed
    • and even better, could be not even directly referring to rtvideo.dll
    • as such, it could be a signed .exe phantom sideloading a DLL with a predetermined name — and in some cases becoming a potential phantom lolbin as well
  • persistence is there too to consider

Now, this might have sounded a bit rosy, but reality is that analysing shims is a bit of a pain & options they offer are still pretty limited. Yes, the number of really useful shims is pretty low, let alone these that could be meeting all the cool requirements I listed above… As such, defenders shouldn’t worry about this trick too much… Until this topic is explored a bit more 🙂

Going BAT…mode crazy

Posted on by

What will the following bat file print? Foo, or Bar?

@echo off

 mode con cp select=65000 > nul
 set jump=+ACQ-
 mode con cp select=437 > nul
 goto %jump%

:+ACQ-
 echo Foo
 goto :eof

:$
 echo Bar
 goto :eof

Here’s the answer:

Batch files can be saved as text files using different encodings, including UTF7, and UTF8 as well as MBCS/DBCS characters sets.

One can therefore enforce encoding and change it not only outside of a batch file, but also on the fly, as is the case in the example above. As a result, the part of the code that executes after first ‘mode’ is encoded in UTF7 (‘+ACQ-‘ is an encoded ‘$’ sign), and the second is OEM-US English.

The below example replaces UTF7 in the above example with Traditional Chinese:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

If you look at this code using 950 character set (big5) you will see this:

@echo off

 mode con cp select=950 > nul
 set jump=你好
 mode con cp select=65001 > nul
 goto %jump%

:你好
 echo Foo
 goto :eof

:雿末
 echo Bar
 goto :eof

and if you choose to preview as UTF8:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

Misleading, isn’t it?

When you run this version of script you will see an error from the interpreter – this is a result of it interpreting superfluous UTF8 prefixes that seem to be appearing out of nowhere within the interpreter. Perhaps further study of cmd.exe internals can help to eliminate this quirk. Still, the jump goes to the proper label & errors can be always hidden with standard error redirection: