
Genuine Anti-sandbox trick

May 28, 2020 in Anti-*

This is a somewhat unusual trick, because it relies on testing whether the Windows version the sample is running on is… legitimate/genuine.

Yes… we live in these times. There are still lots of pirated versions of Windows floating around, though fewer than, say, 10 years ago.

When I came up with the idea, I googled around and discovered that to verify whether Windows is genuine one has to call a single API: SLIsGenuineLocal.

Encouraged, I crafted a small .exe that shows a message taking the form of either ‘Genuine, continue’ or ‘Pirated, exit’. Since sandbox engines are very unreliable, I use 3 methods of message notification:

  • I print to STDOUT
  • I show a message box
  • I create a file with a name equal to the message chosen
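As an added example (not the author's original .exe), here is the same check written in Python via ctypes. It assumes the slwga.dll export SLIsGenuineLocal(const SLID *, SL_GENUINE_STATE *, SL_NONGENUINE_UI_OPTIONS *), the well-known Windows application id 55c92734-d682-4d71-983e-d6ec3f16059f as the SLID, the SL_GENUINE_STATE values from slwga.h, and, as this example's own choice, that any state other than SL_GEN_STATE_IS_GENUINE counts as pirated. The three notification channels are the ones listed above; function names are mine.

```python
"""Added example: genuineness check via slwga.dll!SLIsGenuineLocal.
Assumptions (not from the post): the export signature, the Windows SLID,
the SL_GENUINE_STATE values, and treating everything but IS_GENUINE as
'pirated'. The call itself only works on Windows; the decision and
notification logic runs anywhere."""
import ctypes
import os
import sys
import uuid

# Windows application id (SLID) used with the Software Licensing API (assumed)
WINDOWS_SLID = uuid.UUID("55c92734-d682-4d71-983e-d6ec3f16059f")

# SL_GENUINE_STATE enum from slwga.h (assumed values)
SL_GEN_STATE_IS_GENUINE = 0
SL_GEN_STATE_INVALID_LICENSE = 1
SL_GEN_STATE_TAMPERED = 2
SL_GEN_STATE_OFFLINE = 3

MSG_GENUINE = "Genuine, continue"
MSG_PIRATED = "Pirated, exit"


class GUID(ctypes.Structure):
    """In-memory GUID layout: Data1/Data2/Data3 little-endian, Data4 raw."""
    _fields_ = [("Data1", ctypes.c_uint32), ("Data2", ctypes.c_uint16),
                ("Data3", ctypes.c_uint16), ("Data4", ctypes.c_ubyte * 8)]


def slid_bytes(app_id: uuid.UUID) -> bytes:
    """Bytes of the SLID exactly as the GUID struct stores them (mixed-endian)."""
    return app_id.bytes_le


def decide(genuine_state: int) -> str:
    """Map an SL_GENUINE_STATE to the message the sample shows. Only IS_GENUINE
    passes; OFFLINE (no licensing state reachable) is also treated as pirated,
    which is the condition an unactivated or isolated sandbox image hits."""
    return MSG_GENUINE if genuine_state == SL_GEN_STATE_IS_GENUINE else MSG_PIRATED


def query_genuine_state() -> int:
    """Call SLIsGenuineLocal and return the SL_GENUINE_STATE (Windows only)."""
    slwga = ctypes.WinDLL("slwga")
    fn = slwga.SLIsGenuineLocal
    fn.restype = ctypes.c_long  # HRESULT: negative on failure
    fn.argtypes = [ctypes.POINTER(GUID), ctypes.POINTER(ctypes.c_int), ctypes.c_void_p]
    app_id = GUID.from_buffer_copy(slid_bytes(WINDOWS_SLID))
    state = ctypes.c_int(-1)
    hr = fn(ctypes.byref(app_id), ctypes.byref(state), None)  # pUIOptions may be NULL
    if hr < 0:
        raise OSError(f"SLIsGenuineLocal failed: HRESULT 0x{hr & 0xFFFFFFFF:08x}")
    return state.value


def notify(message: str, directory: str = ".") -> str:
    """The three channels from the post: stdout, a message box (Windows only),
    and a marker file named after the message. Returns the marker path."""
    print(message)
    if sys.platform == "win32":
        ctypes.windll.user32.MessageBoxW(None, message, "genuine check", 0)
    path = os.path.join(directory, message)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(message + "\n")
    return path


def main() -> int:
    # Off Windows there is no licensing service; OFFLINE stands in for the demo.
    state = query_genuine_state() if sys.platform == "win32" else SL_GEN_STATE_OFFLINE
    message = decide(state)
    notify(message)
    return 0 if message == MSG_GENUINE else 1


if __name__ == "__main__":
    sys.exit(main())
```

The interesting state for evasion is not TAMPERED but OFFLINE: a sandbox snapshot that was never activated, or that has no route to the licensing service, makes the sample exit before doing anything, so an analyst tuning a sandbox image should check what this API returns inside it.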

To demonstrate the technique, I submitted a test file to VirusTotal hoping that its internal behavioral engine would pick it up. I was not disappointed, and after a few tunings and tweaks VT Jukebox presented me with the result below:

Oh… can it be?

Now, this may come as a surprise, but it is undeniable that many Jukebox sessions I have seen in the past present this bit to the sample submitter:

I am absolutely, positively, undeniably and equivocally certain that this is a genuine mistake and VirusTotal team will fix it soon.

In the meantime, and to distract the audience, let’s remember that 5 engines detected my small .exe as malware:

The genius detectors are not surprising at all. As they say… garbage in, garbage out.

Going BAT…mode crazy

March 12, 2020 in Anti-*, Anti-Forensics, Batch Analysis, File Formats ZOO, Random ideas

What will the following bat file print? Foo, or Bar?

@echo off

 mode con cp select=65000 > nul
 set jump=+ACQ-
 mode con cp select=437 > nul
 goto %jump%

:+ACQ-
 echo Foo
 goto :eof

:$
 echo Bar
 goto :eof

Here’s the answer:

Batch files can be saved as text files using different encodings, including UTF-7 and UTF-8, as well as MBCS/DBCS character sets.

One can therefore set the encoding not only outside a batch file, but also on the fly, as the example above does: each line is decoded with whatever code page is active at the moment cmd.exe reads it. The ‘set jump=+ACQ-‘ line runs after the first ‘mode’, so it is decoded as UTF-7, where ‘+ACQ-‘ is the encoding of a ‘$’ sign; jump therefore holds a single ‘$’. Everything after the second ‘mode’, including the label scan done by goto, is decoded as OEM-US (code page 437), so ‘goto $’ lands on the ‘:$’ label and the script prints Bar, not Foo.

The example below replaces the UTF-7 of the first example with Traditional Chinese (Big5, code page 950):

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

If you view this file using the 950 character set (Big5) you will see this:

@echo off

 mode con cp select=950 > nul
 set jump=你好
 mode con cp select=65001 > nul
 goto %jump%

:你好
 echo Foo
 goto :eof

:雿末
 echo Bar
 goto :eof

and if you preview it as UTF-8:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

Misleading, isn’t it?
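To make the mechanics of both scripts (the UTF-7 one and the Big5 one) checkable offline, here is an added example that is not part of the original post: a small Python model of cmd.exe decoding a batch file line by line with whatever code page is active, including the rewind-and-rescan that goto performs. The one assumption, beyond the post itself, is that cmd.exe decodes both the line being executed and the labels it scans on goto with the code page active at that moment; the two scripts are rebuilt byte for byte from the listings above, and all function names are mine.

```python
"""Added example (not the post's code): model cmd.exe's code-page-dependent
decoding of a batch file and trace which label 'goto %jump%' reaches.
Assumption: cmd.exe decodes each line it reads, and the labels it scans on
goto, with the console code page active at that moment."""
import base64
import re

CP_CODECS = {65000: "utf-7", 65001: "utf-8"}  # every other code page is cpNNN


def codec_for(cp: int) -> str:
    return CP_CODECS.get(cp, f"cp{cp}")


def utf7_shift(text: str) -> str:
    """Force text into a UTF-7 base64 shift sequence: '$' -> '+ACQ-'."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def render(batch: bytes, cp: int) -> str:
    """What an editor set to code page `cp` shows for these bytes."""
    return batch.decode(codec_for(cp), errors="replace")


def _expand(text: str, env: dict) -> str:
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), ""), text)


def _cp_from_line(line: str) -> int:
    # 'mode con cp select=NNN > nul' or 'chcp NNN'
    return int(re.search(r"(?:select=|chcp\s+)(\d+)", line).group(1))


def run(batch: bytes, initial_cp: int = 437) -> str:
    """Trace the script; return what the first reached 'echo' would print."""
    lines = batch.split(b"\n")
    cp, env, pc = initial_cp, {}, 0
    while pc < len(lines):
        line = lines[pc].decode(codec_for(cp), errors="replace").strip().lstrip("@")
        pc += 1
        low = line.lower()
        if low.startswith("mode con cp select=") or low.startswith("chcp "):
            cp = _cp_from_line(low)           # from here on, lines decode differently
        elif low.startswith("set "):
            name, _, value = line[4:].partition("=")
            env[name.strip().lower()] = value
        elif low.startswith("goto "):
            target = _expand(line[5:], env).strip().lstrip(":")
            if target.lower() == "eof":
                return ""
            # goto rewinds and re-reads the file, now under the *current* code page
            for i, raw in enumerate(lines):
                cand = raw.decode(codec_for(cp), errors="replace").strip()
                if cand.startswith(":") and cand[1:].split()[:1] == [target]:
                    pc = i + 1
                    break
            else:
                raise LookupError(f"label {target!r} not found under cp{cp}")
        elif low.startswith("echo ") and low[5:].strip() != "off":
            return line[5:].strip()
    return ""


def make_utf7_example() -> bytes:
    """The first script from the post, rebuilt as pure ASCII bytes."""
    label = utf7_shift("$")  # '+ACQ-'
    return "\n".join([
        "@echo off", "",
        " mode con cp select=65000 > nul",
        f" set jump={label}",
        " mode con cp select=437 > nul",
        " goto %jump%", "",
        f":{label}", " echo Foo", " goto :eof", "",
        ":$", " echo Bar", " goto :eof", "",
    ]).encode("ascii")


def make_big5_example() -> bytes:
    """The second script: one label in Big5 bytes, the other in UTF-8 bytes."""
    big5 = "你好".encode("cp950")  # b'\xa7A\xa6n', shows as '§A¦n' in cp1252
    utf8 = "你好".encode("utf-8")
    return b"\n".join([
        b"@echo off", b"",
        b" mode con cp select=950 > nul",
        b" set jump=" + big5,
        b" mode con cp select=65001 > nul",
        b" goto %jump%", b"",
        b":" + big5, b" echo Foo", b" goto :eof", b"",
        b":" + utf8, b" echo Bar", b" goto :eof", b"",
    ])


if __name__ == "__main__":
    for name, script in (("UTF-7", make_utf7_example()), ("Big5", make_big5_example())):
        print(f"{name} script prints {run(script)!r}")
    print(render(make_big5_example(), 1252))   # the misleading '§A¦n' view
    print(render(make_big5_example(), 950))    # the Big5 view
```

The same model answers the analyst's question in reverse: to see what a suspicious .bat really does, decode it under every code page it switches to, not just the one your editor happens to use.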

When you run this version of the script you will see an error from the interpreter; it is the result of the interpreter choking on superfluous UTF-8 prefixes that seem to appear out of nowhere inside it. Perhaps further study of cmd.exe internals can help eliminate this quirk. Still, the jump goes to the proper label, and the errors can always be hidden with standard error redirection: