
Samir is my hero aka colab on browserexport

October 1, 2020 in Archaeology, Living off the land

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after a few back-and-forths we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this is me keeping my promise. Not.

Luckily for us, browserexport.exe is an easy read in IDA Pro. We also found good references to this .exe inside the browserbroker.dll file, which helped us to guess what is required for the program invocation. After some quick code eyeballing we extracted a number of interesting command line wannabe arguments:

  • ALL
  • COOKIES
  • FAVICONS
  • FORMDATA
  • HEURISTIC
  • HISTORY
  • LOGINS
  • LOWCOOKIES
  • SETTINGS

Analysis of the code confirmed that the program requires at least 4 arguments, so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

  • “” is a GUID whose meaning we don’t exactly know, but it’s only used for exports from IE11; it could be related to the GUID of the IE user profile (?),
  • IE11 is just one of the browsers supported by the tool; all the supported browsers are
    • CHROME
    • IE11
    • QIHOO360SE
    • QQBROWSER
  • all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
    • ALL
    • COOKIES
    • FAVICONS
    • FORMDATA
    • HEURISTIC
    • HISTORY
    • LOGINS
    • LOWCOOKIES
    • SETTINGS
  • foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. It’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
  "MigrationData": {
    "browser": "IE11",
    "history": [
      {
        "title": "…",
        "url": "…",
        "LastAccessed": …
      },
      {
        "title": "….",
        "url": "…",
        "LastAccessed": …
      },
    ],
    "logins": [],
    "cookies": [
      {
        "name": "…",
        "value": "…",
        "domain": "…",
        "path": "…",
        "dwFlags": …,
        "ftExpires": …,
        "fExpiresSet": …
      },
    ]
  }
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by browserbroker.dll. Neither of them can be considered a Lolbin, but then again... that’s a lot of exportable value they both present without any effort from malware authors.

RTF…M

September 26, 2020 in Archaeology

One of the best ways to generate ideas for research is reading manuals and original documentation. Not only do we learn new stuff, we also re-learn the old stuff, and if we happen to revisit different versions of the same documentation over the years, there is a chance that a) we will be aware of changes and stuff that has been phased out, and b) we will find stuff we missed in previous reading iterations.

Such is the case I want to quickly discuss today.

If I asked you what the RTF file magic is, you would most likely reply:

{\rtf OR {\rtf1

Well, I thought so too until I looked at the Rich Text Format (RTF) Specification again. It is where I found the following long-forgotten tags:

  • \pwdN
    • Substitute for \rtfN. Introduced by Pocket Word to distinguish its files from general RTF files. Currently only 1 is emitted and the number is ignored by the RTF reader.
  • \urtfN
    • Identifies an RTF file in which all text characters are encoded in UTF-8. Only binary data escapes this transformation. Word does not read this encoding of RTF.

So, there you have it… corner cases, you can’t exploit them per se (I think), but at least now we know.
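As an added example (my own code, not something from the post), here is a file-type check that recognizes all three header control words the spec allows (\rtfN, \pwdN, \urtfN) next to the naive {\rtf-only check most people write; the sample files are constructed inline and the 32-byte header window is an assumption.

```python
import re

# Constructed samples: one file per header form from the spec, one without the
# numeric parameter, and one non-RTF file (a PE header) as a negative case.
SAMPLES = {
    "classic":     b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Hello}",
    "pocket_word": b"{\\pwd1\\ansi Hello from Pocket Word}",
    "utf8":        b"{\\urtf1\\ansi\\deff0 Hello}",
    "no_number":   b"{\\rtf\\ansi Hello}",
    "not_rtf":     b"MZ\x90\x00",
}

# Header = '{', a backslash, one of rtf/pwd/urtf, an optional decimal N, and
# then a control-word delimiter (another backslash, space, brace or newline).
# The lookahead keeps e.g. "{\rtfx" from matching as a valid header.
_HEADER = re.compile(rb"^\{\\(rtf|pwd|urtf)(\d*)(?=[\\ {}\r\n])")


def naive_is_rtf(data: bytes) -> bool:
    """The usual check: only the {\\rtf form, so \\pwd and \\urtf files slip past."""
    return data.startswith(b"{\\rtf")


def rtf_header(data: bytes):
    """Return (variant, N) for any of the three spec header forms, else None.

    N is None when the numeric parameter is absent (the reader ignores it anyway).
    Only the first 32 bytes are inspected (assumption: the header is at the start).
    """
    m = _HEADER.match(data[:32])
    if not m:
        return None
    variant = m.group(1).decode("ascii")
    n = int(m.group(2)) if m.group(2) else None
    return variant, n


def classify_all(samples=SAMPLES):
    """Side-by-side view: (naive verdict, spec-aware verdict) per sample."""
    return {name: (naive_is_rtf(d), rtf_header(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, verdicts in classify_all().items():
        print(f"{name:12s} naive={verdicts[0]!s:5s} spec={verdicts[1]}")
```

The two rows where the naive verdict is False but the spec-aware one is not None are exactly the corner cases the spec describes.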