I’M SO excited

MSO.DLL is a ‘magic’ Microsoft library that is HUUUUUGE in size and does most of the Microsoft Office work. I have been massaging it for many years, always with the feeling that I am not understanding anything at all. And I really do not pretend to have any grasp of any piece of it, but I decided to describe what I found out so far, because it may lead somewhere new.

Okay… Where do we start?

MSO.DLL is literally 25MB+ in size. It’s a HUUUUUGE DLL. It is crazy, it is loco: last time I checked it exported around 9K functions, many of them by ordinal only, so there are not even names to hang an analysis on. IDA won’t help much on its own, and any attempt to analyze it in a conventional way ends up as one big, giant mix of who-knows-what. This code does lots of great work, but who knows how it works… I mean… really…

In any case… adding _any_ sense to such a big pile of code is useful. How? For starters, we can identify wrappers. What are these wrappers? It turns out that MSO.DLL exports a lot of functions that do nothing but wrap a common Windows API: they take their arguments, hand them straight to the underlying API, and return whatever it returns.

I know, we need an example…

Take MSO #222. This function requires two arguments, the address of a buffer and its size, and then fills that buffer with… yup… whatever a call to GetComputerNameW provides. It just passes the arguments on to the real Windows API! Oh, wrappers are easy!

When I first spotted this I started digging more and noticed a clearly visible pattern inside mso.dll: many of the exported functions are nothing more than wrappers. If we are patient enough we can identify the meaning of many MSO exports simply by looking at the API each one encapsulates…!
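One way to find these wrappers mechanically, as an added example (my code, not the author’s tooling): the simplest wrapper body is a single jmp (or a call followed by ret) through an import-table slot, so for every export we can decode that one instruction, map the referenced IAT slot back to the imported DLL!Api, and print the pair. resolve_thunk() is pure Python and runs on the constructed sample bytes in the block; scan() does the same over a real DLL using the third-party pefile package. It assumes the wrapper is a direct thunk; a wrapper with a real prologue in front of the call would need a disassembler rather than this two-byte opcode match.

```python
"""
Find 'thin wrapper' exports: exports whose body is just a jmp (or call + ret)
through an import-table slot, i.e. an alias for some other DLL's API.
Added example, not the blog author's tooling. resolve_thunk() is pure Python;
scan() needs the third-party pefile package and is only used from the CLI.
"""
import struct
import sys

# Indirect control transfer through memory: FF 25 = jmp [mem], FF 15 = call [mem].
# x64 encodes the operand RIP-relative (disp32 from the next instruction),
# x86 as an absolute virtual address.
_INDIRECT = {b"\xff\x25": "jmp", b"\xff\x15": "call"}
_RET = (b"\xc3", b"\xc2")          # ret / ret imm16


def resolve_thunk(code: bytes, export_rva: int, iat_by_rva: dict,
                  is_64bit: bool = True, image_base: int = 0):
    """
    code       : first bytes of the exported function (8 are enough)
    export_rva : RVA those bytes live at
    iat_by_rva : {RVA of IAT slot: "DLL!Api"} built from the import directory
    Returns (kind, "DLL!Api") for a thin wrapper, None for anything else.
    """
    op = code[:2]
    if len(code) < 6 or op not in _INDIRECT:
        return None
    if is_64bit:
        disp = struct.unpack_from("<i", code, 2)[0]
        slot = export_rva + 6 + disp                 # RIP = RVA of the next instruction
    else:
        slot = struct.unpack_from("<I", code, 2)[0] - image_base
    target = iat_by_rva.get(slot)
    if target is None:
        return None                                  # indirect, but not through the IAT
    kind = _INDIRECT[op]
    if kind == "call" and code[6:7] not in _RET:
        return None                                  # real code after the call: not a pure wrapper
    return kind, target


def scan(path: str):
    """Walk a PE's exports with pefile; return [(ordinal, kind, 'DLL!Api'), ...]."""
    import pefile   # third-party (pip install pefile); only needed here
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"],
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"],
    ])
    is64 = pe.FILE_HEADER.Machine == 0x8664
    base = pe.OPTIONAL_HEADER.ImageBase
    iat = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("ascii", "replace")
        for imp in entry.imports:
            name = imp.name.decode("ascii", "replace") if imp.name else f"#{imp.ordinal}"
            iat[imp.address - base] = f"{dll}!{name}"   # imp.address is the VA of the IAT slot
    hits = []
    export_dir = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    for exp in (export_dir.symbols if export_dir else []):
        if exp.forwarder or not exp.address:
            continue                                 # forwarded/empty exports have no code
        try:
            code = pe.get_data(exp.address, 8)
        except pefile.PEFormatError:
            continue
        hit = resolve_thunk(code, exp.address, iat, is64, base)
        if hit:
            hits.append((exp.ordinal, hit[0], hit[1]))
    return hits


# Constructed sample (not real bytes from mso.dll): an x64 export at RVA 0x1000.
SAMPLE_IAT = {0x5000: "KERNEL32.dll!GetComputerNameW", 0x5008: "USER32.dll!MessageBoxW"}
SAMPLE_JMP = b"\xff\x25" + struct.pack("<i", 0x5000 - (0x1000 + 6)) + b"\xcc\xcc"       # jmp [rip+disp]
SAMPLE_CALL_RET = b"\xff\x15" + struct.pack("<i", 0x5008 - (0x1000 + 6)) + b"\xc3\xcc"  # call [rip+disp]; ret
SAMPLE_REAL = b"\x48\x83\xec\x28\x48\x8b\xd9\xcc"                                        # sub rsp,28h; mov rbx,rcx

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ordinal, kind, api in scan(sys.argv[1]):
            print(f"#{ordinal}\t{kind}\t{api}")
    else:
        for sample in (SAMPLE_JMP, SAMPLE_CALL_RET, SAMPLE_REAL):
            print(sample.hex(), "->", resolve_thunk(sample, 0x1000, SAMPLE_IAT))
```

Run as `python find_thunks.py mso.dll` and it prints one line per wrapper in the same shape as the list further down (ordinal, jmp/call, DLL!Api). If the DLL itself imports by ordinal the right-hand side comes out as DLL!#ordinal and needs a second hop through that DLL’s export table.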

And to give a quick, if slightly nonsensical, demo… when we run the following export via rundll32:

rundll32 MSO.DLL, #2310

it gives us this message (rundll32 invokes the export with its usual four arguments, hwnd, hinstance, command line and nCmdShow; since the wrapper passes them straight on, MessageBoxW receives them as hWnd, lpText, lpCaption and uType):

That is one of the 9K exports understood at the lowest possible level: it implements nothing of its own, and we can all move on!

The divide-and-conquer approach apparently works. The list below summarizes the wrapper info I could gather so far; the arguments these functions take are a different story, but what is interesting is that they wrap lots of common APIs which could be abused in many ways.

For starters, imagine an .exe that, instead of importing the usual advapi32 or user32.dll APIs to deliver some functionality, proxies them through an existing, Microsoft-signed mso.dll: its import table (or its GetProcAddress calls) then points at mso.dll ordinals rather than at the APIs that actually do the work. Ouch. Try to filter this stuff out, Mr EDR Threat Hunter!

Yup. Wrapping is condoming, and condoming is avoiding signatures. And to be clear and avoid any doubt: I can imagine malware taking advantage of MSO.DLL and delivering a lot of its functionality via the wrapped API calls. Try to sandbox or EDR it out. Good luck!
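The flip side, as an added example of my own and not something from the post: the wrapped calls hide from import-table and API-sequence signatures, but the process still has to map mso.dll, and module loads are exactly what image-load telemetry (Sysmon Event ID 7, for instance) records. A minimal hunt is therefore: mso.dll loaded by something that is not an Office process, or loaded from somewhere other than the Office install tree. The records below are constructed in the shape of Sysmon ImageLoad fields, and the process allowlist and directory list are assumptions to tune to the estate.

```python
"""
Hunt rule: mso.dll loaded by something that is not Office.
Added example (not from the post). Events are constructed in the shape of
Sysmon Event ID 7 (ImageLoad) fields; the allowlists are assumptions to tune.
"""
from pathlib import PureWindowsPath

# Processes expected to load mso.dll (assumption; extend with what your estate runs).
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe",
    "onenote.exe", "mspub.exe", "visio.exe", "winproj.exe",
}
# Where a genuine mso.dll lives (assumption; lower-case prefix match).
OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\program files\common files\microsoft shared",
    r"c:\program files (x86)\common files\microsoft shared",
)


def triage(event: dict):
    """None if the event is not about mso.dll; otherwise a (possibly empty) list of findings."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "mso.dll":
        return None
    proc = PureWindowsPath(event["Image"])
    findings = []
    if proc.name.lower() not in OFFICE_PROCESSES:
        findings.append(f"non-Office process {proc.name} loaded mso.dll")
    if not str(loaded).lower().startswith(OFFICE_DIRS):
        findings.append(f"mso.dll loaded from outside the Office tree: {loaded.parent}")
    if event.get("Signed", "").lower() != "true":
        findings.append("loaded mso.dll is not signed")
    return findings


def hunt(events):
    """Return [(Image, findings)] for every mso.dll load that deserves a look."""
    out = []
    for ev in events:
        findings = triage(ev)
        if findings:
            out.append((ev["Image"], findings))
    return out


# Constructed sample events (not real telemetry), using Sysmon ImageLoad field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Windows\System32\rundll32.exe",            # the rundll32 demo above
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",  # a copy dropped next to a payload
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\mso.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Windows\explorer.exe",                      # unrelated load: ignored
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("   -", f)
```

The signed-but-relocated case (third event) is the one worth keeping in mind: a copy of a genuine, signed mso.dll is still a genuine, signed mso.dll, so the signature check alone says nothing; the path and the loading process are what give it away.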

In any case… here’s the list I gathered so far (the ordinals are from the build I looked at; verify them against the mso.dll in front of you before relying on them):

MSO_4367 TlsGetValue
MSO_865 TlsSetValue
MSO_5901 _InterlockedIncrement
MSO_8719 _InterlockedIncrement
MSO_3166 _InterlockedIncrement
MSO_4565 _InterlockedIncrement
MSO_7857 _InterlockedIncrement
MSO_844 RegSetValueExW
MSO_8234 TlsFree
MSO_8768 _InterlockedIncrement
MSO_6388 GetSystemMetrics
MSO_3762 RegQueryInfoKeyW
MSO_3213 GetSysColor
MSO_2727 CreateFontIndirectW
MSO_3029 CompareFileTime
MSO_2833 RegQueryValueW
MSO_7454 GetFileSizeEx
MSO_5917 GetDriveTypeW
MSO_6874 GetTempPathW
MSO_8807 CreateSemaphoreExW
MSO_2466 ShowWindow
MSO_6184 EnumFontFamiliesExW
MSO_6682 UrlMkSetSessionOption
MSO_472 LoadCursorW
MSO_9153 GetKeyboardLayoutList
MSO_6866 GetKeyboardLayout
MSO_4285 AlphaBlend
MSO_1613 SetWindowTextW
MSO_9656 SetCursor
MSO_7047 pow
MSO_1322 SHGetSpecialFolderLocation
MSO_6104 GetFileVersionInfoSizeW
MSO_1029 GetFileVersionInfoW
MSO_1500 VerQueryValueW
MSO_2182 MsoFreePv
MSO_2790 GetWindowLongW
MSO_150 CoInternetGetSession
MSO_3646 SendMessageA
MSO_9800 CopyFileW
MSO_3854 GetComputerNameW
MSO_9474 CreateStdAccessibleObject
MSO_2772 GlobalFree
MSO_6086 CopyFileExW
MSO_6642 GlobalLock
MSO_5402 GlobalSize
MSO_7213 GlobalUnlock
MSO_2563 GetDateFormatEx
MSO_4787 MsoDwRegGetDw
MSO_1603 GetKeyState
MSO_2137 SetTimer
MSO_5880 KillTimer
MSO_4342 SystemParametersInfoW
MSO_3543 MsoPwchStripWtz
MSO_4298 FindMimeFromData
MSO_5716 PostMessageW
MSO_4008 GetVolumeInformationW
MSO_3230 ClosePrinter
MSO_8164 GetAsyncKeyState
MSO_6862 DefWindowProcW
MSO_3611 SetWindowLongW
MSO_2213 SetRect
MSO_8526 StartDocW
MSO_3668 GetTextMetricsA
MSO_6277 WTSUnRegisterSessionNotification
MSO_2998 WTSRegisterSessionNotification
MSO_3627 LresultFromObject
MSO_6992 LoadAcceleratorsW
MSO_1197 CopyAcceleratorTableW
MSO_1656 DestroyAcceleratorTable
MSO_1222 GetTimeFormatEx
MSO_222 GetComputerNameW
MSO_9746 GlobalAlloc
MSO_1645 GetObjectW
MSO_2208 HlinkOnNavigate
MSO_307 CoInternetCompareUrl
MSO_1769 SendMessageA
MSO_811 ShowWindow
MSO_5519 IpcFreeMemory
MSO_4234 IpcGetErrorMessageText
MSO_2310 MessageBoxW
MSO_8408 SendMessageA
MSO_392 SendMessageA
MSO_2497 SendMessageA
MSO_5559 SendMessageA
MSO_941 SendMessageA
MSO_9758 AppendMenuW
MSO_1938 InsertMenuW
MSO_9278 log
MSO_2662 exp
MSO_489 TransparentBlt
MSO_7070 AccessibleObjectFromWindow
MSO_8160 DragQueryPoint
MSO_626 ExtractIconExW
MSO_1501 DragQueryFileW
MSO_2695 ExtractIconW
MSO_9235 SHGetDesktopFolder
MSO_3353 ShellExecuteW
MSO_1363 PathQuoteSpacesW
MSO_879 PathFindFileNameW
MSO_441 PathUnquoteSpacesW
MSO_8683 PathRemoveFileSpecW
MSO_9005 CoInternetParseUrl
MSO_2388 CopyStgMedium
MSO_9793 CoInternetQueryInfo
MSO_3998 CreateURLMonikerEx
MSO_2397 InternetCloseHandle
MSO_7846 InternetReadFile
MSO_352 InternetQueryOptionW
MSO_401 InternetSetOptionW
MSO_1364 InternetOpenW
MSO_437 HttpQueryInfoW
MSO_7998 InternetCanonicalizeUrlW
MSO_4107 InternetCrackUrlW
MSO_4662 GetPrivateProfileIntW
MSO_5487 GetProfileIntW
MSO_614 FreeLibrary
MSO_4224 FormatMessageW
MSO_7302 CallWindowProcW
MSO_8062 GlobalFlags
MSO_9445 MapViewOfFileEx
MSO_33 CreateFileMappingW
MSO_6589 MsoFRegSetWz
MSO_2033 OleSetClipboard
MSO_4704 HlinkUpdateStackItem
MSO_9546 HlinkSetSpecialReference
MSO_3343 RegisterMediaTypeClass
MSO_7797 RegisterBindStatusCallback
MSO_9678 RevokeBindStatusCallback
MSO_8675 SetWindowPos
MSO_769_SEH _CxxFrameHandler3
MSO_6604_SEH _CxxFrameHandler3
MSO_7603_SEH _CxxFrameHandler3

MZ stub strings

Analysing a large corpus of clean files is fun. Many of these files go back as far as the 1980s. Analysing them en masse gives us a rare insight into the ‘state of the MZ stub’ from that time…

You may ask why we would even want to look at it. Well, these files are still out there, on many inspected systems, servers and mirrors. Being able to recognize them is one way to cluster them into a bucket that we can… simply discard. Yup. We can write yara sigs that catch these old goodware files by looking at stub strings that were common back then but are no longer used today. And even if some of them turn out to be old malware, they are not important by today’s standards anyway.

After I clustered my collection I was quite amazed. There are tons of strings and signatures that I have not seen for many years, many I had never heard of, and many that reference technologies long gone.
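How the clustering can be done, as an added example (my code, not the author’s; the sample files are constructed in memory, not real binaries): the stub is whatever sits between the 64-byte DOS header and the ‘new’ executable header that e_lfanew at offset 0x3C points to (PE\0\0, or NE/LE/LX for Win16, VxD and OS/2 images); a plain DOS program has no such header, so we just take its first few KB. Printable runs from that region are the strings listed below, and a Counter over them gives the hit statistics. The leading ‘!’ on many of the entries is not part of the message: it is the 0x21 byte of the int 21h instruction that sits right before the text in the classic Microsoft stub, and the constructed sample reproduces it. The last function turns the collected strings into the yara rule mentioned above.

```python
"""
Extract and cluster MZ stub strings. Added example, not the post's own tooling;
the sample files at the bottom are constructed in memory, not real binaries.
"""
import re
import struct
from collections import Counter

# 'New executable' signatures that e_lfanew may point at: PE (Win32/64),
# NE (Win16), LE (VxD / early 32-bit OS/2), LX (OS/2 2.x and later).
NEW_EXE_SIGS = (b"PE\0\0", b"NE", b"LE", b"LX")
DOS_STUB_CAP = 4096   # a plain DOS .exe has no new header: look at its first bytes only


def stub_region(data: bytes):
    """Bytes between the DOS header and the new-executable header, or None if not MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if 0x40 <= e_lfanew < len(data) and data[e_lfanew:e_lfanew + 4].startswith(NEW_EXE_SIGS):
        return data[0x40:e_lfanew]
    return data[0x40:0x40 + DOS_STUB_CAP]      # DOS-only image: e_lfanew is meaningless


def stub_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs inside the stub, the way a plain 'strings' run sees them."""
    region = stub_region(data)
    if region is None:
        return []
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, region)]


def cluster(files: dict):
    """files: {name: bytes}. Number of files carrying each stub string."""
    counts = Counter()
    for data in files.values():
        counts.update(set(stub_strings(data)))   # count each string once per file
    return counts


def yara_rule(name: str, strings):
    """A yara rule matching any MZ file that carries one of the given stub strings."""
    def esc(s):
        return s.replace("\\", "\\\\").replace('"', '\\"')
    lines = [f"rule {name}", "{", "    strings:"]
    lines += [f'        $s{i} = "{esc(s)}" ascii' for i, s in enumerate(strings)]
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


# ---- constructed samples (not real files) ------------------------------------
# The classic Microsoft stub: push cs / pop ds / mov dx,0Eh / mov ah,9 / int 21h /
# mov ax,4C01h / int 21h. The final int 21h is CD 21, and 0x21 is '!', which is
# why a strings run reports "!This program cannot be run in DOS mode."
_MS_STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")

def _pe_with_stub(message: bytes) -> bytes:
    body = _MS_STUB_CODE + message + b"\r\r\n$"
    e_lfanew = (0x40 + len(body) + 15) & ~15           # PE header on a 16-byte boundary
    header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    return (header + body).ljust(e_lfanew, b"\0") + b"PE\0\0" + bytes(20)

def _dos_exe(banner: bytes) -> bytes:
    # DOS-only: nothing meaningful at 0x3C, a short jump and then a banner in the code
    return b"MZ" + bytes(0x3E) + bytes.fromhex("eb10") + banner + bytes(32)

SAMPLE_FILES = {
    "a.exe": _pe_with_stub(b"This program cannot be run in DOS mode."),
    "b.dll": _pe_with_stub(b"This program cannot be run in DOS mode."),
    "c.exe": _pe_with_stub(b"This program must be run under Win32"),
    "old.exe": _dos_exe(b"PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved"),
    "notes.txt": b"not an executable at all",
}

if __name__ == "__main__":
    import pathlib, sys
    files = SAMPLE_FILES if len(sys.argv) < 2 else {
        str(p): p.read_bytes() for p in pathlib.Path(sys.argv[1]).rglob("*") if p.is_file()}
    counts = cluster(files)
    for s, n in counts.most_common(20):
        print(f"{n:6d}  {s}")
    print(yara_rule("old_mz_stubs", [s for s, _ in counts.most_common(20)]))
```

Point it at a directory (`python mz_stubs.py /corpus`) to get the hit table; with no argument it runs over the constructed samples. A Rich header sitting between the stub and the PE header does not get in the way, since nothing in it forms a printable run of six or more bytes.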

Here are the stub strings with more than 1000 hits each:

  • !This program cannot be run in DOS mode.
  • This program must be run under Win32
  • !This program requires Microsoft Windows.
  • !This program cannot be run in a DOS session.
  • PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • This program must be run under Microsoft Windows.
  • Not enough
  • !Require Windows
  • !PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • This is a Windows
  • dPMODE/W v1.33 DOS extender – Copyright 1994-1
  • LHA’s SFX
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • CMicrosoft Windows
  • This program cannot run in DOS mode
  • PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • [Y/N]
  • Overwrite
  • Broken file
  • !PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • !Library created by Axialis IconWorkshop

I mentioned the 1980s… here are the signatures from that era:

  • !PKSFX Copr. 1989-1990 PKWARE Inc. All Rights Reserved.
  • $LHarc’s SFX 1.12S (c)Yoshi, 1989.
  • $LHarc’s SFX 1.13S (c) Yoshi, 1989
  • $LHarc’s SFX 1.13S (c)Yoshi, 1989.
  • 20G0732 (C) Copyright IBM Corporation, 1987-1995
  • Copyright (C) 1986
  • Copyright 1989-1990 PKWARE Inc. All Rights Reserved.
  • LHarc’s SFX 1.13L (c) Yoshi, 1989

And extenders:

  • 32bit DOS-extender and loader.
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • PMODE\W v1.33 DOS extender – Copyright 1994-1
  • The pmodedj.exe stub loader is Copyright (C) 1993-1
  • This program requires Phar Lap’s 286|DOS-Extender.
  • WDOSX 0.95 DOS extender Copyright (c) 1996-1998 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2000 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2001 Michael Tippach
  • WDOSX 0.97 DOS extender Copyright (c) 1996-2002 Michael Tippach

And finally, the strings that start with ‘This’:

  • This program cannot be run in DOS mode.
  • This program must be run under Win32
  • This program requires Microsoft Windows.
  • This program cannot be run in a DOS session.
  • This program must be run under Microsoft Windows.
  • This is a Windows
  • This program cannot run in DOS mode
  • This program must be run under Win64
  • This program requires OS/2 Presentation Manager.
  • this is a Windows NT (own RTL) dynamic link library
  • this is a Windows NT dynamic link library
  • This program must be run under OS/2.
  • this is an OS/2 16-bit dynamic link library
  • This is a Win32 program.
  • This program cannot be run in DOS mode
  • this is an OS/2 32-bit dynamic link library
  • this is a Windows 16-bit dynamic link library
  • this is a Windows NT character-mode executable
  • This is a Windows program, you cannot run it in DOS.
  • this is an OS/2 32-bit executable
  • this is a Windows NT windowed executable
  • this is an OS/2 linear extended dynamic link library
  • This program cannot be run in DOS mode.$
  • this is a DOS/4G dynamic link library
  • this is an OS/2 and eComStation dynamic link library
  • this is a Windows NT character-mode dynamic link lib
  • this is a Windows 16-bit executable
  • This program cannot run in DOS mode.
  • This program cannot be run in DOS
  • This www.verypdf.combe run in DOS mode.
  • this is an OS/2 dynamic link library
  • this is a Windows dynamic link library
  • This is a Windows 95 dynamic link library
  • this is an OS/2 linear extended executable
  • This program requires Phar Lap’s 286|DOS-Extender.
  • this is a PE dynamic link library
  • this is a Windows 95 executable
  • This program requires Microsoft Windows
  • This is a TrueType font, not a program.
  • This program requires OS/2.
  • this is a Windows executable
  • this is a Windows NT windowed dynamic link library
  • This www.verypdf.com e run in DOS mode.
  • This is an OS/2 executable module
  • this is a PE executable
  • this is a 32 bit OS/2 Configurator executable
  • This program requires OS/2
  • This program must be run under Win32.
  • This program cannot be ran in DOS mode.
  • This is a Windows font file.
  • This Salford program requires Win32 or Win32s
  • This program runs under Win32/win64
  • this is a win32 executable
  • this is a Windows NT executable
  • This program requires Microsoft Windows.\r\n$
  • This is a SNAP binary portable dynamic link library

We can see references to OS/2, DOS, DOS Extenders, Windows 95, Windows NT, etc.

It’s really old-school stuff.