Category Archives: Archaeology

MZ stub strings

Posted on by

Analysing a large corpora of clean files is fun. Many of these files go as early as 1980s. Analysing them en masse gives us a rare insight into the ‘state of the MZ stub’ from that time…

You may ask why would we want to even look at it? Well, these files are still out there. On many inspected systems, servers, mirrors. Being able to recognize them is one way to cluster them into a bucket that we can… simply discard. Yup. We can create yara sigs to catch these old goodware files looking at signatures that were common back then, but today are no longer used. And even if some of them are old malware, they are not important for today’s standard anyway.

After I clustered my collection I was quite amazed. There are tones of strings and signatures that I have not seen for many years, many I never heard of, and many referenced technologies that are long gone.

Here are the stats for top > 1000 hits:

  • !This program cannot be run in DOS mode.
  • This program must be run under Win32
  • !This program requires Microsoft Windows.
  • !This program cannot be run in a DOS session.
  • PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • This program must be run under Microsoft Windows.
  • Not enough
  • !Require Windows
  • !PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • This is a Windows
  • dPMODE/W v1.33 DOS extender – Copyright 1994-1
  • LHA’s SFX
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • CMicrosoft Windows
  • This program cannot run in DOS mode
  • PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • [Y/N]
  • Overwrite
  • Broken file
  • !PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • !Library created by Axialis IconWorkshop

I mentioned 1980s… here are the signatures for these:

  • !PKSFX Copr. 1989-1990 PKWARE Inc. All Rights Reserved.
  • $LHarc’s SFX 1.12S (c)Yoshi, 1989.
  • $LHarc’s SFX 1.13S (c) Yoshi, 1989
  • $LHarc’s SFX 1.13S (c)Yoshi, 1989.
  • 20G0732 (C) Copyright IBM Corporation, 1987-1995
  • Copyright (C) 1986
  • Copyright 1989-1990 PKWARE Inc. All Rights Reserved.
  • LHarc’s SFX 1.13L (c) Yoshi, 1989

And extenders:

  • 32bit DOS-extender and loader.
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • PMODE\W v1.33 DOS extender – Copyright 1994-1
  • The pmodedj.exe stub loader is Copyright (C) 1993-1
  • This program requires Phar Lap’s 286|DOS-Extender.
  • WDOSX 0.95 DOS extender Copyright (c) 1996-1998 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2000 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2001 Michael Tippach
  • WDOSX 0.97 DOS extender Copyright (c) 1996-2002 Michael Tippach

And finally stats for strings that start with ‘This’:

  • This program cannot be run in DOS mode.
  • This program must be run under Win32
  • This program requires Microsoft Windows.
  • This program cannot be run in a DOS session.
  • This program must be run under Microsoft Windows.
  • This is a Windows
  • This program cannot run in DOS mode
  • This program must be run under Win64
  • This program requires OS/2 Presentation Manager.
  • this is a Windows NT (own RTL) dynamic link library
  • this is a Windows NT dynamic link library
  • This program must be run under OS/2.
  • this is an OS/2 16-bit dynamic link library
  • This is a Win32 program.
  • This program cannot be run in DOS mode
  • this is an OS/2 32-bit dynamic link library
  • this is a Windows 16-bit dynamic link library
  • this is a Windows NT character-mode executable
  • This is a Windows program, you cannot run it in DOS.
  • this is an OS/2 32-bit executable
  • this is a Windows NT windowed executable
  • this is an OS/2 linear extended dynamic link library
  • This program cannot be run in DOS mode.$
  • this is a DOS/4G dynamic link library
  • this is an OS/2 and eComStation dynamic link library
  • this is a Windows NT character-mode dynamic link lib
  • this is a Windows 16-bit executable
  • This program cannot run in DOS mode.
  • This program cannot be run in DOS
  • This www.verypdf.combe run in DOS mode.
  • this is an OS/2 dynamic link library
  • this is a Windows dynamic link library
  • This is a Windows 95 dynamic link library
  • this is an OS/2 linear extended executable
  • This program requires Phar Lap’s 286|DOS-Extender.
  • this is a PE dynamic link library
  • this is a Windows 95 executable
  • This program requires Microsoft Windows
  • This is a TrueType font, not a program.
  • This program requires OS/2.
  • this is a Windows executable
  • this is a Windows NT windowed dynamic link library
  • This www.verypdf.com e run in DOS mode.
  • This is an OS/2 executable module
  • this is a PE executable
  • this is a 32 bit OS/2 Configurator executable
  • This program requires OS/2
  • This program must be run under Win32.
  • This program cannot be ran in DOS mode.
  • This is a Windows font file.
  • This Salford program requires Win32 or Win32s
  • This program runs under Win32/win64
  • this is a win32 executable
  • this is a Windows NT executable
  • This program requires Microsoft Windows.\r\n$
  • This is a SNAP binary portable dynamic link library

We can see references to OS/2, DOS, DOS Extenders, Windows 95, Windows NT, etc.

It’s a really old-school stuff.

DefineDosDevice symbolic link trick

Posted on by

I don’t know who is the original author of this trick – I saw it being used by some malware a few years ago and it was also discussed on KernelMode forum, and StackOverflow. Reading McAfee’s paper about Process Reimaging I suddenly remembered it.

How does it work?

With a DefineDosDevice API (the same API that is used by the subst command) we can create a new MSDOS device name. We can map it to a new, non-existing file path. The main executable can be then moved to that new space (i.e. new path the space is mapped to).

This little trick makes the original file ‘disappear’ from the system. Most of the process listing tools continue to map the running process to its original path, yet any attempts to access properties of the file itself end up with nothing. This is because the process is running, but the file it was launched from is ‘not there’ anymore:

Let’s examine it step by step:

  • Create a foobar namespace using DefineDosDevice and point it to \??\c:\test\test_hidden.exe.
  • Move the current process’ file e.g. c:\test\test.exe to \.\foobar.

That’s it.

In my test case I just renamed test.exe to test_hidden.exe, still inside the c:\test. It could be any location really, including very deeply nested directories that may be harder to inspect w/o forensic tools.

To find such mapping, one has to use tools like WinObj – it shows the DosDevice called foobar that points to the .exe:

One can also launch it via \\.\foobar (need a dedicated tool tho).

And if you are wondering what Sysmon will see when we launch such hidden file – luckily, it will link to a proper image on the drive:

Last, but not least – we can create a space that maps to Alternate Data Stream too 🙂 e.g. \??\c:\test\test.exe:hidden. In such case, a copy command can be used to copy files to such newly-created space/location e.g.:

  • copy test.exe \\.\foobar