Mapping the API mapping/code redundancy

In my last post I showed that some of the shell32.dll functions are now mapped to windows.storage.dll.

This sort of API mapping, as well as the blatant code redundancy present in many Windows binaries, is not new, and we have seen many instances of it over the years:

  • Windows API sets
  • gdi32.dll and gdi32full.dll
  • gdi32full.dll and win32u.dll
  • combase.dll and ole32.dll
  • kernel32.dll and KernelBase.dll
  • IEAdvpack.dll and advpack.dll
  • crtdll.dll, msvcirt.dll, ucrtbase.dll and their many, many versions over the years
  • ntdll.dll and ntoskrnl.exe (user mode vs. kernel mode mapping)

and so on, and so forth.

It is probably not surprising that, after that latest discovery, it was only natural for me to build a list of APIs (API names) that are shared between many libraries, to see if I could discover more interesting bits.

Looking at the list of API names that appear to be shared between at least two DLLs on the Windows 11 24H2 build – win11_24H2_list_64_shared.txt – one can immediately see a lot of interesting findings:

  • sqlite functions are exported by SearchIndexerCore.dll, StateRepository.Core.dll and winsqlite3.dll
  • apart from kernel32.dll and KernelBase.dll there is now also kernel.appcore.dll
  • the code bases of tcblaunch.exe and winload.exe seem to overlap a lot
  • edgehtml.dll replaces mshtml.dll

Unfortunately, I have not seen anything similar to ShellExec_RunDLL – the discovery that kicked off this research 🙁
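To show how such a shared-export list can be built, here is an added example (not the post's own tooling): a small stdlib-only parser that reads the export name table of a PE file and a helper that inverts {dll: names} into {name: dlls} for names seen in at least two DLLs. It assumes the DLLs live in C:\Windows\System32; on any other system the main block simply has nothing to scan.

```python
import struct
from pathlib import Path
def export_names(data: bytes) -> list[str]:
    """Names exported by a PE image (its file bytes); [] when it has no export table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                              # optional header
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x20B = PE32+, 0x10B = PE32
    exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
    # section table follows the optional header; it maps RVAs to file offsets
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def off(rva: int):
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        return None
    exp = off(exp_rva) if exp_rva else None
    if exp is None:
        return []
    _, nnames, _, names_rva, _ = struct.unpack_from("<IIIII", data, exp + 0x14)
    table = off(names_rva)                                     # AddressOfNames array
    names = []
    for i in range(nnames if table is not None else 0):
        p = off(struct.unpack_from("<I", data, table + 4 * i)[0])
        if p is not None:
            names.append(data[p:data.index(b"\0", p)].decode("ascii", "replace"))
    return names

def shared_exports(exports: dict[str, list[str]], min_dlls: int = 2) -> dict[str, list[str]]:
    """Invert {dll: names} into {name: sorted dlls}, keeping names seen in >= min_dlls DLLs."""
    by_name: dict[str, set[str]] = {}
    for dll, names in exports.items():
        for n in names:
            by_name.setdefault(n, set()).add(dll)
    return {n: sorted(d) for n, d in sorted(by_name.items()) if len(d) >= min_dlls}

if __name__ == "__main__":      # on Windows walk System32; elsewhere the loop is simply empty
    sys32 = Path(r"C:\Windows\System32")
    table = {}
    for f in (sys32.glob("*.dll") if sys32.is_dir() else []):
        try:
            table[f.name] = export_names(f.read_bytes())
        except (struct.error, ValueError):                     # truncated or malformed image
            continue
    for name, dlls in shared_exports(table).items():
        print(name, ", ".join(dlls), sep="\t")
```

Only the export name table is read, so forwarded exports and ordinal-only exports are not attributed to a particular target; the output is a name-level overlap map like the one the post discusses.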

Browsing the browsers

This is a weird post; it doesn’t give many answers and pretty much focuses on describing the results of a simple data-hoarding task…

When people think of a ‘browser’ they usually think of software like Chrome, Safari, Firefox, Opera, Brave, Vivaldi, maybe Edge, and some older people may think of Internet Explorer (rip) and Netscape (totes rip). If we ask malware authors, they will probably expand this list to include the many Chrome-based browsers that ‘appeared on the market’ in recent years. And if we look at some of the actual Microsoft code, we will find that they consider many web control-hosting apps to be browsers as well.

For example, at the time of Internet Explorer’s dominance, many applications used IE’s web control (IWebBrowser) to deliver a flashy, HTML-based GUI. At some stage in the early 2000s it was such a fad, and so prevalent, that eventually every major software company was using it, and most users… hated it. And here we are, in 2024, with web controls still all over the place – including, for example, most Electron apps (ignored in this post).

I outlined some of the process names associated with browsers in this old post, and today I will expand on it a bit.

How? By building a more robust list of processes that kinda meet the ‘is this a browser process?’ condition:

  • 360chrome.exe
  • 360se.exe
  • authhost.exe
  • avant.exe
  • brave.exe
  • browser.exe
  • browser_broker.exe
  • chrome.exe
  • citrio.exe
  • coolnovo.exe
  • coowon.exe
  • cyberfox.exe
  • DCIScanner
  • deepnet.exe
  • dooble.exe
  • epic.exe
  • explorer.exe
  • FAKEVIRTUALSURFACETESTAPP.EXE
  • firefox.exe
  • FirstLogonAnim.exe
  • IEUTLAUNCH.EXE
  • iexplore.exe
  • iridium.exe
  • jshost.exe
  • k-meleon.exe
  • LOADER42.EXE
  • maxthon.exe
  • MicrosoftEdge.exe
  • MicrosoftEdgeBCHost.exe
  • MicrosoftEdgeCP.exe
  • MicrosoftEdgeDevtools.exe
  • MicrosoftEdgeSH.exe
  • midori.exe
  • msedge.exe
  • msedge_proxy.exe
  • msedge_pwa_launcher.exe
  • MSFEEDSSYNC.EXE
  • MSHTMPAD.EXE
  • MSOOBE.EXE
  • mustang.exe
  • NETPLWIZ.EXE
  • opera.exe
  • orbitum.exe
  • palemoon.exe
  • pickerhost.exe
  • qqbrowser.exe
  • qupzilla.exe
  • RESTOREOPTIN.EXE
  • safari.exe
  • seamonkey.exe
  • sleipnir.exe
  • sogueexplorer.exe
  • superbird.exe
  • SYSPREP.EXE
  • TE.EXE
  • Te.ProcessHost.exe
  • tor.exe
  • torch.exe
  • USERACCOUNTBROKER.EXE
  • vivaldi.exe
  • Windows.WARP.JITService.exe
  • WWAHOST.EXE

But… we know this is not everything…

Over the last few years we have seen a number of randomly named Chrome-based browser clones appearing ‘on the market’, and threat actors did take notice.

Many infostealers actively look for user profiles associated with these browser paths:

  • \360Chrome\Chrome\
  • \7Star\7Star\
  • \8pecxstudios\Cyberfox\
  • \Amigo\
  • \BraveSoftware\Brave-Browser\
  • \CatalinaGroup\Citrio\
  • \CentBrowser\
  • \Chedot\
  • \Chromium\
  • \CocCoc\Browser\
  • \Comodo\Dragon\
  • \Comodo\IceDragon\
  • \Coowon\Coowon\
  • \CryptoTab Browser\
  • \Elements Browser\
  • \Epic Privacy Browser\
  • \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
  • \Flock\Browser\
  • \Google\Chrome\
  • \Google Chrome Canary\
  • \Chrome SxS\
  • \Iridium\
  • \K-Meleon\
  • \Kometa\
  • \liebao\
  • \MapleStudio\ChromePlus\
  • \Microsoft\Edge\
  • \Moonchild Productions\Pale Moon\
  • \Mozilla\Firefox\
  • \Mozilla\icecat\
  • \Mozilla\SeaMonkey\
  • \NETGATE Technologies\BlackHawk\
  • \Opera Software\Opera Stable\
  • \Orbitum\
  • \Postbox\
  • \QIP Surf\
  • \Sputnik\Sputnik\
  • \Tencent\QQBrowser\
  • \Torch\
  • \uCozMedia\Uran\
  • \Vivaldi\
  • \Waterfox\
  • \Yandex\YandexBrowser\

I believe this is a very comprehensive list, but I bet I missed some entries. If you notice anything missing, please let me know and I will add it.

The bottom line: there are so many browsers and web control-hosting apps out there today that it makes sense to build a list of keywords that reference them, so we can detect infostealers quickly – in their code, data and/or in the telemetry they generate…