
ELF sections stats

March 13, 2021 in Clustering, linux

If you follow my blog you may know that I have dedicated a lot of time to building a very comprehensive list of PE sections. Today I realized that I never looked at ELF sections the same way, so with this post I am taking a first stab at it. The list below is nothing but quick & dirty stats from a reasonably sized sample set of ELF files:

47165 .shstrtab
44289 .bss
33390 .comment
31664 .strtab
31651 .symtab
23516 .data
20756 .got
12634 .debug_aranges
12628 .debug_line
12628 .debug_info
12628 .debug_abbrev
12181 .debug_frame
11408 .sbss
10339 .mdebug.abi32
9359 .ARM.attributes
8239 .jcr
6703 .dynamic
6547 .rodata
6432 .debug_str
6386 .ctors
6343 .dtors
6035 .debug_pubnames
5846 .debug_ranges
5834 .debug_loc
5101 .fini_array
4915 .data.rel.ro
4858 .pdr
4133 .eh_frame
3056 .fini
2919 .text
2877 .plt
2515 .init
2444 .sdata
1858 .got.plt
1778 .note
1542 .init_array
1335 .stabstr
1335 .stab
1140 .rel.plt
1003 __libc_freeres_ptrs
862 .tbss
839 .tdata
820 .note.gnu.gold-version
812 .gcc_except_table
791 __libc_thread_subfreeres
739 .ARM.exidx
484 .ARM.extab
423 .data.rel.ro.local
414 .eh_frame_hdr
283 __libc_atexit
245 __libc_subfreeres
239 .note.ABI-tag
172 .preinit_array
140 .note.stapsdt
138 .stapsdt.base
117 .bmp
114 .mips
113 .compiler
110 .dynstr
96 .rld_map
76 .gnu.attributes
75 .noptrbss
73 .context
71 .note.go.buildid
49 .rel.dyn
45 .gnu_debuglink
38 .gnu.prelink_undo
36 .debug_pubtypes
33 .gnu_extab
30 .stab.indexstr
30 .stab.index
29 .note.GNU-stack
29 .engine
20 .xt.prop
19 .xtensa.info
19 .xt.lit
19 .debug_gdb_scripts
19 .bep
18 .rel.gnu.linkonce.this_module
18 .gnu.warning.llseek
17 .interp
17 .gnu.linkonce.this_module
16 .rodata.str1.1
15 .gnu.conflict
14 .rel.debug_aranges
14 .rel.data
13 .rel__ex_table
13 .rel.debug_pubnames
13 .redata
13 .jgd
12 __ex_table
12 .rodata.str1.4
12 .rel.eh_frame
12 .dynbss
11 __versions
11 .rel.rodata
11 .modinfo
10 __mcount_loc
10 .rel__mcount_loc
10 .rel.debug_line
10 .data1
8 __ksymtab
8 .plt.got
8 .exception_ranges
8 .ex_shared
8 .debug_macinfo
8 .data.rel.local
7 COFF
7 .mdebug
6 .rodata1
6 .rel.text
6 .rel.fixup
6 .rel.debug_info
6 .MIPS.stubs
5 __param
5 PROGRAM
5 IBC_2.0
5 ABI
5 .xzrodata
5 .rel__param
5 .rel.debug_loc
5 .rel.debug_frame
4 .note.android.ident
4 .got2
4 .gnu.version_r
4 .cpp_finidata
4 .arm_vfe_header
3 Input file:
3 .upx.1
3 .smp_locks
3 .rel.smp_locks
3 .rdata
3 .ident
2 text_env
2 ta
2 odata
2 elink
2 __verbose
2 __ksymtab_strings
2 ___ksymtab_gpl+fb_mode_option
2 ___ksymtab_gpl+fb_destroy_modelist
2 ___ksymtab+vesa_modes
2 ___ksymtab+fb_videomode_to_var
2 ___ksymtab+fb_var_to_videomode
2 ___ksymtab+fb_mode_is_equal
2 ___ksymtab+fb_match_mode
2 ___ksymtab+fb_find_nearest_mode
2 ___ksymtab+fb_find_mode_cvt
2 ___ksymtab+fb_find_mode
2 ___ksymtab+fb_find_best_mode
2 ___ksymtab+fb_find_best_display
2 Import
2 C_2.0
2 .vmp
2 .tptext
2 .tm_clone_table
2 .rodata.cst4
2 .rela.plt
2 .rel__verbose
2 .rel___ksymtab_gpl+fb_mode_option
2 .rel___ksymtab_gpl+fb_destroy_modelist
2 .rel___ksymtab+vesa_modes
2 .rel___ksymtab+fb_videomode_to_var
2 .rel___ksymtab+fb_var_to_videomode
2 .rel___ksymtab+fb_mode_is_equal
2 .rel___ksymtab+fb_match_mode
2 .rel___ksymtab+fb_find_nearest_mode
2 .rel___ksymtab+fb_find_mode_cvt
2 .rel___ksymtab+fb_find_mode
2 .rel___ksymtab+fb_find_best_mode
2 .rel___ksymtab+fb_find_best_display
2 .rel.debug_pubtypes
2 .null
2 .msym
2 .fixup
2 .conststring
2 .constdata
2 .compact_rel
2 .comment.SUSE.OPTs
2 .PPC.EMB.apuinfo
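As an added example (not the post's own script), this is how such a histogram is produced: walk each image's section header table, resolve every sh_name through .shstrtab, and count across the sample set. It parses ELF32 and ELF64 in either byte order with only the standard library; the sample set is constructed inline, so the two tiny images and the non-ELF blob are assumptions, not files from the post.

```python
import struct
from collections import Counter

def elf_section_names(data):
    """Section names of one ELF image (bytes); [] if it is not ELF or has no usable section table."""
    if data[:4] != b"\x7fELF" or len(data) < 64:
        return []
    is64, bo = data[4] == 2, ("<" if data[5] == 1 else ">")  # EI_CLASS, EI_DATA
    shoff_at, shoff_fmt, tail_at, shdr_fmt = (0x28, "Q", 0x3A, "IIQQQQ") if is64 else (0x20, "I", 0x2E, "IIIIII")
    (e_shoff,) = struct.unpack_from(bo + shoff_fmt, data, shoff_at)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(bo + "HHH", data, tail_at)
    if (e_shoff == 0 or e_shnum == 0 or e_shstrndx >= e_shnum or e_shentsize < struct.calcsize(bo + shdr_fmt)
            or e_shoff + e_shnum * e_shentsize > len(data)):
        return []
    def shdr(i):  # (sh_name, sh_offset, sh_size) of section header i
        name, _, _, _, off, size = struct.unpack_from(bo + shdr_fmt, data, e_shoff + i * e_shentsize)
        return name, off, size
    _, str_off, str_size = shdr(e_shstrndx)
    strtab = data[str_off:str_off + str_size]  # .shstrtab: NUL-terminated section names
    names = []
    for i in range(e_shnum):
        name_idx, _, _ = shdr(i)
        if name_idx < len(strtab):
            nul = strtab.find(b"\0", name_idx)
            names.append(strtab[name_idx:nul if nul >= 0 else None].decode("ascii", "replace"))
    return names

def section_histogram(blobs):
    """Count section names across many images (skipping the unnamed NULL section)."""
    return Counter(n for b in blobs for n in elf_section_names(b) if n).most_common()

def build_elf64(names):
    """Constructed test input: a minimal ELF64 LE image with one empty section per name plus .shstrtab."""
    all_names = [""] + list(names) + [".shstrtab"]
    shstr = b"\0" + b"".join(n.encode() + b"\0" for n in all_names[1:])
    idx, pos = {}, 0
    for n in all_names:  # byte offset of each name inside .shstrtab
        idx[n], pos = pos, pos + len(n) + 1
    shoff, shnum = 64 + len(shstr), len(all_names)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = b""
    for n in all_names:
        typ = 0 if n == "" else 3 if n == ".shstrtab" else 1  # SHT_NULL / SHT_STRTAB / SHT_PROGBITS
        off, size = (64, len(shstr)) if n == ".shstrtab" else (0, 0)
        shdrs += struct.pack("<IIQQQQIIQQ", idx[n], typ, 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + shstr + shdrs

# Constructed sample set: two tiny ELFs plus a non-ELF blob that must be ignored.
SAMPLES = [build_elf64([".text", ".data", ".bss"]), build_elf64([".text", ".comment"]), b"MZ\x90\x00"]
```

For a real directory, feed `section_histogram(open(p, "rb").read() for p in paths)` and print each `(name, count)` pair; the result has the same shape as the list above.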

Re-sauce, Part 3

November 27, 2020 in Archaeology, Clustering, Code Injection, File Formats ZOO, Forensic Analysis

I like extracting data from many samples because this way I often discover new things. Combing through a set of manifest files I had extracted from a large sample set of good samples was a useful exercise and brought a few interesting findings.

The manifest files I came across were saved as plain text, UTF-16 LE, and UTF-8. Some were malformed, some used incorrect data, others included commented-out manifest sections, and sometimes the commented-out parts used HTML entities to represent the opening and closing angle brackets. Other variations included quotation marks vs. apostrophes, boilerplate values (e.g. name = “CompanyName.ProductName.YourApplication”, name = “YourCompanyName.YourDivision.YourApp”, etc.), and typos (e.g. “schema-microsoft-com:asm.v3”, or “urn:schemas-microsoft.com:asm.v3”).

I tried to see if I could find any publicKeyToken outliers. These tokens are often used to reference a specific library version, the most popular being comctl32.dll v6.0, which enabled visual styles back in the days when that still mattered (publicKeyToken=”6595b64144ccf1df”).

A quick histogram of publicKeyToken values shows a small number of unique values, some of which are kinda questionable (e.g. empty, zeroed, or an unexpanded build-variable reference instead of an actual token):

publicKeyToken="6595b64144ccf1df"
publicKeyToken="1fc8b3b9a1e18e3b"
publicKeyToken="000000000000000"
publicKeyToken="02ad33b422233ae3"
publicKeyToken="73A0BB510A53FB51"
publicKeyToken="31BF3856AD364E35"
publicKeyToken="0000000000000000"
publicKeyToken="dfbe2673baf698eb"
publicKeyToken="6595B64144CCF1DF"
publicKeyToken="89845dcd8080cc91"
publicKeyToken="13acf979d16e8a17"
publicKeyToken="b03f5f7f11d50a3a"
publicKeyToken="B03F5F7F11D50A3A"
publicKeyToken="$(Build.WindowsPublicKeyToken)"
publicKeyToken="5a496c7842cd4787"
publicKeyToken="296da4bedbebef8f"
publicKeyToken="df38d5d136a3092e"
publicKeyToken=""
publicKeyToken="fcc99ee6193ebbca"
publicKeyToken="b77a5c561934e089"
publicKeyToken="81e233547d425e6b"
publicKeyToken="6bd6b9abf345378f"
publicKeyToken="C7153A0601FA8C89"
publicKeyToken="7a259a25b8d448e5"
publicKeyToken="654bb64156ccf1af"
publicKeyToken="40C4B6FC221F4138"
publicKeyToken="31bf3856ad364e35"
publicKeyToken="1fc8b3b9a1e18e3c"
publicKeyToken="02d1dcd786c7c243"
publicKeyToken="f92d94485545da78"
publicKeyToken="a03853097df2bf0c"
publicKeyToken="A2625990D5DC0167"
publicKeyToken="71E9BCE111E9429C"
publicKeyToken="669E0DDF0BB1AA2A"
publicKeyToken="5120E14C03D0593C"
publicKeyToken="47D0C84D0EBB13E5"
publicKeyToken="4267b751a96a28a1"
publicKeyToken="30AD4FE6B2A6AEED"

Another statistic I was interested in was requestedExecutionLevel, but it didn’t bring anything interesting:

level="asInvoker"
level="highestAvailable"
level="leastPrivilege"
level="requireAdministrator"

Looking at processorArchitecture we get:

$(build.processorArchitecture)
*
AMD64
Amd64
IA64
MSIL
SXS_PROCESSOR_ARCHITECTURE
X64
X86
amd64
arm
ia64
msil
x64
x86

For uiAccess:

"false"
FALSE
False
TRUE
True
false
true
true|false

Another target of this analysis was URIs. These constantly pop up during memdump analysis, and knowing a list of clean ones can save us some time. Here’s the list I extracted (including those prefixed with ‘urn’):

http://blogs.msdn.com/b/chuckw/archive/2013/09/10/manifest-madness.aspx
http://ipmsg.org/tools/fastcopy.html
http://ltsc.ieee.org/xsd/LOM
http://manifests.microsoft.com/win/2004/08/windows/events
http://mozilla.org/MPL/2.0/.
http://msdn.microsoft.com/en-us/library/aa374191
http://msdn.microsoft.com/en-us/library/aa374191(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa965884%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/dd371711
http://msdn.microsoft.com/en-us/library/hh848036
http://msdn.microsoft.com/en-us/library/hh848036(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/ms633543.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/dn302074%28v=vs.85%29.aspx
http://msdn.microsoft.com/windowsvista/prodinfo/what/security/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp
http://opensource.org/licenses/cpl.php
http://opensource.org/licenses/cpl1.0.php
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2010/WindowsSettings
http://schemas.microsoft.com/SMI/2011/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://schemas.microsoft.com/SMI/2017/WindowsSettings
http://schemas.microsoft.com/win/2004/08/events
http://social.msdn.microsoft.com/Forums/en/winformssetup/thread/7787c8b9-18c3-4135-bd8a-2802eba98e3c
http://www.adlnet.org/xsd/adlcp_v1p3
http://www.apache.org/licenses/LICENSE-2.0
http://www.imsglobal.org/xsd/imscp_v1p1
http://www.w3.org/2000/09/xmldsig#
http://www.w3.org/2000/09/xmldsig#sha1
http://www.w3.org/2001/XMLSchema
http://www.w3.org/2001/XMLSchema-instance
http://yourserver/iis_auth.asp?debug=1
urn:0073chemas-microsoft-com:asm.v3
urn:schemas-microsoft-com:asm.v1
urn:schemas-microsoft-com:asm.v2
urn:schemas-microsoft-com:asm.v3
urn:schemas-microsoft-com:clickonce.v1
urn:schemas-microsoft-com:clickonce.v2
urn:schemas-microsoft-com:compatability.v1
urn:schemas-microsoft-com:HashTransforms.Identity
urn:schemas-microsoft-com:HashTransforms.ManifestInvariant

Finally, attributes (note that some may only exist within comments, that is, between <!-- and -->, not in the actual manifest XML):

name
iid
version
clsid
progid
hash
description
proxyStubClsid32
tlbid
Id
numMethods
publicKeyToken
task
message
language
value
xmlns
processorArchitecture
uiAccess
level
type
class
file
standalone
inType
encoding
mask
flags
manifestVersion
threadingModel
keywords
size
chid
runtimeVersion
guid
xmlns:asmv3
company
optional
outType
helpdir
xmlns:co.v2
copyright
allowDelayedBinding
opcode
xmlns:asmv2
length
xmlns:ms_asmv3
buildType
hashalg
parameters
xmlns:adlcp
xsi:schemaLocation
xmlns:cmp
culture
xmlns:ms_asmv1
profile
xmlns:ms_windowsSettings
xmlns:xsi
baseInterface
majorVersion
face
xmlns:xsd
miscStatusContent
resourceFileName
xmlns:asmv1
isolation
dependencyType
servicePackMajor
xmlns:co.v1
channel
xmlns:lom
assemblyname
xmlns:ms_asmv2
messageFileName
xmlns:ms_compatibility
template
xmlns:mssv2
minorVersion
miscStatus
enabled
asmv2:product
product

And last, but not least… this classic paper [PDF warning] from 2006 on manifest file abuse was yet another reason I looked at manifest files en masse. I speculated that maybe, maybe, maybe, maybe there are some signed executables that take advantage of the manifest’s file tag as described in the document:

and inadvertently may become a vehicle for a ‘by design’ manifest-based DLL side-loading. The scenario would play out like this: you run a signed executable whose manifest uses the file tag, you provide the malicious DLL named as the manifest expects, and you place it in the current directory. Should work?

After grepping the manifest files for the <file tag I found quite a few of them. So many that I can’t paste them here. But you can view them here.
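An added example, not the blog's own tooling, that covers both the extraction pass described earlier (mixed encodings, commented-out sections with HTML entities, questionable publicKeyToken values) and the <file tag grep from this post: it decodes a manifest by BOM sniffing, pulls attributes with and without comments, classifies tokens into the buckets seen in the histogram, and lists <file name="..."> declarations. The UTF-16 sample manifest, its "Old.Dependency" comment and "example.dll" are constructed for the demo.

```python
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
ATTR_RE = re.compile(r"([\w:.\-]+)\s*=\s*([\"'])(.*?)\2", re.S)
FILE_RE = re.compile(r"<file\b[^>]*?\bname\s*=\s*[\"']([^\"']+)[\"']", re.S | re.I)

def decode_manifest(raw):
    """Decode a manifest stored as UTF-8, UTF-16 (with or without BOM) or plain ASCII."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    if raw[1:2] == b"\0":  # BOM-less UTF-16 LE: ASCII text has a NUL in every odd byte
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")

def manifest_attributes(text, keep_comments=False):
    """All (attribute, value) pairs in document order; <!-- --> blocks are dropped unless asked for."""
    if not keep_comments:
        text = COMMENT_RE.sub("", text)
    return [(name, value) for name, _quote, value in ATTR_RE.findall(text)]

def classify_public_key_token(value):
    """Sort a publicKeyToken into the buckets seen in the histogram: a real one is 16 hex digits."""
    if value == "":
        return "empty"
    if value.startswith("$("):
        return "build-variable reference"
    if set(value) == {"0"}:
        return "zeroed"
    if not re.fullmatch(r"[0-9a-fA-F]{16}", value):
        return "malformed"
    return "ok"

def file_dependencies(text):
    """Names declared with <file name="..."/> outside comments, i.e. what the <file grep above finds."""
    return FILE_RE.findall(COMMENT_RE.sub("", text))

# Constructed sample: UTF-16 LE with BOM, one commented-out block using HTML entities, one <file> tag.
SAMPLE = ("\ufeff"
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
    '  <!-- &lt;assemblyIdentity name="Old.Dependency" publicKeyToken="" /&gt; -->\n'
    '  <dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"\n'
    '    version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/>\n'
    '  </dependentAssembly></dependency>\n'
    '  <file name="example.dll" hashalg="SHA1"/>\n'
    '</assembly>\n').encode("utf-16-le")
```

Run `manifest_attributes` over many decoded manifests and feed the names into `collections.Counter` to reproduce the attribute list above; pass `keep_comments=True` to see the attributes that only live inside comments.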

What’s next? Obviously, more research.