Clustering | Hexacorn

Update 2016-07-08

Added Thinstall applications

Old post

An ability to determine the compiler used to compile a binary is quite important. It determines the way we approach the reversing session and automatically tells us what tools to use. There are many static analysis tools available that help with the determination of the compiler/linker/protector used to build a specific binary.

Sometimes it may not be enough though.

In this post I will list a number of windows-related artifacts created by various programming frameworks that may help us to determine what is the payload compiled with. While there are many of such frameworks many of them rely on a very fixed number of more-or-less hidden windows, or window classes that stay persistent across many versions of the framework, or are created at some point in time.

This is by no means an exhaustive list – if you have anything to add, or find a mistake, I will appreciate the feedback.

Note: such list may be used for many purposes:

compiler/protector determination
data reduction (from strings, or f.ex. strings recognition in IDA, if it itself failed to do so well)
classification (whitelisting/blacklisting) of the sandboxes samples
installer discovery in sandbox analysis (may trigger a different handling routine f.ex. if Auto It is detected, or any installer, low-level logging may be disabled until the actual autoir / installer script starts execution, etc.)

Here’s the list I gathered:

Visual Basic

ThunderRT6Main
VBMsoStdCompMgr
VBFocusRT6 (this is from Visual Basic 6.0)
VBBubbleRT6 (this is from Visual Basic 6.0)
VBFocusRT5 (this is from Visual Basic 5.0)
VBBubbleRT5 (this is from Visual Basic 5.0)

Visual Basic .NET

VBNetStudio

MFC (Microsoft Foundation Classes/Application Framework Extensions)

Afx:<hexadecimal number>:<hexadecimal number> f.ex. ‘Afx:400000:0’ or ‘Afx:10000000:0’
Afx:StatusBar:<hexadecimal number> f.ex. ‘Afx:StatusBar:400000’
Afx:TabWnd:<hexadecimal number> f.ex. ‘Afx:TabWnd:400000’
Afx:ToolBar:<hexadecimal number> f.ex. ‘Afx:ToolBar:400000’

Qt5QWindowIcon

Installer: Install Shield

GLBSInstall
InstallShield_Win

Installer: Inno Setup

class name: STATIC, window name: InnoSetupLdrWindow

Enigma Protector (not confirmed)

TEnigmaProtectorLoaderButton
TEnigmaProtectorLoaderEdit
TEnigmaProtectorLoaderFormMessage
TEnigmaProtectorLoaderFormRegistration
TEnigmaProtectorLoaderGroupBox

RunDll32 execution

RunDLL

OLE/DDE Windows

OleMainDdeClass

AutoIt

AutoIt v3
AutoIt v3 GUI
Au3Info
AutoIt
AutoIt – Splash

Standard Windows controls

ComboBoxEx32
commctrl_DragListMsg
msctls_hotkey32
msctls_progress32
msctls_statusbar32
msctls_trackbar32
msctls_updown32
NativeFontCtl
ReBarWindow32
RichEdit
RichEdit20a
SysAnimate32
SysDateTimePick32
SysHeader32
SysIPAddress32
SysListView32
SysMonthCal32
SysPager
SysTabControl32
SysTreeView32
ToolbarWindow32
tooltips_class32

Thinstall applications

ThStatusBarCtrlClass

Others

mdiclient (typical class name for MDI /Multiple Document Interface/)

And last, but not least, a ‘gallery’ of classes from a number of dynamically analyzed samples written in

Borland/Delphi/etc.

TAbout
TAboutBox
TAboutBox1
TAboutDlg
TAboutForm
TAboutFrm
TActionMainMenuBar
TActionToolBar
TActivationForm
TAdminForm
TAdvGlassButton
TAdvGlowButton
TAdvListView
TAdvMemo
TAdvOfficePage
TAdvOfficePager
TAdvOfficeStatusBar
TAdvPageControl
TAdvProgress
TAdvSmoothButton
TAdvSmoothPanel
TAdvSpinEdit
TAdvTabSheet
TAdvToolBar
TAfterScan
TAnimate
TAnPane
TAppBuilder
TApplication
TBitBtn
TBrowserDlg
TBrowserForm
TButton
TButton2
TButtonGroup
TCalc
TCalculator
TCancelScan
TCategoryPanelGroup
TCentral
TChart
TChat
TChatWindow
TCheckBox
TCheckListBox
TClient
TClientForm
TCloseForm
TCodePanel
TColorBox
TColorButton
TColorGrid
TColorWindow
TComboBox
TComboBoxEx
TComComboBox
TConerBtn
TConfigForm
TConfigServer
TControlForm
TControllerForm
TCoolBar
TCpanel
TCustomDateTimePicker
TDateTimePicker
TDebugForm
TDesco
TDirectoryListBox
TDragArrow
TDrawGrid
TDriveComboBox
TDsGroupBox
TEdit
TEdit97
TEditForm
TEditListBox
TEditN
TEdits
TEnvWindow
TError
TExeToolForm
TEzHelpWindow
TFashionPanel
TFileListBox
TFinalFantasy
TFinalPws
TFlatButton
TFlatCheckBox
TFlatComboBox
TFlatEdit
TFlatGroupBox
TFlatPanel
TFlatRadioButton
TFlatSpinEditInteger
TFlatTitlebar
TFmMain
TFmPrincipal
TForm
TForm0
TForm1
TForm1.UnicodeClass
TForm10
TForm100
TForm101
TForm102
TForm103
TForm104
TForm105
TForm106
TForm107
TForm108
TForm109
TForm11
TForm110
TForm111
TForm112
TForm113
TForm114
TForm115
TForm116
TForm117
TForm118
TForm119
TForm12
TForm120
TForm121
TForm122
TForm123
TForm124
TForm125
TForm126
TForm127
TForm128
TForm129
TForm13
TForm130
TForm131
TForm132
TForm133
TForm134
TForm135
TForm136
TForm137
TForm138
TForm139
TForm14
TForm140
TForm141
TForm142
TForm143
TForm144
TForm145
TForm146
TForm147
TForm148
TForm149
TForm15
TForm150
TForm151
TForm152
TForm153
TForm154
TForm155
TForm156
TForm157
TForm158
TForm159
TForm16
TForm160
TForm161
TForm162
TForm163
TForm164
TForm165
TForm166
TForm167
TForm168
TForm169
TForm17
TForm170
TForm171
TForm172
TForm173
TForm174
TForm175
TForm176
TForm177
TForm178
TForm179
TForm18
TForm180
TForm181
TForm182
TForm183
TForm184
TForm185
TForm186
TForm187
TForm188
TForm189
TForm19
TForm190
TForm191
TForm192
TForm193
TForm194
TForm195
TForm196
TForm197
TForm198
TForm199
TForm1a
TForm1b
TForm1c
TForm1w
TForm2
TForm20
TForm200
TForm201
TForm202
TForm203
TForm204
TForm205
TForm206
TForm207
TForm208
TForm209
TForm21
TForm210
TForm211
TForm212
TForm213
TForm214
TForm215
TForm216
TForm217
TForm218
TForm219
TForm22
TForm220
TForm221
TForm222
TForm223
TForm224
TForm225
TForm226
TForm227
TForm228
TForm229
TForm23
TForm230
TForm231
TForm232
TForm233
TForm234
TForm235
TForm236
TForm237
TForm238
TForm239
TForm24
TForm240
TForm241
TForm242
TForm243
TForm244
TForm25
TForm26
TForm27
TForm28
TForm29
TForm2a
TForm2b
TForm3
TForm30
TForm31
TForm32
TForm33
TForm34
TForm35
TForm36
TForm37
TForm38
TForm39
TForm3a
TForm3b
TForm4
TForm40
TForm41
TForm42
TForm43
TForm44
TForm45
TForm46
TForm47
TForm48
TForm49
TForm4c
TForm4d
TForm5
TForm50
TForm51
TForm52
TForm53
TForm54
TForm55
TForm56
TForm57
TForm58
TForm59
TForm5a
TForm6
TForm60
TForm61
TForm62
TForm63
TForm64
TForm65
TForm66
TForm67
TForm68
TForm69
TForm6a
TForm6b
TForm7
TForm70
TForm71
TForm72
TForm73
TForm74
TForm75
TForm76
TForm77
TForm78
TForm79
TForm7w
TForm8
TForm80
TForm81
TForm82
TForm83
TForm84
TForm85
TForm86
TForm87
TForm88
TForm89
TForm9
TForm90
TForm91
TForm92
TForm93
TForm94
TForm95
TForm96
TForm97
TForm98
TForm99
TForm_About
TForm_Main
TForm_Options
TForm_Principal
TForm_splash
TForm_Undelete
TForm_Update
TFormAbout
TFormaTudo
TFormAutorun
TFormbb
TFormCreateServer
TFormDisclaimer
TFormExit
TFormHTML
TForminfo
TFormInstaller
TFormLogin
TFormMain
TFormOptions
TFormp
TFormPasswords
TFormPrinc
TFormPrincipal
TFormProgress
TFormregister
TFormRunning
TFormSetup
TFormShell
TFormSlectDir
TFormSplash
TFormUpdate
TFormWait
TFormWeb
TFormwebbrowser
TFormXInstaller
TFrame1
TFrame4
TFrame6
TFrm_check
TFrm_codigo
TFrm_Main
TFrmAbout
TFrmAd
TFrmAgree
TFrmBrad
TFrmCert
TFrmChat
TFrmControl
TFrmDownAgree
TFrmDownload
TFrmECleanDel
TFrmExport
TFrmGF
TFrmIDSoc
TFrmInit
TFrmLogin
TFrmMain
TFrmNewAccount
TFrmPass
TFrmPassw
TFrmPrincipal
TFrmReflet
TFrmSeting
TFrmSetup
TFrmSplash
TFrmSynNglp
TFrmTOKEN1
TFrmUpdate
TFrmVrfcdr
TFunc
TGeoPosition
TGradBtn
TGradPan
TGroupBox
TGroupButton
THeader
THelpForm
THiddenForm
THintWindow
THotButton
THotGroupBox
THotKey
THtmlUIForm
TImageForm
TInfobusca
TInfoForm
TInplaceEdit
TInstallerForm
TInstallForm
TKeyForm
TKeygenForm
TLabel
TLabeledEdit
TLayerWindow
TLinkLabel
TLinkText
TListBox
TListenForm
TListView
TLogForm
TLogin
TLogin_Form
TLoginForm
TLogo
TLogoForm
TLogonDlg
TLogonForm
TMain
TMain_Form
TMainF
TMainF0rmVer2
TMainFM
TMainForm
TMainFormVer2
TMainFrm
TMainMPRForm
TMainWin
TMainWindow
TManForm
TMaskEdit
TMaster
TMediaPlayer
TMemo
TMemoForm
TMenuButton
TMessageForm
TModifiedEdit
TMonitor
TMonitorForm
TMonthCalendar
TMormay1
TMsgForm
TMsgForm2
TMyIEButton2
TNetComMainFm
TNetWindow
TNewButton
TNewCheckListBox
TNewComboBox
TNewDiskForm
TNewMemo
TNewNotebook
TNewNotebookPage
TNewRadioButton
TNewStaticText
TNewWindow
TNextGrid
TNomeDiferente
TNotebook
TNotifierWindow
TNotifyForm
TNxButton
TNxPopupList
TNxTabSheet
TOleContainer
TOptionsForm
TOutline
TOvcfrmSplashDlg
TPage
TPageControl
TPageScroller
TPainel_Seguranca
TPainel_Seguranca2
TPanel
TPanels
TParentForm
TPasswordDlg
TPasswordForm
TPenWindow2
TPlanilha
TPlayForm
TPlaylistForm.UnicodeClass
TPngBitBtn
TPoolTemplate
TPortRedirForm
TPreviewWindow
TPrincipal
TPrnStatusForm
TProcessForm
TProgressBar
TProgressForm
TPromoForm
TPserver
TPwdForm
TRadioButton
TRadioGroup
TRbButton
TReg_Form
TRegForm
TRegHex
TRegisterForm
TRegistrationWindow
TRichEdit
TRichEditViewer
TRollShadow
TRum_
TRunningText
TRzBitBtn
TRzBmpButton
TRzButton
TRzButtonEdit
TRzButtonPair
TRzCheckBox
TRzComboBox
TRzEdit
TRzGroup
TRzGroupBox
TRzGroupButton
TRzMaskEdit
TRzPageControl
TRzPanel
TRzRadioButton
TRzRadioGroup
TRzSizePanel
TRzSpinButtons
TRzSpinEdit
TRzSplitter
TRzTabSheet
TRzToolbar
TSbookF
TScrollBar
TScrollBox
TScroller
TSecCenter
TSechDir
TSelectLanguageForm
TSelectWindow
TServerForm
TSetForm
TSettingsForm
TSetupForm
TSetupMainForm
TShellTreeView
TShowPm
TSiInMay
TSkin
TSpinButton
TSpinEdit
TSpinEdit2
TSplash
TSplashForm
TSplashScreen
TStaticText
TStatusBar
TStatusForm
TStoringComboBox
TStringGrid
TStubForm
TSupervisor
TSynBaseCompletionProposalForm
TSynMemo
TSystemUpdateService
TTabControl
TTabPage
TTabSet
TTabSheet
TTabSheetes
TTeButton
TTeCustomTabSheet
TTePanel
TTeSEdit
TTestForm
TTeTabSheet
TTetro1
TTipForm
TToolBar
TToolbar97
TTrackBar
TTransEdit
TTransMemo
TTreeView
TTurcaButton
TUnidadU
TUnzipPanel
TUpdateForm
TUpdateFrm
TUpDown
TUpIpDate
TVeeImageButton
TVideoWindow
TViewForm
TVrDemoButton
TWaitForm
TWarningForm
TWelcome
TWinApiWnd
TWinControl
TWindowDisabler-Window
TWinForm
TWinMain
TWizardForm
TWizButton
TWizDropDownPanel
TWnForm

Hexacorn

Hexacorn

Category Archives: Clustering

Certain Windows… stay classy…

The art of Stuffing and Dressing of Application Data folder