Re-sauce, Part 2

In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resource instead. Some developers like to use strings to name their resources instead of numerical IDs. Many of these are prefixed with ‘IDD_’, so they make an easy target for a grep.

Grepping through a large collection of exported resources one can find the following ‘custom-named’ resource names (see file).

Browsing through the content one can find a number of IDDs that are clearly very old e.g.

  • IDD_WIZ97SHEET
  • IDD_DISKETTE
  • IDD_INSERT_DISK

but also lots of very boring names e.g.

  • IDD_DIALOG1
  • IDD_DIALOG2
  • IDD_DIALOG3
  • IDD_DIALOG4
  • IDD_ABOUTBOX
  • IDD_DIALOG_FONT
  • IDD_FONT
  • IDD_UNUSED1
  • etc.

— most likely names auto-created by RAD resource editors. There are some funny typos e.g. IDD_SPLAHSCREEN. Finally, there are some more enigmatic and interesting names like

  • IDD_DEBUG*
  • IDD_NTOPEN
  • IDD_NTCLOSE
  • IDD_CREDITCARD

but these are not really research-worthy.

How can you use this list?

Apart from being an archaeological curiosity, it may actually be quite helpful to know which IDD_ resource names are at least known in a ‘good sample set’ space. With that you could create yara rules, and perhaps more advanced ‘good file’ detections. And if you write a PE viewer/editor/parser, you could always highlight these as ‘known good resources’.
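As an added example (not code from the post, and not the actual list linked above), here is a small Python helper that does the two things suggested in this paragraph: it pulls IDD_ names out of a blob (PE resource directories store names as UTF-16LE, so both narrow and wide encodings are searched), splits them into ‘seen in the good sample set’ versus ‘never seen’, and emits a yara rule from the baseline. The KNOWN_GOOD_IDD set is a constructed, abbreviated subset of names quoted in the post; the rule name and the ‘2 of them’ threshold are arbitrary choices for illustration.

```python
import re

# Baseline of string-named dialog resources seen across a 'good' sample set.
# Constructed, abbreviated subset for this example; a real baseline would be
# the full list exported from the good sample repository.
KNOWN_GOOD_IDD = {
    "IDD_ABOUTBOX", "IDD_DIALOG1", "IDD_DIALOG2", "IDD_FONT",
    "IDD_INSERT_DISK", "IDD_WIZ97SHEET", "IDD_SPLAHSCREEN",
}

# Named resources live in the PE resource directory as UTF-16LE strings, but
# the same identifiers also show up narrow (e.g. in .rc leftovers), so look
# for both encodings. Identifier charset is restricted to what RC allows.
_ASCII_RE = re.compile(rb"IDD_[A-Z0-9_]{1,63}")
_WIDE_RE = re.compile(rb"I\x00D\x00D\x00_\x00(?:[A-Z0-9_]\x00){1,63}")


def extract_idd_names(blob):
    """Return the set of IDD_* identifiers found in a raw byte blob."""
    names = {m.group().decode("ascii") for m in _ASCII_RE.finditer(blob)}
    names |= {m.group().decode("utf-16-le") for m in _WIDE_RE.finditer(blob)}
    return names


def classify(names, baseline=KNOWN_GOOD_IDD):
    """Split extracted names into those present in the baseline and the rest.

    The 'unknown' bucket is the interesting one for a viewer/parser: it is
    what a baseline of good files has never shown us.
    """
    known = {n for n in names if n in baseline}
    return {"known_good": sorted(known), "unknown": sorted(set(names) - known)}


def yara_rule(baseline, rule_name="known_good_idd_resources", min_hits=2):
    """Render a yara rule that tags files carrying several baseline names.

    'ascii wide' makes each string match in both encodings; requiring more
    than one hit avoids tagging on a single generic name like IDD_DIALOG1.
    """
    lines = ["rule %s" % rule_name, "{", "    strings:"]
    for i, name in enumerate(sorted(baseline)):
        lines.append('        $s%d = "%s" ascii wide' % (i, name))
    lines += ["    condition:", "        %d of them" % min_hits, "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample blob mixing narrow and wide identifiers.
    sample = (b"\x00IDD_ABOUTBOX\x00"
              + "IDD_DIALOG1".encode("utf-16-le") + b"\x00\x00"
              + "IDD_NTOPEN".encode("utf-16-le")
              + b"junkIDD_FONTjunk")
    print(classify(extract_idd_names(sample)))
    print(yara_rule(KNOWN_GOOD_IDD))
```

The rule deliberately asks for two or more baseline strings rather than any single one; auto-generated names such as IDD_DIALOG1 are common enough that one hit says very little about a file.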

Overall, curiosity more than anything useful, but that’s one of the reasons why we are digging it… out.

When good URLs are bad for business

Analyzing memory dumps comes with a price – ‘good’ information overload. One thing that annoys me a lot is running URL/domain extraction tools over the memdump and finding tons of legitimate URLs that make it harder to find the juicy stuff I am after. I mean, things like:

  • http://www.w3.org/2001/XMLSchema-instance
  • http://www.w3.org/2000/svg
  • http://www.w3.org/1999/xlink
  • http://www.w3.org/XML/1998/namespace
  • http://www.w3.org/1999/xhtml
  • http://www.w3.org/2000/xmlns/
  • http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd
  • http://update.microsoft.com
  • http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc

There are a lot of ‘good’ URLs embedded in manifests, various resources (e.g. HTML/XML/JSON/CSS files) and certificates, and many are introduced as a side effect of linking with static libraries that often include copyright information and a URL to the author’s page. And of course, there is vendor information, either directly in the resources or in the binary or its config files.

Not only memory dump analysis suffers from it. The same goes for network log analysis: lots of the requests that ‘hide’ the juicy stuff are related to authentication checks, downloads from certificate stores, etc.

In an effort to help with analysis I started building a small repository of these ‘good’ URLs (at the moment primarily related to certificates). I extracted these from my ‘good’ sample repository, so I believe all of them are legitimate. If you find any error, please let me know.

You can download the repo here.
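To show how such a list is actually used during triage, here is an added Python example (mine, not code from the post or the linked repo). It extracts URLs from a raw memory blob in both narrow and UTF-16LE form, normalizes them, and drops anything on an allowlist so that only the unexplained URLs are left to look at. KNOWN_GOOD_URLS is constructed from the URLs quoted in the post; KNOWN_GOOD_HOSTS, the regex character set and the sample blob (including the 203.0.113.7 documentation address) are my own assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Exact URLs known to occur in legitimate binaries and memory. Constructed
# here from the post's own list; the real allowlist would be the repo.
KNOWN_GOOD_URLS = {
    "http://www.w3.org/2001/XMLSchema-instance",
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://www.w3.org/XML/1998/namespace",
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/xmlns/",
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd",
    "http://update.microsoft.com",
    "http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc",
}

# Hosts (and their subdomains) treated as noise wholesale. Assumed for the
# example; keep this list short, since it suppresses everything under a host.
KNOWN_GOOD_HOSTS = {"www.w3.org", "schemas.microsoft.com", "update.microsoft.com"}

# RFC 3986 URL characters; a space, quote or NUL terminates the match.
_URL_CHARS = rb"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]"
_ASCII_URL = re.compile(rb"https?://" + _URL_CHARS + rb"{1,2048}")
# Same pattern with every character followed by a NUL byte (UTF-16LE).
_WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:"
                       + _URL_CHARS + rb"\x00){1,2048}")


def extract_urls(blob):
    """Return every http(s) URL found in the blob, narrow or wide."""
    found = [m.group().decode("ascii") for m in _ASCII_URL.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _WIDE_URL.finditer(blob)]
    return found


def normalize(url):
    """Strip trailing punctuation picked up from surrounding text; lowercase host."""
    url = url.rstrip(".,;:)'\"")
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def is_known_good(url):
    """True if the URL is allowlisted exactly or sits under an allowlisted host."""
    if url in KNOWN_GOOD_URLS:
        return True
    host = urlsplit(url).hostname or ""
    return host in KNOWN_GOOD_HOSTS or any(host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)


def triage(blob):
    """Return (interesting, noise): unexplained URLs first, allowlisted ones second."""
    urls = sorted({normalize(u) for u in extract_urls(blob)})
    noise = [u for u in urls if is_known_good(u)]
    interesting = [u for u in urls if not is_known_good(u)]
    return interesting, noise


if __name__ == "__main__":
    # Constructed memory fragment: an XML namespace, a wide vendor URL and
    # one URL (documentation address) that no allowlist would explain.
    sample = (b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
              + "http://update.microsoft.com\x00".encode("utf-16-le")
              + b"config: http://203.0.113.7/check.php, done")
    interesting, noise = triage(sample)
    print("look at:", interesting)
    print("suppressed:", noise)
```

Keeping the suppressed list around (rather than discarding it) matters: when a sample turns out to be bad, it is worth re-checking that nothing was hidden by an over-broad host entry, which is why host-level allowlisting should stay confined to schema and vendor hosts like the ones above.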