You are browsing the archive for Living off the land.

aMus(ing)Notification

January 3, 2021 in Archaeology, LOLBins, Undocumented Windows Internals

Update

Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂

Old Post

Have you ever got annoyed by this popup?

I got curious where they come from and after running sysmon I quickly discovered they come from the invocation of MusNotification.exe and MusNotificationUx.exe.

This one in particular is a lunch of:

MusNotificationUx.exe Dialog_EngagedFourthReminder 0

The Dialog_xxx is a very unique keyword, so after quick search I discovered the whole gamut of similar messages hidden inside the UserProcess:: GetNotificationCommandLineArguments routine inside the MusNotification.exe:

  • Dialog_AllowSchedulingFirstReminder
  • Dialog_AllowSchedulingForcedReminder
  • Dialog_AllowSchedulingPerAUPolicy
  • Dialog_AllowSchedulingRebootFailed
  • Dialog_AllowSchedulingSecondReminder
  • Dialog_AllowSchedulingThirdReminder
  • Dialog_AllowSchedulingWarning
  • Dialog_CantDownloadUpdate
  • Dialog_CantInstallUpdate
  • Dialog_DataMigrationFailed
  • Dialog_DownloadAvailable
  • Dialog_DownloadNeedUserAgreementPerCTA
  • Dialog_EngagedFourthReminder
  • Dialog_EnhancedEngagedAcceptAuto
  • Dialog_EnhancedEngagedForcedPrecursor
  • Dialog_EnhancedEngagedForcedWarning
  • Dialog_EnhancedEngagedRebootFailed
  • Dialog_EnhancedEngagedRebootImminent
  • Dialog_EnhancedEngagedRebootReminder
  • Dialog_EnhancedEngagedSecondRebootReminder
  • Dialog_ExpeditedReboot
  • Dialog_InstallNeedEula
  • Dialog_InstallNeedUserAgreement
  • Dialog_LowUptime
  • Dialog_PolicyDeadlineApproaching
  • Dialog_PolicyDeadlineEngagement
  • Dialog_PolicyDeadlineRebootFailed
  • Dialog_PolicyDeadlineRebootImminent
  • Dialog_PolicyDeadlineUserScheduled
  • Dialog_RebootActiveHoursForcedReminder
  • Dialog_RebootActiveHoursForcedWarning
  • Dialog_RebootActiveHoursImminent
  • Dialog_RebootActiveHoursUserSelected
  • Dialog_RebootDTU
  • Dialog_RebootForcedDTU
  • Dialog_RebootImminent
  • Dialog_RebootPolicyEnabledForcedWarning
  • Dialog_RebootPostponeMgmt
  • Dialog_RebootWarning
  • Dialog_ScheduleUpdate
  • Dialog_ScheduleUpdateFailed
  • Dialog_SuggestedActiveHours

You can pick up any of them and run via a similar invocation using MusNotificationUx.exe e.g.

MusNotificationUx.exe Dialog_CantDownloadUpdate 0

and others:

Apart from being a gimmick these invocations could be a good social engineering add-on to malware repertoire, and would certainly add a lot of credibility to rogue antispyware software back in a day.

There also seem to be a possibility of a Lolbin as the invocations of MusNotificationUx.exe via MusNotification.exe refer to %SYSTEMROOT% environment variable as opposed to path retrievwed using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.

Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:

  • Toast_CompatIssue
  • Toast_DesktopKeepOnReminder
  • Toast_DownloadNeedMoreSpace
  • Toast_DownloadNeedUserAgreement
  • Toast_DownloadNeedUserAgreementPerCTA
  • Toast_DownloadNeedWifi
  • Toast_DownloadViaCellularNeedUserAgreement
  • Toast_EngagedFirstReminder
  • Toast_EngagedRebootFailed
  • Toast_EngagedRebootWarning
  • Toast_EngagedSecondReminder
  • Toast_EngagedThirdReminder
  • Toast_EnhancedEngagedRebootReminder
  • Toast_FailedDiskSpaceCheck
  • Toast_FairWarningDesktop
  • Toast_FairWarningLaptop
  • Toast_FairWarningPolicyNotifyDeadline
  • Toast_InstallBlocked
  • Toast_InstallNeedEula
  • Toast_InstallNeedMoreSpace
  • Toast_InstallNeedUserAgreementPerAUPolicy
  • Toast_KeepAliveOnBatteryWarning
  • Toast_LaptopPlugInReminder
  • Toast_LowUptime
  • Toast_MeteredConnection
  • Toast_NotifyToDownload
  • Toast_NotifyToInstall
  • Toast_OOBEDownloadInProgress
  • Toast_PersistentReadyToReboot
  • Toast_PolicyDeadlineEngagement
  • Toast_RebootActiveHoursForcedReminder
  • Toast_RebootActiveHoursImminent
  • Toast_RebootNeedUserAgreementPerAUPolicy
  • Toast_RebootOtherUsers
  • Toast_RebootReminder
  • Toast_SuggestedActiveHours
  • Toast_UpdateFailed

Last, but not least, there are some additional options the tool accepts, in particular:

  • RebootWithUXForceOthers
  • RebootWithUX
  • ClearActiveNotifications
  • QueryNotificationState
  • -Embedding
  • /CV – correlation vector
  • /MusUxStateString
  • /ToastAction, where the action can be one of these:
    • AlwaysAllowAutoUpdates
    • DeferRestartInHour
    • DeferRestartNow
    • ForcedRemRestartNow
    • ImmAnotherTime
    • ImmRestartNow
    • NotifyRestartNow
    • OthersPickTime
    • OthersRestartAnyway
    • RemPickTime
    • RemRestartNow
    • RemSnooze
    • RestartFailedRetry
    • RestartTonight
    • RestartWarningOption
    • Settings
    • Setup
    • SnoozeUx
    • SuggestedAHConfirm
    • SuggestedAHDontChange
    • WarnPickTime
    • WarnRestartNow
    • dismiss
  • eDTERestartTonight
  • /ToastLaunchTimestamp

Samir is my hero aka colab on browserexport

October 1, 2020 in Archaeology, Living off the land

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after few back and forth we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this his me keeping my promise. Not.

Luckily to us, browserexport.exe is an easy read in Ida Pro. We also found good references to this .exe inside the btrowserbroker.dll file that helped us to guess what is required for the program invocation. After some quick code eyeballing we have extracted a number of interesting command line wannabe arguments:

  • ALL
  • COOKIES
  • FAVICONS
  • FORMDATA
  • HEURISTIC
  • HISTORY
  • LOGINS
  • LOWCOOKIES
  • SETTINGS

Analysis of code confirmed that the program requires at least 4 arguments so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

  • “” is a GUID which we don’t exactly know what it is, but it’s only used for exports from IE11; could be related to the GUID of the IE user profile (?),
  • IE11 is just one of the browsers supported by the tool; all the supported browsers are
    • CHROME
    • IE11
    • QIHOO360SE
    • QQBROWSER
  • all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
    • ALL
    • COOKIES
    • FAVICONS
    • FORMDATA
    • HEURISTIC
    • HISTORY
    • LOGINS
    • LOWCOOKIES
    • SETTINGS
  • foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. it’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
"MigrationData": {
"browser": "IE11",
"history": [
{
"title": "…",
"url": "…",
"LastAccessed": …
},
{
"title": "….",
"url": "…",
"LastAccessed": …
},
],
"logins": [

],
"cookies": [
{
"name": "…",
"value": "…",
"domain": "…",
"path": "…",
"dwFlags": …,
"ftExpires": …,
"fExpiresSet": …
},
]
}
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by btrowserbroker.dll. Neither of them can be considered a Lolbin, but then again.. that’s a lot of exportable value they both present w/o any effort from malware authors.