Category Archives: Living off the land

Dictionary files (.dctx)

Posted on by

This is not a very important research really. Just a ‘blurb’ of what I observed during my quick tests.

So…

First of all, I noticed that .dctx files are being handled by this program:

  • C:\Windows\System32\IME\shared\IMEWDBLD.EXE

These are dictionary files (source) and are compiled to some other binary format (.dctc AFAICT). These dictionaries seem to be heavily used (and needed?) for Asian languages, so most of info on them can be found online on forums discussing Japanese and Chinese language keyboard input.

Examples: here, and here.

When you open a .dctx file on Windows 10 you will be presented with this dialog box:

When we click OK, we will see another dialog box:

I have not figured out what that means, but it seems to be a highly prevalent error and many users report it. I couldn’t bypass it despite toying around with various parameters embedded inside my test .dctx file. I tried to use variations of English language (US vs. UK), different encoding, etc., but it always comes back with the same error.

Also, after looking at IMEWDBLD.EXE, I noticed that it takes a -v <logfile> command line argument (where -v stands for -verbose, I guess). Using it during testing is a better alternative to that non-descriptive dialog box shown above. After trying to open the very same .dctx with IMEWDBLD.EXE and -v flag enabled I observed this in the ouput of the log file:

Error: Encountered fatal error(0x80070057:The parameter is incorrect.).
Error: There is a problem with the dictionary file. Please try to download again.

Unfortunately, this error is very prevalent inside the binary (IMEWDBLD.EXE), so I didn’t spend too much time trying to figure it out. Okay, if you must know, 0x80070057 stands for an invalid argument. Would be really handy to know which argument triggered it… hmm…..

So, that’s it really.

If you want to play around, this is a minimalistic sample .dctx file you can try to import on your Windows 10 system. Download, and double click. That’s it.

Bonus

I think the IME components are not very well researched and can potentially offer mechanisms that will allow for less-known attacks focused on:

  • persistence
  • bypassing security controls
  • RCE

Why?

They seem to be developed for a niche (but not negligible due to number!) group of users in Asia (Japanese, Chinese), and most likely have been poorly tested. The last IME-related research I could find is here.

Why?

If you look at IMEWDBLD.EXE binary you will notice a bunch of flags that are not documented anywhere on the internet. Hence, they could be limited to a test environment at MS, or only taken into account on OS versions that require IME. The lower the scope, the lower the testing priority. A.K.A. if it is not documented on the Internet, then it’s likely internal.

Some food for a thought:

  • HKLM\SOFTWARE\Microsoft\IME\PlugInDict
  • EncryptAllPlugInDict
  • DisableAllPlugInDict

Command line arguments for IMEWDBLD.EXE:

  • -encrypt <unknown>
  • -pluginguid <guid>
  • -w <unknown>
  • -pm <unknown>
  • -v <logfile> – saves the verbose info to logfile
  • -nofilter <unknown>
  • -testing <unknown>

Beyond good ol’ Run key, Part 101

Posted on by

This is a bit unusual way of establishing persistence.

We don’t add any Registry entries. We also don’t really drop any malicious executable files, unless we have to (fileless malware could establish a persistence this way).

How?

By leveraging the omnipresent files: unins000.dat and unins000.exe that are dropped by any setup program that is built using the InnoSetup installer.

One can build a small InnoSetup script e.g. like this:

[Setup]
 AppName=test
 AppVersion=1
 DefaultDirName=.
 DefaultGroupName=test
 [Run]
 Filename: "c:\windows\system32\calc.exe"
 [UninstallRun]
 Filename: "c:\windows\system32\notepad.exe"

After installing the .exe, we can collect the unins000.dat and unins000.exe that are generated during this session. They ensure that Notepad is executed when the application is uninstalled. Attacker could simply ‘borrow’ these and place these in a folder where there are already existing files unins000.dat and unins000.exe (typically under c:\Program Files, or c:\Program Files (x86) subfolders).

We need to replace unins000.exe too, because the custom-made unins000.exe files that are dropped by installer may have dependencies that our unins000.dat doesn’t resolve.

Once the user tries to uninstall the program that relies on InnoSetup uninstall process, the unins000.exe will process the content of the unins000.dat and will run the Notepad.

Since the unins000.exe is clean, and only the unins000.dat is really the bad guy here, it is a sort of Lolbin, or Lobinstaller. Security companies are forced to either detect the malicious content inside the .dat file, or rely on behavioral analysis.

Obviously, another trivial persistence method that is related to Uninstallation process, and one I believe I have not discussed before here, and one which is actually not related to InnoSetup per se, is to modify the Uninstall/QuietUninstall strings for the programs installed on the system.

While they typically point to the native uninstallers, there is no problem in replacing them with commands that can run any other program:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program name>=<string>

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QuietUninstallString\<program name>=<string>

Anytime someone runs the uninstaller, they will run the command of attacker’s choice. Again, the good news is that one needs rights to mod these entries since they are under HKLM key.