
MUI Poisoning in practice

August 22, 2020 in Anti-Forensics, Living off the land, Malware Analysis, Random ideas

In my old post I discussed the idea of MUI poisoning. Today I want to show a practical example of this technique – one that has an interesting impact on incident response efforts.

Some security solutions rely on running local, native OS binaries to collect information from the system. Tools like netstat, ipconfig, etc. are executed on a regular basis and the data is collected and aggregated in some log repository.

These local tools often rely on MUI files and this is where we step in. By modifying the MUI files of selected tools one could force these tools to return complete garbage. For instance, the following example shows netstat.exe with its MUI modified to always return the source IP where the destination IP would be listed. The change can be made using the old tool Resource Hacker:

Once we replace the MUI file, netstat.exe will return stuff like this:

This anti-forensic technique could potentially be expanded to cover every single piece of software that relies on external language files (be it MUI or anything else). As long as these format string patterns can be manipulated, security software could be forced to present garbage output; for instance, malware alerts reporting wrong paths (e.g. hardcoded, non-existent paths), or Windows Event Logs reporting misleading information.

FridaTrace++ – quick & dirty API monitor, Part 2

June 7, 2020 in Batch Analysis, Frida, Malware Analysis, Sandboxing

In my previous post I described my first encounter with Frida. Since then I have slowly been incorporating new ideas into the monitor, including:

  • object to object name resolution for APIs that rely on handles
  • data dumps of buffers for common APIs, e.g. ReadFile, WriteFile
  • generating a list of all objects in a separate file (kinda like a list of possible IOCs)

Adding this functionality is trivial and I am still perplexed that it can be so quick.
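To make the three bullets concrete, here is an added example of a minimal Frida agent written for this page (it is not FridaTrace++ code): it records the path each `CreateFileW` handle was opened with, resolves that handle back to a name when `ReadFile`/`WriteFile` are called, hex-dumps the buffers, and keeps a running object list that the host side can fetch over `rpc.exports`. The bookkeeping (`HandleTable`, `hexdump16`) is plain JavaScript so it also runs under Node; the hooks are installed only when Frida's `Interceptor` is present. The 64-byte dump cap and the `objects` RPC name are choices made for this example.

```javascript
// Added example, not FridaTrace++ code: handle-to-name resolution, buffer dumps
// and an object list for file APIs, as a Frida agent script.

// Handle -> name table. Handles are keyed as strings so NativePointer values
// and plain test strings behave the same way.
class HandleTable {
  constructor() { this.handles = new Map(); this.objects = new Set(); }
  register(handle, name) {
    this.handles.set(String(handle), name);
    this.objects.add(name);                 // every name seen == candidate IOC
  }
  resolve(handle) {
    return this.handles.get(String(handle)) || '<unknown handle ' + String(handle) + '>';
  }
  close(handle) { this.handles.delete(String(handle)); }
  objectList() { return Array.from(this.objects).sort(); }
}

// Classic 16-bytes-per-line hexdump, capped so large I/O does not flood the log.
function hexdump16(bytes, max = 64) {
  const n = Math.min(bytes.length, max);
  const lines = [];
  for (let off = 0; off < n; off += 16) {
    const chunk = Array.from(bytes.slice(off, Math.min(off + 16, n)));
    const hex = chunk.map((b) => b.toString(16).padStart(2, '0')).join(' ');
    const asc = chunk.map((b) => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.').join('');
    lines.push(off.toString(16).padStart(8, '0') + '  ' + hex.padEnd(47) + '  ' + asc);
  }
  if (bytes.length > max) lines.push('... (' + (bytes.length - max) + ' more bytes)');
  return lines;
}

const table = new HandleTable();

function dump(tag, handle, bufPtr, len) {
  const name = table.resolve(handle);
  console.log(tag + ' ' + String(handle) + ' -> ' + name + ' (' + len + ' bytes)');
  if (len <= 0 || bufPtr.isNull()) return;
  const raw = bufPtr.readByteArray(Math.min(len, 64));   // ArrayBuffer or null
  if (raw !== null) hexdump16(new Uint8Array(raw), 64).forEach((l) => console.log('  ' + l));
}

function installHooks() {
  const k32 = Process.getModuleByName('kernel32.dll');
  // CreateFileW(lpFileName, ...) -> HANDLE: remember which path the handle names.
  Interceptor.attach(k32.getExportByName('CreateFileW'), {
    onEnter(args) { this.path = args[0].readUtf16String(); },
    onLeave(retval) {
      if (retval.toInt32() !== -1) {        // INVALID_HANDLE_VALUE is -1
        table.register(retval, this.path);
        console.log('CreateFileW ' + retval + ' -> ' + this.path);
      }
    },
  });
  // ReadFile(hFile, lpBuffer, nToRead, lpRead, lpOverlapped): dump after the call,
  // using the byte count the kernel actually filled in.
  Interceptor.attach(k32.getExportByName('ReadFile'), {
    onEnter(args) { this.h = args[0]; this.buf = args[1]; this.lpRead = args[3]; },
    onLeave(retval) {
      const n = (retval.toInt32() !== 0 && !this.lpRead.isNull()) ? this.lpRead.readU32() : 0;
      dump('ReadFile', this.h, this.buf, n);
    },
  });
  // WriteFile(hFile, lpBuffer, nToWrite, ...): the buffer is complete on entry.
  Interceptor.attach(k32.getExportByName('WriteFile'), {
    onEnter(args) { dump('WriteFile', args[0], args[1], args[2].toInt32()); },
  });
  // CloseHandle(hObject): drop the mapping so a reused handle value is not misattributed.
  Interceptor.attach(k32.getExportByName('CloseHandle'), {
    onEnter(args) { table.close(args[0]); },
  });
}

if (typeof Interceptor !== 'undefined') installHooks();
// Host side can call script.exports.objects() to write the object list to its own file.
if (typeof rpc !== 'undefined') rpc.exports = { objects: () => table.objectList() };
```

Handles are recorded on `onLeave` of `CreateFileW` rather than `onEnter` because the value does not exist until the call returns, and `CloseHandle` removes the entry because Windows reuses handle values, which would otherwise attribute later I/O to the wrong file.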

Here’s a little demo of what this looks like – a list of all files accessed via CreateFile when I launch Notepad:

and the buffers intercepted when I opened the Python NEWS file, typed ‘a’ and saved it in Notepad:

More to come… stay tuned 🙂