Category Archives: Malware Analysis

Monitoring clipboard – a quick antisandbox trick

Posted on by

Many existing anti-sandbox tricks rely on using timers, detecting mouse movement, checking the presence of the security tools, detecting virtualization, etc. While the list of existing tricks is long I don’t recall seeing clipboard monitoring being mentioned in this context and was curious if anyone discussed that before. Quick google search didn’t bring any results so I thought I will at least describe a high-level idea (FWIW most of the stuff I found online refers to malware monitoring clipboard in order to steal data that is copied to it – this includes an in-depth post by Michael Ligh who discusses it in a context of Volatility framework.)

Btw. if you know any malware that is already using this trick it would be great if you could let me know. Thanks!

As per Microsoft, there are three ways to check if the clipboard content has changed; all of them rely on using dedicated APIs + in some cases require processing of window messages:

  • Monitoring GetClipboardSequenceNumber return value changes
  • AddClipboardFormatListener + WM_CLIPBOARDUPDATE message
  • SetClipboardViewer + WM_DRAWCLIPBOARD message

There are at least two ways to incorporate these functions in an anti-sandbox routine:

  • One can use GetClipboardSequenceNumber API in a way similar to rdstc / GetTickCount trick and stall the code execution until a decent number of clipboard changes occurred (under assumption that the real person is actually using the system and CTRL+C/CTRL+V will generate enough changes to trigger the payload)
  • Using AddClipboardFormatListener / SetClipboardViewer will require creation of a worker window that will need to respond to the respective clipboard change window messages and when they arrive, the program can increase the internal counter until the threshold is met; only then execute the payload

Both are very easy to implement, and I won’t be providing a PoC code as you can grab it from MSDN and/or popular coding forums.

So, if you write sandboxes you may consider monitoring use of these APIs and trigger appropriate playbook that will generate a sequence of clipboard changes to trigger the code execution.

It’s good to mention that all of these APIs have their Nt equivalents that are processed by the win32u.dll/win32kfull.sys:

  • NtUserGetClipboardSequenceNumber
  • NtUserAddClipboardFormatListener
  • NtUserSetClipboardViewer

So may be worth monitoring them on this level too.

Beyond good ol’ Run key, Part 72

Posted on by

In my old post I described a simple trick that shows how to set up a hot key that can be assigned to execute shortcuts (.LNK files) placed on a Desktop or in a Start Menu. This action survives reboots and logon/logoffs so it’s a nice, and somehow accidental persistence mechanism.

Turns out there is one more variant of this trick that relies on using the .URL files.

Placing a .URL files containing the following data:

[InternetShortcut]
URL=file:///c:/windows/system32/calc.exe
HotKey=768

on a Desktop will assign CTRL+SHIFT sequence to an action that will trigger the execution of the calculator.

The Hotkey can be assigned either manually (via properties):

– in such case you won’t be able to assign the more trickier combinations like CTRL+SHIFT. Or we can do it manually, and in such case all the hotkey tricks are available. All you have to do is to assign a proper value to the HotKey parameter inside the .url file.

You can find out what values represent what codes or by experimenting… or… you can cheat and read this old guide: An Unofficial Guide to the URL File Format.