Regulex & Visualized regexes

A few days ago I noticed a tweet referring to http://jex.im/regulex/, the home page of a cute engine that visualizes regular expressions. It is great!

If you struggle with regular expressions, or just want to toy around with them, this is an excellent tool for learning and testing purposes; it may also be a good way to enrich forensic / investigation reports.

Let’s see what it can do by feeding it a few examples:

Track data

In my old post from 2012 about POS malware I mentioned a sample, D9A3FB2BFAC89FEA2772C7A73A8422F2, that contains regular expressions used to parse track data; here they are:

  • Track 1
    • ((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
  • Track 2
    • ([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})

Feeding them to Regulex gives us the following results:

  • Track 1

[Regulex diagram: Track 1]

  • Track 2

[Regulex diagram: Track 2]

When converted by Regulex, they make a lot of sense and are very readable.
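To show what these two regexes actually match, here is an added Python example (not code from the original post or from the sample) that runs them over a constructed buffer and builds a redacted summary of the kind one might paste into a report. The buffer contents, the 4111... Visa test PAN and the helper names are all made up for the illustration; the regexes themselves are the ones quoted above, unchanged.

```python
import re

# The two track-data regexes quoted above, unchanged, compiled for Python's re module.
TRACK1_RE = re.compile(
    r"((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^"
    r"(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})"
)
TRACK2_RE = re.compile(
    r"([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
)

# Constructed sample: a process-memory style buffer with one Track 1 record, one Track 2
# record, and one Track 2 record whose expiry year (06) falls outside the 2007-2015
# window that the (0[7-9]|1[0-5]) branch of both regexes encodes.
# The PAN is the well-known 4111... Visa test number, not a real card.
SAMPLE_BUFFER = (
    "pos.log: txn started\n"
    "%B4111111111111111^DOE/JOHN^15121011234567890?\n"
    ";4111111111111111=15121011234567890?\n"
    ";4111111111111111=06121011234567890?\n"
    "end of capture\n"
)


def find_track_data(buf):
    """Return (label, matched_text) for every track-data-looking string in buf."""
    hits = []
    for label, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            hits.append((label, m.group(0)))
    return hits


def parse_hit(label, text):
    """Split a hit into (PAN, expiry as YYMM) using the track layout the regexes encode."""
    if label == "track1":
        pan = text[1:].split("^", 1)[0]        # skip the format code 'B'
        expiry = text.split("^")[2][:4]        # field after the name starts with YYMM
    else:
        pan, rest = re.split(r"[D=]", text, maxsplit=1)
        expiry = rest[:4]
    return pan, expiry


def redact_pan(pan):
    """Keep the BIN and last four digits so a report can reference the card without exposing it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(buf):
    """Redacted summary lines suitable for pasting into an investigation report."""
    lines = []
    for label, text in find_track_data(buf):
        pan, expiry = parse_hit(label, text)
        lines.append(f"{label}: PAN {redact_pan(pan)} exp {expiry[2:]}/{expiry[:2]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BUFFER)))
```

Two things the diagrams make visible and the code confirms: the third constructed record is silently skipped because its expiry year lies outside the year window hard-coded in the regexes, so a detection signature lifted from these patterns would need that branch widened; and the capture groups only tell you where a record is, so the PAN and expiry still have to be split out of the match (here with the separators the track formats use) before the value can be masked for a report.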

Email

Using an example regex to validate email presented on http://www.regular-expressions.info/email.html:

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)\b

we can get the following diagram:

[Regulex diagram: email]

Awesome, isn't it?

Trivial AppID Impersonation

I was wondering what would happen if one tried to impersonate the AppID of a common application, i.e. run my own application and change its AppID at run-time to that of a well-known application. Kinda lame, I know.

To test it, I wrote a quick PoC that uses the SetCurrentProcessExplicitAppUserModelID API to pretend to be Internet Explorer, Remote Desktop and Sticky Notes, using their respective AppIDs. I also added the AppID for Notepad – while it doesn't have a standard AppID like the other 3 applications, I just wanted to show that we can still enforce the AppID association using Notepad's normalized path {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (for details see my older post about AppIDs).

Here’s a list of AppIDs used:

  • Internet Explorer – Microsoft.InternetExplorer.Default
  • Remote Desktop – Microsoft.Windows.RemoteDesktop
  • Sticky Notes – Microsoft.Windows.StickyNotes
  • Notepad – {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe

I pinned all 4 applications to the Taskbar on Windows 8.1 and then ran my test application, pausing it each time I changed the AppID to take a screenshot; the results are combined in the picture below. Not surprisingly, every time I changed the AppID a different pinned taskbar icon got highlighted (the test application needs to perform some GUI operation for this to work; it can simply show a message box).
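The normalized-path form of the Notepad AppID above suggests a simple audit one can run over a process inventory: compare the AppID a process sets explicitly with the one Windows would derive from its image path, and flag well-known AppIDs claimed by an image running from outside a system folder. The following is an added Python sketch of that check, not code from the post or from the PoC. The process list, the pids, the verdict names and the known-folder table (only System32, using the GUID from the Notepad AppID above) are assumptions made for the illustration; mstsc.exe is the Remote Desktop client, and a real inventory would come from a process-enumeration tool.

```python
# Known-folder GUID for %SystemRoot%\System32, taken from the Notepad AppID on this page.
FOLDERID_SYSTEM = "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
# Assumption: only one known folder is modelled here; a full table would list more.
KNOWN_FOLDERS = {r"c:\windows\system32": FOLDERID_SYSTEM}

# AppIDs listed on the page. Audit assumption: a process claiming one of these while
# running from outside any known system folder deserves a second look.
WELL_KNOWN_APPIDS = {
    "Microsoft.InternetExplorer.Default",
    "Microsoft.Windows.RemoteDesktop",
    "Microsoft.Windows.StickyNotes",
}


def normalized_appid(image_path):
    """Path-derived AppID: known-folder prefix swapped for its GUID, rest case-folded."""
    p = image_path.lower()
    for prefix, guid in KNOWN_FOLDERS.items():
        if p.startswith(prefix + "\\"):
            return guid + p[len(prefix):]   # keeps the leading backslash
    return p   # no known folder matched: the full path stands in as the id


def classify(image_path, explicit_appid):
    """Verdict for one process (names are this sketch's own, not Windows terminology)."""
    derived = normalized_appid(image_path)
    if explicit_appid is None:
        return "default"        # no explicit id: Windows uses the path-derived one
    if explicit_appid.lower() == derived.lower():
        return "consistent"     # explicit id merely restates the image path
    in_system_folder = derived.startswith("{")
    if explicit_appid in WELL_KNOWN_APPIDS and not in_system_folder:
        return "suspicious"     # well-known AppID claimed from outside a system folder
    return "explicit"           # custom id, image in a system folder: nothing to flag here


def audit(processes):
    """processes: iterable of (pid, image_path, explicit_appid_or_None) -> [(pid, verdict)]."""
    return [(pid, classify(path, appid)) for pid, path, appid in processes]


# Constructed inventory: the AppIDs are the page's, the pids and paths are made up.
SAMPLE_PROCESSES = [
    (1001, r"C:\Windows\System32\notepad.exe", None),
    (1002, r"C:\Windows\System32\notepad.exe", FOLDERID_SYSTEM + r"\notepad.exe"),
    (1003, r"C:\Windows\System32\mstsc.exe", "Microsoft.Windows.RemoteDesktop"),
    (1004, r"C:\Users\bob\Downloads\test.exe", "Microsoft.InternetExplorer.Default"),
]

if __name__ == "__main__":
    for pid, verdict in audit(SAMPLE_PROCESSES):
        print(pid, verdict)
```

The point of the check is the same one the taskbar experiment makes from the other side: the shell trusts whatever AppID a process declares, so the only way to notice the mismatch is to compare the declared id against where the image actually lives.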

[Screenshot: a different pinned taskbar icon highlighted for each AppID]

This is quite a tiny level of impersonation – it is hard to come up with really useful scenarios here – perhaps one could use it to reinforce social engineering attempts (e.g. an escalation-of-privileges prompt triggered by malware while pretending to come from some legitimate Windows application, or perhaps AV)? But aren't existing GUI manipulation tricks better than that? Oh well, trivial is trivial.