Windows 10 is ‘mine’…, Part 1

I don’t like Windows 10, but it likes… the progress…

So… now that Win7 is ded, and WinXP doesn’t work that well for malware analysis (and it’s 32-bit only), I finally (a few months back, really) pulled myself together to build my perfect 64-bit Windows 10 test guest OS… and while doing so I came across a lot of quirks, took some screenshots, and I thought I would jot down some notes here in case you face similar issues…

Note, I am a big fan of VMware, so the info below is primarily focused on VMware Workstation… the VirtualBox experience should not be too far off though… I hope….

Here are the steps I took to make my Windows 10 Guest OS perfect (to be clear, I followed many of these steps on my host Windows 10 as well):

  • Install to SSD
    • I bought my first SSD circa 2011 and never looked back; this is an incredible performance booster and you need it for your frequently used VM guests!!!
    • Assume your SSD will go kaput on you at any time around 3-5 years down the line, so make regular backups
  • Install the Windows 10 OS; whether you go from a clean ISO or upgrade your old Win7/Win8, it doesn’t matter
  • Go through the wizard…
  • Choose your OS version and continue until you install the whole thing
  • Note: do not use Microsoft accounts if asked, only the local one!!!
  • Decline all the privacy/spying Options:
  • Go on…
  • After 1-2 restarts you should have a clean OS installed
  • It’s time to install VM Tools:
  • You may need to run the VM Tools setup64.exe manually from the mounted DVD:
  • Restart

At this stage you have the OS installed and VM Tools are running – SAVE THE VM SNAPSHOT NOW. If anything goes wrong, you can revert to it.

The VM Tools allow you to change the screen resolution and copy & paste between the host and the guest system, as well as access network shares.

Hooray!

But it’s just the beginning…

  • Download and run O&O ShutUp10. Choose all options aka ‘Apply all settings’. Yup, make it all green:
  • You will need to restart the system after applying the changes
  • Now…
  • OS is installed, the basic nuisance is gone, but it’s not over yet.
  • Download Total Commander 64-bit version (TC) from https://www.ghisler.com/
    • Run TC as Admin
    • Now you can do anything you like on the system and you have a better program/file manager than Explorer will ever be
    • Hope you have a Total Commander license, it’s worth it!
  • Now download psexec
    • Run psexec -s -i cmd.exe from your elevated (admin) cmd.exe
    • Now you have a terminal running under the SYSTEM account
    • Launch Regedit.exe
    • Go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Yeaah…
    • Time to kill annoying services:
      • You have two options: be a good boy, or a bad boy; choose the latter….
      • aka….
        • Walk through all of them; I know it’s painful, but…
        • If you don’t like a particular service, just modify its ‘Start’ value to ‘4’, which is the equivalent of ‘Disabled’
        • I know that for some options you can run gpedit.msc and select ‘disable service’ options under Administrative Templates, but well… these will in the end still run services. Since you just want to kill the nuisance, kill it at the source, i.e. right under the Services key… Be brutal… Windows 10 is a telemetry and nuisance virus and you need to make it work like a kind of enhanced Windows 7.
        • In particular, disable the Windows Update, Windows Defender, MS Store, Security Health and Search indexing services
        • Be aware that by disabling all this you will lose the ability to update –> snapshots are your friends!!!
  • Time to customize your UI
    • I personally prefer a good ALT-TAB with icons, so I add
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AltTabSettings=1
    • I kill the Cortana bar (remove it from view) manually
    • I lock the Taskbar
    • I make all notification icons always visible
    • I choose ‘Never combine taskbar buttons’
  • And then install tools…

Part 2 to follow…

API Monitoring under Windows 10

I recently asked around about Win10 API monitoring. The reason I asked about it is that I noticed that:

  • API monitoring tools from the past no longer work (e.g. Rohitab, Win32Override non-commercial version)
  • They are usually focused on 32-bit anyway
  • Many of them use a legacy approach (aggressive hooking) that causes trouble on Win10

I am looking for an alternative that works…

The following are the ideas I gathered from various sources (thanks to anyone who replied):

  • Frida
    • https://github.com/FuzzySecurity/Fermion
  • DTrace
    • https://techcommunity.microsoft.com/t5/windows-kernel-internals/dtrace-on-windows/ba-p/362902
  • Pinitor
    • https://rayanfam.com/topics/pinitor/
  • WinDbg Time Travel Debugging
  • Commercial SpyStudio
    • https://www.nektra.com/products/spystudio-api-monitor/download/
  • Commercial WinAPIOverride
    • http://jacquelin.potier.free.fr/winapioverride32/

API monitoring is pretty important to reverse engineers. Not only does it speed up analysis, but it also paves the way to understanding the rapidly developing changes in the Windows environment. Old API monitors primarily worked in 32-bit, used aggressive hooking, and often leveraged kinda dodgy kernel drivers and csrss code injection. They also don’t understand new low-level binaries, WOW, .NET, and Metro apps.

As such… it’s time for some creative soul to kick off a new project :-). A full-blown API monitor for 64-bit userland…

How would we go about building a tool like this?

Today is so much better than 15 years ago. I still remember hunting down API definitions in the early noughties (e.g. re-using files with VB API declarations) and later writing scripts to extract API definitions from the .hlp, .chm and .hx* files that MSDN/SDK help was shipped as, as well as ‘talking’ to a local MSDN server to retrieve XML definitions of APIs… It was tough and inconsistent, but doable. In fact, the definitions for the 12000 APIs that HAM monitored were built this way. And today it’s… easier. Only a few days ago Microsoft released full-blown API documentation that can easily be transformed into API definitions that any API monitor can digest. Times have changed…

So now that we have API definitions… all we need is a good API hooking engine.

Which technology to use? There are actually many available today… Modern sandboxes use hypervisors and emulation, but I don’t see these being used in any available API monitors. Moreover, the nature of reverse engineering often calls for tools that work inside a limited VM guest environment, so neither emulation nor hypervisors can be used efficiently on these systems (someone correct me on this!).

But things are not too bad. Alex Ionescu outlined a few interesting ideas in his presentation from … 2015, including time travel debugging, app verifier, miniwin, shims and CFG. We could also probably force-patch system DLLs (a bad idea!), or use either DotLocal or KnownDlls modification to force-redirect the loading of OS DLLs to a local directory where we can use our own versions of these libraries. I have not tested these ideas, but they may work. And then there are Frida and PIN, as well as ReactOS and Wine. And after I posted this, a couple of guys pinged me to let me know that Detours still works pretty well on Win10 (thanks!). Also, one more update from me: apparently Qiling can work too, as well as the EasyHook library.

I started playing with these ideas and will see if I have enough strength to make it a workable solution, but in the meantime… the notes are here, if you are bored… I am sure the RCE world will welcome any contribution.

If you know any existing tool that should be added to the list, or know an engine that could be used for API hooking that is not listed here, please let me know.