Category Archives: Sandboxing

NTFS Sparse files – another possible quick anti- trick

Posted on by

A number of tricks that cause trouble to sandboxes, as well as malware analysts leverage less known features of NTFS (note: less known to programmers and perhaps reversers than to forensic experts). NTFS is rich in features and malware successfully abused these in the past, and… still does nowadays e.g. storing the code and data inside the Alternate Data Streams, Extended Attributes, toying around with Unicode character set by using RTLO (Right To Left Override) or homographic attacks to hide or obfuscate file names.

What about Sparse files?

The way it works is that one can create a normal file using e.g. CreateFile API then use the FSCTL_SET_SPARSE control code to make this file grow in a perceived size very quickly. The change is instant as the system allocates a chain of clusters for such file inside the $MFT and does so in a smart way without actually using physical clusters that it would normally fill in with data (zeroes). So large these files can become that copying them outside of lab/sandbox will cause a lot of trouble, and who knows, in some cases may even DoS the whole lab device or network.

There is also one more trick that can be done here (while it doesn’t require using sparse files per se it is certainly easier to deliver it with this specific feature being enabled): a slightly more complex malware could artificially generate a new payload – a large PE file (and creating it in a sparse mode would be the fastest way to do so).  It would then fill it in with a modified PE header/sections data and sections placed in the vast space of a new file yet in a way that the file can be still executed. There are some constraints against maximum size and available memory of course. Again, it will be impossible to copy such file outside the lab/sandbox w/o either compressing it or shrinking it somehow. It may also be harder to dump its memory and post-process/analyze it efficiently (note that if these artificially created PE sections are large enough malware could fill it in memory with a lot of random data so the memory dump would contain some ‘data’ – imagine how long would it take to generate strings from it).

And last but not least – such trickery may affect forensic evidence processing – such files would be certainly harder to extract. I don’t know what techniques forensics software can use to ensure extraction of sparse files is done efficiently (and how forensic software deals with it today), but well… using sparse files for the output could be probably a good idea? Also, how to browse such files efficiently? Some special mode that removes zeroes from the output and shows ‘islands’ of data? Some food for thought.

No PoCs as it is just a random thought.

Monitoring clipboard – a quick antisandbox trick

Posted on by

Many existing anti-sandbox tricks rely on using timers, detecting mouse movement, checking the presence of the security tools, detecting virtualization, etc. While the list of existing tricks is long I don’t recall seeing clipboard monitoring being mentioned in this context and was curious if anyone discussed that before. Quick google search didn’t bring any results so I thought I will at least describe a high-level idea (FWIW most of the stuff I found online refers to malware monitoring clipboard in order to steal data that is copied to it – this includes an in-depth post by Michael Ligh who discusses it in a context of Volatility framework.)

Btw. if you know any malware that is already using this trick it would be great if you could let me know. Thanks!

As per Microsoft, there are three ways to check if the clipboard content has changed; all of them rely on using dedicated APIs + in some cases require processing of window messages:

  • Monitoring GetClipboardSequenceNumber return value changes
  • AddClipboardFormatListener + WM_CLIPBOARDUPDATE message
  • SetClipboardViewer + WM_DRAWCLIPBOARD message

There are at least two ways to incorporate these functions in an anti-sandbox routine:

  • One can use GetClipboardSequenceNumber API in a way similar to rdstc / GetTickCount trick and stall the code execution until a decent number of clipboard changes occurred (under assumption that the real person is actually using the system and CTRL+C/CTRL+V will generate enough changes to trigger the payload)
  • Using AddClipboardFormatListener / SetClipboardViewer will require creation of a worker window that will need to respond to the respective clipboard change window messages and when they arrive, the program can increase the internal counter until the threshold is met; only then execute the payload

Both are very easy to implement, and I won’t be providing a PoC code as you can grab it from MSDN and/or popular coding forums.

So, if you write sandboxes you may consider monitoring use of these APIs and trigger appropriate playbook that will generate a sequence of clipboard changes to trigger the code execution.

It’s good to mention that all of these APIs have their Nt equivalents that are processed by the win32u.dll/win32kfull.sys:

  • NtUserGetClipboardSequenceNumber
  • NtUserAddClipboardFormatListener
  • NtUserSetClipboardViewer

So may be worth monitoring them on this level too.