Samir is my hero aka colab on browserexport

Posted on by

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after few back and forth we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this his me keeping my promise. Not.

Luckily to us, browserexport.exe is an easy read in Ida Pro. We also found good references to this .exe inside the btrowserbroker.dll file that helped us to guess what is required for the program invocation. After some quick code eyeballing we have extracted a number of interesting command line wannabe arguments:

  • ALL
  • COOKIES
  • FAVICONS
  • FORMDATA
  • HEURISTIC
  • HISTORY
  • LOGINS
  • LOWCOOKIES
  • SETTINGS

Analysis of code confirmed that the program requires at least 4 arguments so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

  • “” is a GUID which we don’t exactly know what it is, but it’s only used for exports from IE11; could be related to the GUID of the IE user profile (?),
  • IE11 is just one of the browsers supported by the tool; all the supported browsers are
    • CHROME
    • IE11
    • QIHOO360SE
    • QQBROWSER
  • all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
    • ALL
    • COOKIES
    • FAVICONS
    • FORMDATA
    • HEURISTIC
    • HISTORY
    • LOGINS
    • LOWCOOKIES
    • SETTINGS
  • foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. it’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
"MigrationData": {
"browser": "IE11",
"history": [
{
"title": "…",
"url": "…",
"LastAccessed": …
},
{
"title": "….",
"url": "…",
"LastAccessed": …
},
],
"logins": [

],
"cookies": [
{
"name": "…",
"value": "…",
"domain": "…",
"path": "…",
"dwFlags": …,
"ftExpires": …,
"fExpiresSet": …
},
]
}
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by btrowserbroker.dll. Neither of them can be considered a Lolbin, but then again.. that’s a lot of exportable value they both present w/o any effort from malware authors.

IDA Fonts of Eton

Posted on by

The other day I twitted example of IDA Pro showing code using a very posh font called Harrington:

I also posted Comic Sans Serif version by special request from @silascutler 😉

and

If you are curious how I did it — well, I chose the hardest possible way w/o looking at alternatives.

If you open IDA Pro Font choosing Dialog Box you will only see a subset of fonts that have a fixed width (Monospaced fonts):

In order to adjust IDA’s behaviour to allow me to choose any font I… didn’t check configuration files or Registry – I went directly to the co(d|r)e.

If you ever played with GDI API functions you know that font selection is associated with a variety of CreateFont* functions. One of the lowest level user-mode functions that is eventually called is CreateFontIndirectW. If you know that, the recipe is simple – open IDA Pro under XDBG, put a breakpoint on CreateFontIndirectW, disable it, let IDA Run, Open Font Dialog Box, choose any font – now you are game, now enable breakpoint, hit OK – change font name in XDBG, run. Et Voilà!