Hexacorn

One of the most annoying things I come across during analysis are … function names. It’s great to have many of them resolved either via flirt of symbols, but the length of some of these function names is making it really hard to read code.

It is especially important with ‘basic’ string functions that hide behind constructs like:

std::basic_string,std::allocator,_STL70>::assign
(std::basic_string,std::allocator,_STL70> const &,uint,uint)

std::basic_string,std::allocator,_STL70>::operator=(ushort const *)

Why not simple ‘assign’ and ‘operator’?

It’s because it’s puristic and accurate, that’s why 🙂

Reading code listings relying on these functions is difficult, and it involves a lot of mental processing to find the actual method name in these long strings.

I got bored doing so and coded a very badly written idapython script that replaces these names with a shorter version. Again, this is a blasphemy to both IDA and IDAPython so you have been warned.

import idaapi
import idc
import types
import os
import pprint
import random

mask = idc.GetLongPrm(idc.INF_SHORT_DN)

for func_ea in idautils.Functions():
    function_name = idc.GetFunctionName(func_ea)
    function_name_dem = idc.Demangle(function_name, mask)
    if function_name_dem != None:
       function_name = function_name_dem
    m=re.search(r'hex_',function_name,re.IGNORECASE) 
    if not m:
       print function_name 
       m=re.search(r'basic_string.*?::([^:=]+)\(',function_name,re.IGNORECASE) 
       if m: 
          short_fun = m.group(1) 
          short_fun1 = re.sub('[\(=< ~\'\"\+\`-].+$','',short_fun) 
          cnt=0 
          while True: 
             short_fun = 'hex_string_' + short_fun1 + "_" + str(cnt) 
             res = MakeName(func_ea,short_fun) 
             if res: 
                print short_fun 
                break 
             cnt = cnt + 1 
             if cnt>1000: 
                break

The result:

before

after

Update

Turns out @0gtweet posted about it in January and I missed that!!!

Old Post

Been awhile since I posted in this series, so here comes a new trick.

It is not your typical executable for sure, change.exe that is. When I looked at it for the first time I was perplexed — within first few lines of code it literally executes other executables. Must be something good I thought, and good it was indeed.

When launched, change.exe does something very strange – it enumerates Registry entries under this location:

HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\change

These entries are … interesting, because they look like some stringified flags followed by executable names. Possible abuse opportunity?

When you run ‘change /?’ you get the following help information:

CHANGE { LOGON | PORT | USER }

Do you see the pattern? — no? look at these Registry entries again.

In my first attempt I added ‘foo|0 1 NOTEPAD notepad.exe’:

I then ran ‘change notepad’ and … notepad executed.

Now, if you paid attention there are other registry keys listed on the first screenshot:

change -> change.exe 
query -> query.exe 
reset -> reset.exe

They all follow the same pattern and fetch command list from Registry!

So you can either add a new entry, or modify an existing one. Access rights are in place and the key is owned by TrustedInstaller, but… well… once on the box, always on the box.

Last, but not least – it’s a persistence mechanism and a LOLBIN in one.

Hexacorn

IDA colonoscopy

Beyond good ol’ Run key, Part 125