Sleeping DLL beauties

How do we sleep?

We do one of these:

  • kernel32/kernelbase ! Sleep
  • kernel32/kernelbase ! SleepEx
  • ntdll ! ZwDelayExecution

but… not only.

Windows 10 offers more libs with more sleeping goodness:

  • staterepository.core.dll ! sqlite3_win32_sleep
  • winsqlite3.dll ! sqlite3_win32_sleep
  • a number of tools ship their own copy, e.g. Visual Studio comes with e_sqlite3.dll ! sqlite3_win32_sleep and Python with sqlite3.dll ! sqlite3_win32_sleep

These are actually identical SQLite functions exported by various libraries.

And then you may have LibreSSL on your system (c:\windows\system32\libcrypto.dll), so you can use:

  • libcrypto.dll ! sleep

All of them can be used as a lame anti-sandbox/anti-analysis alternative to the traditional delay functions listed at the top of the post, and as a random but very long delay that replaces a never-ending loop in batch files or, if you are lucky, maybe even ping 127.0.0.1.

How?

By executing these APIs via rundll32:

  • start /wait rundll32 kernel32.dll, Sleep
  • start /wait rundll32 kernelbase.dll, Sleep
  • start /wait rundll32 kernel32.dll, SleepEx
  • start /wait rundll32 kernelbase.dll, SleepEx
  • start /wait rundll32 staterepository.core.dll, sqlite3_win32_sleep
  • start /wait rundll32 winsqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 e_sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 libcrypto.dll, sleep

In these cases the argument passed to the function will be a pretty high number (taken from the stack, so kinda random), but it’s not about logic, is it? 😉
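From the detection side, none of these rundll32 invocations has a legitimate use, so the command line alone is enough to flag them. The following Python is an added example and not code from the original post: it walks constructed Sysmon-style process-creation records and reports every rundll32 call whose DLL/export pair is one of the delay functions listed above. The export table and the sample events are assumptions built from the post's list.

```python
import re

# Export names that only delay execution, keyed by DLL base name.
# Built from the list in the post, lowercased for matching.
SLEEP_EXPORTS = {
    "kernel32.dll": {"sleep", "sleepex"},
    "kernelbase.dll": {"sleep", "sleepex"},
    "ntdll.dll": {"zwdelayexecution"},
    "staterepository.core.dll": {"sqlite3_win32_sleep"},
    "winsqlite3.dll": {"sqlite3_win32_sleep"},
    "sqlite3.dll": {"sqlite3_win32_sleep"},
    "e_sqlite3.dll": {"sqlite3_win32_sleep"},
    "libcrypto.dll": {"sleep"},
}

# rundll32 syntax: rundll32[.exe] <dll>,<export> [args]. The image may be
# quoted or given with a full path, and whitespace around the comma is allowed.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",\s]+)"?\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (dll_basename, export), both lowercased, or None when the
    command line is not a rundll32 call of the form <dll>,<export>."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    # LoadLibrary appends ".dll" when the name carries no extension.
    if "." not in dll:
        dll += ".dll"
    return dll, m.group("export").lower()


def is_sleep_call(cmdline):
    """True when rundll32 is being used purely to call a delay export."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return False
    dll, export = parsed
    return export in SLEEP_EXPORTS.get(dll, ())


def scan(events):
    """One finding per process-creation event that is a rundll32 sleep call."""
    findings = []
    for ev in events:
        parsed = parse_rundll32(ev.get("CommandLine", ""))
        if parsed and parsed[1] in SLEEP_EXPORTS.get(parsed[0], ()):
            findings.append({
                "pid": ev["ProcessId"],
                "parent": ev.get("ParentImage", ""),
                "dll": parsed[0],
                "export": parsed[1],
            })
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 records
# (assumed field names; the values are made up for this example).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 kernel32.dll, Sleep"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" winsqlite3.dll,sqlite3_win32_sleep'},
    # Benign control-panel launch: rundll32, but not a delay export.
    {"ProcessId": 4202, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ProcessId": 4250, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 127.0.0.1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Because the delay value is whatever rundll32 happens to pass, the argument is useless for matching; the DLL/export pair is the signal, and keeping the parent image (cmd.exe when launched via start /wait) in the finding helps triage.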

SettingSyncHost.exe as a LolBin

This native OS binary has two interesting options:

  • -LoadAndRunDiagScript <name>
  • -LoadAndRunDiagScriptNoCab <name>

When executed with either of these options, it extracts the batch file stored inside its resources, saves it as %TEMP%\RoamDiag.cmd, and then executes it.

There are at least two ways we can exploit it.

We can create our own %TEMP%\RoamDiag.cmd and make SettingSyncHost.exe execute it, but there is a caveat. The .cmd file is always deleted first, and if that deletion fails the program stops working. Still, we could try a race condition approach, i.e. run SettingSyncHost.exe with the parameters specified while at the same time running a batch file that overwrites %TEMP%\RoamDiag.cmd with content of our choice in a never-ending loop. This could work, but I have not tested it.

Why?

Because there is an easier way. The batch file extracted from the resources of SettingSyncHost.exe and saved as %TEMP%\RoamDiag.cmd executes a number of OS programs, including:

  • wevtutil
  • makecab
  • reg
  • ipconfig
  • settingsynchost.exe
  • tracelog

These programs are executed without a full path and, in most cases, without even a file extension. So… we can literally create a malicious file named like any of these 6 (including settingsynchost.exe!), drop it inside the %TEMP% directory and launch it using the following syntax:

cd %TEMP% & c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foo