Beyond good ol’ Run key, Part 129

October 17, 2020 in Anti-Forensics, Autostart (Persistence)

Browsing through Windows libraries I came across a few that resolve an intriguingly named function at run-time: DllBidEntryPoint.

The libraries referencing this API are:

  • msado15.dll
  • msadomd.dll
  • msadox.dll
  • msadrh15.dll
  • msadce.dll
  • msadco.dll
  • msadds.dll
  • msdaprst.dll
  • msdarem.dll
  • msdaora.dll
  • msdasql.dll
  • msdatl3.dll
  • oledb32.dll
  • sqloledb.dll

As usual, the first thing was to go to Google, and soon I discovered that it’s a part of a documented tracing interface used by SQL Server called Built-in Diagnostics (BID).

One can use one of these keys:

  • HKLM\Software\Microsoft\BidInterface\Loader
  • HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\BidInterface\Loader

and add a value named ‘:Path’ pointing to a DLL that will act as the tracing DLL.

As usual, the linked document contains all the gory details.
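For defenders, the practical question is whether either Loader key exists on a host and what the ‘:Path’ value points at. The script below is an added example (not code from the original post or from Microsoft): it reads both keys listed above, checks that the referenced DLL exists, and reports its Authenticode status so that an unsigned or oddly located tracing DLL stands out. The function name Get-BidLoaderEntry and the report fields are my own choices.

```powershell
# Added example: audit the BID loader keys for a ':Path' tracing DLL.
# Run in an elevated PowerShell session on the host being checked.
$bidKeys = @(
    'HKLM:\SOFTWARE\Microsoft\BidInterface\Loader',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\BidInterface\Loader'
)

function Get-BidLoaderEntry {
    [CmdletBinding()]
    param([string[]]$Keys = $bidKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            # Key absent: nothing can be loaded through this path.
            [pscustomobject]@{
                Key = $key; KeyPresent = $false; TracingDll = $null
                FileExists = $null; Signature = $null; Signer = $null
            }
            continue
        }

        # The value name starts with ':', so pick it from the property bag by name
        # rather than relying on parameter binding.
        $props = Get-ItemProperty -LiteralPath $key
        $prop  = $props.PSObject.Properties[':Path']
        $dll   = if ($prop) { [string]$prop.Value } else { $null }

        $exists = $false; $status = $null; $signer = $null
        if ($dll) {
            # Expand %VAR% references in case the value was stored as REG_EXPAND_SZ.
            $dll    = [Environment]::ExpandEnvironmentVariables($dll)
            $exists = Test-Path -LiteralPath $dll -PathType Leaf
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }

        [pscustomobject]@{
            Key = $key; KeyPresent = $true; TracingDll = $dll
            FileExists = $exists; Signature = $status; Signer = $signer
        }
    }
}

# Usage: list both keys; anything with KeyPresent = $true deserves a look.
Get-BidLoaderEntry | Format-List
```

The ‘:Path’ DLL is picked up by whichever process loads one of the data-access libraries listed earlier (msado15.dll, oledb32.dll, sqloledb.dll and friends), so the interesting case is a populated key whose DLL is not signed by Microsoft or sits outside the usual system directories. On a workstation where nobody has deliberately configured SQL tracing I would expect both keys to be absent (my assumption, not something the post states), which makes their mere presence a cheap baseline check to add to an autoruns-style sweep.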

DeXRAY 2.22 update

October 17, 2020 in DeXRAY, Software Releases

Added Amiti IFC files. It’s not a well-known AV program, but I came across it today and couldn’t resist so … here we are.

The latest version of DeXRAY can be downloaded here.

DeXRAY supports:

  • AhnLab (V3B)
  • Amiti (IFC)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • Cisco AMP
  • CMC Antivirus (CMC)
  • Comodo (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ, System Watcher’s .bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Antimalware / Microsoft Security Essentials
  • Microsoft Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 metadata + 0B AD malicious content
  • Panda Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the 'VSBX' string ^ 0xFF)
  • QuickHeal files
  • Vipre (_ENC2)
  • Zemana files+quarantine.db
  • Any binary file (using X-RAY scanning)