Sign your name across my heart; vendor… use one name only…

I have been looking at the data vendors store inside the VERSIONINFO structure for quite some time now. The TODO bit is one issue I described previously, but there are more.

One of the most annoying things is the crazy number of names that vendors use in the CompanyName field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that double-checks whether all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know the laws of all countries, of course; there could be a genuine need in some places to always use the official name of the company in that field(?). I really dunno.

In any case… From a threat hunting perspective, it complicates our life. For example, when you want to whitelist some of these vendor names you will always end up in a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar, and which I will have to add some time in the future. I don’t think there is any good solution for this today.

To demonstrate the issue, let’s have a look at common vendor names one can encounter…:

HP:

  • Hewlett Packard
  • Hewlett Packard Enterprise Company
  • Hewlett-Packard
  • Hewlett-Packard Company

Intel:

  • Intel Corporation
  • Intel Corporation – Business Client Platform Division
  • Intel Corporation – Client Components Group
  • Intel Corporation – Client Connectivity Division
  • Intel Corporation – Embedded Subsystems and IP Blocks Group
  • Intel Corporation – Intel® Management Engine Firmware
  • Intel Corporation – Intel® Rapid Storage Technology
  • Intel Corporation – Mobile Wireless Group
  • Intel Corporation – pGFX
  • Intel Corporation – Rapid Storage Technology
  • Intel Corporation – Software and Firmware Products
  • Intel Corporation ? Non-Volatile Memory Solutions Group
  • Intel Corporation-Mobile Wireless Group
  • Intel Corporation-Wireless Connectivity Solutions
  • Intel MCG PIV Tablet Validation
  • Intel Technology Sdn. Bhd.
  • Intel Wireless Display
  • Intel(R) Baytrail Wintablet
  • Intel(R) CherryTrail Windows
  • Intel(R) CISD Software
  • Intel(R) Client Connectivity Division SW
  • Intel(R) CN
  • Intel(R) Embedded Subsystems and IP Blocks Group
  • Intel(R) Intel Network Drivers
  • Intel(R) Intel_ICG
  • Intel(R) INTELND1617
  • Intel(R) INTELND1617S2
  • Intel(R) INTELNPG1
  • Intel(R) Network Platform Group
  • Intel(R) NVMe Windows Driver
  • Intel(R) OWR
  • Intel(R) pGFX
  • Intel(R) Rapid Storage Technology
  • Intel(R) Rapid Storage Technology enterprise
  • Intel(R) Smart Connect software
  • Intel(R) Smart Sound Technology
  • Intel(R) Software
  • Intel(R) Software (Pre-release)
  • Intel(R) Software and Firmware Products
  • Intel(R) Software Development Products
  • Intel(R) Software Products
  • Intel(R) Update Manager
  • Intel(R) USB eXtensible Host Controller Drivers
  • Intel(R) Wireless Connectivity Solutions
  • Intel(R) Wireless Display
  • Intel® Identity Protection Technology Software
  • Intel® Rapid Storage Technology

Lenovo:

  • LENOVO
  • Lenovo (Beijing) Limited
  • Lenovo (Beijing) Ltd.
  • Lenovo (Japan) Ltd
  • Lenovo (Japan) Ltd.
  • Lenovo Group Limited
  • Lenovo Information Products (Shenzhen) Co.
  • Lenovo Japan
  • Lenovo(Japan)Ltd.
  • Lenovo.Ltd
  • LenovoEMC Products USA

Microsoft:

  • Microsoft Corporation
  • Microsoft Corporation (Europe)
  • Microsoft Dynamic Code Publisher
  • Microsoft Mobile Device Privileged Component Update Publisher
  • Microsoft Windows
  • Microsoft Windows 2000 Publisher
  • Microsoft Windows 2000 Publisher (Europe)
  • Microsoft Windows Component Publisher
  • Microsoft Windows Hardware Compatibility Publisher
  • Microsoft Windows Publisher
  • Microsoft Windows XP Publisher

Apple:

  • Apple Computer
  • Apple Inc.

Google:

  • Google
  • Google Inc

Dell:

  • Dell Computer Corporation
  • Dell Inc
  • Dell Inc.
  • Dell Incorporated

Alcor Micro:

  • Alcor Micro
  • AlcorMicro

Baidu:

  • Baidu (China) Co.
  • Baidu Online Network Technology (Beijing) Co.
  • Beijing baidu Netcom science and technology co.ltd
  • BeiJing Baidu Netcom Science Technology Co.

ASIX Electronics:

  • ASIX Electronics Corp.
  • ASIX Electronics Corp.<blank character> (the same name, followed by a trailing blank character)

IBM:

  • IBM
  • IBM (China) Investment Company Limited
  • IBM Corporation
  • IBM Japan
  • IBM UK Ltd
  • IBM United Kingdom Limited
  • IBMUK Ltd

Wacom:

  • Wacom Co.
  • Wacom Technology Corp.
  • Wacom Technology Corporation

As we can see, there are lots of typos and single-character differences – a full stop, a hyphen, a trailing blank character – plus plenty of other cosmetic variations.

Whack-a-mole is the name of the game.
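As an added example (not part of the original post), the normaliser below folds the cosmetic variants listed above (case, Unicode dashes, the stray ‘?’ left by a mis-encoded dash, ‘(R)’/‘®’ marks, legal suffixes, parenthesised regions, missing spaces, a trailing blank) into a canonical vendor key by prefix match. The canonical key list and the sample names are constructed assumptions; the prefix match deliberately leaves the ‘Beijing baidu’ case unmatched to show where the whack-a-mole still remains.

```python
import re
import unicodedata

# Constructed canonical vendor keys: lowercase alphanumerics only (an assumption for this example).
CANONICAL_VENDORS = ["hewlettpackard", "intel", "lenovo", "microsoft", "dell",
                     "alcormicro", "asixelectronics", "ibm", "wacom", "baidu"]

# Constructed sample of CompanyName values, a subset of the variants seen in the wild.
SAMPLE_COMPANY_NAMES = [
    "Hewlett-Packard Company", "Hewlett Packard Enterprise Company",
    "Intel Corporation – Mobile Wireless Group", "Intel(R) Software (Pre-release)",
    "Intel® Rapid Storage Technology",
    "Lenovo (Beijing) Ltd.", "Lenovo(Japan)Ltd.", "LENOVO",
    "Dell Inc", "Dell Inc.", "Dell Computer Corporation",
    "ASIX Electronics Corp.", "ASIX Electronics Corp.\u00a0",   # trailing NBSP
    "Alcor Micro", "AlcorMicro",
    "IBM UK Ltd", "IBMUK Ltd",
    "Beijing baidu Netcom science and technology co.ltd",
]

# Trademark/copyright marks are stripped before NFKC, because NFKC turns ™ into the letters "tm".
_MARKS = re.compile(r"\((?:r|tm|c)\)|[®™©]", re.IGNORECASE)
# Legal-form words carry no vendor identity: drop them as whole words only.
_LEGAL = re.compile(r"\b(?:corporation|corp|incorporated|inc|limited|ltd|company|co|group|sdn|bhd)\b")

def compact(name):
    """Reduce a CompanyName to lowercase ASCII alphanumerics so that dashes, dots,
    brackets, NBSP/space differences and missing spaces no longer matter."""
    s = unicodedata.normalize("NFKC", _MARKS.sub(" ", name)).casefold()
    s = _LEGAL.sub(" ", s)
    return re.sub(r"[^0-9a-z]", "", s)

def canonical_vendor(name):
    """Return the canonical key that prefixes the compact name, or None when nothing
    matches (names where the vendor is not the leading token still need manual review).
    Longest key first, so a longer key wins over a shorter one sharing its prefix."""
    c = compact(name)
    for key in sorted(CANONICAL_VENDORS, key=len, reverse=True):
        if c.startswith(key):
            return key
    return None

def group_by_vendor(names):
    """Bucket raw CompanyName strings under their canonical key (None = unmatched)."""
    groups = {}
    for n in names:
        groups.setdefault(canonical_vendor(n), []).append(n)
    return groups
```

A prefix match is generous on purpose; a short key such as ‘intel’ will also absorb an unrelated name that happens to start with it, so the canonical list should stay short and be reviewed like any other allow-list.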

Talking to, and handling (edit) boxes

In my older posts I mentioned that data injection techniques are as important as code execution. If you can sneak some data into another process’ address space w/o being caught… you get a foot in the door for stealthy code execution/evasion.

Writing data to other processes is quite easy, but finding where it is actually stored is much harder. Nowadays, aggressive enumeration / scanning of memory regions in other processes’ address space will surely trigger some alerts (it’s a technique known as RAM scraping, and some security solutions detect it).

Luckily, Windows messages come to the rescue again – they still benefit from largely unrestricted access to the memory of other processes while providing a convenient interface to that goodness (and the interface itself is kinda hard to monitor).

The EM_GETHANDLE and EM_SETHANDLE messages are used by Edit Controls. When you send the first of these messages you get the address of the buffer where the edit control stores its text (i.e. whatever you type in, e.g., Notepad). When you send the second, you can actually change the address of this buffer to whatever you want, even if only temporarily.

You could therefore launch Notepad, send keystrokes to it to ‘type’ a set of characters – a cleverly crafted shellcode – or simply launch the program to open your payload file as text, then find the address of the memory where this data is stored via the EM_GETHANDLE message, and finally use one of the known code execution techniques to run this code.

The shellcode itself needs to be Unicode-compatible (if you use English letters only, each 8-bit character will be converted to Unicode as a 16-bit word with a leading zero; the shellcode needs to take this into account). Luckily, the fact that characters must be Unicode is actually beneficial, as the characters can be almost anything and may thus form a nice binary shellcode (i.e. you could save the shellcode natively as UTF-16 and use a BOM to let Notepad know how to load the file). Notably, E9 and EB (opcodes for unconditional jumps) seem to be easy to inject w/o any tricks (both of them are Latin letters ‘e’ with accents).