Enter Sandbox – part 16: The symbols, the ApiSetSchema, and other possible future evasions

Posted on by

It’s been a while since I wrote about Sandboxes and I thought I will revive the series by listing a couple of ideas that I believe may be still under the radar of both sandbox solution creators, and reverse engineers.

Symbols

When we analyze Windows native OS libraries one of the most useful features we have at hand is leveraging debugging symbols. IDA, windbg, and many other reversing tools can use these symbols very efficiently – with symbols in place we can see names of internal functions, variables, and this code/data enrichment provides us with an invaluable context that speeds up the analysis.

Now, since the tools can use it, there is nothing that could stop malware from… doing the same.

Imagine the possibilities!

Instead of relying on export/import tables, a clever malware that leverages symbols could make calls to internal functions, or find ways to hook code deep inside the functions that are typically monitored (at least on the userland level). Symbols could also help to detect caves i.e. areas of code/data that are rarely used, and allow malware to overwrite them and persist in a much stealthier way than usual. There is a lot of potential for surgical modification of code to launch the payload code using the EPO (Entry Point Obscuring) technique.

Note that while there could be a need to download these PDB files directly on the infected system, nothing stops malware from sending copies of the DLLs from the system to its server first, decompiling / disassembling them on a remote server.  The malware could then craft the payload using hardcoded offsets obtained via symbols to deliver the required functionality. A side effect of such trickery would be that such crafted payloads would not run on sandboxes, and manual analysis would typically fail unless the file was analyzed on the exactly same system (meaning: with the same versions of libraries as existing on the victim’s system); obviously, ASLR needs to be taken into account for all offsets and calls. Another caveat is that such approach would require constant monitoring of Windows Update service; if files are replaced, the code would need to be updated to the most up to date version that works with the new libraries.

Leveraging functions of ApiSetSchema libraries

Now that we have not only kernel32.dll, but also KernelBase.dll, and the whole api-ms-*.dll zoo, it is possible to call these wrapper functions instead of the pure exports from kernel32.dll, advapi32.dll, etc..

Leveraging internal/undocumented functions

These can be either located via symbols, or via ApiSetSchema libraries; a quick browsing through internal functions referenced by kernel32.dll reveals a lot of interesting possibilities e.g.:

  • PrivCopyFileExW – undocumented function that allows to copy files
  • A couple of exported Internal functions that can be potentially used as callbacks (to run shellcodes, payload code, etc.)
    • Internal_EnumCalendarInfo
    • Internal_EnumDateFormats
    • Internal_EnumLanguageGroupLocales
    • Internal_EnumSystemCodePages
    • Internal_EnumSystemLanguageGroups
    • Internal_EnumSystemLocales
    • Internal_EnumTimeFormats
    • Internal_EnumUILanguages
  • A couple of exported Internal functions that can be used to access both the Registry and the File System bypassing documented APIs:
    • RegCreateKeyExInternalA
    • RegCreateKeyExInternalW
    • RegDeleteKeyExInternalA
    • RegDeleteKeyExInternalW
    • RegOpenKeyExInternalA
    • RegOpenKeyExInternalW
    • ReplaceFileExInternal

There is certainly more.

New technologies (well, sometimes not that new)

While it doesn’t really rely on symbols, it does fit the topic of the article – there is a class of APIs that are not commonly used yet, but certainly will be heavily utilized in the future:  I am talking about enclave functions; as per MS:

An enclave is an isolated region of code and data within the address space for an application. Only code that runs within the enclave can access data within the same enclave.

Example functions:

So, you got yourself yet another API set for both code injection and protection.

I am obviously not the first one to highlight it; a paper from 2015 (3 years ago!) by Alex Ionescu covers the topic and lists a number of possible issues enclaves bring to the world of security solutions including AV, EDR, and perhaps memory acquisition tools.

Beyond good ol’ Run key, Part 78

Posted on by

Here’s a quick persistence mechanism for you: we all know that you can change the HKCR settings for file extensions to introduce a malicious proxy executable that can then launch the appropriate file. Changes to HKCR’s .exe, .txt, handlers are as old as Windows malware itself.

It turns out that you can apply the same trick to folders, and you can do so with an extra twist. To do so, just add these Registry entries:

  • HKCR\Folder\shell\(default)=test
  • HKCR\Folder\shell\test\command
    @=”notepad.exe”

And from now on, anytime you open any folder in Windows Explorer the notepad.exe will launch. And for the twist –  note that we are introducing a new ‘verb’ called ‘test’ for Shell and not modifying the ‘open’ command; spotting this may be much harder as you need the security solution to read what the default verb is first, then read its settings from the Registry. You can leverage this trick to modify shell’s behavior for any file type.

Obviously, such changes may ruin the user’s folder browsing experience, but Notepad is now a folder parasite and is here to stay…

If you wanted to be a bit more sneaky, and apply it to specific folders only, e.g. Recycle Bin, you just need to add (in this case we modify the ‘open’ verb settings, for simplicity):

HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command
@=”c:\\windows\\system32\\calc.exe”

Where the 645FF040-5081-101B-9F08-00AA002F954E CLSID refers to Recycle Bin folder. Same goes for other special folders (as long as they are supported on your Windows version – win8/10 changes a lot here as they introduce that awful AOLish Start Menu).