Certain Windows… stay classy… part 2

In one of my older posts I listed a number of very recognizable window class names that can be found hard-coded as strings inside various programs (including malware). The intention there was to help with recognizing the compiler, protector or installer that was used to create, build or protect the file.

I thought it would be good to expand this list with a whitelist of common classes created by various legitimate Windows applications. Such a list may help to determine which window classes are potentially anomalous, e.g. when reviewing the output of the ‘windows’ or ‘wintree’ plugin in Volatility. Keep in mind that it only works one way: a class name that is not on the list deserves a look, but any process can register a window class under any name, so a name that is on the list does not clear the window that uses it.

Here’s the list I have come up with so far – if you see a class missing, please let me know and I will add it:

  • $$$UI0Background
  • _SearchEditBoxFakeWindow
  • {37E561C9-40E3-44de-AF62-CECD75524364}
  • ActionsMenuOwner
  • Address Band Root
  • AMNotificationDialog
  • AppResizeAcc
  • AudioDevStubWindow32
  • AutoplayHandlerChooser
  • AVIWnd32
  • Breadcrumb Parent
  • Button
  • CabinetWClass
  • CDDEServer
  • CDVDMsgWindowClass
  • CicLoaderWndClass
  • CM Monitor Window
  • ComboBox
  • ComboBoxEx32
  • COMPDESK_DISPALYCHANGE_CLASS
  • Compose_CvPgPreview
  • ConnectionManagerMsgProc
  • ConsoleWindowClass
  • CtlFrameWork_Parking
  • CtrlAccWindow
  • CtrlNotifySink
  • CustomEventWindowClass
  • DDE Channel
  • DDE Server Window
  • DDE ViewObj
  • DeviceUpdateClass
  • DIEmWin
  • DocWndClass
  • DragWindow
  • DsPropNotifyWindow
  • DummyDWMListenerWindow
  • Dwm
  • EalMessageWindow
  • Edit
  • elevationdummy
  • EnhancedStorageAuthentication
  • ERCUITHREADMARSHALLER
  • Event Viewer Snapin Synch
  • EVRFullscreenVideo
  • EVRPowerMsgWindowClass
  • EVRVideoHandler
  • EvtQProcWndClass
  • FaxME_DocHost
  • FaxTiffView_Host
  • FDBthProviderClass
  • FloatNotifySink
  • Fn Notify Window
  • FocusMonitorWindowClass
  • GDI+ Window
  • GestureArbitrationEngineWindowClass
  • Ghost
  • GhostDivider
  • GRIDWNDCLASS
  • HH CustomNavPane
  • HH Parent
  • HH SizeBar
  • HH_API
  • HidServClass
  • HighlightCursorClass
  • HitTestWorker
  • HostCtrlAccWindow
  • IEFrame
  • InkEditReflectClass
  • invisible bmp window
  • Isolation Thread Message Window
  • ItemWndClass
  • JobPropWnd
  • JointDivider
  • JointResizeAcc
  • KBEMWndClass
  • L21DecMsgWnd
  • listbox
  • LOCATIONNOTIFICATION
  • Magnifier
  • MCI command handling window
  • mdiclient
  • MDRESNOTIFYCLASS
  • MESSAGE
  • MGMTAPI Notification Class
  • MNC_TaskmanWindow
  • MobilityCenterHelpButton
  • MobilityCenterIcon
  • MobilityCenterStatusText
  • MobilityCenterTileName
  • MouseMonitorWindowClass
  • MRT
  • MS:SyncNotificationWindow
  • MS:WPDStatusProviderNotificationWindow
  • MSAA_DA_Class
  • MSCTFIME Composition
  • msctls_progress32
  • msctls_statusbar32
  • msctls_trackbar32
  • msctls_updown32
  • MstscRemoteSessionsMgrWndClass
  • MTVDragInputHandler
  • NarratorTIEWIndowClass
  • NarratorTouchWindow
  • Notepad
  • NotificationsMenuOwner
  • OCHost
  • OE_Envelope
  • OleDocWndClass
  • OleSrvrWndClass
  • Palette Watcher
  • PCALUA
  • PowerCPL Message Window
  • PPCHiddenWindow
  • proquota
  • PRSEVENTRECEIVER
  • RadioButtonList
  • RdpClipRdrWindowClass
  • RdpSaInvitationManagerHiddenWindowClass
  • RDPSoundDVCWnd
  • RDPSoundInputWnd
  • RdvSessionMonitorClass
  • ReBarWindow32
  • RectWndClass
  • REListBox20W
  • RelMonGraphWindow
  • RICHEDIT
  • RICHEDIT50W
  • RunDLL
  • RunLegacyCPL
  • Scroll
  • SCROLLBAR
  • Search Box
  • SearchEditBoxWrapperClass
  • SeparatorBand
  • Shell Preview Extension Temporary Parent
  • Shell_Dim
  • Shell_SecondaryTrayWnd
  • Shell_TrayWnd
  • SI WMP sync hidden window
  • SJE_FULLSCREEN
  • SlideshowCache
  • SlideshowManager
  • SoftKBDClsC1
  • SoftKBDClsT1
  • SoftkbdIMXOwnerWndClass
  • SPACEAGENT!PNP!MESSAGEWND
  • SrvrWndClass
  • SSDemoParent
  • Static
  • StubNtPrintWindow
  • StubPrintWindow
  • StubWindow32
  • sync hidden window
  • SysHeader32
  • SysLink
  • SysListView32
  • SysMonthCal32
  • SysPager
  • SysTabControl32
  • SystemMonitorWindowClass
  • SystemTray_Main
  • SysTreeView32
  • TabCal_WndClass
  • TabletModeCoverWindow
  • TabletModeInputHandler
  • Tapi32WndClass
  • Task Host Window
  • TaskListOverlayWnd
  • TaskListThumbnailWnd
  • TextRendererMsgProc
  • TiBusUpdate
  • ToolbarWindow32
  • tooltips_class32
  • TravelBand
  • TrayDummySearchControl
  • TrayInputIndicatorWClass
  • TrayNotifyWnd
  • TrayShowDesktopButtonWClass
  • TSC_POPUP_PARENT_WNDCLASS
  • TSMF Geometry
  • UIAInvokeHelperWndClass
  • UIManager Message Window
  • UniversalSearchBand
  • UpBand
  • URL Moniker Notification Window
  • UserAdapterWindowClass
  • VBBubbleRT6
  • VBFocusRT6
  • VisualViewportMessageWindow
  • VolNotifySink
  • WdcGraphWindow
  • WebInstanceCoreInputWindow
  • Webview Window
  • WiaPreviewControl
  • WMPMessenger
  • WMPSimpleMessageWindow
  • WMPTransition
  • WorkerA
  • WorkerMessageWindow
  • WorkerW
  • WusaHidden
  • XAMLMessageWindowClass
  • XAMLWebViewHostWindowClass
  • XCPDeferredClass
  • XCPTimerClass
  • XMLMimeWnd
  • YO
  • ZIP Folder STUB window
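To show how such a whitelist is actually used, here is an added example (my illustration, not code from the original post): it parses the text blocks produced by Volatility 2’s ‘windows’ plugin, groups every window class that is not on the list by owning process, and reports them. The output format assumed for the plugin (the “Window Handle: … / ClassAtom: … / ppi: …” lines) is reproduced from memory and the sample lines are constructed; only a subset of the list above is embedded to keep the block short. Matching is case-insensitive because Win32 class names are, and the sample deliberately includes a suspicious process that reuses a legitimate class name, which the whitelist does not flag, next to one with a random-looking name, which it does.

```python
import re
from collections import defaultdict

# Subset of the legitimate class names from the list above; in practice paste
# the whole list in here. Matching is case-insensitive because Win32 class
# names are (they are atoms), which is also why the list mixes "listbox" with
# "ListBox"-style spellings.
KNOWN_CLASSES = {
    "Button", "CabinetWClass", "ComboBox", "ConnectionManagerMsgProc",
    "ConsoleWindowClass", "Edit", "IEFrame", "listbox", "MSCTFIME Composition",
    "msctls_progress32", "Notepad", "Shell_TrayWnd", "Static", "SysListView32",
    "tooltips_class32", "TrayNotifyWnd", "WorkerW",
}

# Constructed sample in the shape of Volatility 2's `windows` plugin output
# (assumed format, trimmed to the fields the parser needs). The last two windows
# belong to a made-up "update.exe": one reuses a legitimate class name, the
# other carries a random-looking one.
SAMPLE_VOL_OUTPUT = r"""
**************************************************
Window context: 1\WinSta0\Default

Window Handle: #10056 at 0xfdb6f3a8, Name:
ClassAtom: 0xc0b5, Class: Shell_TrayWnd
SuperClassAtom: 0xc0b5, SuperClass: Shell_TrayWnd
pti: 0xfe4dc1a8, Tid: 1868 at 0x8593c020
ppi: 0xfe4c6d20, Process: explorer.exe, Pid: 1544
Visible: Yes

Window Handle: #10058 at 0xfdb6f5c0, Name:
ClassAtom: 0xc0b6, Class: TrayNotifyWnd
pti: 0xfe4dc1a8, Tid: 1868 at 0x8593c020
ppi: 0xfe4c6d20, Process: explorer.exe, Pid: 1544

Window Handle: #2004a at 0xfdb70118, Name:
ClassAtom: 0xc07e, Class: ConnectionManagerMsgProc
pti: 0xfe4e0a70, Tid: 1012 at 0x85a1d3c8
ppi: 0xfe4b9ab8, Process: svchost.exe, Pid: 920

Window Handle: #3001c at 0xfdb71a60, Name: Default IME
ClassAtom: 0xc0a2, Class: MSCTFIME Composition
pti: 0xfe4f1220, Tid: 2240 at 0x85b02a90
ppi: 0xfe4e5f00, Process: update.exe, Pid: 2212

Window Handle: #3001e at 0xfdb71c08, Name:
ClassAtom: 0xc1f3, Class: q3hd8sxq
pti: 0xfe4f1220, Tid: 2240 at 0x85b02a90
ppi: 0xfe4e5f00, Process: update.exe, Pid: 2212
"""

WINDOW_RE = re.compile(
    r"^Window Handle: #(?P<handle>[0-9a-fA-F]+) at 0x[0-9a-fA-F]+, Name:\s*(?P<name>.*)$")
CLASS_RE = re.compile(r"^ClassAtom: 0x[0-9a-fA-F]+, Class:\s*(?P<cls>.*)$")
PROC_RE = re.compile(r"^ppi: 0x[0-9a-fA-F]+, Process: (?P<proc>\S+), Pid: (?P<pid>\d+)$")


def parse_windows_output(text):
    """Turn the plugin's text blocks into one dict per window."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = WINDOW_RE.match(line)
        if m:                       # a new window block starts here
            if cur is not None:
                records.append(cur)
            cur = {"handle": m["handle"], "name": m["name"].strip(),
                   "cls": None, "proc": None, "pid": None}
            continue
        if cur is None:             # header lines before the first window
            continue
        m = CLASS_RE.match(line)
        if m:
            cur["cls"] = m["cls"].strip()
            continue
        m = PROC_RE.match(line)
        if m:
            cur["proc"], cur["pid"] = m["proc"], int(m["pid"])
    if cur is not None:
        records.append(cur)
    return records


def anomalous_classes(records, known=KNOWN_CLASSES):
    """Map (process, pid) -> sorted class names that are not on the whitelist."""
    norm = {k.lower() for k in known}
    hits = defaultdict(set)
    for r in records:
        if r["cls"] and r["cls"].lower() not in norm:
            hits[(r["proc"], r["pid"])].add(r["cls"])
    return {owner: sorted(v) for owner, v in hits.items()}


if __name__ == "__main__":
    found = anomalous_classes(parse_windows_output(SAMPLE_VOL_OUTPUT))
    for (proc, pid), classes in found.items():
        print(f"{proc} (pid {pid}): {', '.join(classes)}")
```

Run against a real dump, feed the plugin output to parse_windows_output and then look at every process that shows up in the result; the “Default IME” window owned by update.exe in the sample is the reminder that the whitelist is a triage aid, not a verdict.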

DeXRAY 2.06 update

A few weeks ago Brian contacted me about his research on Symantec Quarantine files. He had already worked on some parts of DeXRAY and suggested that he could improve the code handling the VBN files. And so he did – the result is a lot of new code that enables DeXRAY to decrypt these files much more reliably!

Brian wrote a post explaining the internals of Symantec VBN files and you should definitely go and read it!

Really great piece of work. Thank you Brian!

You can download the latest version of DeXRAY here.

The full list of supported or recognized file formats is below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the string ‘VSBX’ XORed with 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)
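The last bullet is the one worth dwelling on if you write your own carver. In the sense used by this added example (my illustration in Python, not DeXRAY’s own Perl code, and DeXRAY’s actual X-RAY logic may try other ciphers and key sizes), an X-RAY scan brute-forces every single-byte XOR key against the head of an unknown file and keeps the key under which a plausible PE header emerges: an MZ signature whose e_lfanew field points at a ‘PE\0\0’ signature. The offset-0 magics are the ones the list above pins to specific bytes (Avast, F-Prot, Microsoft, TrendMicro), with the TrendMicro value computed from ‘VSBX’ ^ 0xFF rather than typed in; the “quarantined executable” is a constructed stub with nothing valid beyond those two signatures.

```python
import struct

# Offset-0 magics taken from the format list above. The TrendMicro entry is
# computed rather than typed in to show where A9 AC BD A7 comes from.
MAGICS = {
    b"-chest- ": "Avast",
    b"KSS": "F-Prot",
    b"\x0b\xad": "Microsoft Forefront/Defender",
    b"\xd3\x45\xc5\x99": "Microsoft Forefront/Defender",
    bytes(c ^ 0xFF for c in b"VSBX"): "TrendMicro",   # -> A9 AC BD A7
}


def identify(data):
    """Return the format name whose magic sits at offset 0, or None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def xor_bytes(data, key):
    return bytes(c ^ key for c in data)


def xray_single_byte_xor(data, probe_len=0x400):
    """Brute-force all 256 single-byte XOR keys against the file head and
    return the keys under which an MZ header appears whose e_lfanew points
    at a 'PE\\0\\0' signature. Byte 0 maps to 'M' under exactly one key, so
    the result has at most one element; the e_lfanew check rules out the
    chance 'MZ' hit that a random second byte would otherwise produce."""
    head = data[:probe_len]
    hits = []
    for key in range(256):
        dec = xor_bytes(head, key)
        if len(dec) < 0x40 or dec[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
            continue
        if xor_bytes(data[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            hits.append(key)
    return hits


def triage(data):
    """Known magic first, X-RAY as the fallback (this example's order, not
    necessarily DeXRAY's). Returns (method, detail)."""
    name = identify(data)
    if name:
        return ("magic", name)
    keys = xray_single_byte_xor(data)
    if keys:
        return ("xray", keys[0])
    return ("unknown", None)


def make_fake_pe():
    """Constructed stand-in for a quarantined executable: an MZ header with
    e_lfanew = 0x80 and a PE signature at that offset, nothing else valid."""
    blob = bytearray(b"MZ" + b"\x90" * 0x3A)                  # 0x3C bytes
    blob += struct.pack("<I", 0x80)                            # e_lfanew
    blob += b"This program cannot be run in DOS mode.".ljust(0x80 - 0x40, b"\x00")
    blob += b"PE\x00\x00" + b"\x4c\x01"                        # signature, Machine = i386
    return bytes(blob)


if __name__ == "__main__":
    sample = xor_bytes(make_fake_pe(), 0x5A)   # constructed, "encrypted" with key 0x5A
    print("magic:", identify(sample))
    print("x-ray keys:", [hex(k) for k in xray_single_byte_xor(sample)])
    print("triage:", triage(sample))
```

The e_lfanew cross-check is what keeps the scan usable on real quarantine stores: with only the two-byte ‘MZ’ test, roughly one file in 65,536 would light up under some key by chance, and on a directory of thousands of blobs that is a false positive you will actually see.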