DeXRAY 2.10 update

Brian and I worked together again on fixing some bugs in the way DeXRAY handles the VBN files. The result is a quick update which you can download here.

Thx Brian!

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ, System Watcher's <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 'recovery'
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a 'VSBX' string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)
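Several entries in the list above are recognised purely by their leading bytes, and the TrendMicro entry shows how a vendor can hide an ASCII marker behind a single-byte XOR. The following is an added example, not DeXRAY's own code: a minimal magic-byte identifier for the formats whose magic the list actually gives (Avast, F-Prot, Microsoft Forefront/Defender, TrendMicro), with the XOR relationship checked in code rather than taken on faith. The sample headers are constructed for the demonstration and are not real quarantine files; formats that need container parsing or decryption are deliberately left out.

```python
from typing import Dict, Optional

# Magic bytes at offset 0 as listed in the post (leading bytes -> vendor).
# Assumption: only these few formats are covered; the rest of the list needs
# container parsing or decryption that this identifier does not attempt.
PLAIN_MAGICS: Dict[bytes, str] = {
    b"-chest- ": "Avast",                                   # Magic@0='-chest- '
    b"KSS": "F-Prot (TMP)",                                 # Magic@0='KSS'
    b"\x0b\xad": "Microsoft Forefront/Defender",            # Magic@0=0B AD
    b"\xd3\x45": "Microsoft Forefront/Defender (D3 45)",    # D3 45 C5 99 header
}

# TrendMicro: the bytes A9 AC BD A7 are the ASCII string 'VSBX' XORed with 0xFF.
TREND_XOR_KEY = 0xFF
TREND_PLAIN = b"VSBX"
TREND_MAGIC = bytes(b ^ TREND_XOR_KEY for b in TREND_PLAIN)  # b"\xa9\xac\xbd\xa7"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (reversible, so it also decodes)."""
    return bytes(b ^ key for b in data)


def identify_quarantine(header: bytes) -> Optional[str]:
    """Return the vendor whose magic matches the start of `header`, else None."""
    # Longest magic first so that a 2-byte magic cannot shadow a longer one.
    for magic, vendor in sorted(PLAIN_MAGICS.items(), key=lambda kv: -len(kv[0])):
        if header.startswith(magic):
            return vendor
    if header.startswith(TREND_MAGIC):
        return "TrendMicro"
    return None


def identify_file(path: str) -> Optional[str]:
    """Read only the first 16 bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify_quarantine(fh.read(16))


# Constructed sample headers (not real quarantine files), zero-padded to 16 bytes.
SAMPLE_HEADERS: Dict[str, bytes] = {
    "avast_chest.bin": b"-chest- " + b"\x00" * 8,
    "fprot.tmp": b"KSS" + b"\x00" * 13,
    "defender_a": b"\x0b\xad" + b"\x00" * 14,
    "defender_b": b"\xd3\x45\xc5\x99" + b"\x00" * 12,
    "trend.bin": TREND_MAGIC + b"\x00" * 12,
    "plain.exe": b"MZ\x90\x00" + b"\x00" * 12,
}


def scan_samples() -> Dict[str, Optional[str]]:
    """Classify every constructed sample; unknown formats map to None."""
    return {name: identify_quarantine(data) for name, data in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, vendor in scan_samples().items():
        print(f"{name:16} -> {vendor or 'unknown (candidate for X-RAY scanning)'}")
```

A file that matches none of the magics is what the last list entry is for: it is the case where a brute-force X-RAY scan, rather than a format-specific parser, is the only option.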

Running programs via Proxy & jumping on an EDR-bypass trampoline, Part 6

In my recent post I documented how you can drop your own wmplayer.exe and force it to be loaded via dvdplay.exe. Here, I will show one of many DLLs that we can force to execute a specifically-named executable – mstran40.exe.

The msrepl40.dll's internal name is 'Microsoft Replication Library' – as far as I can guess it is used by the Microsoft database engine – well, at least it exports a number of database-related functions so it must be somehow related. It doesn't matter too much.

We are going to use one of the exported functions (#2091) that is kind enough to run any executable named mstran40.exe – provided a specific registry key is set. The internal name of the aforementioned function #2091 is JetTrClientInit. mstran40.exe doesn't exist on Windows 7 and XP, so when the function attempts to execute it, the system will search the PATH directories and, since it won't find it there, will run it from the current directory. The trick doesn't work on Win 10 :(.

The Registry key in question is this:

  • HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter\TransporterId=GUID

where GUID can be simply this:

  • {00000000-0000-0000-0000-000000000000}

It is required so that the function IIDFromString can succeed in converting it into a proper GUID. We are just providing the conditions for the JetTrClientInit function not to exit prematurely.

See the attached animation for how it works in practice:

Here’s a list of commands:

reg add HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter /v TransporterId /t REG_SZ /d {00000000-0000-0000-0000-000000000000}

md en-US
copy c:\WINDOWS\system32\en-US\calc.exe.mui c:\test\en-US\mstran40.exe.mui
copy c:\windows\system32\calc.exe c:\test\mstran40.exe

rundll32.exe msrepl40.dll,#2091

And if you are wondering why I am copying the en-US directory and the MUI file: this is to ensure that calc.exe (renamed to mstran40.exe) finds its resources, which are stored in a separate file (if I had chosen a different .exe, e.g. any console-based program, this wouldn't be necessary, but we all want to see that Calculator, don't we…).
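From a detection standpoint, the chain above leaves three observable traces: a registry value being written under the Jet\4.0\Transporter key, rundll32.exe invoking msrepl40.dll by ordinal #2091 (or by its name JetTrClientInit), and a process named mstran40.exe starting from a directory that is not the Windows directory. The following is an added example, not part of the original post: three small rules run over constructed sample telemetry. The log lines use a simplified, made-up "key=value" format separated by " | " that is only loosely modelled on process-creation and registry-set events; it is not a real Sysmon or EDR schema, and the assumption that the Windows directory is C:\Windows is hard-coded where a real rule would read %SystemRoot%.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real Sysmon or EDR output): one event per
# line, fields separated by " | ", each field "key=value". The first three
# lines mirror the steps of the post; the fourth is a benign rundll32 call.
SAMPLE_LOGS: List[str] = [
    r"type=registry | image=C:\Windows\System32\reg.exe | key=HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter | value=TransporterId | data={00000000-0000-0000-0000-000000000000}",
    r"type=process | image=C:\Windows\System32\rundll32.exe | parent=C:\Windows\System32\cmd.exe | cmdline=rundll32.exe msrepl40.dll,#2091 | cwd=C:\test",
    r"type=process | image=C:\test\mstran40.exe | parent=C:\Windows\System32\rundll32.exe | cmdline=mstran40.exe | cwd=C:\test",
    r"type=process | image=C:\Windows\System32\rundll32.exe | parent=C:\Windows\explorer.exe | cmdline=rundll32.exe shell32.dll,Control_RunDLL | cwd=C:\Windows\System32",
]


def parse_event(line: str) -> Event:
    """Split one constructed log line into a dictionary with lower-cased keys."""
    event: Event = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        event[key.strip().lower()] = value.strip()
    return event


# Registry path from the post, compared case-insensitively by suffix so that
# the HKLM and HKEY_LOCAL_MACHINE spellings of the hive both match.
JET_TRANSPORTER_KEY = r"\software\microsoft\jet\4.0\transporter"
# rundll32 export reference: ordinal #2091 or its internal name JetTrClientInit.
MSREPL40_EXPORT = re.compile(r"msrepl40\.dll\s*,\s*(#2091|jettrclientinit)\b", re.IGNORECASE)
# Assumption: Windows directory is C:\Windows; a real rule would use %SystemRoot%.
SYSTEMROOT = "c:\\windows\\"


def rule_transporter_id_set(ev: Event) -> bool:
    """Registry write of the TransporterId value the function requires."""
    return (ev.get("type") == "registry"
            and ev.get("key", "").lower().endswith(JET_TRANSPORTER_KEY)
            and ev.get("value", "").lower() == "transporterid")


def rule_msrepl40_export_call(ev: Event) -> bool:
    """Process command line that calls msrepl40.dll export #2091 / JetTrClientInit."""
    return ev.get("type") == "process" and bool(MSREPL40_EXPORT.search(ev.get("cmdline", "")))


def rule_mstran40_outside_systemroot(ev: Event) -> bool:
    """mstran40.exe starting from anywhere other than the Windows directory."""
    image = ev.get("image", "").lower()
    return (ev.get("type") == "process"
            and image.endswith("\\mstran40.exe")
            and not image.startswith(SYSTEMROOT))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("jet_transporter_id_set", rule_transporter_id_set),
    ("msrepl40_export_2091_call", rule_msrepl40_export_call),
    ("mstran40_outside_systemroot", rule_mstran40_outside_systemroot),
]


def detect(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (rule name, line index) for every rule that fires on every line."""
    hits: List[Tuple[str, int]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_LOGS):
        print(f"{name:28} line {idx}: {SAMPLE_LOGS[idx][:70]}")
```

Each rule is narrow on its own; the registry write in particular could be legitimate. The useful signal is all three firing from the same host within a short window, with rundll32.exe as the parent of mstran40.exe, which is what a correlation layer on top of these per-event rules would look for.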