Enter Sandbox: Special edition

I recently wrote a cyber version of Orgasmatron. Writing one for Metallica’s Enter Sandman was on my mind for much longer, since it’s almost impossible not to think of it when you read the title of this series… So… here it is:

Enter Sandbox

QEMU, VMWare
Don’t forget the Xen
And Sandboxie’s there

Virtual Box, Cuckoo rocks
Parallels’s in stock
Till the Sandbox he comes

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Something’s wrong, freeze the guest
Heavy loaded host
And it’s not doing its best

Mining coins, WannaCry
Virus spreads like fire
And the Pafish will bite

Sleep is nopped and faster
Cursor is moving too

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

Now I call the function Sleep
Time Stamp Counter I will keep
If I delta some of it
Numbers bad? It’s time to quit

Hash the file, and check the strings
And never mind that noise you see
It’s just the fake I, O and C
In your report, for VP

Exit: Threads
Enter: Creds
Calling rand()

Exit: Threads
Enter: Creds
Fakenet snoops
While we patch the stalling loops

The Wizard of X – Oppa PlugX style

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing, I know for certain that – whatever it is – the PlugX guys would approve.

Why?

When you run it with a ‘/h’ command line parameter, you will get this info:


Something about the unusual command line parameters described there caught my eye.

After a quick inspection I discovered why. The arguments are actually… names of functions exported from xwizards.dll!

Very nice!

And even nicer is the fact that the LoadLibraryEx call that loads xwizards.dll conveniently finds it in the current path…

Ouch…

So… all you have to do is copy c:\WINDOWS\system32\xwizard.exe to your folder, drop your own xwizards.dll there and call xwizard.exe with at least two arguments.

And the Microsoft-signed xwizard.exe will load the xwizards.dll of your choice…
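As an added defensive example (not code from the original post), here is a small Python check over constructed Sysmon-style events that flags xwizard.exe starting from, or xwizards.dll being loaded from, any directory other than the system directories. The field names mirror Sysmon event ID 1 (process create) and event ID 7 (image load); the sample records are made up for the demonstration.

```python
"""Flag xwizard.exe / xwizards.dll side-loading in Sysmon-style telemetry."""
from pathlib import PureWindowsPath
from typing import Optional

# Directories from which the signed host EXE and its DLL are expected to load.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_trusted_location(path: str) -> bool:
    """True if the file's directory is one of the expected system directories.
    PureWindowsPath compares case-insensitively and accepts either separator."""
    return PureWindowsPath(path).parent in TRUSTED_DIRS


def check_event(ev: dict) -> Optional[str]:
    """Return a finding for one event, or None if it looks benign.
    EventID 1: Image = new process.  EventID 7: Image = loading process,
    ImageLoaded = the DLL that was mapped."""
    image = ev.get("Image", "")
    if ev.get("EventID") == 7:
        dll = ev.get("ImageLoaded", "")
        if PureWindowsPath(dll).name.lower() == "xwizards.dll" and not is_trusted_location(dll):
            return f"xwizards.dll loaded from untrusted path {dll} (by {image})"
    if PureWindowsPath(image).name.lower() == "xwizard.exe" and not is_trusted_location(image):
        return f"xwizard.exe running from untrusted path {image}"
    return None


def scan(events) -> list:
    """Return (RecordId, finding) pairs for every suspicious event."""
    return [(ev["RecordId"], f) for ev in events if (f := check_event(ev))]


# Constructed sample telemetry (not real logs): records 1-2 are the normal
# system copy; records 3-4 show the host and DLL run out of a user folder.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\xwizard.exe",
     "CommandLine": "xwizard.exe /h"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Windows\System32\xwizard.exe",
     "ImageLoaded": r"C:\Windows\System32\xwizards.dll"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Users\Public\tools\xwizard.exe",
     "CommandLine": "xwizard.exe arg1 arg2"},
    {"RecordId": 4, "EventID": 7, "Image": r"C:\Users\Public\tools\xwizard.exe",
     "ImageLoaded": r"C:\Users\Public\tools\xwizards.dll"},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(record_id, finding)
```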