Beyond good ol’ Run key, Part 41

Posted on by

Thinstall apps are portable and can be quite handy. They leverage an engine that virtualizes the environment in a way that makes it possible for these awful, bloated apps to be loaded from a single executable.

It’s a cute idea, but the way it is implemented… could be abused for malicious purposes.

And that’s why I am talking about it today 🙂

In the past I talked about abusing perl2exe programs that can act as a launcher for a malicious code. The idea of leveraging Thinstall programs for persistence is similarly crazy and remote and… yeah, desperate really, but hey… the possibilities are out there, so should be investigated.

Right?

To my surprise, the Thinstall apps don’t seem to be very well researched. When I ran the example app through my analysis tool, I noticed that many environment variables are being used f.ex.:

  • <name of the thinstal app>_SANDBOX_DIR
  • THINSTALL_BIN
  • THINSTALL_CACHE_DIR
  • THINSTALL_SANDBOX_DIR
  • THNOCMDLN
  • TS_CMDLINE
  • TS_CWD
  • TS_DESKTOP
  • TS_LOGGING_ENABLED
  • TS_MODN
    • TS_MOD0
    • TS_MOD1
    • TS_MODN
  • TS_OPTIONS
  • TS_ORIGIN
  • TS_ORIGSHOWWINDOWVALUE
  • TS_SBCLEANUP
  • TS_SBCLEANUP_CONTINUE
  • TS_SOURCE
  • TS_SUBPROC
  • TS_UPDATE_N
    • TS_UPDATE_0
    • TS_UPDATE_1
    • TS_UPDATE_N
  • TS_UPDATE_THINREG
  • TS_UPDATE_CMDLINE
  • TS_USER_SID

My immediate guess was that some of them could be potentially leveraged to modify the behaviour of the Thinstalled app. While googling for some of them, I could not find too many references – this is the only one that is the most accurate (in Russian) that I could find. The post lists additional 3 environment variables:

  • TS_DEBUGGED
  • TS_EXECUTE_EXTERNAL
  • TS_SVCINIT

This made me poke around more – dumping the memory of the thinstalled app process and running strings/grep over it surely reveals even more TS_ environment variables:

  • TS__ST
  • TS_LOG_FILENAME
  • TS_SKIP_APPSYNC
  • TS_TOKEN_INTEGRITY_LEVEL
  • TS_WAITINIT

This is actually plenty of stuff to research on a rainy day, so for now I will just focus on the persistence mechanisms.

Here are three quick wins in this space:

Persistence mechanism number 1

Looking at the TS_ environment variables we can see that there are two potential candidates for an immediate abuse:

  • TS_UPDATE_N
  • TS_UPDATE_CMDLINE

After toying around with it for a bit, I quickly came up with the following combo:

  • set TS_UPDATE_0=1
  • set TS_UPDATE_CMDLINE=c:\windows\system32\notepad.exe

Sure enough, when you set up these environment variables, notepad will be launched from the Thinstall app anytime it starts (this could potentially lead to an escalation of privileges as well).

Of course, to be a real persistent mechanism these environment variables have to be permanently set via Registry (f.ex. HKEY_CURRENT_USER\Environment key).

Note: this persistence mechanism breaks the Thinstall app (the original app doesn’t launch; the update mechanism seems to require a restart of the application so this needs to be done by the program referenced by TS_UPDATE_CMDLINE; it’s a bit like a companion virus)

Persistence mechanism number 2

When launched, one of the first files Thinstall app tries to find is os_debug.dll – if present in the local directory it will be loaded. Hence, dropping a malicious os_debug.dll inside the same folder will ensure the DLL is loaded:

os_debug

 

Persistence mechanism number 3

Looking at the other files the Thinstall app is looking for when it starts I discovered that it attempts to enumerate the following folder:

  • %PROGRAM_FILES%\ThinstallPlugins

I created this directory and dropped a random DLL inside it, and sure enough, it was loaded when the Thinstall app started.Thinstall_Plugin

As I mentioned, leveraging Thinstall apps as a persistence mechanism is a very VERY desperate idea, but hey… any chance to investigate (even if superficially) a rarely seen file format is always interesting to me. And I bet there is still more to discover there… On this note, I have added the Thinstall app window class to the Certain Windows… stay classy… post.

Enter Sandbox – part 12: The Library of naughty libraries

Posted on by

Updated 2021-02-26

Added Avast libs

Updated 2020-06-22

Added ivm-inject.dll and log_api32. Andrew sent these long time ago, but I sat on it even longer. I finally managed to update the post & apologies to Andrew for this taking so long!!!

Updated 2019-10-17

And a few more additions from Andrew! RapportGP, RapportGP_x64, and aswhook. Thanks !

Updated 2019-09-20

Added a few more pointed out by Andrew! fshook32, aswhookx, aswhooka. Thanks!

Updated 2019-08-20

Added a few libraries pointed out by Andrew! ollydbg.dll vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!

Updated 2018-07-14

Added apihex86.dll and apihex64.dll + apilogen.dll & amxread.dll

Updated 2017-12-17

Added makin library ahlo.dll

Updated 2017-11-18

Fixed incorrectly attributed iDefense Labs libs, added some 64- bit libs and updated descriptions

Old post

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it.

In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment.

Some of them are very well known, some of them… less.

If you know any others, please do let me know.

Thank you!

Here they are:

  • a2hooks32    Emsisoft 32-bit
  • a2hooks64    Emsisoft 64-bit
  • adialhk    Kaspersky Anti-Virus
  • amxread.dll    Used by logman API Trace – API Tracing Manifest Read Library
  • AMSI.dll   Used by Antimalware Scan Interface (AMSI)
  • aswAMSI.dll   Used by Avast
  • anvirhook56    AnVir Software
  • apihex86.dll    Used by logman API Trace (32-bit) – API Tracing X86 Hook Engine
  • apihex64.dll    Used by logman API Trace (64-bit) – API Tracing x64 Hook Engine – also see this link
  • api_log    iDefense Labs
  • apihookdll    (Generic API Hooking DLL name)
  • apilogen.dll    Used by logman API Trace – API Tracing Log Engine
  • apshook    Cognizant Application Protection Hook
  • asho    Library injected by makin
  • aswhook    Avast Security Suite
  • avgrsstx    AVG Internet Security
  • avcuf32    BitDefender 32-bit
  • avcuf64    BitDefender 64-bit
  • avghooka    AVG (Link, Thx Andrew!)
  • avghookx    AVG (Link, Thx Andrew!)
  • aswhooka.dll    Avast (Link, Thx Andrew!)
  • aswhookx.dll    Avast (Link, Thx Andrew!)
  • BgAgent    BullGuard
  • cmdvrt32    Comodo 32-bit
  • cmdvrt64    Comodo 64-bit
  • cssdll32    Comodo (SafeSurf)
  • dbghelp    Debug Help (Potentially used to detect sandboxing env)
  • desktopmessaging    Sophos Anti-Virus
  • dir_watch    iDefense Labs
  • eeconsumer    Sophos Anti-Virus
  • fshook32    F-Secure (Link, Thx Andrew!)
  • guard32    Comodo 32-bit
  • guard64    Comodo 64-bit
  • hinthk    HintSoft
  • iatloader    API Override
  • icadapter    Sophos Anti-Virus
  • icmanagement    Sophos Anti-Virus
  • ieprot    Rising Information Technology (IE Protector)
  • ivm-inject.dll  Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
  • kakatool    Rising Information Technology
  • kloehk    Kaspersky Anti-Virus (Outlook Express Hook)
  • kmon    Rising Information Technology
  • log_api32   Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
  • log_api64   Buster Sandbox Analyzer (Link, Thx Andrew!)
  • legacyconsumers    Sophos Anti-Virus
  • mzvkbd    Kaspersky Anti-Virus
  • ollydbg    AVG (Link, Thx Andrew!)
  • pavshook    Panda
  • PCTGMhk    PC Tools
  • persistance    Sophos Anti-Virus
  • pinvm    PIN (Instrumentation Framework)
  • printfhelp    Unknown Sandbox
  • psapi    Possibly loaded to look for processes/modules
  • pstorec    Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)
  • QOEHook    Qurb
  • R3HOOK    Kaspersky Anti-Virus (Ring 3 Hooker)
  • rapport    Trusteer
  • rapportGP    Trusteer
  • rapportGP_x64    Trusteer
  • rooksbas    Trusteer
  • sar1    Sophos Anti-Rootkit
  • sar2    Sophos Anti-Rootkit
  • sar3    Sophos Anti-Rootkit
  • sar4    Sophos Anti-Rootkit
  • savneutralres    Sophos Anti-Virus
  • savreseng    Sophos Anti-Virus
  • savshellext    Sophos Anti-Virus 32-bit
  • savshellextx64    Sophos Anti-Virus 64-bit
  • sbie    SandBoxie
  • sbie!ll    SandBoxie
  • sbiedll    SandBoxie
  • sbiedllx    SandBoxie
  • scaneditfacade    Sophos Anti-Virus
  • scanmanagement    Sophos Anti-Virus
  • security    Sophos Anti-Virus
  • sf2    Avast
  • sipsmanagement    Sophos Anti-Virus
  • snxhk    Avast
  • sophos_detoured    Sophos Anti-Virus
  • sophos_detoured_x64    Sophos Anti-Virus
  • sophosbho    Sophos Anti-Virus
  • sophosbhox64    Sophos Anti-Virus
  • sophtaineradapter    Sophos Anti-Virus
  • ssleay32    Trusteer (could be a legitimate use of OpenSSL library though)
  • swi_filter    Sophos Anti-Virus
  • swi_ifslsp    Sophos Anti-Virus
  • swimanagement    Sophos Anti-Virus
  • sxin    Qihoo 360
  • systeminformation    Sophos Anti-Virus
  • tamperprotectionmanagement    Sophos Anti-Virus
  • threatdetection    Sophos Anti-Virus
  • translators    Sophos Anti-Virus
  • UMEngx86    Norton Sonar
  • VBOXHOOK    VirtualBox (Sample; Thx Andrew!)
  • virusdetection    Sophos Anti-Virus
  • vmcheck    Virtual PC
  • vmhgfs    VMWare
  • wbsys    Stardock.Net (WindowBlinds)
  • wl_hdlr    Agnitum (Outpost)
  • wl_hook    Agnitum (Outpost)
  • wpcap    Attempts ot WinPCAP library (possible sandbox detection)
  • wpespy    Winsock Packet Editor (WPE)

A separate category is the OS DLLs. The technique that some malware relies on requires loading f.ex. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that ‘static’ code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also some custom (and typically advanced, since written in asm most of the time) malware.

Note: if you use this list in a commercial sandbox, please ensure you give a credit 🙂