Enter Sandbox – part 2: COM, babe COM

API hooking, or interception, as described in part 1 is great for many analyses and works very well for many older generic samples, but to be able to handle modern samples a sandbox needs to handle the Component Object Model (COM) as well. COM is a bitch when it comes to analysis and hooking, because it’s omnipresent, not everything is properly documented, there are lots of ways to do the same thing and, funnily enough, developers using COM make lots of mistakes and often reference pointers incorrectly. While their apps crash internally and the exceptions are handled by the respective frameworks, any intrusive sandbox will typically crash the application if it is not prepared to handle programmers’ mistakes.

When I say that the same thing can be done in many ways it’s for a simple reason. While COM objects are typically instantiated using e.g. CoCreateInstance, CoCreateInstanceEx, CoGetClassObject, or by actually calling some COM methods, there is also a myriad of ‘regular’ APIs that can instantiate COM objects as well – a simple example is PStoreCreateInstance.

COM is quite a mess and the deeper you dig the more weird stuff you will find (e.g. interfaces changing names over time and messing up your collection of CLSIDs).

Good luck handling it all…

Hooking COM objects requires either manipulating the original virtual tables that are hidden inside the code/data of the COM object provider, or doing it dynamically – only inside the buffers allocated for instantiated objects. Either way, it is sometimes not welcome by the hooked applications, which may have code implemented to prevent COM hooking (I have seen this). Non-invasive interception is possible as well, but it requires a good tracking mechanism – some samples can call COM many times during the analysis session.
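The second, per-instance variant above, modelled as an added example (not code from the original post): a COM object is a pointer to a vtable of function pointers, so a sandbox can give one instance a private copy of that table whose entries log the call and forward to the provider’s original code. The layout, method names (stand-ins for IShellLink::SetPath and IPersistFile::Save) and the ctypes model are constructed for illustration; real COM vtables start with the three IUnknown methods.

```python
import ctypes

# Constructed model of the COM object layout (added example, not the post's code): the
# object's first field points to a vtable, an array of function pointers, and every method
# receives the object pointer ("this") first. The methods stand in for SetPath and Save.
METHOD = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_char_p)

class VTable(ctypes.Structure):
    _fields_ = [("SetPath", METHOD), ("Save", METHOD)]

class ComObject(ctypes.Structure):
    _fields_ = [("lpVtbl", ctypes.POINTER(VTable)), ("path", ctypes.c_char * 260)]

# The "provider" side: the real method bodies, shared by every instance.
def _set_path(this, arg):
    ComObject.from_address(this).path = arg
    return 0  # S_OK

def _save(this, arg):
    return 0  # S_OK; a real IPersistFile::Save would write the .lnk here

_keepalive = [METHOD(_set_path), METHOD(_save)]  # ctypes callbacks must outlive their vtables
PROVIDER_VTBL = VTable(*_keepalive)

def create_object() -> ComObject:
    """What CoCreateInstance hands back: an object whose lpVtbl is the provider's table."""
    obj = ComObject()
    obj.lpVtbl = ctypes.pointer(PROVIDER_VTBL)
    return obj

def hook_instance(obj: ComObject, log: list) -> None:
    """Per-instance hook: give this object a private vtable copy whose entries log the
    call and forward to the provider's code. The provider's own table is untouched."""
    original = obj.lpVtbl.contents
    hooked = VTable()
    for name, _ in VTable._fields_:
        real = getattr(original, name)
        def wrapper(this, arg, name=name, real=real):
            log.append(f"{name}({arg.decode()})")
            return real(this, arg)
        cb = METHOD(wrapper)
        _keepalive.append(cb)
        setattr(hooked, name, cb)
    _keepalive.append(hooked)
    obj.lpVtbl = ctypes.pointer(hooked)

def call(obj: ComObject, name: str, arg: bytes) -> int:
    """Dispatch through the vtable exactly the way compiled client code does."""
    return getattr(obj.lpVtbl.contents, name)(ctypes.addressof(obj), arg)
```

Because the swap lives in the object itself (its lpVtbl no longer points at the provider’s table), this is the variant that the anti-hooking code mentioned above can notice, and a sandbox has to expect that; other instances created later are not hooked unless each one is patched as it is instantiated.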

If you have read this far you may be wondering what COM objects we could hook and why it really matters.

Nowadays many malicious apps use various evasions, and lots of them are implemented using COM. A simple example is IBackgroundCopyJob, used by FinFisher to copy files under the noses of sandboxes/AV. COM is also used to create/modify shortcuts, download stuff in the background using the Background Intelligent Transfer Service (BITS) and other interfaces – and you may _not_ get to see the URLs/domains contacted if you only rely on API hooking. Last, but not least, popular evasions rely on enumerating various properties using WMI, and these are also handled via COM.

Not hooking this stuff leaves a lot of unanswered questions and limits the actionable data that can be extracted from the session.

This is an example of COM hooking in action:

  • Using ShellLink to create a shortcut file
    • CoCreateInstanceEx (ShellLink, IShellLinkA)
    • IShellLinkA::SetPath (%SYSTEM%\malware.exe)
    • IPersistFile::Save (C:\Documents and Settings\user\Start Menu\Programs\malware.lnk)
  • Using web browser object to download stuff
    • IWebBrowser2::Navigate (URL=http://xx.xx.xx.xx/media/1,Flags=,TargetFrameName=,PostData=,Headers=)
  • Using WMI to enumerate processes
    • IWbemLocator::ConnectServer (strNetworkResource=root\cimv2, user=, password=, locale=)
    • IWbemServices::ExecQuery (strQueryLanguage=WQL, Query=SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process)

Beyond good ol’ Run key, Part 31

The last piece in the series talked about Synaptics software – a program to manage the touchpad on some of the popular laptops (e.g. from Toshiba).

Turns out Synaptics is not the only company providing software to manage touchpad extensions, and this short post introduces yet another one – from Alps. The relationship between these two companies seems to be actually quite close; I have not investigated it very thoroughly, but if you google the two you will find a lot of overlaps; I personally don’t care too much – at the end of the day they use different Registry entries, and this is all that matters ;).

So, anyway, Alps touchpads can be found on many popular laptops, e.g. from Dell and Toshiba. Here I will talk about the Dell version.

Looking at the available options we can easily find the familiar ‘Run’ command that can be associated with button actions:

[Screenshot: Dell]

A simple test (Run Notepad when we click the Left button on the touchpad) allows us to quickly discover the location in the Registry where the settings are stored:

[Screenshot: Alps]

The key is located under HKCU:

  • HKEY_CURRENT_USER\Software\Alps

and the specific settings for buttons are located at:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\Button

where:

  • AppReg1 = <path to executable>
  • ButtonFunction1 = 0x1b to run the program (while the default 0x5 means simply ‘Click’)

(this is for the Left button specifically – other buttons use consecutive numbers, i.e. AppReg2, AppReg3; ButtonFunction2, ButtonFunction3)
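A quick check for the setting described above, written as an added example (not something from the original post): it parses a `reg export`-style dump of the Button key and reports every button whose ButtonFunctionN is 0x1b together with the matching AppRegN program. The dump, the program paths and the function names are constructed for illustration; on a live system the same text comes from `reg export HKCU\Software\Alps\Apoint\Button`.

```python
import re

# Constructed 'reg export' style dump of the key from the post (added example, not the
# post's data; paths are made up). Buttons 1 and 3 are set to 0x1b (run a program).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Alps\Apoint\Button]
"ButtonFunction1"=dword:0000001b
"AppReg1"="C:\\Users\\user\\AppData\\Roaming\\updater.exe"
"ButtonFunction2"=dword:00000005
"AppReg2"=""
"ButtonFunction3"=dword:0000001b
"AppReg3"="C:\\Program Files\\Alps\\notes.exe"
"""

BUTTON_KEY = r"HKEY_CURRENT_USER\Software\Alps\Apoint\Button"
RUN_PROGRAM = 0x1B   # ButtonFunctionN meaning "run AppRegN"; the default 0x5 is a plain click

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse the subset of .reg syntax needed here: key headers, dword and string values."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif m := _DWORD_RE.match(line):
            current[m.group(1)] = int(m.group(2), 16)
        elif m := _STR_RE.match(line):
            # .reg files escape backslashes and quotes inside string values
            current[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_button_launchers(keys: dict[str, dict[str, object]]) -> list[tuple[int, str]]:
    """Return (button number, program) for every button whose function is 'run a program'."""
    values = keys.get(BUTTON_KEY, {})
    hits = []
    for name, func in values.items():
        m = re.fullmatch(r"ButtonFunction(\d+)", name)
        if not m or func != RUN_PROGRAM:
            continue
        program = values.get(f"AppReg{m.group(1)}", "")
        if isinstance(program, str) and program:   # skip buttons with no program set
            hits.append((int(m.group(1)), program))
    return sorted(hits)
```

Anything it returns that points outside the touchpad vendor’s own install directory is worth a second look, since a user-level program launched by a touchpad click leaves no trace in the usual Run keys.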

Again, it’s more a curiosity than a real threat, but still good to have it documented, even if only that briefly 🙂

If you know any other software like this and can send me screenshots/reg entries I will be forever grateful 🙂 Thanks in advance.