Links to post series

ximad pinged me asking if I can make some of the content more readable – I will think of it and perhaps convert some of this stuff into a PDF, but in the mean time providing a series of links for the ‘longer’ series on the blog

Da Li’L World of DLL Exports and Entry Points

Da Li’L World of DLL Exports and Entry Points, Part 1
https://www.hexacorn.com/blog/2013/08/08/da-lil-world-of-dll-exports-and-entry-points-part-1/

Da Li’L World of DLL Exports and Entry Points, Part 2
https://www.hexacorn.com/blog/2013/08/11/da-lil-world-of-dll-exports-and-entry-points-part-2/

Da Li’L World of DLL Exports and Entry Points, Part 3
https://www.hexacorn.com/blog/2013/08/21/da-lil-world-of-dll-exports-and-entry-points-part-3/

Anti-forensics

The shortest anti-forensics code in the world
https://www.hexacorn.com/blog/2012/01/21/the-shortest-anti-forensics-code-in-the-world/

The shortest anti-forensics code in the world – take #2
https://www.hexacorn.com/blog/2012/03/16/the-shortest-anti-forensics-code-in-the-world-take-2/

Purple Haze – Anti-forensics and anti-detection
https://www.hexacorn.com/blog/2012/02/13/purple-haze-anti-forensics-and-andi-detection/

Anti-forensics – live examples
https://www.hexacorn.com/blog/2012/02/18/anti-forensics-live-examples/

Anti-forensics – live examples, Part 2
https://www.hexacorn.com/blog/2014/06/27/anti-forensics-live-examples-part-2/

Anti-forensics – live examples, Part 3
https://www.hexacorn.com/blog/2014/08/29/anti-forensics-live-examples-part-3/

Enter Sandbox Series

Enter Sandbox – part 1: All APIs are equal, but some APIs are more equal than others
https://www.hexacorn.com/blog/2015/05/29/enter-sandbox-part-1-all-api-are-equal-but-some-apis-are-more-equal-than-others/

Enter Sandbox – part 2: COM, babe COM
https://www.hexacorn.com/blog/2015/06/09/enter-sandbox-part-2-com-babe-com/

Enter Sandbox – part 3: If you see Native code is creative
https://www.hexacorn.com/blog/2015/06/10/enter-sandbox-part-3-if-you-see-native-code-is-creative/

Enter Sandbox – part 4: In search for Deus Ex Machina
https://www.hexacorn.com/blog/2015/06/12/enter-sandbox-part-4-in-search-for-deus-ex-machina/

Enter Sandbox – part 5: In search for Deus Ex Machina II
https://www.hexacorn.com/blog/2015/06/17/enter-sandbox-part-5-in-search-for-deus-ex-machina-ii/

Enter Sandbox – part 6: The Nullsoft hypothesis and other installers' conundrums
https://www.hexacorn.com/blog/2015/06/26/enter-sandbox-part-6-the-nullsoft-hypothesis-and-other-installers-conundrums/

Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας
https://www.hexacorn.com/blog/2015/06/27/enter-sandbox-part-7-hello-%d9%85%d8%b1%d8%ad%d8%a8%d8%a7-%e6%82%a8%e5%a5%bd-%d0%b7%d0%b4%d1%80%d0%b0%d0%b2%d1%81%d1%82%d0%b2%d1%83%d0%b9%d1%82%d0%b5-%ce%b3%ce%b5%ce%b9%ce%b1-%cf%83/

Beyond good ol’ Run key

Beyond good ol’ Run key

 https://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/

  •  A large number of different, more and less known mechanisms described – firts part of the series and as such, quite a big post
  • ICQ
    • HKCU\Software\Mirabilis\ICQ\Agent\Apps
  • Standard apps that contain functionality / options to launch mandatory programs(P2P apps, etc.)
  • ‘Scanning’ files with AV when downloaded
  • Windows Shell alternatives
  • AutoStart when Scanner button is pressed
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications
    • HKLM\SYSTEM\CurrentControlSet\Control\StillImage\Events\STIProxyEvent
  • Autostart by re-using existing autostart entries
  • Autostart via Plugins
  • File System infection

Beyond good ol’ Run key, Part 2

https://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/

  • Focused on standard apps that contain functionality / options to launch mandatory programs (Archivers, downloaders, Messengers, etc.) and the functionality is related to external viewers, AV scanners
    • WinRar
      • HKCU\Software\WinRAR\Viewer\ExternalViewer
      • HKCU\Software\WinRAR\VirusScan\Name
    • WinZip
      • HKCU\Software\Nico Mak Computing\WinZip\programs\zip2exe
      • HKCU\Software\Nico Mak Computing\WinZip\programs\viewer
      • HKCU\Software\Nico Mak Computing\WinZip\programs\vviewer
      • HKCU\Software\Nico Mak Computing\WinZip\programs\arc
      • HKCU\Software\Nico Mak Computing\WinZip\programs\arj
      • HKCU\Software\Nico Mak Computing\WinZip\programs\lha
      • HKCU\Software\Nico Mak Computing\WinZip\programs\scan
      • HKCU\Software\Nico Mak Computing\WinZip\programs\viewer
      • HKCU\Software\Nico Mak Computing\WinZip\programs\zip2exe
    • Internet Download Manager
      • HKCU\Software\DownloadManager\VScannerProgram
    • Download Accelerator Plus (DAP)
      • HKCU\Software\SpeedBit\Download Accelerator\AntiVirusEXE
    •  Orbit Downloader
      • %USERPROFILE%\Application Data\Orbit\conf.dat%USERPROFILE%\Application Data\Orbit\conf.dat
    •  Windows Live Messenger
      • HKCU\Software\Microsoft\MSNMessenger\AntiVirus
    • Miranda
      • %USERPROFILE%\Application Data\Miranda\PROFILEFOLDER\PROFILEFILENAME.dat

Beyond good ol’ Run key, Part 3

https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

  • Code-in-the-middle proxy
  • Application Registration (App Paths) hijacking
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  • Text Services (TSF)
  • DLL load order
  • IIS Server Extensions (ISAPI filters)
  • AppCertDlls
    • HKLM\CurrentControlSet\Control\Session Manager\AppCertDlls

Beyond good ol’ Run key, Part 4
https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

  • Hijacking debuggers
    • Standalone Debugger (32- and 64- bit)
      • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    • NET Debugger (32- and 64- bit)
      • HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
    • Script Debugger
      • HKCR\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32\@
  • Hijacking Process Debug Manager
    • HKLM\SOFTWARE\Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32\@
  • ServiceDll Hijack
    • ServiceDll parameter under HKLM\SYSTEM\CurrentControlSet\Services\
  • Mapi32 Stub Library
    • HKLM\Software\Clients\Mail::(default)\DLLPath
    • HKLM\Software\Clients\Mail::(default)\DLLPathEx
  • Hijacking Client executables
    • HKLM\Software\Clients\ f.ex.
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\HideIconsCommand
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ReinstallCommand
      • HKLM\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo\ShowIconsCommand
  • Windows 2000 Welcome
    • C:\WINNT\Welcome.exe via
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\tips\Show

Beyond good ol’ Run key, Part 5
https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

  • A number of Phantom DLLs that are loaded as code via LoadLibrary variants, but not present on a system in its default install

Beyond good ol’ Run key, Part 6
https://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/

  • Visual Basic persistence via
    • HKLM\SOFTWARE\Microsoft\VBA\Monitors

Beyond good ol’ Run key, Part 7
https://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/

  • Oasys (Office Automation System) loading %windir%\system32\BTLOG.DLL via
    • HKLM\SOFTWARE\Microsoft\OASys\OAClient

Beyond good ol’ Run key, Part 8
https://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/

  • Persistence via Jumplists, including Multiple Link functionality that launches more than one application with one click

Beyond good ol’ Run key, Part 9
https://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/

  • Persistence via Pinned Apps pointing to malicious components

Beyond good ol’ Run key, Part 10
https://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

  • HKCU\Software\Microsoft\Office Test\Special\Perf (used by Sofacy)
  • WWLIBcxm.DLL proxy loaded via
    • HKCU\Software\Microsoft\Office\14.0\Word

Beyond good ol’ Run key, Part 11
https://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/

  • Added large repository of autoruns mechanisms
    • http://gladiator-antivirus.com/forum/index.php?showtopic=24610
  • Persistence via modified Environment variables (permanently set inside the Registry)
    • HKCU\Environment

 

Beyond good ol’ Run key, Part 12
https://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

Beyond good ol’ Run key, Part 13
https://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/

Beyond good ol’ Run key, Part 14
https://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/

Beyond good ol’ Run key, Part 15
https://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/

Beyond good ol’ Run key, Part 16
https://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/

Beyond good ol’ Run key, Part 17
https://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/

Beyond good ol’ Run key, Part 18
https://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

Beyond good ol’ Run key, Part 19
https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/

Beyond good ol’ Run key, Part 20
https://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/

Beyond good ol’ Run key, Part 21
https://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/

Beyond good ol’ Run key, Part 22
https://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/

Beyond good ol’ Run key, Part 23
https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/

Beyond good ol’ Run key, Part 24
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

Beyond good ol’ Run key, Part 25
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/

Beyond good ol’ Run key, Part 26
https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/

Beyond good ol’ Run key, Part 27
https://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/

Beyond good ol’ Run key, Part 28
https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/

Beyond good ol’ Run key, Part 29
https://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/

Beyond good ol’ Run key, Part 30
https://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/

Beyond good ol’ Run key, Part 31
https://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/

Beyond good ol’ Run key, Part 32
https://www.hexacorn.com/blog/2015/09/12/beyond-good-ol-run-key-part-32/

Beyond good ol’ Run key, Part 33
https://www.hexacorn.com/blog/2015/10/20/beyond-good-ol-run-key-part-33/

Beyond good ol’ Run key, Part 34
https://www.hexacorn.com/blog/2016/02/16/beyond-good-ol-run-key-part-34/

Beyond good ol’ Run key, Part 35
https://www.hexacorn.com/blog/2016/03/01/beyond-good-ol-run-key-part-35/

Beyond good ol’ Run key, Part 36
https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/

Beyond good ol’ Run key, Part 37
https://www.hexacorn.com/blog/2016/03/26/beyond-good-ol-run-key-part-37/

Beyond good ol’ Run key, Part 38
https://www.hexacorn.com/blog/2016/05/27/beyond-good-ol-run-key-part-38/

Beyond good ol’ Run key, Part 39
https://www.hexacorn.com/blog/2016/05/30/beyond-good-ol-run-key-part-39/

Beyond good ol’ Run key, Part 40
https://www.hexacorn.com/blog/2016/06/02/beyond-good-ol-run-key-part-40/

Beyond good ol’ Run key, Part 41
https://www.hexacorn.com/blog/2016/07/08/beyond-good-ol-run-key-part-41/

Beyond good ol’ Run key, Part 42
https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Beyond good ol’ Run key, Part 43
https://www.hexacorn.com/blog/2016/07/28/beyond-good-ol-run-key-part-43/

Enter Sandbox – part 7: Hello, مرحبا, 您好, здравствуйте, γεια σας

Most of modern applications use Windows APIs that rely on Unicode (or, at least its subset) and as such they rely on ‘W’ versions of the APIs as opposed to older apps that used ANSI ‘A’ versions (f.ex. CreateFileW vs. CreateFileA). Of course, the native APIs rely on Unicode for a long time. Unicode makes it easy and avoids ambiguities associated with the ANSI encodings which can always be mapped to many character sets – depending on the OS/application version. This is why running old localized applications on English OS leads to some unrecognizable garbage characters shown on the UI.

The number of old apps that rely on ANSI functions is still very huge and not taking them into account makes it harder to cherry-pick some interesting clues from the samples. Some of these clues can make it to the final report as well and actually enrich it a lot.

Let’s look at an example.

An application does something, and then displays a message box with a caption ‘Îøèáêà’ saying ‘Çàïðàøèâàåìûé ôàéë íå íàéäåí’.

msgbox1
Obviously, it doesn’t tell us much.

What if we attempted to translate it blindly into Unicode using the most popular ANSI encodings?

We would get sth like this:

1250 (Central Europe)           = Îřčáęŕ
1251 (Cyrillic)                 = Ошибка
1252 (Latin I)                  = Îøèáêà
1253 (Greek)                    = Ξψθακΰ
1254 (Turkish)                  = Îøèáêà
1255 (Hebrew)                   = ־רטבךא
1256 (Arabic)                   = خّèلêà
1257 (Baltic)                   = Īųčįźą
1258 (Vietnam)                  = Îøèáêà
 874 (Thai)                     = ฮ๘่แ๊เ
 932 (Japanese Shift-JIS)       = ホ碎
 936 (Simplified Chinese GBK)   = 硒栳赅
 949 (Korean)                   = 丘矮魏
 950 (Traditional Chinese Big5) = 昮魨罻

for the caption, and for the message:

1250 (Central Europe)           = Çŕďđŕřčâŕĺěűé ôŕéë íĺ íŕéäĺí
1251 (Cyrillic)                 = Запрашиваемый файл не найден
1252 (Latin I)                  = Çàïðàøèâàåìûé ôàéë íå íàéäåí
1253 (Greek)                    = Ηΰοπΰψθβΰεμϋι τΰιλ νε νΰιδεν
1254 (Turkish)                  = Çàïğàøèâàåìûé ôàéë íå íàéäåí
1255 (Hebrew)                   = ַאןנארטגאולי פאיכ םו םאיהום
1256 (Arabic)                   = اàïًàّèâàهىûé ôàéë يه يàéنهي
1257 (Baltic)                   = Ēąļšąųčāąåģūé ōąéė ķå ķąéäåķ
1258 (Vietnam)                  = Çàïđàøèâàǻûé ôàéë íå íàéäåí
 874 (Thai)                     = วเ๏๐เ๘่โเๅ์๛้ ๔เ้๋ ํๅ ํเ้ไๅํ
 932 (Japanese Shift-JIS)       = ヌ瑜籵褌隆 鴉 淲 浯鱠褊
 936 (Simplified Chinese GBK)   = 青镳帏桠噱禧?羿殡 礤 磬殇屙
 949 (Korean)                   = 행穽星外齧荏?牒雨 張 壯藕孼
 950 (Traditional Chinese Big5) = 瀔僤魤馲檞?邍澣 翴 縺毈樇

Even without the knowledge of the specific languages it’s easy to pick up the correct mapping which is ‘Ошибка’ (meaning ‘Error’) for the caption, and ‘Запрашиваемый файл не найден’ (meaning ‘File not found’) in Russian.

We can confirm it by running it on the Russian OS:

msgbox2

The exercise above my friend is an attempt to make a sandbox polyglottic. Add some modules to recognize the most common languages and who knows, maybe it will be able to recognize that these calls to FindWindow know no linguistical boundaries and are… not too friendly:

  • Скрытый процесс запрашивает сетевой доступ
  • Hidden Process Requests Network Access
  • Ein versteckter Prozess verlangt Netzwerkzugriff.
  • Un proceso oculto solicita acceso a la red
  • Un processus cache requiert une connexion reseau.
  • Внимание: некоторые компоненты изменились
  • Warning: Components Have Changed
  • Warnung: Einige Komponenten wurden verandert.
  • Advertencia: Los componentes han cambiado
  • Avertissement : Les composants ont change
  • Menedżer Zadań Windows
  • Создать правило для
  • Create rule for
  • Regel fur
  • Crear regla para
  • Creer une regle pour
  • 瑞星杀毒软件
  • 登录信息
  • 文件保护
  • 월드 오브 워크래프트
  • 삼국지
  • 하이로우2