Environment… is variable

I love environment variables. They are often post-worthy, and sometimes they are just plain cool.

Yet, many are still not known. Many are still not described.

Looking for ‘easy’ research targets inside the Windows directory, one can scan executables and DLLs for either a string or an import reference to the functions that operate on environment variables (the names below are prefixes: GetEnvironmentVariable and SetEnvironmentVariable match both the A and W exports, ExpandEnvironment matches ExpandEnvironmentStringsA/W as well as RtlExpandEnvironmentStrings, GetEnv and setenv match the CRT getenv/putenv family):

  • RtlSetEnvironmentVariable
  • setenv
  • SetEnvironmentVariable
  • GetEnv
  • GetEnvironmentVariable
  • ExpandEnvironment

These produce really interesting hits!
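The string side of that hunt can be scripted. The scanner below is an added example, not code from the original post: it treats each name as a prefix, looks for it both as a narrow string (how import hint/name entries and GetProcAddress arguments sit in a PE) and as a UTF‑16LE wide string (how L"..." literals sit in the binary), and reports the offset, encoding and full symbol of every hit. The same `find_refs` helper can be pointed at any other name once you know what to look for, such as CURL_HOME or COPYCMD. The function list `ENV_API_PREFIXES` and the `SAMPLE` bytes are constructed for this example; a real run walks `C:\Windows\System32`.

```python
import re
from pathlib import Path

# Prefixes to hunt for (an assumption of this example, extended from the list
# above with the Rtl and GetEnvironmentStrings relatives). Each prefix also
# matches its A/W variants and the CRT spellings such as _wgetenv_s / _putenv_s.
ENV_API_PREFIXES = [
    "RtlSetEnvironmentVariable",
    "RtlExpandEnvironmentStrings",
    "SetEnvironmentVariable",
    "GetEnvironmentVariable",
    "GetEnvironmentStrings",
    "ExpandEnvironmentStrings",
    "getenv",
    "putenv",
    "setenv",
]


def compile_patterns(names):
    """Build one regex for narrow (ASCII) hits and one for wide (UTF-16LE) hits.

    Names are prefixes: an optional leading "_" or "_w" and any trailing
    identifier characters are swallowed into the reported symbol, so
    SetEnvironmentVariable reports SetEnvironmentVariableW and getenv
    reports _wgetenv_s.
    """
    ascii_alt = b"|".join(re.escape(n.encode()) for n in names)
    ascii_re = re.compile(rb"(?:_w?)?(?:" + ascii_alt + rb")[A-Za-z0-9_]*")
    # Interleave a NUL after every character to get the UTF-16LE shape.
    wide_alt = b"|".join(
        b"".join(re.escape(ch.encode()) + b"\x00" for ch in n) for n in names
    )
    wide_re = re.compile(rb"(?:" + wide_alt + rb")(?:[A-Za-z0-9_]\x00)*")
    return ascii_re, wide_re


def find_refs(data: bytes, names):
    """Return (offset, encoding, symbol) for every narrow or wide hit, ordered by offset."""
    ascii_re, wide_re = compile_patterns(names)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in wide_re.finditer(data)]
    return sorted(hits)


def scan_directory(root, names=ENV_API_PREFIXES, globs=("*.exe", "*.dll")):
    """Yield (path, hits) for every file under `root` that references any of `names`."""
    root = Path(root)
    for pattern in globs:
        for path in root.rglob(pattern):
            try:
                data = path.read_bytes()
            except OSError:
                continue
            hits = find_refs(data, names)
            if hits:
                yield path, hits


# Constructed stand-in for a slice of a PE (not taken from any real binary):
# an import hint/name table with two kernel32 entries, a CRT import, a narrow
# string and two wide strings.
SAMPLE = (
    b"\x00KERNEL32.dll\x00GetEnvironmentVariableW\x00SetEnvironmentVariableA\x00"
    b"CURL_HOME\x00_wgetenv\x00"
    + "RtlExpandEnvironmentStrings_U".encode("utf-16-le") + b"\x00\x00"
    + "COPYCMD".encode("utf-16-le")
)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for path, hits in scan_directory(root):
        symbols = sorted({sym for _, _, sym in hits})
        print(f"{path}: {', '.join(symbols)}")
```

A string scan is deliberately blunt: it also lights up binaries that only mention the API in a log message, and it says nothing about which code path calls it. It is the triage step; the hits still need a look in a disassembler, which is where the variable names themselves (like the GUID-named one below) come from. A proper import-table walk with a PE parser is the complementary check when you want only real imports.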

Looking at the code of puiobj.dll (PrintUI Objects DLL) we find a weirdly named environment variable, F2ED815E-5F18-4860-A8F2-16471D53C5CF, which takes an integer value that seems to be a flag controlling how printer queue jobs are presented.

Looking at curl.exe we see the familiar CURL_HOME reference that can alter the way curl works (configuration file location).

xcopy.exe takes the value of COPYCMD into consideration.

In 2022 no one remembers mswsock.dll, but it also uses environment variables:

  • SanTcpBypass
  • SanResizeDisable
  • SanRecvPollCount

The same goes for oleaut32.dll:

Many environment variable tricks are known by now. Today I posted on Twitter and Mastodon about the use of environment variables inside LNK files which, while not really a proper evasion since the shell functions are processed within the context of the executing process, may give attackers some new opportunities too.

But there is always more…

Environment variables are very, very prevalent and all over the place. Many of them are kinda invisible, e.g. many batch files and the aforementioned LNK files rely a lot on them, and many of them are batch-file specific, often used internally and not very well documented.

Here’s a snapshot of various environment variables (many of which are not very well known, I think) present inside the LNK and BAT files on a Windows 10 system with Visual Studio, Bonjour, Npcap, PowerShell and Python installed:

  • %ARGS%
  • %AUT%
  • %AUTDIR%
  • %CABOUTPUT%
  • %CD%
  • %CLIENTPATH%
  • %CRT%
  • %CURRDIR%
  • %CabOutput%
  • %CommandPromptType%
  • %CommonProgramFiles%
  • %DEVENVDIR%
  • %DIR%
  • %DIRECTIVEFILE%
  • %DevEnvDir%
  • %DoDump%
  • %Dot11Support%
  • %ERRORLEVEL%
  • %ExtensionSDKDir%
  • %FSHARPINSTALLDIR%
  • %Framework40Version%
  • %FrameworkDIR32%
  • %FrameworkDIR64%
  • %FrameworkDir%
  • %FrameworkDir32%
  • %FrameworkDir64%
  • %FrameworkVersion%
  • %FrameworkVersion32%
  • %FrameworkVersion64%
  • %HOMEDRIVE%
  • %HOMEPATH%
  • %IFCPATH%
  • %INCLUDE%
  • %KEY_NAME%
  • %LEGACY_MACHINE_SETUP_LOGS_PATH%
  • %LIB%
  • %LIBPATH%
  • %LOCALAPPDATA%
  • %LoopbackAdapter%
  • %MACHINE_AMD64_SETUP_LOGS_PATH%
  • %MACHINE_I386_SETUP_LOGS_PATH%
  • %NETFXSDKDir%
  • %NPCAP_DIR%
  • %OUTPUTDIR%
  • %OutputDir%
  • %PATH%
  • %PERMACHINECLIENTPATH64%
  • %PERMACHINECLIENTPATH86%
  • %PERMACHINE_START_MENU_PATH%
  • %PERUSER_START_MENU_PATH%
  • %PROCESSOR_ARCHITECTURE%
  • %PROGRAMDATA%
  • %PROMPT%
  • %PYTHONHOME%
  • %ProgramFiles%
  • %ProgramW6432%
  • %RANDOM%
  • %RETURNCODE%
  • %SDK%
  • %SENDMAIL%
  • %SID%
  • %SQUISHRUNNER%
  • %SQUISHSERVER%
  • %START_TYPE%
  • %ScriptName%
  • %SendMail%
  • %SyncLogsExclude%
  • %SyncSettingsExclude%
  • %SystemRoot%
  • %TARGET%
  • %TEMP%
  • %TEMPFILE%
  • %TESTCASE%
  • %TESTSUITE%
  • %TEST_INCLUDE%
  • %TEST_LIB%
  • %TMP%
  • %UCRTVersion%
  • %USERPROFILE%
  • %UniversalCRTSdkDir%
  • %VCIDEInstallDir%
  • %VCINSTALLDIR%
  • %VCLIB_GENERAL_OVERRIDE%
  • %VCToolsInstallDir%
  • %VCToolsVersion%
  • %VCVARS_USER_VERSION%
  • %VC_ATLMFC_IncludePath%
  • %VC_ExecutablePath_ARM_ARM%
  • %VC_ExecutablePath_ARM_ARM64%
  • %VC_ExecutablePath_ARM_x64%
  • %VC_ExecutablePath_ARM_x86%
  • %VC_ExecutablePath_x64_ARM%
  • %VC_ExecutablePath_x64_ARM64%
  • %VC_ExecutablePath_x64_x64%
  • %VC_ExecutablePath_x64_x86%
  • %VC_ExecutablePath_x86_ARM%
  • %VC_ExecutablePath_x86_ARM64%
  • %VC_ExecutablePath_x86_x64%
  • %VC_ExecutablePath_x86_x86%
  • %VC_IFCPath%
  • %VC_LibraryPath_ATL_ARM%
  • %VC_LibraryPath_ATL_ARM64%
  • %VC_LibraryPath_ATL_ARM64EC%
  • %VC_LibraryPath_ATL_ARM64EC_spectre%
  • %VC_LibraryPath_ATL_ARM64_spectre%
  • %VC_LibraryPath_ATL_ARM_spectre%
  • %VC_LibraryPath_ATL_x64%
  • %VC_LibraryPath_ATL_x64_spectre%
  • %VC_LibraryPath_ATL_x86%
  • %VC_LibraryPath_ATL_x86_spectre%
  • %VC_LibraryPath_VC_ARM%
  • %VC_LibraryPath_VC_ARM64%
  • %VC_LibraryPath_VC_ARM64EC%
  • %VC_LibraryPath_VC_ARM64EC_Desktop%
  • %VC_LibraryPath_VC_ARM64EC_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM64EC_OneCore%
  • %VC_LibraryPath_VC_ARM64EC_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM64EC_Store%
  • %VC_LibraryPath_VC_ARM64_Desktop%
  • %VC_LibraryPath_VC_ARM64_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM64_OneCore%
  • %VC_LibraryPath_VC_ARM64_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM64_Store%
  • %VC_LibraryPath_VC_ARM_Desktop%
  • %VC_LibraryPath_VC_ARM_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM_OneCore%
  • %VC_LibraryPath_VC_ARM_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM_Store%
  • %VC_LibraryPath_VC_x64%
  • %VC_LibraryPath_VC_x64_Desktop%
  • %VC_LibraryPath_VC_x64_Desktop_spectre%
  • %VC_LibraryPath_VC_x64_OneCore%
  • %VC_LibraryPath_VC_x64_OneCore_spectre%
  • %VC_LibraryPath_VC_x64_Store%
  • %VC_LibraryPath_VC_x86%
  • %VC_LibraryPath_VC_x86_Desktop%
  • %VC_LibraryPath_VC_x86_Desktop_spectre%
  • %VC_LibraryPath_VC_x86_OneCore%
  • %VC_LibraryPath_VC_x86_OneCore_spectre%
  • %VC_LibraryPath_VC_x86_Store%
  • %VC_VC_IncludePath%
  • %VIRTUAL_ENV%
  • %VS160COMNTOOLS%
  • %VSCMD_ARG_APP_PLAT%
  • %VSCMD_ARG_CHAMELEON%
  • %VSCMD_ARG_CLEAN_ENV%
  • %VSCMD_ARG_HELP%
  • %VSCMD_ARG_HOST_ARCH%
  • %VSCMD_ARG_NO_EXT%
  • %VSCMD_ARG_STARTDIR%
  • %VSCMD_ARG_TGT_ARCH%
  • %VSCMD_ARG_VCVARS_SPECTRE%
  • %VSCMD_ARG_VCVARS_VER%
  • %VSCMD_ARG_WINSDK%
  • %VSCMD_ARG_no_logo%
  • %VSCMD_BANNER_SHELL_NAME_ALT%
  • %VSCMD_BANNER_TEXT_ALT%
  • %VSCMD_DEBUG%
  • %VSCMD_SKIP_SENDTELEMETRY%
  • %VSCMD_START_DIR%
  • %VSCMD_TEST%
  • %VSCMD_VCVARSALL_INIT%
  • %VSCMD_VER%
  • %VSINSTALLDIR%
  • %WORKINGDIR%
  • %WORKINGDIRONEDRIVE%
  • %WindowsLibPath%
  • %WindowsSDKDir%
  • %WindowsSDKLibVersion%
  • %WindowsSDKNotFound%
  • %WindowsSDKVersion%
  • %WindowsSDK_ExecutablePath_x64%
  • %WindowsSDK_ExecutablePath_x86%
  • %WindowsSdkBinPath%
  • %WindowsSdkDir%
  • %WindowsSdkVerBinPath%
  • %cmd%
  • %computername%
  • %comspec%
  • %dir%
  • %errorlevel%
  • %findSDK%
  • %match%
  • %originPolicy%
  • %result%
  • %returnValue%
  • %scriptPath%
  • %systemroot%
  • %temp%
  • %windir%
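A list like the one above can be harvested mechanically. The Python below is an added example, not code from the original post, and covers both file types: for batch files it pulls `%NAME%`, `!NAME!` and the `%NAME:~0,3%` / `%NAME:a=b%` forms while ignoring `%%f` loop variables and `%~dp0`-style argument modifiers; for shortcuts it carves the EnvironmentVariableDataBlock (signature 0xA0000001) and IconEnvironmentDataBlock (0xA0000007) defined in [MS-SHLLINK] by their fixed 0x314-byte header, and also picks `%NAME%` out of the wide StringData fields (target, arguments, working directory). Names are kept with the case they were written in, which is why the snapshot above contains both %DIR% and %dir%. `SAMPLE_BAT` and `SAMPLE_LNK` are constructed inputs; the LNK one is only a header-shaped prefix plus the fields the carver looks at, not a valid shortcut.

```python
import re
import struct
from pathlib import Path

# %NAME%, !NAME! (delayed expansion) and the substring/replace forms
# %NAME:~0,3% / %NAME:a=b%. Loop variables (%%f) and argument modifiers
# (%1, %~dp0) fail the [A-Za-z_] start or the closing delimiter and are skipped.
_BATCH_REF = re.compile(r"([%!])([A-Za-z_][A-Za-z0-9_]*)(?::[^%!\r\n]*)?\1")
# The same %NAME% shape in UTF-16LE, as it appears in LNK StringData fields.
_WIDE_REF = re.compile(rb"%\x00((?:[A-Za-z_]\x00)(?:[A-Za-z0-9_]\x00)*)%\x00")

# [MS-SHLLINK] extra data blocks that carry an environment-expandable path.
# Both are 0x314 bytes: BlockSize, BlockSignature, TargetAnsi[260], TargetUnicode[520].
_ENV_BLOCK_SIZE = 0x314
_ENV_BLOCK_NAMES = {
    0xA0000001: "EnvironmentVariableDataBlock",
    0xA0000007: "IconEnvironmentDataBlock",
}


def batch_env_refs(text: str) -> list[str]:
    """Distinct variable names referenced by batch-style text, sorted."""
    return sorted({m.group(2) for m in _BATCH_REF.finditer(text)})


def lnk_env_blocks(data: bytes) -> list[tuple[str, str, str]]:
    """Carve environment data blocks out of raw .lnk bytes by their fixed
    (BlockSize, BlockSignature) header instead of walking the whole structure,
    so truncated or otherwise odd shortcuts still yield what they contain."""
    found = []
    for sig, name in _ENV_BLOCK_NAMES.items():
        header = struct.pack("<II", _ENV_BLOCK_SIZE, sig)
        pos = data.find(header)
        while pos != -1:
            body = data[pos + 8 : pos + _ENV_BLOCK_SIZE]
            if len(body) == _ENV_BLOCK_SIZE - 8:      # skip a block cut off by truncation
                ansi = body[:260].split(b"\x00", 1)[0].decode("latin-1")
                wide = body[260:].decode("utf-16-le", "replace").split("\x00", 1)[0]
                found.append((name, ansi, wide))
            pos = data.find(header, pos + 1)
    return found


def analyze_lnk(data: bytes) -> dict:
    """Environment blocks plus every %NAME% seen in narrow or wide text."""
    names = set(batch_env_refs(data.decode("latin-1")))
    names.update(m.group(1).decode("utf-16-le") for m in _WIDE_REF.finditer(data))
    return {"blocks": lnk_env_blocks(data), "env_refs": sorted(names)}


def build_env_block(target: str, signature: int = 0xA0000001) -> bytes:
    """Serialize one environment data block (used here to construct sample input)."""
    ansi = target.encode("ascii").ljust(260, b"\x00")
    wide = target.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<II", _ENV_BLOCK_SIZE, signature) + ansi + wide


# Constructed samples, not taken from any real system.
SAMPLE_BAT = """@echo off
setlocal enabledelayedexpansion
set "OUTPUTDIR=%TEMP%\\build"
for %%f in (*.c) do echo %%f
if "%VSCMD_ARG_TGT_ARCH%"=="" set VSCMD_ARG_TGT_ARCH=x64
echo !OUTPUTDIR! %PATH:~0,3% %~dp0 %1 %RANDOM%
"""
SAMPLE_LNK = (
    b"L\x00\x00\x00"                                  # HeaderSize = 0x4C
    + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # LinkCLSID
    + b"\x00" * 56                                    # rest of the 76-byte header, zeroed
    + "-nop -w hidden -c %ARGS%".encode("utf-16-le")  # stands in for COMMAND_LINE_ARGUMENTS
    + build_env_block(r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe")
    + build_env_block(r"%SystemRoot%\System32\shell32.dll", 0xA0000007)
    + b"\x00\x00\x00\x00"                             # TerminalBlock
)


def harvest(root) -> dict[str, list[str]]:
    """Map every .bat/.cmd/.lnk under `root` to the variable names it references."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            if path.suffix.lower() in (".bat", ".cmd"):
                refs = batch_env_refs(path.read_text(errors="replace"))
            elif path.suffix.lower() == ".lnk":
                refs = analyze_lnk(path.read_bytes())["env_refs"]
            else:
                continue
        except OSError:
            continue
        if refs:
            report[str(path)] = refs
    return report


if __name__ == "__main__":
    import sys
    for path, refs in harvest(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(refs))
```

Carving by header rather than parsing the full ShellLinkHeader, LinkTargetIDList and LinkInfo chain is a deliberate choice for a triage script: it needs no third-party parser and keeps working on shortcuts that a strict parser rejects. The cost is that a 0x314/0xA0000001 pair sitting by accident inside some other data would be reported too, so treat the output as candidates to review, not as ground truth.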

Cracking Zeppelin

A few days ago Brian Krebs published a piece about Zeppelin key cracking, so… since I was also involved in recovering files for some of the ransomware gang’s victims, I thought I would add my few cents…

Back in 2020, I was approached by one of my clients to have a quick look at a particular Zeppelin ransomware sample; and as you can imagine, I was immediately skeptical. It’s really unlikely that one can crack the crypto of modern ransomware, so I pretty much threw in the towel immediately, kinda by default.

BUT…

I was also aware of the work of Lance James and his Unit 221B on this particular malware strain and… that offered some hope…

I decided to try to factor these keys myself, and what followed was a VERY intense week where I had to very quickly learn how to use and pay for AWS, how to allocate its resources, and how to fix lots of other people’s bugs in software that was, by that time, full of legacy assumptions and, for lack of a better word, in need of a lot of troubleshooting and ‘code massaging’.

But the rewards were there, waiting…

The morning I saw the first cracked key I was ecstatic. I didn’t care about the money this was earning me, I didn’t care what bill I would have to pay AWS; here I was, breaking the damn ransomware! We were able to recover the client’s files. Just like that!

Working in the cybersecurity space can be quite daunting; we often see ‘bad’ things, we live ‘failure’ every day. Yet the moment I managed to crack the first key was a moment of triumph. Not all is lost. We are actually helping. We matter. It’s cheesy as hell, but there is no better satisfaction than disrupting the bad, for good.

And… it did happen again. I spent a lot of time cracking other keys, but we did beat them. For the cost of a few hundred dollars on AWS each time, we beat them, every single time.