{"id":4003,"date":"2016-12-15T22:41:29","date_gmt":"2016-12-15T22:41:29","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4003"},"modified":"2016-12-15T22:43:16","modified_gmt":"2016-12-15T22:43:16","slug":"supporting-dynamic-malware-analysis-with-winhttp-library-debug-logs-tracing","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/supporting-dynamic-malware-analysis-with-winhttp-library-debug-logs-tracing\/","title":{"rendered":"Supporting dynamic Malware Analysis with WinHttp library debug logs (tracing)"},"content":{"rendered":"<p>Dynamic Malware Analysis is a tricky business. If you don&#8217;t use a dedicated sandbox, or an API monitor, it&#8217;s often hard to say what&#8217;s going on under the hood. Relying on differential analysis may not be enough, and having multiple ways to get more information out of the session is always welcome. Process Monitor, DebugView, Performance\/ETW logging, etc. are really handy as a support for black-box analysis, and so is (or may be) enabling the NtGlobalFlag. In this post I will describe one more hidden flag that can help to trace what&#8217;s going on when malware runs.<\/p>\n<p>It turns out that the WinHttp library has a built-in debugging\/tracing mechanism that enables it to log a lot of interesting details and send them either to a file, or directly to a debugger (or both). Lo and behold &#8211; it actually has built-in API monitoring for us! It would be handy if this feature could become an integral part of popular debuggers (or an OllyDbg\/Xdbg plug-in).<\/p>\n<p>To enable the logging, you can either add the tracing options directly to the Registry under the following key:<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing<\/li>\n<\/ul>\n<p>f.ex. 
by using a reg file:<\/p>\n<pre>Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing]\r\n\"Enabled\"=dword:00000001\r\n\"LogFilePrefix\"=\"winhttp\"\r\n\"ToFileOrDebugger\"=dword:00000000\r\n\"ShowBytes\"=dword:00000001\r\n\"ShowApiTrace\"=dword:00000001\r\n\"MaxFileSize\"=dword:01312d00<\/pre>\n<p>or use the winhttptracecfg tool, which is part of the <a href=\"https:\/\/download.microsoft.com\/download\/8\/e\/c\/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057\/rktools.exe\">Windows Server 2003 Resource Kit Tools<\/a>.<\/p>\n<p>The tool is handy, and we can run it like this:<\/p>\n<ul>\n<li>winhttptracecfg -l winhttp -e 1 -d 0 -s 1 -t 1 -m 20000000<\/li>\n<\/ul>\n<p>Running the tool gives us the following output:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/winhttp.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4004\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/winhttp-300x96.png\" width=\"500\" height=\"160\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/winhttp-300x96.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/winhttp.png 645w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>The meaning of the options is as follows:<\/p>\n<ul>\n<li>-e : 1: enable tracing; 0: disable tracing<\/li>\n<li>-l : [trace-file-prefix], i.e., &#8220;C:\\Temp\\Test3&#8221;; or simply: &#8220;Test3&#8221;<\/li>\n<li>-d : 0: output to file; 1: output to debugger; 2: output to both<\/li>\n<li>-s : 0: show HTTP headers only; 1: ANSI output; 2: Hex output (note: this doesn&#8217;t seem to work on newer versions of Windows)<\/li>\n<li>-t : 1: enable top-level API traces; 0: disable top-level API traces<\/li>\n<li>-m : Maximum size the trace file can grow to<\/li>\n<\/ul>\n<p>and in our case:<\/p>\n<ul>\n<li>-e 1 &#8211;&gt; TracingEnabled: 1 
&#8211;&gt; enable tracing<\/li>\n<li>-d 0 &#8211;&gt; ToFileOrDebugger: 0 &#8211;&gt; save to file only<\/li>\n<li>-s 1 &#8211;&gt; ShowBytes: 1 &#8211;&gt; show ANSI output (tested on Windows XP)<\/li>\n<li>-t 1 &#8211;&gt; ShowApiTrace: 1 &#8211;&gt; enables API monitoring<\/li>\n<li>-m 20000000 &#8211;&gt; MaxFileSize: 20000000 &#8211;&gt; file should be large enough<\/li>\n<li>-l winhttp &#8211;&gt; FileNamePrefix: winhttp &#8211;&gt; prefix used for the file name<\/li>\n<\/ul>\n<p>Let&#8217;s run a test.<\/p>\n<p>One tool that uses the WinHttp library is Autoruns. When you launch it with tracing enabled, you should see a log file created immediately (or almost immediately), f.ex.:<\/p>\n<ul>\n<li>winhttp-autoruns.exe-4020.22.11.42.035-12.15.2016.LOG<\/li>\n<\/ul>\n<p>where &#8216;winhttp&#8217; is the prefix we provided in the tracing options, followed by the process name &#8216;autoruns.exe&#8217;, then 4020, which is the PID of the process, then the time and date.<\/p>\n<p>Example content looks as below; note that:<\/p>\n<ul>\n<li>API calls and their parameters are clearly visible<\/li>\n<li>Return values are provided<\/li>\n<li>Lots of internal state-related debug info is also provided<\/li>\n<\/ul>\n<p>(If you don&#8217;t see the .log file, check the file \/ process with VirusTotal)<\/p>\n<pre>22:11:42.035 ::&gt;&gt;&gt;&gt; WinHttp Version 6.0 Build 6.1.7601 &gt;&gt;&gt;&gt;Process autoruns.exe [4020 (0xfb4)] started at 22:11:42.035 12\/15\/2016\r\n22:11:42.035 ::WinHttpOpen(\"Microsoft-CryptoAPI\/6.1\", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY (0), \"\", \"\", 0x0)\r\n22:11:42.035 ::winhttp-dll added a reference to winhttp.dll (via LoadLibrary() call)\r\n22:11:42.035 ::thread-pool created\r\n22:11:42.035 ::thread pool initialized successfully\r\n22:11:42.035 ::_SvcsStartup() succeeded; async-count = 1\r\n22:11:42.035 ::WinHttpOpen() returning handle 0x38fcb98\r\n22:11:42.035 ::WinHttpSetTimeouts(0x38fcb98, 0, 60000, 60000, 60000)\r\n...\r\n22:15:26.005 
::WinHttpOpen() returning handle 0x39ef730\r\n22:15:26.005 ::WinHttpConnect(0x39ef730, \"www.virustotal.com\", 443, 0x0)\r\n22:15:26.005 ::Indicate Status 0x39efad0, 0x0, WINHTTP_CALLBACK_STATUS_HANDLE_CREATED (1024), 0x12edd4 [0x39efad0], 4\r\n22:15:26.005 ::WinHttpConnect() returning handle 0x39efad0\r\n22:15:27.066 ::WinHttpOpenRequest(0x39efad0, \"POST\", \"\/partners\/sysinternals\/file-reports?apikey=4e3202fdbe953d628f650229af5b3eb49cd46\", \"\", \"\", 0x0, 0x00800000)\r\n22:15:27.066 ::Indicate Status 0x395ebe8, 0x0, WINHTTP_CALLBACK_STATUS_HANDLE_CREATED (1024), 0x2cefc84 [0x395ebe8], 4\r\n22:15:27.066 ::WinHttpCreateUrl(0x2cefc20, 0x0, 0x0, 0x2cefc70)\r\n22:15:27.066 ::\u00a0\u00a0\u00a0 WinHttpCreateUrl(); URL = (null), URL Length = 0\r\n22:15:27.066 ::\u00a0\u00a0\u00a0 WinHttpCreateUrl: error 122 [ERROR_INSUFFICIENT_BUFFER]\r\n22:15:27.066 ::WinHttpCreateUrl() returning FALSE\r\n22:15:27.066 ::WinHttpCreateUrl(0x2cefc20, 0x0, 0x2af5b8, 0x2cefc70)\r\n22:15:27.066 ::\u00a0\u00a0\u00a0 WinHttpCreateUrl(); URL = https:\/\/www.virustotal.com\/partners\/sysinternals\/file-reports?apikey=4e3202fdbe9, URL Length = 133\r\n22:15:27.066 ::WinHttpCreateUrl() returning TRUE\r\n22:15:27.066 ::WinHttpOpenRequest() returning handle 0x395ebe8\r\n22:15:27.066 ::WinHttpGetProxyForUrl(0x39ef730, \"https:\/\/www.virustotal.com\", 0x2cefd9c, 0x2cefdb4)<\/pre>\n<p>On XP, ShowBytes enables inclusion of additional data dumps for the headers, f.ex.:<\/p>\n<pre>11:51:55.106 ::*0000001* :: sending data:\r\n11:51:55.106 ::*0000001* :: 177 (0xb1) bytes\r\n11:51:55.106 ::*0000001* :: &lt;&lt;&lt;&lt;-------- HTTP stream follows below -----------------------------------------------&gt;&gt;&gt;&gt;\r\n11:51:55.106 ::*0000001* :: GET \/wpad.dat HTTP\/1.1\r\n11:51:55.106 ::*0000001* :: Accept: *\/*\r\n11:51:55.106 ::*0000001* :: User-Agent: Mozilla\/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident\/5.0; .NET5.0C; .NET5.0E)\r\n11:51:55.106 ::*0000001* :: Host: 
127.0.0.1\r\n11:51:55.106 ::*0000001* :: Connection: Keep-Alive\r\n11:51:55.122 ::*0000001* :: \r\n11:51:55.122 ::*0000001* :: \r\n11:51:55.122 ::*0000001* :: &lt;&lt;&lt;&lt;-------- End -----------------------------------------------&gt;&gt;&gt;&gt;\r\n11:51:55.122 ::*0000001* :: WinHttpSendRequest() returning TRUE\r\n11:51:55.122 ::*0000001* :: WinHttpReceiveResponse(0xaf2000, 0x0)\r\n11:51:55.122 ::*0000001* :: received data:\r\n11:51:55.122 ::*0000001* :: 67 (0x43) bytes\r\n11:51:55.122 ::*0000001* :: &lt;&lt;&lt;&lt;-------- HTTP stream follows below -----------------------------------------------&gt;&gt;&gt;&gt;\r\n11:51:55.122 ::*0000001* :: HTTP\/1.1 200 OK\r\n11:51:55.122 ::*0000001* :: Content-Length: 59745\r\n11:51:55.122 ::*0000001* :: Content-Type: text\/html\r\n11:51:55.122 ::*0000001* :: \r\n11:51:55.122 ::*0000001* :: \r\n11:51:55.122 ::*0000001* :: &lt;&lt;&lt;&lt;-------- End -----------------------------------------------&gt;&gt;&gt;&gt;<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Dynamic Malware Analysis is a tricky business. If you don&#8217;t use a dedicated sandbox, or an API monitor, it&#8217;s often hard to say what&#8217;s going on under the hood. 
Relying on differential analysis may not be enough and having multiple &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/supporting-dynamic-malware-analysis-with-winhttp-library-debug-logs-tracing\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4003"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4003"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4003\/revisions"}],"predecessor-version":[{"id":4007,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4003\/revisions\/4007"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}