{"id":4806,"date":"2018-04-23T22:35:28","date_gmt":"2018-04-23T22:35:28","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4806"},"modified":"2018-04-24T11:48:38","modified_gmt":"2018-04-24T11:48:38","slug":"monitoring-clipboard-a-quick-antisandbox-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/04\/23\/monitoring-clipboard-a-quick-antisandbox-trick\/","title":{"rendered":"Monitoring clipboard &#8211; a quick antisandbox trick"},"content":{"rendered":"<p>Many existing anti-sandbox tricks rely on using timers, detecting mouse movement, checking for the presence of security tools, detecting virtualization, etc. While the list of existing tricks is long, I don&#8217;t recall seeing clipboard monitoring mentioned in this context and was curious whether anyone had discussed it before. A quick Google search didn&#8217;t bring up any results, so I thought I would at least describe the high-level idea (<em>FWIW most of the stuff I found online refers to malware monitoring the clipboard in order to steal data that is copied to it &#8211; this includes <a href=\"https:\/\/volatility-labs.blogspot.co.uk\/2012\/09\/movp-12-window-stations-and-clipboard.html\">an in-depth post by Michael Ligh<\/a> who discusses it in the context of the Volatility framework.<\/em>)<\/p>\n<p>Btw. if you know of any malware that is already using this trick, it would be great if you could let me know. 
Thanks!<\/p>\n<p>As per <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms649016(v=vs.85).aspx#dataxchg_Monitoring_Clipboard_Contents\">Microsoft<\/a>, there are three ways to find out whether the clipboard content has changed; all of them rely on dedicated APIs, and two of them additionally require processing window messages:<\/p>\n<ul>\n<li>Monitoring GetClipboardSequenceNumber return value changes<\/li>\n<li>AddClipboardFormatListener + WM_CLIPBOARDUPDATE message<\/li>\n<li>SetClipboardViewer + WM_DRAWCLIPBOARD message<\/li>\n<\/ul>\n<p>There are at least two ways to incorporate these functions in an anti-sandbox routine:<\/p>\n<ul>\n<li>One can use the GetClipboardSequenceNumber API in a way similar to the rdtsc \/ GetTickCount trick and stall code execution until a decent number of clipboard changes has occurred (on the assumption that a real person is actually using the system and their CTRL+C\/CTRL+V activity will generate enough changes to trigger the payload). Note that the function returns zero when the caller has no WINSTA_ACCESSCLIPBOARD access to its window station, so a process running without clipboard access sees a counter that never moves and the payload never fires<\/li>\n<li>Using AddClipboardFormatListener \/ SetClipboardViewer requires creating a worker window that responds to the respective clipboard change window messages; each time one arrives the program increments an internal counter, and only once the threshold is met does it execute the payload<\/li>\n<\/ul>\n<p>Both are very easy to implement, and I won&#8217;t be providing PoC code as you can grab it from MSDN and\/or popular coding forums.<\/p>\n<p>So, if you write sandboxes, you may consider monitoring the use of these APIs and triggering an appropriate playbook that generates a sequence of clipboard changes to trigger the code execution.<\/p>\n<p>It&#8217;s worth mentioning that all of these APIs have Nt equivalents, exported by win32u.dll and handled in win32kfull.sys:<\/p>\n<ul>\n<li>NtUserGetClipboardSequenceNumber<\/li>\n<li>NtUserAddClipboardFormatListener<\/li>\n<li>NtUserSetClipboardViewer<\/li>\n<\/ul>\n<p>So it may be worth monitoring them at that level 
too.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many existing anti-sandbox tricks rely on using timers, detecting mouse movement, checking the presence of the security tools, detecting virtualization, etc. While the list of existing tricks is long I don&#8217;t recall seeing clipboard monitoring being mentioned in this context &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/04\/23\/monitoring-clipboard-a-quick-antisandbox-trick\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,9,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4806"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4806"}],"version-history":[{"count":8,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4806\/revisions"}],"predecessor-version":[{"id":4818,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4806\/revisions\/4818"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
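The post leaves out the PoC, so here is an editor-added example (not the post's own code, nor anything the author published) of both anti-sandbox variants described above: the GetClipboardSequenceNumber polling gate and the AddClipboardFormatListener / WM_CLIPBOARDUPDATE gate on a message-only window. The threshold values, the poll interval, the window class name and the replayed sequence numbers are all assumptions made for the example; only the parts under `_WIN32` call the real user32 APIs, and the portable core can be built and exercised on any platform with the constructed replay data.

```c
/* Editor-added example, not code from the post: the two clipboard gates the
 * post describes, with a portable core (testable off Windows) and the real
 * user32 calls under _WIN32.  Thresholds and the replay data are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600 /* AddClipboardFormatListener is Vista+ */
#endif
#include <windows.h>
#endif

typedef uint32_t (*seq_fn)(void *ctx); /* returns the current sequence number */
typedef struct { uint32_t last_seq; unsigned changes; } clip_gate;

void clip_gate_init(clip_gate *g, uint32_t seq) { g->last_seq = seq; g->changes = 0; }

/* Feed one sample; several changes between two polls collapse into one. */
unsigned clip_gate_observe(clip_gate *g, uint32_t seq) {
    if (seq != g->last_seq) { g->last_seq = seq; g->changes++; }
    return g->changes;
}

/* Variant 1 (polling): true once `threshold` changes are seen, false after
 * `max_polls` samples without reaching it (an idle, sandbox-like clipboard). */
bool clip_gate_wait(clip_gate *g, seq_fn get_seq, void *ctx,
                    unsigned threshold, unsigned max_polls, void (*pause)(void)) {
    for (unsigned i = 0; i < max_polls; i++) {
        if (clip_gate_observe(g, get_seq(ctx)) >= threshold) return true;
        if (pause) pause();
    }
    return false;
}

/* Constructed replay of sequence numbers; the last value repeats once the
 * list runs out, i.e. nobody touches the clipboard any more. */
typedef struct { const uint32_t *vals; size_t n, i; } replay_src;
uint32_t replay_seq(void *ctx) {
    replay_src *r = ctx;
    uint32_t v = r->vals[r->i < r->n ? r->i : r->n - 1];
    if (r->i < r->n) r->i++;
    return v;
}

/* Two bursts of copy/paste followed by idleness (constructed data). */
static const uint32_t demo_seq[] = {7, 7, 8, 8, 8, 9, 10, 10, 11, 12};

static bool demo_run(unsigned threshold, clip_gate *g) {
    replay_src src = {demo_seq, sizeof demo_seq / sizeof demo_seq[0], 0};
    clip_gate_init(g, demo_seq[0]);
    return clip_gate_wait(g, replay_seq, &src, threshold, 100, NULL);
}
bool demo_reached(unsigned threshold) { clip_gate g; return demo_run(threshold, &g); }
unsigned demo_changes(unsigned threshold) { clip_gate g; demo_run(threshold, &g); return g.changes; }

#ifdef _WIN32
/* Variant 2 (listener): message-only window + AddClipboardFormatListener;
 * WM_CLIPBOARDUPDATE is counted and the message loop ends at the threshold. */
static unsigned g_listen_changes, g_listen_threshold;
static LRESULT CALLBACK ClipWndProc(HWND h, UINT m, WPARAM w, LPARAM l) {
    if (m == WM_CLIPBOARDUPDATE) {
        if (++g_listen_changes >= g_listen_threshold) PostQuitMessage(0);
        return 0;
    }
    if (m == WM_DESTROY) { RemoveClipboardFormatListener(h); return 0; }
    return DefWindowProcW(h, m, w, l);
}
bool clip_gate_listen(unsigned threshold) {
    WNDCLASSW wc = {0};
    wc.lpfnWndProc = ClipWndProc;
    wc.hInstance = GetModuleHandleW(NULL);
    wc.lpszClassName = L"ClipGateWnd"; /* assumed class name */
    if (!RegisterClassW(&wc)) return false;
    HWND h = CreateWindowExW(0, wc.lpszClassName, L"", 0, 0, 0, 0, 0,
                             HWND_MESSAGE, NULL, wc.hInstance, NULL);
    if (!h || !AddClipboardFormatListener(h)) return false;
    g_listen_changes = 0; g_listen_threshold = threshold;
    MSG msg;
    while (GetMessageW(&msg, NULL, 0, 0) > 0) { TranslateMessage(&msg); DispatchMessageW(&msg); }
    DestroyWindow(h);
    return g_listen_changes >= threshold;
}
static uint32_t win_seq(void *ctx) { (void)ctx; return GetClipboardSequenceNumber(); }
static void win_pause(void) { Sleep(500); }
#endif

int main(void) {
#ifdef _WIN32
    uint32_t start = GetClipboardSequenceNumber();
    if (start == 0) /* no WINSTA_ACCESSCLIPBOARD: the counter can never move */
        puts("sequence number is 0: no clipboard access on this window station");
    clip_gate g; clip_gate_init(&g, start);
    printf("poll gate: %s\n", clip_gate_wait(&g, win_seq, NULL, 5, 240, win_pause) ? "open" : "timed out");
    printf("listener gate: %s\n", clip_gate_listen(5) ? "open" : "failed");
#else
    printf("poll gate on constructed data: %s after %u changes\n",
           demo_reached(5) ? "open" : "timed out", demo_changes(5));
#endif
    return 0;
}
```

On Windows, build as a console program and link against user32 (for MinGW: `-luser32`); the polling gate gives up after 240 samples at 500 ms, i.e. about two minutes, which is the kind of stall a sandbox playbook of scripted CTRL+C/CTRL+V would need to satisfy. The core deliberately counts distinct sequence-number values rather than the numeric distance between them, so a sandbox that bumps the counter once in a burst of writes still only registers one change per poll.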