{"id":6810,"date":"2019-10-03T22:20:43","date_gmt":"2019-10-03T22:20:43","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6810"},"modified":"2019-10-04T08:28:53","modified_gmt":"2019-10-04T08:28:53","slug":"im-so-excited","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/10\/03\/im-so-excited\/","title":{"rendered":"I’M SO excited"},"content":{"rendered":"\n

MSO.DLL is a ‘magic’ Microsoft Library that is HUUUUUGE in size and does most of the Microsoft Office work. I have been massaging it for many years and always doing so with a feeling that I am not understanding anything at all. And I really do not even pretend to have any grasp of any piece of it, but I decided to describe what I found out so far, because it may lead us to some places new.<\/p>\n\n\n\n

Okay… Where do we start?<\/p>\n\n\n\n

MSO.DLL is literally 25MB+ long. It’s a HUUUUUGE DLL. It is crazy, it is loco, it exports 9K APIs last time I checked and many of them via ordinal only. IDA won’t help, and any attempts to analyze it in a conventional way end up with a big, giant, mix of who-knows-what. This code is doing lots of great work, but who knows how it works… I mean… really…<\/p>\n\n\n\n

In any case… Adding _any_ sense to such a big pile of code is useful. How? For starters, we can identify wrappers. What are these wrappers? It turns out that MSO.DLL exports a lot of functions that do nothing but wrapping common Windows API around. <\/p>\n\n\n\n

I know, we need an example…<\/p>\n\n\n\n

Take MSO #222. This function requires two arguments: address of a buffer, and its size. It then fills in that buffer with… yup… whatever a call to GetComputerNameW provides — it just passes the arguments to the final Windows API! Oh, wrappers are easy!<\/p>\n\n\n\n

When I spotted this the first time I started digging more and noticed that there is a clearly visible pattern inside mso.dll that tells us about many exported APIs being nothing more but wrappers. If we are patient enough we may effortlessly identify a meaning of many MSO exported functions by just looking at the wrapped APIs they encapsulate…!<\/p>\n\n\n\n

And to give a quick, although non-nonsensical demo…. when we run a following export API via rundll:<\/p>\n\n\n\n

rundll32 MSO.DLL, #2310<\/p><\/blockquote>\n\n\n\n

it gives us this message:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It’s just one of 9K APIs that we just understood at the most possible lowest level — it is not implemented and we can all move on!<\/p>\n\n\n\n

Divide and conquer approach apparently works. The below list summarizes the wrapper info I could gather so far; the arguments these functions take is a different story, but what’s interesting is that they do wrap lots of common APIs which could be abused in many way.<\/p>\n\n\n\n

For starters, imagine an .exe that instead of loading and using common advapi32 or user32.dll APIs to deliver some functionality, proxies it via an existing mso.dll. Ouch. Try to filter this stuff out Mr EDR Threat Hunter!<\/p>\n\n\n\n

Yup. Wrapping is condoming. And condoming is avoiding signatures. And to be clear and avoid any doubt: I can imagine a malware taking an advantage of MSO.DLL and delivering lots of its functionality via the wrapped API Calls. Try to sandbox or EDR it out. Good luck!<\/p>\n\n\n\n

In any case… here’s the list I gathered so far:<\/p>\n\n\n\n

MSO_4367 TlsGetValue
MSO_865 TlsSetValue
MSO_5901 _InterlockedIncrement
MSO_8719 _InterlockedIncrement
MSO_3166 _InterlockedIncrement
MSO_4565 _InterlockedIncrement
MSO_7857 _InterlockedIncrement
MSO_844 RegSetValueExW
MSO_8234 TlsFree
MSO_8768 _InterlockedIncrement
MSO_6388 GetSystemMetrics
MSO_3762 RegQueryInfoKeyW
MSO_3213 GetSysColor
MSO_2727 CreateFontIndirectW
MSO_3029 CompareFileTime
MSO_2833 RegQueryValueW
MSO_7454 GetFileSizeEx
MSO_5917 GetDriveTypeW
MSO_6874 GetTempPathW
MSO_8807 CreateSemaphoreExW
MSO_2466 ShowWindow
MSO_6184 EnumFontFamiliesExW
MSO_6682 UrlMkSetSessionOption
MSO_472 LoadCursorW
MSO_9153 GetKeyboardLayoutList
MSO_6866 GetKeyboardLayout
MSO_4285 AlphaBlend
MSO_1613 SetWindowTextW
MSO_9656 SetCursor
MSO_7047 pow
MSO_1322 SHGetSpecialFolderLocation
MSO_6104 GetFileVersionInfoSizeW
MSO_1029 GetFileVersionInfoW
MSO_1500 VerQueryValueW
MSO_2182 MsoFreePv
MSO_2790 GetWindowLongW
MSO_150 CoInternetGetSession
MSO_3646 SendMessageA
MSO_9800 CopyFileW
MSO_3854 GetComputerNameW
MSO_9474 CreateStdAccessibleObject
MSO_2772 GlobalFree
MSO_6086 CopyFileExW
MSO_6642 GlobalLock
MSO_5402 GlobalSize
MSO_7213 GlobalUnlock
MSO_2563 GetDateFormatEx
MSO_4787 MsoDwRegGetDw
MSO_1603 GetKeyState
MSO_2137 SetTimer
MSO_5880 KillTimer
MSO_4342 SystemParametersInfoW
MSO_3543 MsoPwchStripWtz
MSO_4298 FindMimeFromData
MSO_5716 PostMessageW
MSO_4008 GetVolumeInformationW
MSO_3230 ClosePrinter
MSO_8164 GetAsyncKeyState
MSO_6862 DefWindowProcW
MSO_3611 SetWindowLongW
MSO_2213 SetRect
MSO_8526 StartDocW
MSO_3668 GetTextMetricsA
MSO_6277 WTSUnRegisterSessionNotification
MSO_2998 WTSRegisterSessionNotification
MSO_3627 LresultFromObject
MSO_6992 LoadAcceleratorsW
MSO_1197 CopyAcceleratorTableW
MSO_1656 DestroyAcceleratorTable
MSO_1222 GetTimeFormatEx
MSO_222 GetComputerNameW
MSO_9746 GlobalAlloc
MSO_1645 GetObjectW
MSO_2208 HlinkOnNavigate
MSO_307 CoInternetCompareUrl
MSO_1769 SendMessageA
MSO_811 ShowWindow
MSO_5519 IpcFreeMemory
MSO_4234 IpcGetErrorMessageText
MSO_2310 MessageBoxW
MSO_8408 SendMessageA
MSO_392 SendMessageA
MSO_2497 SendMessageA
MSO_5559 SendMessageA
MSO_941 SendMessageA
MSO_9758 AppendMenuW
MSO_1938 InsertMenuW
MSO_9278 log
MSO_2662 exp
MSO_489 TransparentBlt
MSO_7070 AccessibleObjectFromWindow
MSO_8160 DragQueryPoint
MSO_626 ExtractIconExW
MSO_1501 DragQueryFileW
MSO_2695 ExtractIconW
MSO_9235 SHGetDesktopFolder
MSO_3353 ShellExecuteW
MSO_1363 PathQuoteSpacesW
MSO_879 PathFindFileNameW
MSO_441 PathUnquoteSpacesW
MSO_8683 PathRemoveFileSpecW
MSO_9005 CoInternetParseUrl
MSO_2388 CopyStgMedium
MSO_9793 CoInternetQueryInfo
MSO_3998 CreateURLMonikerEx
MSO_2397 InternetCloseHandle
MSO_7846 InternetReadFile
MSO_352 InternetQueryOptionW
MSO_401 InternetSetOptionW
MSO_1364 InternetOpenW
MSO_437 HttpQueryInfoW
MSO_7998 InternetCanonicalizeUrlW
MSO_4107 InternetCrackUrlW
MSO_4662 GetPrivateProfileIntW
MSO_5487 GetProfileIntW
MSO_614 FreeLibrary
MSO_4224 FormatMessageW
MSO_7302 CallWindowProcW
MSO_8062 GlobalFlags
MSO_9445 MapViewOfFileEx
MSO_33 CreateFileMappingW
MSO_6589 MsoFRegSetWz
MSO_2033 OleSetClipboard
MSO_4704 HlinkUpdateStackItem
MSO_9546 HlinkSetSpecialReference
MSO_3343 RegisterMediaTypeClass
MSO_7797 RegisterBindStatusCallback
MSO_9678 RevokeBindStatusCallback
MSO_8675 SetWindowPos
MSO_769_SEH _CxxFrameHandler3
MSO_6604_SEH _CxxFrameHandler3
MSO_7603_SEH _CxxFrameHandler3<\/p>\n","protected":false},"excerpt":{"rendered":"

MSO.DLL is a ‘magic’ Microsoft Library that is HUUUUUGE in size and does most of the Microsoft Office work. I have been massaging it for many years and always doing so with a feeling that I am not understanding anything … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6810"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6810"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6810\/revisions"}],"predecessor-version":[{"id":6817,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6810\/revisions\/6817"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}