- Write a program A that launches program B<\/li>
- Program A passes a very long command line to program B<\/li>
- Program B retrieves the command line and prints out last 5 characters only<\/li><\/ul>\n\n\n\n
The idea was to check if we can use the end of that long buffer as a covert channel for two processes to exchange some data (lame IPC)…<\/p>\n\n\n\n
After testing it with 4688 and Sysmon enabled I spotted two things:<\/p>\n\n\n\n
- 4688 completely missed the process B creation<\/li>
- Sysmon log truncated the last bits of the command line (these 5 characters!!!) with ellipsis.<\/li><\/ul>\n\n\n\n
The pic below shows how 4688 log looks like:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/event_log_1.png\")
<\/a><\/figure><\/div>\n\n\n\n- We can see the invocation of the program A (first event 4688), followed by conhost.exe and then Program B is not logged at all. <\/li>
- Then we see program termination – Program A, Program B, and conhost.exe.<\/li><\/ul>\n\n\n\n
Sysmon logged a long command line, but the last bits are truncated and replaced by the ellipsis:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/event_log_2.png\")
<\/a><\/figure><\/div>\n\n\n\nThis is the invocation of ProgramB that I used (via CreateProcess):<\/p>\n\n\n\n
buffer dw 'p','r','o','g','r','a','m','B',' '\n dw 32698 dup(0FABEh)\n dw 'h','e','l','l','o'\n dw 0<\/code><\/pre>\n\n\n\nand this is what ProgramB shows:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/event_log_3.png\")
<\/a><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"How long is the command line buffer? Depends on a program… How much of command line do Sysmon, 4688 events log? A finite amount. ‘Depends’ minus ‘finite’ == opportunity. Re-visiting my old Sysmon demo where I’ve shown how to hide … Continue reading