Special Condition Data Transmission Analysis


0x00 Asking the way

Is there anything you can't get out? Let your imagination run wild.

It started at the end of 2014, when I came across Kingsoft's online malicious code analysis system "Fire Eye" (https://fireeye.ijinshan.com/). It felt quite new. I threw in some samples I had collected, and the analysis results were decent. Judging from the reports, it is a kind of sandbox detection tool: samples are thrown into virtual machines, monitoring components inside and outside the VM record the sample's various behaviours, and finally an analysis report is generated and a verdict on whether the sample is malicious is given. The report also includes screenshots of the sample at runtime.

0x01 Dark willows

So I got curious about what the sandbox looked like inside, wrote some small probe programs and threw them in: they read the environment variables, system information, network configuration, process list, services and drivers, and displayed them on their own window so that the information could be read back from the sample's analysis report.

Let me say up front: I don't dig for vulnerabilities or do reverse engineering. I'm embarrassed to say I only passed the compiler course in college on a retake. I'm just a small-time .NET code farmer.

Then I found something in the system environment variables that isn't seen elsewhere: %FEKERNEL%, pointing to the folder c:\mon\. It presumably stands for "FIRE EYE KERNEL": the core folder containing the sandbox's internal monitoring programs.

Having found this, naturally I wouldn't let it go. I wrote a program specifically to enumerate and read the entries in FEKERNEL. It turned out, however, that as soon as that folder is touched, most of the content of the sample's analysis report is hidden: everything directly or indirectly related to the FEKERNEL folder (for example, a copy of one of its files being read after it was copied) is removed. So there is some self-protection in place. Only reading the folder's size was not blocked.

0x02 Bright flowers

But once you have a goal, a path can be found. After several attempts I found a way to bypass the protection and successfully read the files in FEKERNEL together with their detailed information. The next question was how to get the content out.

It holds dozens of MB of binaries, including EXE, DLL, SYS and PDB files; the developers presumably threw the PDBs in to make their own debugging easier. How to get so much out? The first idea was the network, but the sandbox's network cannot reach the Internet, and the only output to the user is the sample's analysis report.

Then I found that a few years ago someone had written samples that wrote HTML into the registry, achieving XSS on the analysis report page, and I thought this approach was feasible. However, even if the dozens of MB of data were compressed and then Base64-encoded, it would be impossible to carry all of it out through the items the monitoring program records, because there would be far too many entries. Even on the window ............

...... Wait. Draw it on the window?

Then it clicked. That's a good solution! My first thought was to write the Base64 string on the window at the smallest legible size; then to simply use the window's pixels, one pixel per byte; then to store three bytes per pixel in its RGB components, multiplying the amount of data carried. A quick calculation showed that with this highest-density scheme, a window at its maximum size is enough to "paint" the complete compressed target data.

With the idea in hand, the thing came together directly. Since FE accepts only a single executable file as a sample, I packed everything needed into a self-extracting RAR with a post-extraction script: first bypass the protection to read everything in FEKERNEL and copy it to another location, then compress it with the bundled WinRAR.exe from the command line, open the archive in binary mode, and draw its contents onto the program's own window.

In this way I got everything in FEKERNEL. Of course, thanks are due to FE for not applying any lossy compression when processing the captured images, even though they are delivered in JPEG format.

I submitted this vulnerability to WooYun last year: "Binary leakage caused by self-protection mechanism bypass in the Fire Eye Malicious Code Analysis System".

0x03 Another village

Conclusion: when you know something exists but cannot obtain it directly, analyse calmly:

Which input factors can you control? Which limiting factors block your access to the data, and how can they be bypassed? Which outputs can you obtain, which of them can be controlled directly or indirectly through the inputs, and which output carries the largest amount of information?

Consider these three factors and analyse them carefully, and the goal is not hard to reach.
