Saturday, August 01, 2009

More Links

Picked up this site the other day, with a post about the MS Office Visualization Tool...looks pretty cool! OffVis lets you graphically view the data structures and records within MS Office documents...neat! If you need this kind of capability and need to be able to extract metadata from Office documents, then this is a good tool to have available. If you have your copy of WFA 2/e, be sure to check out wmd.pl and oledmp.pl on the DVD...and check out chapter 8 for an example of how I've used oledmp.pl!

Hey, the Illustrious Don Weber has posted about finding malware hiding in (that's right, I said "in") the Registry (Sophos post on the same sort of thing). This is actually pretty amazing when you think about it...so how do you go about finding this sort of thing, if you suspect it? Do you do what Don did and essentially stumble across an exported DLL function or a handle to an odd Registry key during memory analysis, or can you find it another way? Remember my recent post where I mentioned least frequency of occurrence (props to Pete Silberman!)? Do something like that: parse through the entire hive file looking for values with binary (REG_BINARY) data, and (a) map them by size and (b) look for ones whose data starts with "MZ", the magic number at the head of a PE file. To get started on this, I wrote a RegRipper plugin (uploaded it to the Win4n6 Files section, and pasted it into a post on the RegRipper.net forums) that parses through any Registry hive file and looks for all values with binary data. For each value with binary data that it finds, it keeps a count and searches the binary data for "MZ", an indicator of a PE file. Keep in mind that a bare "MZ" substring will also turn up in data that isn't a PE file, so each hit is a lead to verify (for instance, by checking that the DOS header's e_lfanew field points at a "PE\0\0" signature), not a conclusion. Here's what the output looks like when the plugin is run (via rip.exe) against the file that Don was looking at:

Launching findexes v.20090728
Key: Microsoft\SysMgr
LastWrite time: Fri Jun 26 08:18:27 2009
  Value: ssdt   Length: 2464 bytes
  Value: hide   Length: 3328 bytes
  Value: door   Length: 110592 bytes

Number of values w/ binary data types: 5103
Number of values w/ MZ in binary data: 3

Pretty neat, eh?
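To make the technique concrete, here is an added Python example that does what the paragraph above describes: walk a set of Registry values, count the ones with REG_BINARY data, map them by size (the least-frequency-of-occurrence angle) and flag any whose data contains "MZ". It is my own illustration, not the findexes.pl plugin from the post, and it goes one step further than the plugin by checking each "MZ" hit for a real DOS/PE header (e_lfanew pointing at "PE\0\0") so that stray "MZ" bytes in ordinary binary data are not reported as executables. The sample values are constructed inline, so it runs without a hive; the `iter_hive_values` adapter assumes the python-registry module is installed and is only needed if you point it at a real hive file.

```python
"""Scan Registry values with binary data for embedded PE files.

Added example (not the RegRipper findexes.pl plugin): same idea as the plugin,
count REG_BINARY values, map them by size and look for "MZ", plus a stricter
check that the blob actually carries a PE header.
"""
import struct
from collections import Counter

REG_BINARY = 3          # Windows value type id for REG_BINARY
DOS_MAGIC = b"MZ"       # e_magic of the DOS header that starts every PE file
PE_MAGIC = b"PE\0\0"    # NT signature that e_lfanew points at


def find_mz_offsets(data: bytes) -> list:
    """Every offset of 'MZ' in the blob (what a plain substring search reports)."""
    offsets, pos = [], data.find(DOS_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(DOS_MAGIC, pos + 1)
    return offsets


def looks_like_pe(data: bytes, offset: int = 0) -> bool:
    """True when the blob at `offset` has a DOS header whose e_lfanew (at +0x3C)
    points at a 'PE\\0\\0' signature inside the blob. 'MZ' alone is a weak
    signal; run this on each hit before calling it an executable."""
    hdr = data[offset:]
    if len(hdr) < 0x40 or hdr[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(hdr) - 4 and hdr[e_lfanew:e_lfanew + 4] == PE_MAGIC


def scan_values(values):
    """values: iterable of (key_path, value_name, value_type, data).
    Returns the binary-value count, a size histogram, and the MZ hits."""
    binary, sizes, hits = [], Counter(), []
    for key, name, vtype, data in values:
        if vtype != REG_BINARY:
            continue
        binary.append((key, name, len(data)))
        sizes[len(data)] += 1
        offsets = find_mz_offsets(data)
        if offsets:
            hits.append({"key": key, "value": name, "length": len(data),
                         "mz_offsets": offsets,
                         "pe_header": any(looks_like_pe(data, o) for o in offsets)})
    return {"binary_values": len(binary), "entries": binary,
            "size_histogram": sizes, "mz_hits": hits}


def rare_sizes(report, max_count=1):
    """Least-frequency-of-occurrence view: binary values whose exact size
    occurs at most `max_count` times across the scanned values."""
    return [e for e in report["entries"] if report["size_histogram"][e[2]] <= max_count]


def iter_hive_values(hive_path):
    """Adapter for a real hive via python-registry (assumption: the module is
    installed and exposes root()/subkeys()/values()/value_type()/value())."""
    from Registry import Registry
    stack = [Registry.Registry(hive_path).root()]
    while stack:
        key = stack.pop()
        for v in key.values():
            data = v.value() if v.value_type() == REG_BINARY else b""
            yield key.path(), v.name(), v.value_type(), data
        stack.extend(key.subkeys())


# Constructed sample data (no real hive): one blob with a valid PE header,
# one with a stray "MZ" that is not a PE, and some ordinary small values.
def build_fake_pe(total_len=0x200):
    buf = bytearray(total_len)
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> 0x80
    buf[0x80:0x84] = PE_MAGIC
    return bytes(buf)

SAMPLE_VALUES = [
    ("Microsoft\\SysMgr", "door", REG_BINARY, build_fake_pe()),
    ("Microsoft\\SysMgr", "ssdt", REG_BINARY, bytes(range(256)) * 2),
    ("Software\\Example", "blob", REG_BINARY, b"\x10\x00MZ\x00\x00\x00\x00"),
    ("Software\\Example", "Name", 1, "REG_SZ, skipped"),
] + [("Software\\Example", f"Flag{i}", REG_BINARY, struct.pack("<I", i)) for i in range(4)]


if __name__ == "__main__":
    report = scan_values(SAMPLE_VALUES)
    for h in report["mz_hits"]:
        print(f"Key: {h['key']}  Value: {h['value']}  Length: {h['length']} bytes  "
              f"MZ at {h['mz_offsets']}  PE header: {h['pe_header']}")
    print("Number of values w/ binary data types:", report["binary_values"])
    print("Number of values w/ MZ in binary data:", len(report["mz_hits"]))
    print("Binary values whose size is seen only once:", rare_sizes(report))
```

On the constructed sample, "door" is reported with a valid PE header while "blob" is reported as an "MZ" hit without one, which is exactly the distinction you want before spending time carving a value out of a hive. Against a real hive, feed `scan_values(iter_hive_values(path))` and expect the total binary-value count to be in the thousands, as in the plugin output above, with only a handful of hits worth a second look.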

Speaking of neat tools (no, this is NOT a reference to Cory Altheide), I received this comment about ripXP over in the RegRipper.net forums this week:

This is a very slick tool, and, aside from the fact that it's free, should be a candidate for "tool of the year" if there's such a thing!

Thanks! I don't know if there is such an award, but I'm glad that someone has found the tool to be useful!

Addendum, 8/10: Symantec posted a write-up on the malware (Backdoor.Regdor) that findexes.pl was originally written to address. Something interesting about the Symantec write-up is the statement that the malware takes control of the system when the replaced version of mspmsnsv.dll is loaded by svchost.exe. Hey, wait a second...on my XP systems, mspmsnsv.dll is a file that's protected by Windows File Protection (WFP)...so shouldn't the write-up be mentioning something about WFP being subverted? Yeah, yeah, I know that malware is doing this more and more, but this is still something that needs to be said.
