When USBVirusScan launches the program that was specified as argument upon insertion of a removable drive, it will provide debug information regarding the launching of this program.

In case of failure to launch the program, the debug info will include the error message from the Windows API:

If successfully launched, the debug info will include the process ID of the launched program:

USBVirusScan is a 32-bit application, but it works fine on 64-bit Windows. It can launch 64-bit programs without problems, except Windows’ own applications that come in 32-bit and 64-bit versions. For example, if you configure USBVirusScan to launch calc.exe on 64-bit Windows 7, it will launch the 32-bit version of calc.exe and not the 64-bit version. This is due to the WOW64 filesystem redirection mechanism. USBVirusScan has an option (-w) to disable this WOW64 filesystem redirection (only for USBVirusScan, not for your other programs). Disabling WOW64 filesystem redirection allows USBVirusScan to launch the 64-bit version of calc.exe.

I’ve added a couple of columns with info I need (the Filename, the process Creation time and a 32/64 bit indicator).

And this new version also enables the debug privilege to display info for processes of other users. Of course, you need the debug privilege in first place for this to work. So you have to be a local admin, and if you use an OS with UAC, you have to elevate the Excel application (run as administrator).

TaskManager.xls works on 64-bit Windows, provided you use 32-bit Excel. It doesn’t work on 64-bit Excel yet, I’ll release a new version that does later.

Download:

TaskManager_V0_0_3.zip (https)

MD5: BF40B4317C7E04E1F65B8CEE55ED3A7A

SHA256: 0D48C2E6986F1DD8FA3A0671A1A53F0FC489923701963031FDC4FA516603EEC1

You can get it from the Mozilla site.

For example, to load DLLs hook-createprocess.dll and EnforcePermanentDEP.dll inside process acrord32.exe, you configure this:

acrord32.exe    hook-createprocess.dll;EnforcePermanentDEP.dll

Download:

LoadDLLViaAppInit_V0_0_0_2.zip (https)

MD5: F458DAEAB1A3E68870EE0608E2A1FFFC

SHA256: 9C8BA52A68893F33E0019CC64264C24A7EEC09C5D0DAE6F43C110ACFD45E621F

Foxit Software has release a new version to issue a warning when using a /Launch action, like Adobe Reader does:

The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now!

This means that Foxit Software changed the way arguments are passed to the launched application (in the previous version, it didn’t work per the PDF standard, and that’s why I had to use a workaround). I draw some interesting conclusions from this:

1. Nobody used the /Launch action in Foxit Reader with arguments. It didn’t work, and I assume Foxit would have received bug reports about this and fixed it by now.
2. Nobody used the /Launch action in Foxit Reader with arguments via the workaround. Because this fix breaks the workaround, and I assume Foxit would not have broken a feature used by some of its users.
3. From 1. and 2., I can say nobody used the /Launch action in Foxit Reader with arguments.

Adobe Reader has a Trust Manager setting to disable opening non-PDF attachments with external applications.

This setting also disables the /Launch action:

For more details about the PoC, I refer to my interview on the Eurotrash Security podcast.

• searching for Unicode
• searching for Hex code
• printing of neighbouring bytes

Unicode support is rather simple: I consider Unicode as ASCII with 2 bytes per character, last byte always equals 0.

Usage case of hexcode search: search for embedded and encoded PE-file by searching for the PE-magic bytes MZ:

XORSearch -h malware.exe 50450000

Remember that XORSearch is not limited to win32, you can compile it on *nix too: cc -o XORSearch XORSearch.c

Download here.

You can download bpmtk version 0.1.6.0 here.

Hook-createprocess.dll is a DLL that patches the process into which it is loaded to prevent it from creating new processes. It does this by patching the Import Address Table of kernel32.dll for ntdll.dll to hook API functions NtCreateProcessEx, NtCreateProcess and NtCreateUserProcess.
Calls to these functions are intercepted and not passed on to the original functions. Instead, a code is returned indicating that the operation was blocked. The result is that functions in kernel32 used to create new processes fail (like WinExec) and hence that the patched process can’t create new processes.
This is all it takes to block most shellcode found in malicious documents like PDF malware. Shellcode like this does the following:

Of course, since this protective measure is taken by patching the process, shellcode could undo this patching and bypass our protection. Or it could use the ntdll API and not be hindered by our patch. But actual malware found in-the-wild doesn’t do this (not talking about targeted attacks) and is thus prevented from executing the trojan it just downloaded or extracted from the PDF document.

If you want better protection, you’ll have to use something that works at the level of the kernel, like sandboxing software.

However, this patch comes with some drawbacks, because it also blocks bening new processes. For example, the update function of Adobe Acrobat requires the creation of a new process. To reenable the creation of processes, you have to unload hook-createprocess.dll (unloading removes the hooks). bpmtk has a function to unload DLLs from a process (reject).

There are a couple of trick to load this DLL with the program you want to protect. I’ll describe a generic method in an upcoming post, but now I want to explain it for a specific program.
Programs have a list of DLLs they need for their execution. We will use a PE-file editor to add our hook-createprocess.dll to this list. hook-createprocess.dll exports a dummy function (_Dummy) just so you can add to the imports table of an executable. We will use LordPE to add hook-createprocess.dll with _Dummy to Adobe Reader:

Right-click the Import table:

And don’t forget to save…

You can download it here or get it from the Mozilla site. I’ve nominated it to leave the Sandbox. If you use it, please post a review on the Mozilla page to help it on its way out of the the Sandbox (or keep it there if it’s too buggy).