Running WinDbgX on Windows 7

kao

Motivation

Main reason for writing this blog-post is the extremely crappy article by Vallejo named "Installation and First Contact With the New WinDbg". I read it, cried for a few minutes and decided to fix it.

Mandatory XKCD reference:
Someone is wrong on the Internet

Having said that, let's go through some of the most "brilliant" Vallejo's statements!

Installation

We execute WinDbg from installation shortcut and we search the main process.

Dude, when your article is called "Installation and first steps..." shouldn't you start at the beginning and tell us where to get this app and how to install it?

You need to get the app from the Windows Store: https://www.microsoft.com/store/apps/9pgjgd53tn86.

No, there is no real technical reason for that, just another attempt of Microsoft to convert you to Windows 10 and make you use their Windows Store.

To make matters worse, you need to have installed the latest and greatest update of Windows 10 to do that. There is no technical reason for that, either.

After you've jumped through all those hoops, you get this nice and shiny Windows Store app. Windows Store apps get installed under "C:\Program Files\WindowsApps\" and this one is no different. At the moment of writing the application version was 1.0.16, so it got installed into "C:\Program Files\WindowsApps\Microsoft.WinDbg_1.0.16.0_x86__8wekyb3d8bbwe".

Reparse point

The installation creates another exe here: C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe. It is zero bytes, and if you try, for example, to copy it, you can’t.

Because it's a reparse point, not an EXE file.

Windows 10 processes bundled Windows Store application's AppxManifest.xml and creates appropriate appExecutionAlias'es:

    
      
      
        
          
            
              .run
              .dmp
              .mdmp
              .hdmp
              .kdmp
              .ndmp
            
          
        
        
          
            
          
        
      
    

Same thing goes for all other applications Vallejo "found" under C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\, like dbgsrv64.exe:

    
      
      
        
          
            
          
        
      
    

You can read more about aliases on MSDN: Start your app by using an alias.

Fsutil

I have not found a tool or way to manage or get information about these files.

Ever tried fsutil? It's been part of Windows since Windows7.. πŸ˜€

Here's output of fsutil reparsepoint query WinDbgX.exe:

As you can see, it's a reparse point with a tag 0x8000001b (IO_REPARSE_TAG_APPEXECLINK).

Sure, you can Google for that - but it won't tell you much, except that it's not really documented and should be left alone.

Command-line

Old windbg.exe accepted parameters with β€œ-β€œ, for example -k. New Windbg needs /k parameter to pass the connection configuration

Bullshit! In fact, WinDbgX accepts any of 4 different delimiters: "-", "–", "β€”", "/" and combinations of those..

Ok, that was enough criticism for one day. Let's do something more constructive!

Running WinDbgX on Windows 7

Remember how I said that there is no technical reason why WinDbgX should be available only on Windows 10 and only as a store app? There really isn't. πŸ™‚

Here's WinDbgX running on my Windows 7 and debugging one of the FLARE2017 crackmes:

It's actually a really simple fix.

  1. You need to copy all the files from your Windows 10 machine to your other machine (Windows 7 in my case). It's as simple as selecting all files in "C:\Program Files\WindowsApps\Microsoft.WinDbg_1.0.16.0_x86__8wekyb3d8bbwe" and copy-pasting them. Don't worry about the reparse points in C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\, we'll fix that later.
  2. If you try to run DbgX.Shell.exe on Windows 7, it will fail with Exception:
    ***FATAL ERROR ENCOUNTERED***
    2017-11-21:20:01:12:504 : Error : DbgX.dll : (E) System.TypeLoadException: Could not find Windows Runtime type 'Windows.ApplicationModel.Package'. ---> System.PlatformNotSupportedException: Operation is not supported on this platform.
       --- End of inner exception stack trace ---
       at DbgX.DbgEngModule.SetDbgSrvOverridePathIfNeeded(Boolean use64Bit)
       at DbgX.DbgEngModule.DebugCreateOutOfProc(Boolean use64BitDebugger, Boolean shouldElevate)
       at DbgX.EngineThread.ThreadProc()
    System.TypeLoadException: Could not find Windows Runtime type 'Windows.ApplicationModel.Package'. ---> System.PlatformNotSupportedException: Operation is not supported on this platform.
       --- End of inner exception stack trace ---
       at DbgX.DbgEngModule.SetDbgSrvOverridePathIfNeeded(Boolean use64Bit)
       at DbgX.DbgEngModule.DebugCreateOutOfProc(Boolean use64BitDebugger, Boolean shouldElevate)
       at DbgX.EngineThread.ThreadProc()
    
  3. Let's look at that code in DbgX.dll using dnSpy:

    It's crashing on the Package.Current.Id.FamilyName, as this function is available only for Windows Store apps.

    As a simple hack, we can replace this call with an empty string. Better hack would be to use the proper folder based on the actual WinDbgX path. But the simple way will do for our demo..

  4. Using "Edit IL instructions" function in dnSpy, replace first 4 instructions with ldstr and nops:
  5. Save the module. If saving fails, remove read-only attribute from DbgX.dll and try again.
  6. Since we chose a simple hack, create folder C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\
  7. Depending on your OS (32- or 64-bit), copy files from WinDbgX\X86 or WinDbgX\amd64 folder to C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\. Rename dbgsrv.exe to dbgsrv32.exe or dbgsrv64.exe accordingly.
  8. Run the DbgX.Shell.exe shell now. It will work just fine!

There are 3 more places in DbgXUI.dll, DbgX.Util.dll and Extensions\DbgX.External.dll that might need similar fixes. But that's behind the scope of this article.

Conclusion

It is true that classic WinDbg looks really dated. So, I can totally understand why Microsoft would want to create a replacement with a better UI. However, WinDbgX falls short on everything - its installation via Windows Store is brain-dead stupid, its user interface is confusing (who would look at Model->Change Query to change debugger settings?!) and severely limited (no multiple Memory windows, seriously?). If it was a school project, it wouldn't get even a B-. But for some reason, Microsoft insists that this is the only way forward. Oh, well.. πŸ™

At least, the DLLs are not obfuscated, so someone can take them and make a much better UI.. πŸ˜‰

Have fun!
kao.

Complicated state machines – or how Unit42 “discovered” .NET Reactor

kao

While browsing through my RSS reader, I ran into article from 09-Oct-2017, called OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan.

One part in the article caught my attention:

The β€œRun” method calls functions that has a state machine that dictates the actions taken. At a high level, these state machines attempt to create a process and inject the constructed payload into the newly created process. The use of state machines complicates analysis efforts because it makes the flow of execution jump around in a non-sequential fashion.
...
The state values jump around dramatically, which requires an analyst to also jump around the code to determine its functionality. This is an interesting anti-analysis technique we have not seen the OilRig actors use in their other tools.

.NET? State machines? Complicated technique we haven't seen before? Show me, show me, show me! πŸ˜€

Finding the DLL was relatively easy, finding the method they were describing was much harder. In the end I had to search for the constant "19" they mentioned in the article.. So, here is the method, in all its beauty:

If you're screaming "Dude, that code is obfuscated!", you're right. It is obfuscated.

If you're screaming "It's .NET Reactor!", you've spent too much time reversing .NET applications.

But you're right. It's easy to recognize the .NET Reactor by first few instructions, method renaming pattern and plenty of other things.

Have you heard of de4dot?

Let's try to run de4dot on this dll:

F:\>F:\de4dot-appveyor\de4dot.exe d.dll --dont-rename

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected .NET Reactor (F:\d.dll)
Cleaning F:\d.dll
ERROR:
ERROR:
ERROR:
ERROR: Hmmmm... something didn't work. Try the latest version.


Press any key to exit...

So, apparently, the latest versions of de4dot are buggy. Let's use an older version:

F:\>F:\de4dot-3.0.2\de4dot.exe d.dll --dont-rename

de4dot v3.0.2.3405 Copyright (C) 2011-2013 de4dot@gmail.com
Latest version and source code: https://bitbucket.org/0xd4d/de4dot

Detected .NET Reactor (F:\d.dll)
Cleaning F:\d.dll
Saving F:\d-cleaned.dll


Press any key to exit...

And let's look at the method again.

Strings are still unreadable, but where's the state machine? It's gone! Because it was never part of the OilRig actors toolkit, it was just a part of .NET Reactor control-flow obfuscation. πŸ™‚

Decode strings and rename few variables and you'll see a very ordinary RunPE (aka. process hollowing) code:

Lessons learned

The lesson is simple - you should know the subject you're writing about. And if you don't know something, ask your friends and colleagues. Otherwise you'll just embarrass yourself and your company.

Further reading

If you want to learn more about this malware, I would suggest reading analysis by DarkMatter. At least they can identify .NET Reactor correctly. πŸ˜‰