Debugging Explorer Icon loading

Discussion on reverse-engineering and debugging.

Postby benkow_ » Sat Jan 28, 2017 5:26 pm

Hello,
I am working on a strange case.
During malware reversing (6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d) I've noticed a strange behaviour with explorer.exe.
The malware itself (a spambot) is boring, but I don't know if the malware author does this deliberately or not: each time you rename the malware, the icon changes (not the hash, only the icon). Icons are "randomly" chosen from the icon cache. It seems to work from XP to 10, up to date.
https://i.imgur.com/S0vF11n.png
So, I've extracted the ico itself and it's the same behaviour with Explorer:
https://i.imgur.com/h3Xnuu7.png
The icon is very small:
Code:
00 00 01 00 01 00 01 02 00 00 01 00 01 00 38 00
00 00 16 00 00 00 28 00 00 00 01 00 00 00 02 00
00 00 01 00 01 00 00 00 00 00 04 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 FF FF FF 00 00 00 00 00 80 00 00 00

Code:
#include <windows.h>   /* BYTE, WORD, DWORD */

/* The on-disk layout is byte-packed. Without pack(2) the compiler would
   align idEntries to a 4-byte boundary (offset 8 instead of 6) and the
   struct would no longer overlay the file. ICONDIRENTRY is declared first
   because ICONDIR embeds it. */
#pragma pack(push, 2)
typedef struct
{
    BYTE        bWidth;          // 0x01
    BYTE        bHeight;         // 0x02
    BYTE        bColorCount;     // 0x00
    BYTE        bReserved;       // 0x00
    WORD        wPlanes;         // 0x0001
    WORD        wBitCount;       // 0x0001
    DWORD       dwBytesInRes;    // 0x00000038
    DWORD       dwImageOffset;   // 0x00000016
} ICONDIRENTRY, *LPICONDIRENTRY;

typedef struct
{
    WORD           idReserved;   // 0x0000
    WORD           idType;       // 0x0001 (icon)
    WORD           idCount;      // 0x0001
    ICONDIRENTRY   idEntries[1]; // idCount entries follow the 6-byte header
} ICONDIR, *LPICONDIR;
#pragma pack(pop)

And I cannot find a relevant doc about the bitmap data:
00 00 00 00 FF FF FF 00 00 00 00 00 80 00 00 00

I've tried to patch a legit icon with this data (header + data) and the legit icon changes on each rename.

I want to understand this behaviour, so I've tried to capture some procmon traces and debug Explorer.exe around these functions:
CExtractIconBase::Extract
CFSFolderExtractIcon::Extract
SHGetIconIndexFromPIDL
etc., but I've not found anything interesting.
It's my first time in shell32 and Windows UI and it's really painful^^.

Does anyone have an idea of where I can look to understand this bug?

I've found this doc https://msdn.microsoft.com/en-us/library/ms997538.aspx but it's old (1995) and not really useful for this case :/


Thanks in advance,
benkow_
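The following is an added example (mine, not code from the post or from the malware) that parses the 78 bytes benkow_ dumped above with every size recomputed from the headers instead of trusted. It decodes the 16 trailing bytes the post asks about: for a 1-bpp DIB with biClrUsed = 0 they are the two-entry colour table (00 00 00 00 = black, FF FF FF 00 = white), one 4-byte XOR scanline (pixel = colour index 0) and one 4-byte AND scanline (0x80 = mask bit set, so the single pixel is transparent). It also reports the one inconsistency visible in the data: the ICONDIRENTRY declares a 1x2 image, while the DIB's biHeight = 2 covers XOR plus AND masks and therefore describes a 1x1 image; computing the mask sizes from the directory height would need 64 bytes where dwBytesInRes supplies 56. Whether that mismatch is what confuses Explorer is not something the thread establishes. The function and struct names (`parse_ico`, `ico_info_t`) are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 78 bytes from the hex dump in the post, transcribed into an array. */
static const uint8_t kPostedIcon[78] = {
    0x00,0x00,0x01,0x00,0x01,0x00,0x01,0x02,0x00,0x00,0x01,0x00,0x01,0x00,0x38,0x00,
    0x00,0x00,0x16,0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,
    0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00
};

typedef struct {
    unsigned dir_width, dir_height, dir_planes, dir_bitcount;       /* ICONDIRENTRY */
    uint32_t bytes_in_res, image_offset;
    int32_t  bi_width, bi_height;                                   /* BITMAPINFOHEADER */
    unsigned bi_planes, bi_bitcount;
    uint32_t bi_compression, bi_size_image;
    unsigned palette_entries, xor_stride, and_stride, image_height; /* derived */
    uint32_t expected_bytes_from_dib;  /* header + palette + masks, height = biHeight/2 */
    uint32_t expected_bytes_from_dir;  /* same, but using the directory's bHeight */
    int dims_consistent;               /* directory and DIB agree on width and height */
    int size_consistent;               /* dwBytesInRes covers what the DIB implies */
    int and_bit_first;                 /* MSB of the first AND-mask byte, 1 = transparent */
} ico_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the first image of a .ico held in buf[len]. Every read is bounds-checked and
   all sizes are recomputed. Returns 0 on success or a negative code for the failed check. */
int parse_ico(const uint8_t *buf, size_t len, ico_info_t *o)
{
    memset(o, 0, sizeof *o);
    if (len < 6) return -1;
    if (rd16(buf) != 0 || rd16(buf + 2) != 1) return -2;     /* idReserved == 0, idType == 1 (icon) */
    unsigned count = rd16(buf + 4);
    if (count < 1 || len - 6 < 16u * count) return -3;        /* directory entries must fit */

    const uint8_t *e = buf + 6;                               /* first ICONDIRENTRY */
    o->dir_width    = e[0] ? e[0] : 256;                      /* 0 encodes 256 in this format */
    o->dir_height   = e[1] ? e[1] : 256;
    o->dir_planes   = rd16(e + 4);
    o->dir_bitcount = rd16(e + 6);
    o->bytes_in_res = rd32(e + 8);
    o->image_offset = rd32(e + 12);
    if (o->image_offset > len || o->bytes_in_res > len - o->image_offset) return -4;
    if (o->bytes_in_res < 40) return -5;                      /* room for a BITMAPINFOHEADER */

    const uint8_t *h = buf + o->image_offset;
    if (rd32(h) != 40) return -6;                             /* classic DIB header only, no PNG */
    o->bi_width       = (int32_t)rd32(h + 4);
    o->bi_height      = (int32_t)rd32(h + 8);                 /* doubled: XOR mask + AND mask */
    o->bi_planes      = rd16(h + 12);
    o->bi_bitcount    = rd16(h + 14);
    o->bi_compression = rd32(h + 16);
    o->bi_size_image  = rd32(h + 20);
    uint32_t clr_used = rd32(h + 32);
    if (o->bi_compression != 0) return -7;                    /* BI_RGB only */
    if (o->bi_width <= 0 || o->bi_height <= 0 || (o->bi_height & 1)) return -8;
    if (o->bi_bitcount != 1 && o->bi_bitcount != 4 && o->bi_bitcount != 8 &&
        o->bi_bitcount != 24 && o->bi_bitcount != 32) return -9;

    o->image_height    = (unsigned)o->bi_height / 2;
    o->palette_entries = o->bi_bitcount <= 8 ? (clr_used ? clr_used : 1u << o->bi_bitcount) : 0;
    /* Scanlines are padded to 32 bits; 64-bit math so a huge biWidth cannot wrap the sums. */
    uint64_t xs = (((uint64_t)o->bi_width * o->bi_bitcount + 31) / 32) * 4;
    uint64_t as = (((uint64_t)o->bi_width + 31) / 32) * 4;
    uint64_t fixed = 40 + 4ull * o->palette_entries;
    uint64_t need_dib = fixed + (xs + as) * o->image_height;
    uint64_t need_dir = fixed + (xs + as) * o->dir_height;
    if (need_dib > 0xFFFFFFFFull || need_dir > 0xFFFFFFFFull) return -10;
    o->xor_stride = (unsigned)xs;
    o->and_stride = (unsigned)as;
    o->expected_bytes_from_dib = (uint32_t)need_dib;
    o->expected_bytes_from_dir = (uint32_t)need_dir;
    o->dims_consistent = (o->dir_width == (unsigned)o->bi_width && o->dir_height == o->image_height);
    o->size_consistent = (o->bytes_in_res >= o->expected_bytes_from_dib);
    if (o->size_consistent) {   /* only touch the AND mask once we know it is inside the buffer */
        const uint8_t *and_mask = h + fixed + xs * o->image_height;
        o->and_bit_first = (and_mask[0] >> 7) & 1;
    }
    return 0;
}

int main(void)
{
    ico_info_t i;
    int rc = parse_ico(kPostedIcon, sizeof kPostedIcon, &i);
    printf("rc=%d dir=%ux%u dib=%dx%d (image height %u) bpp=%u palette=%u\n", rc, i.dir_width,
           i.dir_height, (int)i.bi_width, (int)i.bi_height, i.image_height, i.bi_bitcount, i.palette_entries);
    printf("bytesInRes=%u needed(DIB)=%u needed(dir)=%u dims_ok=%d size_ok=%d and_bit=%d\n",
           (unsigned)i.bytes_in_res, (unsigned)i.expected_bytes_from_dib,
           (unsigned)i.expected_bytes_from_dir, i.dims_consistent, i.size_consistent, i.and_bit_first);
    return rc;
}
```

Patching the same 16 data bytes into a larger legitimate icon, as the post describes, keeps the ICONDIRENTRY dimensions of the legit icon but leaves only one scanline of each mask behind them, so the same recomputation would flag `expected_bytes_from_dir` as far larger than what the file actually carries.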

Re: Debugging Explorer Icon loading

Postby EP_X0FF » Sun Jan 29, 2017 4:36 am

I bet it is just a buffer overflow during parsing of this crafted icon corrupting internal variables, just like multiple bugs in Windows GUI unfixed for decades.
Ring0 - the source of inspiration

Re: Debugging Explorer Icon loading

Postby benkow_ » Sun Aug 06, 2017 8:53 am


