Hello,
I am working on a strange case.
During malware reversing (6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d) I noticed a strange behaviour of explorer.exe.
The malware itself (a spambot) is boring, and I don't know whether the malware author did this deliberately or not, but each time you rename the malware the icon changes (not the hash, only the icon). Icons are "randomly" chosen from the icon cache. It seems to work from XP up to an up-to-date Windows 10.
https://i.imgur.com/S0vF11n.png
So I extracted the .ico itself, and it shows the same behaviour in Explorer:
https://i.imgur.com/h3Xnuu7.png
The icon is very small:

00 00 01 00 01 00 01 02 00 00 01 00 01 00 38 00
00 00 16 00 00 00 28 00 00 00 01 00 00 00 02 00
00 00 01 00 01 00 00 00 00 00 04 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 FF FF FF 00 00 00 00 00 80 00 00 00

#include <windows.h>        // BYTE, WORD, DWORD

#pragma pack(push, 1)       // on-disk layout: no padding between the header and idEntries
typedef struct
{
    BYTE  bWidth;           // 0x01, width in pixels
    BYTE  bHeight;          // 0x02, height in pixels
    BYTE  bColorCount;      // 0x00, number of colours in the palette
    BYTE  bReserved;        // 0x00
    WORD  wPlanes;          // 0x0001
    WORD  wBitCount;        // 0x0001, bits per pixel
    DWORD dwBytesInRes;     // 0x00000038, size of the image data in bytes
    DWORD dwImageOffset;    // 0x00000016, file offset of the image data
} ICONDIRENTRY, *LPICONDIRENTRY;

typedef struct
{
    WORD idReserved;        // 0x0000
    WORD idType;            // 0x0001 (icon)
    WORD idCount;           // 0x0001, number of images in the file
    ICONDIRENTRY idEntries[1];
} ICONDIR, *LPICONDIR;
#pragma pack(pop)

And I cannot find a relevant doc about the bitmap data:

00 00 00 00 FF FF FF 00 00 00 00 00 80 00 00 00
I tried to patch a legit icon with this data (header + data), and the legit icon changes on each rename.
I want to understand this behaviour, so I tried to capture some procmon traces and to debug Explorer.exe around these functions:
CExtractIconBase::Extract
CFSFolderExtractIcon::Extract
SHGetIconIndexFromPIDL
etc., but I haven't found anything interesting.
It's my first time in shell32 and the Windows UI, and it's really painful ^^.
Does anyone have an idea where I could look to understand this bug?
I found this doc https://msdn.microsoft.com/en-us/library/ms997538.aspx but it's old (1995) and not really useful for this case :/
Thanks in advance
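To make sense of the bitmap data in the dump, here is an added example (my own code, not from the post) that parses the 78 bytes above using only the standard library: it walks ICONDIR, ICONDIRENTRY and the BITMAPINFOHEADER, then splits what follows into the RGBQUAD colour table, the XOR mask and the AND mask, and classifies each pixel the way the MSDN icon article linked above describes (AND bit set with a black XOR pixel is transparent, AND bit set with any other colour inverts the screen). It assumes a palettised 1/4/8-bpp image, which is what this file is.

```python
import struct
# Constructed from the 78-byte hex dump in the post (ICONDIR, ICONDIRENTRY,
# BITMAPINFOHEADER, colour table, XOR mask, AND mask), not loaded from disk.
ICO_BYTES = bytes.fromhex(
    "00000100010001020000010001003800" "00001600000028000000010000000200"
    "00000100010000000000040000000000" "00000000000000000000000000000000"
    "0000FFFFFF000000000080000000"
)

def _bits(row, x, bpp):
    """Value of pixel x in a packed 1/4/8-bpp scanline (most significant bits first)."""
    per_byte = 8 // bpp
    shift = 8 - bpp * (x % per_byte + 1)
    return (row[x // per_byte] >> shift) & ((1 << bpp) - 1)

def parse_ico(data):
    """Parse the first image of a palettised (1/4/8 bpp) BMP-style .ico into a dict."""
    reserved, id_type, count = struct.unpack_from("<HHH", data, 0)      # ICONDIR
    if reserved != 0 or id_type != 1 or count < 1:
        raise ValueError("not an .ico directory header")
    *_, size, offset = struct.unpack_from("<BBBBHHII", data, 6)        # ICONDIRENTRY
    if offset + size > len(data):
        raise ValueError("dwImageOffset + dwBytesInRes exceeds the file size")
    bi_size, width, height2, _planes, bpp, comp = struct.unpack_from("<IiiHHI", data, offset)
    if bi_size != 40 or comp != 0 or bpp not in (1, 4, 8):
        raise ValueError("unsupported BITMAPINFOHEADER")
    height = height2 // 2                      # biHeight counts the XOR and AND masks
    pal_off = offset + bi_size                 # RGBQUAD table follows the header
    palette = [tuple(data[pal_off + 4 * i:pal_off + 4 * i + 3]) for i in range(1 << bpp)]
    xor_stride, and_stride = (width * bpp + 31) // 32 * 4, (width + 31) // 32 * 4  # 32-bit rows
    xor_off = pal_off + 4 * (1 << bpp)
    and_off = xor_off + xor_stride * height
    return {"width": width, "height": height, "bpp": bpp, "palette": palette,
            "xor_stride": xor_stride, "and_stride": and_stride,
            "xor_mask": data[xor_off:and_off], "and_mask": data[and_off:and_off + and_stride * height]}

def classify_pixels(info):
    """Top-to-bottom rows (DIBs are bottom-up): AND bit set with a black XOR colour is
    transparent, AND bit set with any other colour inverts the screen, AND bit clear is opaque."""
    w, h, bpp, xs, as_ = (info[k] for k in ("width", "height", "bpp", "xor_stride", "and_stride"))
    rows = []
    for m in reversed(range(h)):
        xr, ar = info["xor_mask"][m * xs:], info["and_mask"][m * as_:]
        row = []
        for x in range(w):
            colour = info["palette"][_bits(xr, x, bpp)]
            row.append("opaque" if not _bits(ar, x, 1) else
                       "transparent" if colour == (0, 0, 0) else "inverted")
        rows.append(row)
    return rows
```

For the dump above this yields a 1x1, 1-bpp image with a black/white palette, an all-zero XOR mask and an AND mask of 80 00 00 00, i.e. a single fully transparent pixel.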