Leveraging the command line for windows: malware analysis and forensics. Part I
cmd.exe – Leveraging the command line for windows: malware analysis and forensics. Part I Abstract : The command prompt for windows is a dark horse of sorts. Long time windows users appreciate it to a certain extent, though linux converts and other OS geeks tend to disregard it, owing to some really great features available on their shells. Windows has always supported the GUI paradigm and has long moved on from its early DOS days when the command line actually mattered. In modern workspaces full of interactive user interfaces and ever improving graphics hardware and software, where does cmd.exe fit in? Most users don’t really bother with it as even basic networking seems to be over their heads. However, as security professionals it’s just fine if we get more comfortable with this undervalued gem. In spite of WMIC and Powershell which will be delved upon as well, you might agree that the convenience of these power tools might not be evident on every system, considering that XP is still the most used OS. Here I aim to describe some of the useful commands that I use to get some better results during my own analysis sessions. I always follow the “streamlining your toolkit” agenda, wherein I make the maximum use with minimum effort required. The analogy for tech musicians (if you are one) would be paint by numbers music composition using building blocks as arrangement atoms. That surely beats the effort required to compose a ninth every now and then, I suppose. Further for us malware reversers are the lines between discriminating analysis and forensics. They are futile as the complexity is only going up with each new malware and exploit. Taking a memory dump of an infected system to get the malware bare and naked is the first step. Then you carve out the sections from the dump and thereafter proceed to static disassembly analysis to get more in depth data to do the network forensics on the debugged executable. How do you really differentiate which is which in terms of the workflow techniques? The more you know the better (more like all roads lead to Rome). Let’s get to it, it will be concise and fast. Discovering the commands. Realize that most of these commands are complete programs that are invoked from the terminal using their executable names (ipconfig/netstat). Of course quite a few are inbuilt (for/cd). To start cmd.exe type cmd at the run command box in XP/Windows 7 from the start menu. It helps to start the command prompt (hereafter referred to as cmd) in admin mode for better access to system resources (like firewall access) or the cmd will give ‘access denied’ error messages without the cool music and graphics in the movies. You will see the default banner message on cmd startup as well as the familiar command prompt defaulting on the root drive as configured in your OS installation (normally C:[Windows Directory]). To get a summary of the commands supported in cmd type help. You will get a listing as shown below. It certainly helps to paginate the list but default buffer size allows you to view it by scrolling the display up and down. To paginate use the more command after preceding with a pipe symbol on your keyboard | (with a single space before and after). Hereafter use /? After a command string get the list of switches and the command format if needed. Type cd .. repeatedly to get to the root directory. Here two levels are crossed back to get to C:. In case more levels are required in one shot, the use of .. repeatedly in one line as per the level of ascendance required. To illustrate: If the current directory is , C:Test1Test2> To get to C: using this method, you would type C:Test1Test2>cd …. Pagination.. C:help | more To do a headcount of the number of commands supported implicitly by cmd: C:help | find /c /v “” Notice the piping to the find command as well as passing the switches /c (count) and /v (inverse/avoid) and then “” as a dummy string. As it turns out, carriage return and line feeds (CR+LF) is not recognised by find. Another quirk is that a specific search string has to be limited to the ones not containing a r or n (environment newline) in text metadata. In order to circumvent this deficit and get the line count the “” string pair works fine. We will also use the findstr command to use regex like expressions to search strings or use wildcards (* is the most commonly used wildcard – “5*”, will search and find all strings beginning with 5). It essentially does a line count and accommodating for the line wrapping by the default count of 100 on Windows 7. Still manageable? These 100 or so commands provide the maximum leverage to get the most information from your system. To clear the screen as you will need to at some point type cls. There are some basics that need to be addressed regarding the standard output, input and error streams. These are default streams (bytes of data) supported by the cmd program and can be programmatically accessed as well using other utilities with cmd. Standard output provides the string display for the command(program) results on successful execution. Any error or software exception is put through to the error stream. All user inputs are handled in the input stream. Piping is a common use in terminals/shells like cmd and the pipe symbol | enables you to input or pipe the output of one command to the next one in linear sequence. Using Boolean logic like && (AND) and II (OR) during piping enables us to add a logical component to our rote list and certainly adds value to more complex command sequences. The thing to remember is that the command after the logical AND would be executed only if the preceding one has succeeded, whereas the OR would run only if the preceding one failed. We will see some instances this later in this article. C:> start <application.exe> && notepad.exe C:data.dat To append to or create a new file to store the command outputs, it requires you to use the >> or > signs respectively. For example, to store the output of tasklist default tabular text format to a text file named ‘process list.txt’, you type the following: C:>tasklist >> “process list.txt” Feeding and input in cmd would require you to use the < sign. As in C:>find /i “svchost” < “process list.txt” The /i switch for the find command is used for case insensitivity (a and A are equivalent). This is useful also in the case of the dir command as the outputs contain a mix of upper and lowercase, so the search will only be partial if not done while activating case insensitivity. Notice the use of quotations for a space in the name string. Extensions are definitely not mandatory, so save to ‘.dat’ also works as it’s just the string bytes in ASCII that are saved. Spaces are not supported by cmd for filenames unless wrapped around ” “. It’s really simple to verify what was stored in what using the simple type command. This command displays the contents of a file in the cmd std output (hereon std referring to standard). In order to visualize what was communicated and stored in the file you type the following code to get the relevant output: C:type “process list.txt” To use basic sorting to be done on any result use the sort command. More like pipe a prior command to sort sans any arguments as it has none related to sorting order (ascending by default). Use Tasklist | sort to sort the list alphabetically according to the image names (the first column). To navigate around and manipulate the directory tree use the dir family of commands and its other counterparts: rmdir, mkdir and cd. These are pretty well known and require just the directory path or file path and can actually identify which is which. Rmdir(rd also works) removes a folder. Mkdir creates or makes a new directory and cd changes the directory. Rename renames a file or folder. A few things to remember; the . or the dot symbol is used to denote the current directory. This is the directory where the filesystem related activities are executed in the context of the running command prompt. To run a file if it is present in the current directory as shown by the command prompt, just typing its name would be suffice or otherwise the explicit path will have to be provided if it’s not in the current path. A caveat though, there is a native affiliation with .com extension executables and cmd does a current directory search where the .com executable is executed first if a conflicting executable with the same filename but no extension is typed in the command line, even if there is a .exe extension executable of the same name. Try renaming a sampleApp to sampleApp.com in the same directory for this test. Say, sampleApp.com and the sampleApp.exe both are in the same folder. Navigate to that folder to make it the current directory. Typing ‘sampleApp.exe’ in full would certainly execute the sampleApp.exe in the system32 folder. But just type sampleApp and the .com renamed executable will execute instead. To verify the same use process explorer or the taskmgr.exe task manager. Go to the Processes tab view and to the View ->Select columns menu item and choose the Image Path Name checkbox to enable the image path column as well. See the difference between the two executions. This would also mean that a masquerading application could just rename itself to a .com one and launch itself earlier than the original executable in spite of being in the same folder. The use of the command cmd /c enables any application to use the command line environment to launch and run programs as well as commands without the cmd display coming up on any window. Cmd /k would enable the window to be visible for that command execution. This certainly enables covert installation of programs and is misused quite a bit, as it’s a simple but effective method. The use of the TAB key and the SHIFT+TAB modifiers enable you to complete fast searches like feature. To cycle around the directory names and files in a given path and to forward the searches press TAB and to go in reverse type SHIFT+TAB. This fills up the path of the file or folder present in the display and saves the user the detailed typing for long names. The dir command is very useful indeed with its various modes to filter out the names and filesystem characteristics. C:>dir /a/b This gives a basic listing of all directory and file attributes with even hidden and system files read into view. ‘Dir /a’ gives the detailed listing of every folder and files more than the default dir. The attribute switch takes H as a parameter to filter and display only hidden files. The D switch is used to filter only directory names. Use the /P switch to pause the screen so that it can be a handful and not a mouthful to deal with. To display only hidden directories in given path, type C:>Dir /aHD /b Apparently case sensitivity works for commands, though regarding path names and commands themselves they are case insensitive. Use – (minus) to negate a specific property. C:dir /a-H-D /b , would display only the non hidden files in bare format. The need for recursive searches might be useful and the /S switch gets it just right and parses all the underlying subdirectories in the parent folder. The options for file attributes like S for system files, A for archived files and R for read-only files get more specific for the /a switch. Further the use of application specific data format files or user data for an application can be stored using reparse point(s). These points are leveraged by Windows to find hardlinks for external media contained files and filesystem filters for the type of data format in question. There are certain conditions Windows requires to utilise reparse points. Look at the following, for example: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365503(v=vs.85).aspx The /T switch displays the timestamps for Creation, Last Access and Last Written. Another forensics related important data that can be revealed without any special 3rd party tool is the infamous alternate data stream for the NTFS filesystem. The /R switch displays any alternate stream in the final output. Hiding a malware in something as innocuous as a text file is done in a single line. Leveraging the use of cmd /c (no window), this is in fact used by malware creators as a very easy way to maintain stealth. Cmd /c type malware.exe > config.ini:malwarefile.dat Note the use of the : (colon operator) and the stream name thereafter. The type command does not display the stream so you will have to use another application like a hex editor or even Notepad, using commandline. C:>Notepad config.ini:malwarefile.dat The line above will open the file in notepad. Replace notepad with the application of your choice. Further multiple streams can exist within the same target carrier file as well. Directories can also be used to hide data streams. Knowing the owner of a specific file can help differentiate the ownership(s) of a certain filesystem entity, the /Q switch gives us that information. (Don’t use the /b switch or else the details will be excluded). Sorting features are also in provision by using the /O switch to sort by name (N), file size, date among others options; A very handy command. The DNS cache of recently accessed websites can be catalogued using the ipconfig command with the /displaydns switch. To view the list of commands typed in the cmd terminal, use: C:Doskey /history Notice that the output also includes this command. The default command buffer is about 50 commands and this can be increased to accommodate more or less (if required) by specifying the size at the /LISTSIZE=<size value> switch The find command is useful indeed in order to quickly filter out and extract the lines containing a particular string in another command output. Just append the string in quotes after the find command along with the associated switches as needed. C:dir /aH /b | find “<suspicious file name>” To type in special characters do use the ^ (SHIFT+6) to add the symbol to the string on terminal. To use the strings of modifiers as modifiers (if needed) precede the modifier string by the ^ symbol, such as ‘^CTRL’. Pressing ESC removes the current string typed or chosen giving a blank path to start with. Use the navigation keys in the keyboard UP, DOWN to cycle between the histories of previously typed commands. The Tree command displays the filesytem in a graphical-text mode. The /F switch displays the name of each file in a folder. Attrib is useful to reset the file or directory attribute to a new one. Often, the links and files downloaded or installed by malware hide them by making them system files and hidden at the same time. Provided you find such files, the folder options by itself will not be suffice and the use of attrib for that file/folder would be: C:>Attrib –H –S <path of file/folder> For a more recursive result, if you find that lots of files and folders are hidden within the target directory, use the /S /D switch to apply the command to all subfolders as well. Ftype provides a more detailed view of the type of file in question as well as the command strings enabled files in greater detail. By default it displays a lot of information so it’s best to pipe the command and see the details page by page or save the list to a new file. %1 and %* are used to denote the command strings for a specific file. SET can be used to view and add paths to the Windows environment variables and the SETEXT command can be used to set an extension in the environment. ASSOC (association) can be utilised to change or view the file type associations. FC is useful for quick comparison between two files. I use it to do a quick handle diffing using the handle.exe from Sysinternals and piping the output to fc in cmd /c mode and outputting the std output to a Windows form with graphics enabled in order to do a live interaction on the form itself and scroll down as it reads from the streams. Thus the first snapshot is taken plain on a clean system and the second one is taken when I want it, after the infection, to see if any handles have been created that persist. You could also take snapshots in burst mode to see if any transient handles were created during infection of the OS. Without getting to process explorer, the tasklist command is quite handy and resourceful to get a lot of info very quickly. Further, the support of filters enables us to drill down to exactly what we might be searching for. By default, it displays a long list in a tabular format of the processes and its various properties. Typing tasklist /? Gives us a plethora of command switches to extract information and filter it. Specifically, the /SVC switch and the /M <module name i.e. exe or dll> switch are particularly useful during a session. To search for a specific DLL module that may be loaded in the running processes type: C:>tasklist /m “suspicious.dll” C:>tasklist /im malware.exe To terminate a specific process use the /T (and /F or force if required) switch as C:>tasklist /pid 2390 /pid 1390 /T /F C:>tasklist /im “malware.exe” /T The /FI switch gives maximum leverage when used properly. To search for a specific windowtitle, services, imagename, pid, modules or status (running/not responding/unknown), you can use Boolean logic to be more decisive. They also can be chained. The following command will extract the relevant data from the process list and display it. C:>tasklist /fi “modules eq suspicious.dll” /fi “imagename eq malware.exe” /fi “windowtitle eq xthhryu_VUCLASS” /fi “imagename ne mtest.exe” Taskkill is the command to use to kill a running process or service. It utilizes the same filter format and switches to be more specific and detailed. If you require more cmd windows than the one open, type start to open another one. Optionally, if there is an application to run type the application name after start. SC specifies the services and a lot of info can be gleaned from this commands output. Sc query gives a comprehensive listing of all services status. Openfiles is used to view the files that are opened remotely from local shares. Easy and quick, it enumerates the open handles and their sources. SystemInfo has been used by many malware creators for documenting the system parameters and choosing to either activate specific functions or upload the data so. Conversely we can use it to quickly list out the relevant system information. The Driverquery /v command gives you a very detailed view of the installed and running attributes of device drivers on your system. The Driverquery /si command gives you information on signed drivers. Admin privilege is required to use these features. Netstat –ano and netstat –anb are 2 very useful commands to analyze network activity. The first gives a list of the owing processes for each network connection active, and the second can be used to locate the associated binary name as a triage to pinpoint the source of the offending or stealth connection(s). Higher port numbers in the ephemeral range and LISTENING/ESTABLISHED status are some of the things to monitor. Remember to double check them as legitimate apps also use the same mechanisms and channels. Netstat –ab –proto gives a brief of the kind of network protocol in use. Kind of like a quick and dirty wireshark. Netstat –s gives a per protocol statistics. Netstat <insert time value> allows the timing between each successive and repeated display of the netstat command. Eg. Netstat 1 runs netstat in cmd after every second. Netstat –f gives the fully qualified domain name for each connection. You basically get the site domain name as well as any mail exchange servers or name servers in use. Handy. Bcdedit Bootdebug /ON enables debugging on the current OS, if you want to connect Windbg later on. Requires a reboot. Conclusion : We have taken a tour de force of the battery of commands issued to us by our friendly cmd.exe and how its various quirks and nuances can be utilized to our full advantage, especially for malware analysis and associated forensics. In the next part we will delve into actual live scenarios and some interesting commands where I have utilized them to much advantage.