
Extracting shellcode from office docs?


xtrm2008
March 26th, 2009, 21:12
Hello,

I am trying to figure out how to extract and/or locate shellcode that exists within MS office documents. I am pretty new to analyzing mal1c1ous office documents and trying to figure out the best way to go about it. Any tools, tips or suggestions on how everyone else is doing this would be very appreciated.

thanks!!

JMI
March 26th, 2009, 22:12
How about you satisfy the requirement of the FAQ, which you did read, didn't you, which tells you to SEARCH before you post.

Using:

shellcode MS documents

I got 90,400 hits, many, even on the first page, which appear to get you started in the right direction. There are many other combinations one could try.

http://www.google.com/search?hl=en&q=shellcode+MS+documents&aq=f&oq=

How about YOU start your own homework and then come back and tell us what you have found. This is supposed to be an adventure in "self-study" with the emphasis on "self." We ALL need a hand, now and then, but, so far, you have not indicated that you have done ANYTHING in the way of "self-help" and that is something we require here.

Regards,

binjo
March 27th, 2009, 05:06
I have the same feeling when you don't know where to start disassembling in the malicious office document, specifically when you don't know its format. What I usually do is load it into IDA, and try to binary search 60/EB/33, because most of the exploits have some sort of decrypt layer, and try to convert it as code, and try again and again and again...

xtrm2008
March 27th, 2009, 07:31
Obviously the first place I tried was Google, but most of the stuff that I read and ran across didn't go into how to go about extracting or finding the shellcode in the docs, which is what I was after.

Anyhow thanks for the "Useful" reply binjo. I'll give what you suggested a try.

JMI
March 27th, 2009, 10:30
Perhaps if you had considered actually stating you had attempted to search, you would not have had to hear from me.

However, there are so many references to the subject on the net, it is difficult to assume that you actually did very much looking into the subject matter.

Regards,

pmb
April 14th, 2009, 19:01
You can have a look at Bruce Dang's slides from Recon; he gave some tricks to analyze malicious office documents.

Presentation title: Methods for analyzing malicious Office documents.

http://www.recon.cx/2008/a/bruce_dang/recon08_final.zip

Cheers.

binjo
April 15th, 2009, 08:17
Really good stuff
Thanks a lot

binjo
June 2nd, 2009, 04:51
just came across this great tool, I think it's worth sharing with you ;-p

Quote:

OfficeMalScanner is a MS office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis.
http://www.reconstructer.org/code/OfficeMalScanner.zip


the output
Code:

#OfficeMalScanner.exe 301d3e6dff463163c15e9a612048a001 scan debug

+------------------------------------------+
| OfficeMalScanner v0.41 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+

SCAN mode selected
Opening file 301d3e6dff463163c15e9a612048a001
Filesize is 838144 (0xcca00) Bytes
Valid file format found.
Scanning now...

FS:[30h] (Method 1) signature found at offset: 0xa07

64A130000000 mov eax, fs:[30h]
8B400C mov eax, [eax+0Ch]
8B701C mov esi, [eax+1Ch]
AD lodsd
8B4008 mov eax, [eax+08h]
5E pop esi
C3 ret
60 pushad
8B6C2424 mov ebp, [esp+24h]
8B453C mov eax, [ebp+3Ch]
8B542878 mov edx, [eax+ebp+78h]
03D5 add edx, ebp
8B4A18 mov ecx, [edx+18h]
8B5A20 mov ebx, [edx+20h]
03DD add ebx, ebp
E334 jecxz $+36h
--------------------------------------------------------------------------

API-Hashing signature found at offset: 0xa3f

7407 jz $+09h
C1CF0D ror edi, 0Dh
03F8 add edi, eax
EBF4 jmp $-0Ah
3B7C2428 cmp edi, [esp+28h]
75E1 jnz $-1Dh
8B5A24 mov ebx, [edx+24h]
03DD add ebx, ebp
668B0C4B mov cx, [ebx+ecx*2]
8B5A1C mov ebx, [edx+1Ch]
03DD add ebx, ebp
8B048B mov eax, [ebx+ecx*4]
03C5 add eax, ebp
8944241C mov [esp+1Ch], eax
61 popad
C20800 retn 0008h
--------------------------------------------------------------------------

API-Hashing signature found at offset: 0xae0

7408 jz $+0Ah
C1CE0D ror esi, 0Dh
03F2 add esi, edx
40 inc eax
EBF1 jmp $-0Dh
3BFE cmp edi, esi
5E pop esi
75E5 jnz $-19h
5A pop edx
8BEB mov ebp, ebx
8B5A24 mov ebx, [edx+24h]
03DD add ebx, ebp
668B0C4B mov cx, [ebx+ecx*2]
8B5A1C mov ebx, [edx+1Ch]
03DD add ebx, ebp
8B048B mov eax, [ebx+ecx*4]
--------------------------------------------------------------------------

NOP slides signature found at offset: 0xad879

90 nop
90 nop
90 nop
EB2B jmp $+2Dh
33C0 xor eax, eax
50 push eax
648920 mov fs:[eax], esp
33FF xor edi, edi
81C700100000 add edi, 00001000h
B8D0CF11E0 mov eax, E011CFD0h
3B07 cmp eax, [edi]
75F1 jnz $-0Dh
40 inc eax
3B87000A0000 cmp eax, [edi+00000A00h]
75E8 jnz $-16h
81C7000A0000 add edi, 00000A00h
--------------------------------------------------------------------------

LODSD/STOSD SUB decryption signature found at offset: 0x700f2

AD lodsd
2DE49E3858 sub eax, 58389EE4h
AB stosd
843B test bh, [ebx]
98 cwde
1F pop ds
5C pop esp
7A57 jpe $+59h
6BA3687696978B imul esp, [ebx-68698998h], 8Bh
A8DC test al, DCh
A0B8BA9CED mov al, [ED9CBAB8h]
823E40 and byte ptr [esi], 40h
1C63 sbb al, 63h
27 daa
D7 xlat
A5 movsd
--------------------------------------------------------------------------

JMP [0xEB]/CALL/POP signature found at offset: 0xa9a

EB6E jmp $+70h
5E pop esi
FC cld
F3A4 rep movsb
C3 ret
41 inc ecx
5B pop ebx
52 push edx
03E1 add esp, ecx
03E1 add esp, ecx
03E1 add esp, ecx
03E1 add esp, ecx
83EC04 sub esp, 00000004h
5A pop edx
53 push ebx
8BDA mov ebx, edx
--------------------------------------------------------------------------

JMP [0xEB]/CALL/POP signature found at offset: 0xb11

EB0F jmp $+11h
5A pop edx
33C9 xor ecx, ecx
66B9FA05 mov cx, 05FAh
8032FC xor byte ptr [edx], FFFFFFFCh
42 inc edx
E2FA loop $-04h
EB05 jmp $+07h
E8ECFFFFFF call $-0000000Fh
A97710AFAA test eax, AAAF1077h
AB stosd
17 pop ss
9F lahf
AA stosb
98 cwde
5D pop ebp
--------------------------------------------------------------------------



Analysis finished!

-----------------------------------------------------------------------------
301d3e6dff463163c15e9a612048a001 seems to be malicious! Malicious Index = 19
-----------------------------------------------------------------------------
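Added example, not code from OfficeMalScanner or from anyone in this thread: a small Python scanner that automates the kind of byte-signature hunt binjo describes doing by hand in IDA (searching for 60/EB/33) and that the listing above labels per signature. The byte patterns are my own, modelled on the instruction sequences shown in the listing (FS:[30h] PEB read, ror-0Dh API hashing, NOP slides, LODSD/SUB/STOSD decryption, and the JMP/CALL/POP GetPC idiom, which is decoded rather than pattern-matched so that the CALL is checked to land on the POP); the 8-byte NOP threshold is an assumption, and the sample input is constructed from bytes taken from the listing, spliced between filler, so it runs offline.

```python
"""Heuristic scan of an Office document for shellcode-style byte sequences.

Added example, not OfficeMalScanner's code: the patterns mirror the
signature names in the listing above; thresholds are my own choices.
"""
import re
import struct
import sys
from dataclasses import dataclass


@dataclass
class Hit:
    name: str       # signature label
    offset: int     # file offset of the match
    snippet: bytes  # matched bytes, for the report


# Fixed byte sequences; each comment names the instruction(s) being matched.
PATTERNS = {
    # mov eax, fs:[30h] (64 A1 30 00 00 00) or mov r32, fs:[30h] (64 8B /r disp32):
    # the PEB read that starts a manual kernel32 / export-table walk
    "FS:[30h] PEB access": re.compile(
        rb"\x64\xa1\x30\x00\x00\x00|\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"
    ),
    # ror r32, 0Dh (C1 /1 ib): the rotate constant of the usual API-name hash loop
    "API hashing (ror r32, 0Dh)": re.compile(rb"\xc1[\xc8-\xcf]\x0d"),
    # eight or more consecutive NOPs (the threshold is an assumption)
    "NOP slide": re.compile(rb"\x90{8,}"),
    # lodsd; sub eax, imm32; stosd: dword-at-a-time in-place decryption loop body
    "LODSD/STOSD SUB decryption": re.compile(rb"\xad\x2d[\x00-\xff]{4}\xab"),
}


def find_jmp_call_pop(data: bytes) -> list[Hit]:
    """Decode the JMP short / CALL back / POP reg "GetPC" idiom.

        jmp short L1    EB xx      ; forward jump over the payload
        pop  reg        58..5F     ; CALL returns here with its return address
        ...
    L1: call back       E8 rel32   ; rel32 is negative and targets the pop
    """
    hits = []
    for i in range(len(data) - 2):
        if data[i] != 0xEB or data[i + 1] >= 0x80:  # need a forward short jump
            continue
        tgt = i + 2 + data[i + 1]
        if tgt + 5 > len(data) or data[tgt] != 0xE8:
            continue
        rel = struct.unpack_from("<i", data, tgt + 1)[0]
        if tgt + 5 + rel == i + 2 and 0x58 <= data[i + 2] <= 0x5F:
            hits.append(Hit("JMP/CALL/POP (GetPC)", i, data[i:i + 3]))
    return hits


def scan_bytes(data: bytes) -> list[Hit]:
    """Run every signature over the buffer and return hits sorted by offset."""
    hits = [Hit(name, m.start(), m.group())
            for name, pat in PATTERNS.items() for m in pat.finditer(data)]
    hits += find_jmp_call_pop(data)
    return sorted(hits, key=lambda h: h.offset)


def report(path: str) -> int:
    """Print hits in the style of the listing above; returns the hit count."""
    with open(path, "rb") as fh:
        hits = scan_bytes(fh.read())
    for h in hits:
        print(f"{h.name} signature found at offset: {h.offset:#x} ({h.snippet.hex()})")
    print(f"{len(hits)} hit(s)")
    return len(hits)


def build_sample() -> bytes:
    """Constructed test input: OLE2 magic, filler, and byte sequences taken
    from the OfficeMalScanner listing above, spliced in at known offsets."""
    filler = b"A" * 16
    return b"".join([
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",          # 0x00: compound-file magic
        filler,                                        # 0x08
        b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c",       # 0x18: mov eax, fs:[30h]; mov eax,[eax+0Ch]
        filler,                                        # 0x21
        b"\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf4",       # 0x31: jz; ror edi,0Dh; add edi,eax; jmp back
        filler,                                        # 0x3a
        b"\x90" * 8 + b"\x33\xc0\x50",                 # 0x4a: NOP slide; xor eax,eax; push eax
        filler,                                        # 0x55
        b"\xad\x2d\xe4\x9e\x38\x58\xab",               # 0x65: lodsd; sub eax,58389EE4h; stosd
        filler,                                        # 0x6c
        b"\xeb\x0f\x5a\x33\xc9\x66\xb9\xfa\x05\x80\x32\xfc\x42\xe2\xfa\xeb\x05\xe8\xec\xff\xff\xff",  # 0x7c
        filler,
    ])


if __name__ == "__main__":
    report(sys.argv[1])
```

The JMP/CALL/POP decoder is the part worth copying: a bare search for `EB` or `E8` bytes fires constantly on ordinary document data, but requiring the short jump to land on a CALL whose negative displacement points exactly at a POP immediately after the jump leaves very few accidental matches. The same trade-off applies to binjo's single-byte search: it is a fine starting point in IDA, while an automated scan needs the longer sequences.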

disavowed
June 2nd, 2009, 23:12
some nice tools on that site! someone less lazy than me should add them to crcetl

Woodmann
June 3rd, 2009, 20:15
So umm......... disa......

You thinking of anyone we know to do this "tool" addition to the crcetl .

Woodmann

dELTA
June 4th, 2009, 15:20
Yeah, yeah, you lazy bastards...

http://www.woodmann.com/collaborative/tools/OfficeMalScanner

http://www.woodmann.com/collaborative/tools/VtablesStructuresFromPSDK2003R2

http://www.woodmann.com/collaborative/tools/ClassAndInterfaceToNames

http://www.woodmann.com/collaborative/tools/MFC42Ord2FuncNames

http://www.woodmann.com/collaborative/tools/IDAAPIHelp

http://www.woodmann.com/collaborative/tools/Superkill

But those of you who subscribe to the CRCETL RSS feed already knew about these additions by now of course.

Nice tools indeed anyway.