tinyapps.org / blog


Stop ransomware process and dump memory to extract key #

Anti Ransom v3 "creates a random decoy folder with many useless random documents (Excel, PDF) and then it monitors the folder waiting for changes. When a change is detected, AntiRansom tries to identify which process is responsible for such change and then stops it and dumps the process memory (hopefully the key or password that is being used by the ransomware is inside)".

/windows | Jul 09, 2016

Extract passwords and more from memory #

mimikittenz "is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes".

Basic usage:

  1. Run Windows PowerShell as administrator
  2. cd to directory containing Invoke-mimikittenz.ps1 (e.g., Downloads)
  3. PS C:\Users\user\Downloads> Set-ExecutionPolicy RemoteSigned
  4. PS C:\Users\user\Downloads> Import-Module $pwd\Invoke-mimikittenz.ps1
  5. PS C:\Users\user\Downloads> Invoke-mimikittenz

Sample result:

PatternName       PatternMatch
-----------       ------------
Gmail             &Email=tinyapps@gmail.com&Passwd=PASSWORD_IN_PLAINTEXT&Persiste...

See also:

/windows | Jul 08, 2016

Cloning a failing hard drive to a smaller drive #

Faced with a rapidly-worsening hard drive (and after backing up critical data), I hoped to clone the Windows install to a smaller drive (the only one on hand). Kanguru's Mobile Clone HD One-To-One Duplicator (KCLONE-1HD-MBC) has gotten me out of similar binds before, but cloning to smaller drives is not currently supported.

Here are the boot discs I tried in order and their results (for a similar list, see Windows won't boot (or boots only once) after SSD upgrade):
  1. Paragon Drive Copy 15 Professional - crashed
  2. Acronis True Image 2016 - crashed
  3. HDClone 6.1.5 Advanced Edition - produced a non-working clone with missing partitions
  4. Image for Windows 2.99-00 - produced a working clone!
I was happily astounded that my version 2 license from 2008 was still valid for the current version (2.99-00), which was released as recently as February 25, 2016. Many thanks to TeraByte for a great product and the super-long-term support!

/windows | Jun 16, 2016

Check Windows for spurious certs #

In light of malware and OEM CA shenanigans ("Who’s your Verisign?" - Malware faking digital signatures, Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish), be sure to check certificates regularly, especially immediately following acquisition or malware cleanup.

While you could comb through Certificate Manager (certmgr.msc), Sigcheck from Sysinternals speeds things up considerably. The following example is from a system with Superfish and Fiddler certs installed:
C:\>sigcheck.exe -tuv *

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Listing valid certificates not rooted to the Microsoft Certificate Trust List:

User\MY:
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
User\Root:
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
   Superfish, Inc.
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Superfish, Inc.
        Serial Number:  00 D2 FC 13 87 A9 44 DC E7
        Thumbprint:     C864484869D41D2B0D32319C5A62F9315AAF2CBD
        Algorithm:      sha1RSA
        Valid from:     6:25 AM 5/12/2014
        Valid to:       6:25 AM 5/7/2034
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
From the documentation:
 -t[u][v] Dump contents of specified certificate store ('*' for all stores).
          Specify -tu to query the user store (machine store is the default).
          Append '-v' to have Sigcheck download the trusted Microsoft
          root certificate list and only output valid certificates not rooted to
          a certificate on that list. If the site is not accessible,
          authrootstl.cab or authroot.stl in the current directory are
          used instead, if present.
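Sigcheck's -tuv needs the Microsoft CTL download (or a cached authroot.stl) to decide what is "rooted"; for a quick offline spot-check, the PowerShell certificate provider can list the same stores. The script below is an added example, not from the tinyapps post or Sysinternals: it inventories the user and machine Root stores plus the user's personal store, flags the two thumbprints shown in the Sigcheck output above, and diffs the stores against a baseline CSV so that any root added since a clean snapshot stands out. $BaselinePath is a hypothetical location of your choosing.

```powershell
# Added example (not part of the tinyapps post): inventory certificate stores, flag known-bad
# thumbprints from the Sigcheck output above, and diff against a saved baseline.
# Run as the user whose stores you want to inspect; LocalMachine\Root is readable without elevation.

$KnownBad = @{
    'C864484869D41D2B0D32319C5A62F9315AAF2CBD' = 'Superfish, Inc.'           # thumbprint from the post
    '31745D49A0C3386A1387A755217FD5C9701A9607' = 'DO_NOT_TRUST_FiddlerRoot'  # thumbprint from the post
}

$Stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'

function Get-CertInventory {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)   # every root is self-signed; a new one is worth a look
                NotAfter   = $_.NotAfter
                KnownBad   = $KnownBad[$_.Thumbprint]
            }
        }
    }
}

$inventory = Get-CertInventory

# 1. Anything whose thumbprint is already on the known-bad list
"Known-bad certificates present:"
$inventory | Where-Object KnownBad | Format-Table Store, Subject, Thumbprint, KnownBad -AutoSize

# 2. Anything not present when the baseline was taken (first run writes the baseline)
$BaselinePath = "$env:USERPROFILE\cert-baseline.csv"   # hypothetical path
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $inventory | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath; re-run after the next acquisition or cleanup."
} else {
    $baseline = Import-Csv -Path $BaselinePath | Select-Object -ExpandProperty Thumbprint
    "Certificates not in the baseline:"
    $inventory | Where-Object { $_.Thumbprint -notin $baseline } |
        Format-Table Store, Subject, Thumbprint, SelfSigned, NotAfter -AutoSize
}
```

Take the baseline on a machine you trust (a fresh install before any OEM bloatware runs, or right after a cleanup you have verified with Sigcheck), then re-run the script whenever the post's advice applies. The baseline diff catches roots that Sigcheck alone would not flag if they happen to chain to the CTL but are still unwanted for that machine.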

/windows | Jun 14, 2016

Block a specific program from accessing the Internet #

  1. Open Windows Firewall with Advanced Security (wf.msc)
  2. Click "Outbound Rules"
  3. Click "New Rule…​"
  4. Click "Program" > "Next"
  5. Click "This program path" > "Browse" > select program to block > "Next"
  6. Click "Block the connection" > "Next"
  7. Leave Domain, Private, and Public checked > "Next"
  8. Type desired name for rule and click "Finish"
If that seems too tedious, check out OneClickFirewall. It adds a context menu item to "Block Internet Access" and another to "Restore Internet Access", leveraging outbound rules in Windows Firewall with Advanced Security.
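The same outbound rule can be created and removed from an elevated PowerShell prompt with the NetSecurity cmdlets. This is an added example, not from the tinyapps post or OneClickFirewall; it assumes Windows 8 / Server 2012 or later (the wf.msc steps above also cover Windows 7), and $Program is a placeholder path of your choosing.

```powershell
# Added example (not part of the tinyapps post): scripted equivalent of the wf.msc steps above,
# plus the "Restore Internet Access" half of OneClickFirewall. Requires an elevated prompt.

function Block-InternetAccess {
    param([Parameter(Mandatory)][string]$Program)
    if (-not (Test-Path -LiteralPath $Program)) { throw "Program not found: $Program" }
    $name = 'Block Internet Access - ' + [IO.Path]::GetFileName($Program)
    # Steps 2-8 in one call: outbound, by program path, block, all three profiles
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $Program `
            -Action Block -Profile Domain, Private, Public | Out-Null
    }
    return $name
}

function Restore-InternetAccess {
    param([Parameter(Mandatory)][string]$Program)
    $name = 'Block Internet Access - ' + [IO.Path]::GetFileName($Program)
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Get-BlockedPrograms {
    # Lists programs currently blocked by rules created above, reading each rule's
    # application filter (the "This program path" field in the wizard)
    Get-NetFirewallRule -DisplayName 'Block Internet Access - *' -Direction Outbound -Action Block |
        ForEach-Object {
            [PSCustomObject]@{
                Rule    = $_.DisplayName
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
                Enabled = $_.Enabled
            }
        }
}

$Program = 'C:\Program Files\Example\example.exe'   # placeholder path
Block-InternetAccess -Program $Program
Get-BlockedPrograms
# Restore-InternetAccess -Program $Program
```

Block-InternetAccess is idempotent (re-running it does not stack duplicate rules), and Get-BlockedPrograms gives you the audit view that the wizard lacks: one line per blocked executable with its rule name and enabled state.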

/windows | Jun 04, 2016

Tiny Unix Tools for Windows #

With the exception of the last two entries, these tools have been littered around the blog for years; this is an attempt to put them all in one place. In order of appearance:

/windows | Jun 04, 2016

Like having your very own Mangajin editor #

Back in the 90s, Mangajin revolutionized Japanese language studies by meticulously explaining comics, offering the original Japanese (kanji, hiragana, katakana), romanized Japanese, literal English meaning, idiomatic English meaning, politeness level (PL1-PL4), and loads of other details missing from textbooks:

Mangajin

(Some might argue that the co-worker's response should be labeled PL3 instead of PL2, since he uses 「でしょ」 instead of 「だろ」 or 「だろう」)

Long out of print, digitized archives of all 70 issues float around the Internet; one kind soul has been hosting the first 30 issues for ages.

However, these days, you can turn almost any Japanese source image into a Mangajin-like smorgasbord of information thanks to two open source, portable apps from Christopher Brochtrup:

Capture2Text "enables users to quickly OCR a portion of the screen using a keyboard shortcut. The resulting text will be saved to the clipboard by default. Supports 90+ languages including Chinese, English, French, German, Japanese, and Spanish. Portable and does not require installation. See http://capture2text.sourceforge.net for details."

capture2text

JGlossator "can create a gloss for Japanese text complete with de-inflected expressions, readings, audio pronunciation, example sentences, pitch accent, word frequency, kanji information, and grammar analysis. See http://jglossator.sourceforge.net/ for more information and screenshots. Inspired by Translation Aggregator, but aimed primarily at people learning Japanese."

jglossator

The two work seamlessly together; here is a video of them in action.

/windows | May 28, 2016

Slipstreaming the Windows 7 SP1 convenience rollup #

This guide ended up being a little long for a blog post, so I've added it to the document vault: Slipstream Windows 7 SP1 convenience rollup into a universal x86/x64 installer

/windows | May 21, 2016

Synchronize, backup, or copy files and folders #

with SyncFolders. Features include: versioning (including auto cleanup of old versions), filtering, previewing, scheduling (via Windows' Task Scheduler), verifying (via CRC32, MD5, or SHA-1 hash), launching via command line, support for long file names and UNC paths, and more. Does not natively support VSS, but can be paired with ShadowSpawn to copy in-use files after configuring and saving job rules in the GUI; e.g.,

shadowspawn.exe C:\Users\foo Q: "C:\Program Files\SyncFolders\SyncFolders.exe" /background /synchronize C:\Users\foo\Documents\backup.rls /log:C:\logs\backuplog.txt

which:
  1. Runs ShadowSpawn.
  2. Mounts shadowed version of C:\Users\foo to Q:.
  3. Runs SyncFolders
  4. in the background,
  5. executing (rather than previewing)
  6. the backup.rls rule file,
  7. and logging results to backuplog.txt.
(To prevent "You do not have write access to folder Q:." when using this procedure, uncheck "Use local database to track file changes" in the Advanced tab for the rule.)

SyncFolders is unrestricted freeware and requires the .NET Framework.

/windows | May 17, 2016

Change msconfig boot options from command prompt via boot disc #

During a malware cleanup, msconfig was used to change the boot method to Safe Mode with Networking (msconfig > Boot > Boot options > check Safe boot > check Network). On reboot, Windows would not load. Reverting the changes and returning to Normal Mode was done like so:
  1. Boot from Windows install disc and open command prompt (Shift+F10)

  2. Check the current boot mode:

    X:\>bcdedit
    ...
    Windows Boot Loader
    -------------------
    identifier {default}
    ...
    nx OptIn
    safeboot Network

  3. Remove the Safe Mode with Networking option:

    X:\>bcdedit /deletevalue {default} safeboot
    The operation completed successfully.

  4. Check boot mode again:

    X:\>bcdedit
    ...
    Windows Boot Loader
    -------------------
    identifier {default}
    ...
    nx OptIn

BCDEdit can be used on offline drives via the "store" command (the help documentation oddly refers to it as a command instead of a flag or switch), e.g., bcdedit /store E:\Boot\BCD /deletevalue {default} safeboot. (Found this handy for editing BCD on a DiskCryptor-encrypted drive mounted inside of a Windows PE session.)
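Steps 2 through 4 above, as an added example that is not part of the tinyapps post: a PowerShell wrapper that reads the {default} entry, removes a leftover safeboot value only if one is set, and re-reads the entry to confirm. It assumes bcdedit.exe is on the PATH and that PowerShell is available (in Windows PE that means the optional PowerShell component; otherwise the two bcdedit lines from the post are the cmd equivalent). The optional -Store parameter maps to bcdedit /store for an offline BCD such as E:\Boot\BCD.

```powershell
# Added example (not part of the tinyapps post): detect and clear a leftover "safeboot" value
# on the default boot entry, online or on an offline store. Needs an elevated prompt.

function Get-SafebootSetting {
    param([string]$Store)   # optional path to an offline BCD, e.g. E:\Boot\BCD
    $prefix = @()
    if ($Store) { $prefix = @('/store', $Store) }
    # {default} must be quoted in PowerShell, otherwise the braces parse as a script block
    $lines = & bcdedit.exe @prefix /enum '{default}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $lines" }
    foreach ($line in $lines) {
        # matches the "safeboot Network" line shown in step 2 of the post
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Remove-SafebootSetting {
    param([string]$Store)
    $mode = Get-SafebootSetting -Store $Store
    if (-not $mode) { return 'No safeboot value set on {default}; nothing to do.' }
    $prefix = @()
    if ($Store) { $prefix = @('/store', $Store) }
    $out = & bcdedit.exe @prefix /deletevalue '{default}' safeboot 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue failed: $out" }
    # Re-read the entry, mirroring step 4 of the post
    if (Get-SafebootSetting -Store $Store) { throw "safeboot ($mode) is still present" }
    return "Removed safeboot ($mode) from {default}."
}

# Online system:
Remove-SafebootSetting
# Offline drive mounted under Windows PE, as in the DiskCryptor case above:
# Remove-SafebootSetting -Store 'E:\Boot\BCD'
```

Run Get-SafebootSetting on its own before any reboot that follows a malware cleanup; a non-empty result means the machine is still set to boot into Safe Mode.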

Sources:

/windows | Apr 17, 2016
