
Detect Application Window in C++, C# and x64 Asm

2022-03-28   Dawid Farbaniec
This blueprint describes a simple and well-known method against reverse code engineering (RCE). The idea is to detect whether a window of a specific tool (e.g. debugger, disassembler, sandbox, hex editor, etc.) is open. If a given tool is detected, the analyzed application may change its execution flow, i.e. behave differently than usual. One can make the application close unexpectedly (with or without a warning message) or simply cause it to malfunction, making reverse analysis of its code difficult. This method is by no means new, but I would like to present it with simple examples in three programming languages (C++, C#.NET and x64 Assembly) so that novice programmers who need it will have a strong anchor point.



Steps:
- Create an EnumWindowsProc callback that compares the retrieved title (GetWindowText) of the current window with the string being searched for.
- Call the EnumDesktopWindows function, which walks the windows of the current desktop, giving it the address of the callback function.
- Display a message when a desktop window with the specified title is detected.

The behavior on detection of a tool window must be programmed as desired.

Detect RCE Tool with Visual C++

/*

Coded in Visual C++ by ethical.blue

PL: Program sprawdza czy okno określonego
narzędzia jest uruchomione

EN: Application iterates through all
desktop windows to check specified window title
*/

#include <Windows.h>
#include <string>

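/*
 * EnumDesktopWindows callback: reads the title of hwnd and compares it with the
 * target string passed through lParam (an LPCWSTR).
 *
 * Returns TRUE to keep enumerating, FALSE to stop after the first match.
 * The match is a prefix test: the window title must start with the target.
 */
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    const LPCWSTR target = reinterpret_cast<LPCWSTR>(lParam);
    if (target == nullptr)
    {
        // Nothing to search for; keep enumerating rather than dereference null.
        return TRUE;
    }

    // Windows without a title cannot match; skip them without copying anything.
    if (GetWindowTextLengthW(hwnd) == 0)
    {
        return TRUE;
    }

    WCHAR titleText[255] = { L'\0' };

    // nMaxCount is the buffer size in characters *including* the terminator.
    // Passing 255+1 for a 255-element array (as the original did) lets
    // GetWindowText write one WCHAR past the end; size it from the array itself.
    GetWindowTextW(hwnd, titleText, static_cast<int>(sizeof(titleText) / sizeof(titleText[0])));

    const std::wstring title(titleText);

    // find(...) == 0 means the title begins with the target string.
    if (title.find(target) == 0)
    {
        MessageBoxW(0, (std::wstring(L"Znaleziono okno o nazwie: ") + title).c_str(), L"Informacja", MB_ICONINFORMATION);
        return FALSE;
    }

    return TRUE;
}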

/*
 * Entry point: walks every window on the current desktop looking for one whose
 * title starts with "Kalkulator" (the comparison lives in EnumWindowsProc).
 */
int wmain()
{
    static const wchar_t kTargetTitle[] = L"Kalkulator";

    // A null desktop handle means the current desktop; the target string is
    // handed to the callback through lParam.
    EnumDesktopWindows(0, &EnumWindowsProc, reinterpret_cast<LPARAM>(kTargetTitle));

    return EXIT_SUCCESS;
}

Detect RCE Tool with Visual C#.NET

/*

Coded in C#.NET by ethical.blue

PL: Program sprawdza czy okno określonego
narzędzia jest uruchomione

EN: Application iterates through all
desktop windows to check specified window title
*/

using System;
using System.Text;
using System.Runtime.InteropServices;

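namespace ConsoleApp1
{
    /// <summary>
    /// Enumerates the windows of the current desktop and reports the first one
    /// whose title contains a target string (here "Kalkulator").
    /// </summary>
    class Program
    {
        // LPARAM is pointer-sized, so the callback's second parameter must be
        // IntPtr; the original int declaration does not match the native
        // signature on 64-bit.
        delegate bool EnumDesktopWindowsDelegate(IntPtr hWnd, IntPtr lParam);

        [DllImport("user32.dll")]
        static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumDesktopWindowsDelegate lpfn, IntPtr lParam);

        [DllImport("user32.dll", CharSet = CharSet.Unicode)]
        static extern int GetWindowText(IntPtr hWnd, StringBuilder lpWindowText, int nMaxCount);

        // hWnd is a handle, hence IntPtr rather than int.
        [DllImport("user32.dll", CharSet = CharSet.Unicode)]
        static extern int MessageBox(IntPtr hWnd, string text, string caption, uint type);

        const uint MB_ICONINFORMATION = 0x00000040;

        /// <summary>
        /// Match rule used by the enumeration callback: an ordinal, case-sensitive
        /// substring test. Factored out so it can be tested without user32.
        /// </summary>
        /// <param name="title">Window title as read from GetWindowText; may be empty.</param>
        /// <param name="targetTitle">Text to look for.</param>
        /// <returns>True when <paramref name="title"/> is non-empty and contains <paramref name="targetTitle"/>.</returns>
        internal static bool TitleMatches(string title, string targetTitle)
        {
            if (string.IsNullOrEmpty(title))
                return false;

            return title.IndexOf(targetTitle, StringComparison.Ordinal) >= 0;
        }

        static void Main(string[] args)
        {
            string targetTitle = "Kalkulator";

            EnumDesktopWindowsDelegate enumWindowsProc = (IntPtr hWnd, IntPtr lParam) =>
            {
                // GetWindowText writes at most nMaxCount - 1 characters plus the
                // terminator, so passing Capacity (not Capacity + 1) cannot overrun
                // the marshalled buffer.
                var buffer = new StringBuilder(256);
                GetWindowText(hWnd, buffer, buffer.Capacity);
                string title = buffer.ToString();

                if (!TitleMatches(title, targetTitle))
                    return true; // keep enumerating

                MessageBox(IntPtr.Zero, "Znaleziono okno o nazwie: " + title, "Informacja", MB_ICONINFORMATION);
                return false; // stop enumerating
            };

            EnumDesktopWindows(IntPtr.Zero, enumWindowsProc, IntPtr.Zero);

            // The native side holds only a raw pointer to the delegate's thunk;
            // keep the managed delegate reachable until the call has returned.
            GC.KeepAlive(enumWindowsProc);
        }
    }
}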

Detect RCE Tool with x64 Assembly (MASM)

;---------------------------------------------------------+

; Coded in Win64asm (MASM x64 / ML64.EXE) by ethical.blue |
;                                                         |
; PL: Program sprawdza czy okno określonego               |
;       narzędzia jest uruchomione (Unicode!)             |
;                                                         |
; EN: Application iterates through all                    |
;       desktop windows to check specified window title   |
;---------------------------------------------------------+

extrn EnumDesktopWindows : proc
extrn GetWindowTextW : proc
extrn GetWindowTextLengthW : proc
extrn MessageBoxW : proc
extrn lstrcmpW : proc
extrn ExitProcess : proc

.data
; 16-bit (Unicode) string "Kalkulator", null-terminated; compared exactly in EnumWindowsProc
szTargetTitle dw "K","a","l","k","u","l","a","t","o","r", 0

; buffer that receives the title of the window currently being inspected (4096 16-bit chars)
szCurrentWindow dw 4096 dup(0)

; 16-bit (Unicode) string "Znaleziono!" ("Found!"), shown when the title matches
szMessageText dw "Z","n","a","l","e","z","i","o","n","o","!",0

.code

; callback function that receives the handles of the desktop windows

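; Callback invoked by EnumDesktopWindows once per window.
; In:  rcx = hWnd, rdx = lparam (unused; the target title is read from szTargetTitle).
; Out: rax = 1 to keep enumerating, 0 to stop after the first exact title match.
EnumWindowsProc proc hWnd : qword, lparam : qword

; Fetch the title of the current window into szCurrentWindow.
; rcx still holds hWnd from entry. On entry rsp is 8 mod 16, so reserving
; 28h (shadow space + 8) puts rsp back on a 16-byte boundary before each call,
; as the x64 calling convention requires; the original 30h left it misaligned,
; which callees that use aligned SSE stores may fault on.
sub rsp, 28h
mov r8, 255                         ; nMaxCount (szCurrentWindow holds 4096 chars)
mov rdx, offset szCurrentWindow     ; lpString
call GetWindowTextW
add rsp, 28h

; Empty title: nothing to compare, keep searching.
test rax, rax
jz _true

; Exact, case-sensitive comparison of the fetched title with the target.
sub rsp, 28h
mov rdx, offset szTargetTitle
mov rcx, offset szCurrentWindow
call lstrcmpW
add rsp, 28h

; Non-zero result: titles differ, keep searching.
test rax, rax
jnz _true

; Match: show the message (text and caption are both szMessageText) and stop.
sub rsp, 28h
xor r9, r9                          ; uType = MB_OK
mov r8, offset szMessageText        ; lpCaption
mov rdx, offset szMessageText       ; lpText
xor rcx, rcx                        ; hWnd = NULL
call MessageBoxW
add rsp, 28h
jmp _false

_true:
mov rax, 1
ret

_false:
xor rax, rax
ret

EnumWindowsProc endp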

; main function
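; Entry point: enumerate the current desktop's windows through EnumWindowsProc,
; then terminate the process with exit code 0.
Main proc

; Entry rsp is 8 mod 16; 28h of shadow space realigns it for the calls below.
; ExitProcess does not return, so the space is never released.
sub rsp, 28h
mov r8, offset szTargetTitle        ; lParam (the callback reads szTargetTitle directly)
lea rdx, EnumWindowsProc            ; lpfn: lea makes the address load unambiguous
xor rcx, rcx                        ; hDesktop = NULL (current desktop)
call EnumDesktopWindows

; Terminate the program.
xor rcx, rcx                        ; uExitCode = 0
call ExitProcess
Main endp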

end

Summary

This technique should not be used alone. When used properly, this method can mislead blue teams analyzing a malware sample. Have fun!

Bibliography

// dug up from old code archives
