CMD.EXE – Leveraging the command line for Windows malware analysis and forensics. Part I

Abstract: The Windows command prompt is something of a dark horse. Long-time Windows users appreciate it to a certain extent, while Linux converts and other OS geeks tend to disregard it because of the genuinely great features available in their own shells. Windows has always favoured the GUI paradigm and has long since moved on from its early DOS days, when the command line actually mattered. In modern workspaces full of interactive UI and ever-improving graphics hardware and software, where does cmd.exe fit in? Most lay users don't bother with it, as even basic networking seems to be over their heads, but as security professionals we do well to get more comfortable with this hidden gem. In spite of WMIC and PowerShell, which will be delved into as well, you might agree that the convenience of these power tools is not evident on every system, considering that XP is still the most used OS. Here I aim to describe some of the useful commands I have gleaned during my own analysis sessions. I always follow a streamline-your-toolkit agenda: get the maximum use out of the minimum effort. The analogy for tech musicians (if you are one) would be paint-by-numbers composition using building blocks as arrangement atoms; it surely beats the effort of composing a ninth every now and then. Further, for us malware reversers the line between analysis and forensics is a futile one to draw, as the complexity only goes up with each new malware and exploit. Taking a memory dump of an infected system to lay the malware bare, carving out the sections from the dump, proceeding to static disassembly for more in-depth data and then doing network forensics on the debugged executable: how do you really differentiate which is which in terms of workflow techniques? The more you know the better (more like all roads lead to Rome).
Let's get to it; it will be concise and fast.

Discovering the commands.

Most of these commands are complete programs invoked from the terminal by their executable names (ipconfig, netstat); quite a few others are built into cmd.exe itself (for, cd).

To invoke cmd.exe, type cmd in the Run box of the Start menu on XP/Windows 7. It helps to start cmd.exe (hereafter referred to as cmd) in admin mode for better access to system resources (such as firewall settings), otherwise cmd will give 'access denied' error messages, minus the cool music and graphics of the movies. You will see the default banner message on startup, followed by the familiar prompt, which defaults to the root drive as configured by your OS installation (ostensibly C:\[Windows Directory]).

To get a summary of the commands supported by cmd, type help. You will get a listing as below. It helps to paginate the list, though the default buffer size does let you view it by scrolling the display up and down. To paginate, pipe the output to the more command using the | symbol on your keyboard (with a single space before and after). Hereafter, use /? after a command to get the list of switches and the command format when needed. Type cd .. repeatedly to get to the root directory; the number of dots following cd denotes how many levels of the current directory are crossed. Here two levels are crossed back to get to C:\.

C:\>help | more

To do a headcount of the number of commands supported by cmd.exe:

C:\>help | find /c /v ""

Notice the piping to the find command, the switches /c (count) and /v (invert, i.e. lines not containing the string) and the "" argument meaning the empty string, so every line is counted. Later we will also use the findstr command for regex-like searches of strings and for wildcards.

It essentially does a line count and, accounting for the default line wrapping, the approximate count is 100 on Windows 7. Still manageable, eh? These 100 or so commands provide the maximum leverage to get the most information from your system.

To clear the screen, which you will need to at some point, type cls.

There are some basics to address regarding the standard output, input and error streams. These are the default streams (sequences of bytes) supported by cmd and can be accessed programmatically when other utilities are used with cmd. Standard output carries the text results of a command (program) on successful execution. Any error or software exception is written to the error stream. All user input is handled on the input stream.

Piping is common in terminals/shells like cmd: the pipe symbol | feeds the output of one command into the input of the next in linear sequence.

Using Boolean operators like && (AND) and || (OR) while chaining commands adds a logical component to our rote list and certainly adds value to more complex command sequences. The thing to remember is that the command after && is executed only if the preceding one succeeded, whereas the command after || runs only if the preceding one failed. We will see instances of this later in the article.

C:\> start <application.exe> && notepad.exe C:\data.dat

To create a new file storing a command's output, or to append to an existing one, use the > or >> signs respectively. To illustrate, to store the default tabular text output of tasklist in a text file named 'process list.txt', you type the following:

C:\>tasklist >> "process list.txt"

Notice the quotation marks around a name containing a space. Extensions are not mandatory, so saving to '.dat' also works, as it is just the ASCII string bytes that are saved. Spaces in filenames are not supported by cmd unless the name is wrapped in " ".

It's really simple to verify what was stored where using the simple type command, which displays the contents of a file on cmd's std output (hereon std meaning standard). So to see what was written to the file, you type

C:\>type "process list.txt"

to get the relevant output.

For basic sorting of any result, use the sort command. Simply pipe a prior command to sort without any arguments; it has none related to sort order (ascending by default).

C:\>tasklist | sort

sorts the list alphabetically by image name (the first column).

To navigate and manipulate the directory tree, use dir and its counterparts rmdir, mkdir and cd. These are well known, take just a directory or file path and can tell which is which. Rmdir (rd also works) removes a folder, mkdir creates a new directory, cd changes the current directory and rename renames a file or folder.

A few things to remember: the . (dot) symbol denotes the current directory, which is where filesystem-related activity is executed in the context of the running cmd.exe. To run a file present in the current directory, as shown by the prompt, just typing its name suffices; otherwise the explicit path has to be provided if it is not on the current path. A caveat, though: cmd has a native affinity for .com executables. When a name is typed without an extension, cmd searches the current directory and runs the .com executable first, even if a .exe of the same name exists there.

Try renaming a sampleApp to sampleApp.com in the same directory for this test. Say,

sampleApp.com and sampleApp.exe are both in the same folder.

Navigate to that folder to make it the current directory. Typing 'sampleApp.exe' in full would certainly execute the sampleApp.exe in the system32 folder, but just type sampleApp and the renamed .com executable executes instead. To verify this, use Process Explorer or the taskmgr.exe Task Manager: go to the Processes tab, open View -> Select Columns and tick the Image Path Name checkbox to show the image path column, then compare the two executions. This also means that a masquerading application could simply rename itself to a .com and get launched ahead of the original executable despite sitting in the same folder. The command cmd /c lets any application use the command-line environment to launch programs and run cmd commands without a cmd window appearing; cmd /k keeps the window visible for that command. This enables covert installation of programs and is misused quite a bit, as it is a simple but effective method.
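To find this pattern on a system rather than wait for it to bite, here is an added example (mine, not from the original post): a small batch script that walks a folder tree and reports every .com file sitting beside a same-named .exe. The script name shadowcheck.cmd is an assumption.

```batch
@echo off
setlocal
rem Added example, not from the original post: report every .com file that sits beside a
rem same-named .exe. With only the bare name typed, cmd.exe runs the .com first, so such a
rem pair is exactly the shadowing pattern described above. Usage: shadowcheck.cmd [folder]
rem The script name is an assumption; the folder defaults to the current directory.
set "root=%~1"
if "%root%"=="" set "root=%cd%"
set /a hits=0
for /r "%root%" %%F in (*.com) do (
    if exist "%%~dpnF.exe" (
        set /a hits+=1
        echo [SHADOW] "%%~nxF" runs ahead of "%%~nF.exe" in "%%~dpF"
        rem show owner and creation time of the .com so it can be triaged on the spot
        dir /q /tc "%%~fF" | find /i "%%~nxF"
    )
)
echo %hits% shadowing .com file(s) found under "%root%"
endlocal
```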

The TAB key and the SHIFT+TAB combination give you a fast-search-like feature: to cycle forward through the directory and file names in a given path press TAB, and to cycle in reverse press SHIFT+TAB. This fills in the path of the file or folder on the display and saves the user the detailed typing of long names.

The dir command is very useful indeed, with its various modes to filter out names and filesystem characteristics.

C:\>dir /a/b

gives a bare listing of all directory and file names, with even hidden and system files read into view.

dir /a gives the detailed listing of every folder and file, more than the default dir.

The attribute switch /a takes H as a parameter to filter and display only hidden files; D filters only directory names.

Use the /P switch to pause the output page by page, so that it is a handful and not a mouthful to deal with.

To display only hidden directories in a given path, type

C:\>dir /aHD /b

Case is not significant here: path names and the commands themselves are case insensitive. Use - (minus) to negate a specific attribute.

C:\>dir /a-H-D /b

displays only the non-hidden files in bare format.

Recursive searches are often needed, and the /S switch does just that, traversing all subdirectories under the parent folder. The file-attribute options S (system files), A (archive files) and R (read-only files) make the /a switch more specific. Further, application-specific data formats or per-application user data can be stored using reparse points (the L attribute). Windows uses these points to resolve links to files held on external media and to engage filesystem filters for the data format in question. There are certain conditions Windows requires for using reparse points. More info on this:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa365503(v=vs.85).aspx

The /T switch selects which timestamp is displayed: Creation (C), Last Access (A) or Last Written (W).

Another important piece of forensics data that can be revealed without any special third-party tool is the infamous alternate data stream of the NTFS filesystem.

The /R switch displays any alternate data streams in the final output.

Knowing the owner of a specific file helps differentiate the ownership of a filesystem entity; the /Q switch gives us that information. (Don't combine it with /b, or else the details will be excluded.)

Sorting is also provided by the /O switch, to sort by name (N), file size or date among others. Very handy indeed.

The DNS cache of recently accessed websites can be catalogued using the ipconfig command with the /displaydns switch.

To view the list of commands typed in the cmd terminal, use

C:\>doskey /history

Notice that the output also includes this command. The default command buffer is about 50 commands and can be increased or decreased as required by specifying the size with the /LISTSIZE=<size value> switch.

The find command is useful indeed for quickly filtering out the lines containing a particular string in another command's output. Just put the string in quotes after find, along with any switches needed.

C:\>dir /aH /b | find "<suspicious file name>"

To type special characters literally, prefix them with ^ (SHIFT+6) so the symbol is added to the string on the terminal. To pass modifier strings through as text when needed, precede them with ^ as well, like ^CTRL.

Pressing ESC clears the currently typed or selected string, giving a blank line to start with. Use the UP and DOWN navigation keys to cycle through the history of typed commands.

The tree command displays the filesystem in a graphical text mode.

Its /F switch displays the name of each file in each folder.

Attrib is useful indeed for resetting a file or directory attribute to a new one. Links and files downloaded or installed by malware are often hidden by marking them as system files and hidden at the same time. Once you find such files, Folder Options by itself will not suffice; use attrib on the file/folder:

C:\>attrib -H -S <path of file/folder>

Ftype provides a more detailed view of the file types in question as well as the command strings used to open them. By default it displays a lot of information, so it is best to pipe the command to more and read the details page by page, or save the list to a new file.

Within those command strings, %1 denotes the file being opened and %* all remaining arguments.

SET can be used to view and add paths to the Windows environment variables, and the SETX command can be used to set a variable persistently in the environment.

ASSOC (association) can be used to view or change the file-type associations.

FC is useful for quick comparison between two files. I use it for quick handle diffing: running handle.exe from Sysinternals, piping the output to fc in cmd /c mode and sending the std output to a graphics-enabled Windows form, where I can interact live and scroll down as it reads from the streams. The first snapshot is taken plain on a clean system and the second whenever I want after infection, to see whether any handles have been created that persist. You could also take snapshots in burst mode to see if any transient handles were created during infection of the OS.
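The snapshot-and-compare workflow above, as an added batch example that is not from the original post: it captures tasklist /svc and netstat -ano listings under a label and diffs two labels with fc. The script name snap.cmd, the snap_ file prefix and the snapshots folder are assumptions; a handle.exe listing can be added alongside in the same way if Sysinternals is present.

```batch
@echo off
setlocal
rem Added example, not from the original post: capture a labelled snapshot of processes, their
rem services and open network endpoints, then compare two snapshots with fc.
rem   snap.cmd take LABEL            e.g. snap.cmd take clean
rem   snap.cmd diff LABEL1 LABEL2    e.g. snap.cmd diff clean infected
rem The script name, the snap_ file prefix and the snapshots folder are assumptions.
set "outdir=%cd%\snapshots"
if not exist "%outdir%" mkdir "%outdir%"

if /i "%~1"=="take" if not "%~2"=="" goto :take
if /i "%~1"=="diff" if not "%~3"=="" goto :diff
echo usage: %~nx0 take LABEL ^| %~nx0 diff LABEL1 LABEL2
exit /b 1

:take
rem each listing is sorted so that mere ordering differences do not show up as changes
tasklist /svc /fo csv /nh | sort > "%outdir%\snap_%~2_svc.txt"
netstat -ano | findstr /r /c:"^ *TCP" /c:"^ *UDP" | sort > "%outdir%\snap_%~2_net.txt"
echo snapshot "%~2" written to "%outdir%"
exit /b 0

:diff
rem fc /l compares as ASCII text; "FC: no differences encountered" means nothing changed
for %%K in (svc net) do (
    echo ===== %%K: %~2 vs %~3 =====
    fc /l "%outdir%\snap_%~2_%%K.txt" "%outdir%\snap_%~3_%%K.txt"
)
exit /b 0
```

Lines prefixed with the first file name in fc's output are entries that disappeared, those prefixed with the second are new processes, services or endpoints since the baseline.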

Without going to Process Explorer, the tasklist command is quite handy and resourceful for getting a lot of info very quickly, and its filters let us drill down to exactly what we are searching for. By default it displays a long tabular list of the processes and their various properties. Typing tasklist /? gives a plethora of switches to extract and filter information. The /SVC switch and /M <module name, i.e. exe or dll> are particularly useful during a session. To search for a specific DLL module that may be loaded in the running processes, type

C:\>tasklist /m "suspicious.dll"

C:\>tasklist /fi "imagename eq malware.exe"

To terminate a specific process, use taskkill with the /T (tree) switch, adding /F to force if required, as in

C:\>taskkill /pid 2390 /pid 1390 /T /F

C:\>taskkill /im "malware.exe" /T

The /FI switch gives maximum leverage when used properly. To search by window title, services, image name, PID, modules or status (running/not responding/unknown), you can use the eq and ne operators to be more decisive, and filters can be chained.

C:\>tasklist /fi "modules eq suspicious.dll" /fi "imagename eq malware.exe" /fi "windowtitle eq xthhryu_VUCLASS" /fi "imagename ne mtest.exe"

will extract the relevant data from the process list and display it.

Taskkill is the command to use to kill a running process or service. It accepts the same filter format and switches as tasklist, to be more specific.

If you need more cmd windows than the one open, type start. Optionally, to run an application, type its name after start.

SC controls the services, and a lot of info can be gleaned from this command's output.

sc query gives a comprehensive listing of all services and their status.

Openfiles is used to view the files opened remotely via local shares. Quick and easy, it enumerates the open handles and their sources.

SystemInfo has been used by many a malware to document the system parameters and either activate specific functions or upload the data to the malware authors. Conversely we can use it to quickly list out the relevant system information.

Driverquery /v gives a very detailed view of the installed device drivers and their running attributes on your system.

Driverquery /si gives information on signed drivers. Admin privilege is required to use these features.

netstat -ano and netstat -anb are two very useful commands for analysing network activity. The first lists the owning process ID for each active network connection, and the second can be used to locate the associated binary name, as a triage step to pinpoint the source of an offending or stealthy connection. Higher port numbers in the ephemeral range and LISTENING/ESTABLISHED states are some of the things to monitor, but double-check them, as legitimate apps also use the same mechanisms and channels.

netstat -ab -p <proto> (TCP, UDP, TCPv6 or UDPv6) restricts the listing to one network protocol. Kind of like a quick and dirty Wireshark.

netstat -s gives per-protocol statistics.

netstat <interval> repeats the display every <interval> seconds. E.g. netstat 1 re-runs netstat in cmd every second.

netstat -f gives the fully qualified domain name for each foreign address. You basically get the site domain name as well as any mail exchange servers or name servers in use. Handy.
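As an added example (not from the original post), the following batch script joins netstat -ano with tasklist /svc so each TCP endpoint is listed next to the image name and services owning its PID, which is the triage step described above done in one pass. The script name netowner.cmd is an assumption.

```batch
@echo off
setlocal
rem Added example, not from the original post: join netstat -ano with tasklist /svc so every
rem TCP endpoint is shown beside the image name and service(s) owning its PID, without the
rem elevated prompt that netstat -b wants. TCP lines only: UDP rows have no state column,
rem so their fields would shift. Usage: netowner.cmd [state]   e.g. netowner.cmd ESTABLISHED
rem The script name is an assumption; with no argument every TCP state is listed.
set "want=%~1"
rem netstat -ano columns: proto, local address, foreign address, state, pid
for /f "tokens=2,3,4,5" %%A in ('netstat -ano ^| findstr /r /c:"^ *TCP"') do (
    if "%want%"=="" call :show %%D "%%A" "%%B" %%C
    if /i "%%C"=="%want%" call :show %%D "%%A" "%%B" %%C
)
endlocal
exit /b 0

:show
rem %1=pid %2=local %3=foreign %4=state; csv output is "image","pid","service,service"
set "owner=(process already exited)"
for /f "tokens=1,2,* delims=," %%P in ('tasklist /svc /fi "pid eq %1" /fo csv /nh ^| findstr /v /b INFO:') do (
    set "owner=%%~P [%%~R]"
)
echo %~4  pid=%1  %~2 -^> %~3  %owner%
exit /b 0
```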

bcdedit /bootdebug on enables debugging of the current OS, if you want to connect WinDbg later on. Requires a reboot.

Conclusion: We have taken a tour de force of the battery of commands provided by our friendly cmd.exe and seen how its various quirks and nuances can be used to our advantage, especially for malware analysis and associated forensics. In the next part we will delve into actual live scenarios and some more interesting commands that I have put to good use.
