Samir is my hero aka colab on browserexport
2020-10-02 06:43:44 Author: www.hexacorn.com(查看原文) 阅读量:332 收藏

October 1, 2020 in Archaeology, Living off the land

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after few back and forth we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this his me keeping my promise. Not.

Luckily to us, browserexport.exe is an easy read in Ida Pro. We also found good references to this .exe inside the btrowserbroker.dll file that helped us to guess what is required for the program invocation. After some quick code eyeballing we have extracted a number of interesting command line wannabe arguments:

  • ALL
  • COOKIES
  • FAVICONS
  • FORMDATA
  • HEURISTIC
  • HISTORY
  • LOGINS
  • LOWCOOKIES
  • SETTINGS

Analysis of code confirmed that the program requires at least 4 arguments so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

  • “” is a GUID which we don’t exactly know what it is, but it’s only used for exports from IE11; could be related to the GUID of the IE user profile (?),
  • IE11 is just one of the browsers supported by the tool; all the supported browsers are
    • CHROME
    • IE11
    • QIHOO360SE
    • QQBROWSER
  • all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
    • ALL
    • COOKIES
    • FAVICONS
    • FORMDATA
    • HEURISTIC
    • HISTORY
    • LOGINS
    • LOWCOOKIES
    • SETTINGS
  • foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. it’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
"MigrationData": {
"browser": "IE11",
"history": [
{
"title": "…",
"url": "…",
"LastAccessed": …
},
{
"title": "….",
"url": "…",
"LastAccessed": …
},
],
"logins": [

],
"cookies": [
{
"name": "…",
"value": "…",
"domain": "…",
"path": "…",
"dwFlags": …,
"ftExpires": …,
"fExpiresSet": …
},
]
}
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by btrowserbroker.dll. Neither of them can be considered a Lolbin, but then again.. that’s a lot of exportable value they both present w/o any effort from malware authors.


文章来源: https://www.hexacorn.com/blog/2020/10/01/samir-is-my-hero-aka-colab-on-browserexport/
如有侵权请联系:admin#unsafe.sh