Tuesday, January 14, 2020

One of these VBNs is not like the other

In a previous post Symantec Endpoint Protection VBN files, I described the file structure of VBN files that contained quarantined files and the process to extract them. It turns out, there is another VBN file with a different structure, that can contain quarantined files. These files reside in the Quarantine file folder, but not in a sub directory. The easiest way to tell that they hold quarantined files is by there size compared to the other VBNs in the folder. In the screenshot below, we can see that something is not quite right with 1C980000.VBN.

These VBN files start off like any other VBN. We can grab the first four bytes to find the offset to the Quarantine File Meta header (QFM). Instead of finding the QFM header, we find a different structure instead. This structure is also xored with 5A. (Note. This is one example. I have other files that do not follow this format. Further investigation is needed)

Examining the structure, we can see that there is another offset that leads to the beginning of the quarantined file and another offset showing the end of the file. With this information, we can extract the quarantined file for further examination. All we need to do is take the QFM offset and add our new offset to it. This will be the beginning of the file. To find the size of the file, we subtract the QFM offset form the file offset and subtract that from the EOF offset. Now that we know where the file starts and ends, we can extract the contents and XOR it with 5A.

I have also updated DeXRAY to handle these files.

No comments:

Post a Comment