From the previous post, we learned that there are three VBN record types. I want to start with record type 2 because this is what people think of when examining VBNs. Record type 2 VBNs consist of the following structures:
- VBN Metadata
- Quarantine Metadata (XORed with 0x5A)
- Quarantine Hash (XORed with 0x5A)
- Quarantine SDDL (XORed with 0x5A) *Optional
- Unknown (XORed with 0xA5) *Optional
- Quarantine Data (XORed with 0xA5) *Optional
- Quarantine Attribute (XORed with 0xA5) *Optional
Quarantine Metadata
The Quarantine Metadata starts out with a header that contains the size of the Quarantine Metadata and the size from the end of the Quarantine Metadata to the end of the VBN.
The Quarantine Metadata itself appears to be in ASN.1 format. A series of tags is used to differentiate the size and type of data.
If we add the Quarantine Metadata Header offset (from the VBN Metadata) and the QM Size + Header Size field together, we find ourselves at the next structure. What structure comes next depends on the tag found there. If it is 0x03, the Quarantine Hash structure is present. If it is 0x06, there is an unknown structure that appears to be a continuation of the Quarantine Metadata.
0x03 Quarantine Hash
The Quarantine Hash structure can contain the SHA1 hash and size of the quarantine data. This all depends on the value of the second tag. If the value is 0x00, the hash will not be present and the VBN will end here. If it is 0x01, the hash and the rest of the fields will be present. If all fields are present in this structure, the next tag will either be 0x08 or 0x09. If the tag is 0x08, the Quarantine SDDL structure is present.
Figure: Quarantine Hash with no hash data
Figure: Quarantine Hash with hash data
Quarantine SDDL
The Quarantine SDDL contains the security descriptor for the data that was quarantined and the size of the quarantine data.
Unknown
If the Quarantine SDDL is not present, this structure will be prepended to the quarantine data. I am unsure of what this structure represents at this time. The structure consists of a header, the size of the unknown data, and the size of the data to follow.
Quarantine Data
If the Quarantine SDDL is present, the Quarantine Data will come next, without the unknown data prepended to it. The Quarantine Data is broken into chunks of data XORed with 0xA5 until there are no chunks left. If the unknown data was prepended to the Quarantine Data, the Attribute structure may follow.
Quarantine Attribute
The Quarantine Attribute structure holds any attributes associated with the data. I have come across $EA_INFORMATION, $OBJECT_ID, and $DATA stored in this structure so far.
Figure: $OBJECT_ID example
Record Type 2
Quarantine Metadata
Offset | Length | Field | Description |
---|---|---|---|
0 | 8 | QM Header | Header is always 0000000000000000 |
8 | 8 | QM Header Size | Size, in bytes, of the QM header |
16 | 8 | QM Size | Size, in bytes, of the QM |
24 | 8 | QM Size + Header Size | Size, in bytes, of the QM and header |
32 | 8 | End of QM to End of VBN | Size, in bytes, from end of QM to end of VBN |
40 | QM Size | Quarantine Metadata | Quarantine Metadata |
The quarantine metadata appears to be in ASN.1 format. It is comprised of a series of tags.
ASN.1 Tags
Code | Value Length | Extra Data |
---|---|---|
0x01 | 1 | None |
0x0A | 1 | None |
0x03 | 4 | None |
0x06 | 4 | None |
0x04 | 8 | None |
0x07 | 4 | NUL-terminated ASCII String (of length controlled by dword following 0x07 code) |
0x08 | 4 | NUL-terminated Unicode String (of length controlled by dword following 0x08 code) |
0x09 | 4 | Container (of length controlled by dword following 0x09 code) |
0x0F | 16 | None |
0x10 | 16 | None |
The Tag determines what comes next.
- 0x03: Quarantine Hash
- 0x06: Unknown
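As an added worked example (not code from the original post), here is a small Python parser that applies the QM header layout and tag table above to a constructed record type 2 metadata region and reports which structure follows. It assumes the header fields are little-endian unsigned 64-bit integers, that the 40-byte header is masked with 0x5A along with the rest of the Quarantine Metadata, that the length dword after 0x07/0x08 counts bytes, and that 0x09 containers hold nested tags; the sample bytes are constructed, not taken from a real VBN.

```python
import struct
QM_KEY = 0x5A
# Tag code -> fixed value length in bytes, from the ASN.1 tag table above.
FIXED_TAGS = {0x01: 1, 0x0A: 1, 0x03: 4, 0x06: 4, 0x04: 8, 0x0F: 16, 0x10: 16}
# Tags whose 4-byte length dword is followed by that many bytes of extra data.
VAR_TAGS = {0x07: "ascii", 0x08: "unicode", 0x09: "container"}
NEXT_STRUCT = {0x03: "Quarantine Hash", 0x06: "Unknown"}  # tag right after the QM

def unxor(buf, key):
    return bytes(b ^ key for b in buf)
def walk_tags(qm):
    """Split an unmasked QM blob into (code, value) pairs; 0x09 containers recurse (assumption)."""
    out, pos = [], 0
    while pos < len(qm):
        code, pos = qm[pos], pos + 1
        if code in FIXED_TAGS:
            n = FIXED_TAGS[code]
        elif code in VAR_TAGS:
            n, pos = struct.unpack_from("<I", qm, pos)[0], pos + 4
        else:
            raise ValueError(f"unknown tag 0x{code:02X} at offset {pos - 1}")
        if pos + n > len(qm):
            raise ValueError(f"tag 0x{code:02X} runs past the end of the metadata")
        data, pos = qm[pos:pos + n], pos + n
        if code in FIXED_TAGS:
            out.append((code, int.from_bytes(data, "little")))
        elif VAR_TAGS[code] == "ascii":
            out.append((code, data.rstrip(b"\0").decode("ascii")))
        elif VAR_TAGS[code] == "unicode":
            out.append((code, data.decode("utf-16-le").rstrip("\0")))
        else:
            out.append((code, walk_tags(data)))
    return out

def parse_qm(raw):
    """Decode the header (assumption: LE uint64, masked with 0x5A), walk tags, name the next structure."""
    magic, hdr_size, qm_size, total, tail = struct.unpack("<5Q", unxor(raw[:40], QM_KEY))
    if magic != 0 or total != hdr_size + qm_size:
        raise ValueError("inconsistent QM header")
    hdr = {"header_size": hdr_size, "qm_size": qm_size, "tail_size": tail}
    tags = walk_tags(unxor(raw[hdr_size:total], QM_KEY))
    nxt = NEXT_STRUCT.get(raw[total] ^ QM_KEY, "unexpected") if total < len(raw) else "end of VBN"
    return hdr, tags, nxt

# Constructed sample (not from a real VBN): a short QM followed by a 0x03 tag.
_body = (bytes([0x01, 0x01]) + bytes([0x07]) + struct.pack("<I", 12) + b"C:\\evil.exe\0"
         + bytes([0x04]) + struct.pack("<Q", 4096) + bytes([0x0A, 0x02]))
_rest = bytes([0x03]) + struct.pack("<I", 1)
SAMPLE = unxor(struct.pack("<5Q", 0, 40, len(_body), 40 + len(_body), len(_rest)) + _body + _rest, QM_KEY)
```

Running `parse_qm(SAMPLE)` returns the decoded header sizes, the tag list, and "Quarantine Hash" because the byte after the QM unmasks to 0x03.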
Quarantine Hash
Quarantine SDDL (Optional)
If the Quarantine SDDL tag is not present, there can be two additional structures included with the quarantine data.
Unknown (Optional)
If the Quarantine Data Size in the VBN Metadata is smaller than the Quarantine Data Size in the Quarantine Info, this structure will be present.
Quarantine Data (Optional)
The quarantine data is broken into chunks of data XORed with 0xA5. This continues until the last chunk divider.
Attribute (Optional)
The following data is XORed with 0xA5.
The Unknown appears to be in ASN.1 format. It is comprised of a series of tags.
ASN.1 Tags