Friday, December 7, 2007

I've lost my mojo!

Kidding...I'm kidding.

I was reading through some stuff today and started to get inspired by portable virtual computing environments.

One such environment is MojoPac.

I installed Mojopac freedom on my windows xp virtual machine while running Inctrl5. Other than the insane number of changes to the system, the major change is the creation of HKLM\RINGTHREE\VM1\REGISTRYMACHINE\SOFTWARE. There's simply too much to post here so suffice it to say it looks like it takes a veritable snapshot of your computer's most important components and copies them to a USB key (in my case my Corsair Voyager GT).

During install I was asked to register with mojopac/ringcube, which I did.


When mojopac actually starts up it looks exactly like an embedded XP configuration would - just the basics. The fun begins when you install software. I proceeded to install two programs into my new mojopac: metasploit and firefox.

I'll obviously need to do some more work on this but so far...


It leaves traces such as this:

Prefetch files for any application executed from within mojopac:

These are particularly interesting because they blatantly indicate that mojopac was used.

Strings output from the firefox prefetch:
FIREFOX.EXE
@\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\RINGTHREE\BIN\MOJOPAC.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\JS3250.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\NSPR4.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WSOCK32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WS2HELP.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\XPCOM_CORE.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\PLC4.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\PLDS4.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\SMIME3.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\NSS3.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\SOFTOKN3.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\SSL3.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\XPCOM_COMPAT.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\REX\PROTO\HTTP\PACKET.RB
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\REX\PROTO\HTTP\REQUEST.RB
\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NXULDVV7.DEFAULT\COMPATIBILITY.INI
\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NXULDVV7.DEFAULT\EXTENSIONS.INI
MEP
M\\DEVICE\HARDDISK1\DP(1)0-0+5
\DEVICE\HARDDISK1\DP(1)0-0+5\
4\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\
<\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\
M\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\
U\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\
]\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\FIREFOX\
f\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\
w\DEVICE\HARDDISK1\DP(1)0-0+5\DOCUMENTS AND SETTINGS\EVILMAN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NXULDVV7.DEFAULT\
+\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\
6\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\
A\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\
K\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\
O\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\
S\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\REX\
Y\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\REX\PROTO\
^\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\METASPLOIT\FRAMEWORK3\FRAMEWORK\LIB\REX\PROTO\HTTP\
;\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\MOZILLA FIREFOX\
5\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\RINGTHREE\
9\DEVICE\HARDDISK1\DP(1)0-0+5\PROGRAM FILES\RINGTHREE\BIN\
\DEVICE\HARDDISKVOLUME1
\DEVICE\HARDDISKVOLUME1\
\DEVICE\HARDDISKVOLUME1\WINDOWS\
)\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\
'\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\
z\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\
It appears that mojopac uses some linking to system binaries and makes some use of side-by-side assemblies, but when it uses an application installed on a mojopac device it runs from this location: \DEVICE\HARDDISK1\DP(1)0-0+5\[...]
I haven't devised what the significance of the DP(1)... is yet other than it being the volume. Anyone know?

It also leaves autorun traces in:
HKU\SID\Software\microsoft\windows\currentversion\mountpoints2
MRU


The easiest way to identify the use of mojopac is to look for signs of the following:
RingThreeSynchronizer
RingThreeMainWin32

Prefetch files exist for both.
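The two checks above (the RingThree loader DLL and DP() volume paths inside a prefetch file's loaded-file list, and prefetch files for the two RingThree executables themselves) can be run over a Prefetch folder with a short parser. This is an added example, not code from the post or from MojoPac; it reads the uncompressed SCCA prefetch layout (version 17 for XP) and the indicator strings are taken from the post. The sample prefetch image it builds is a constructed test fixture, not a real capture.

```python
"""Scan Windows prefetch files for the MojoPac traces described in the post."""
import re
import struct
from pathlib import Path

# Indicators from the post: MojoPac's loader DLL under RingThree, the removable
# DP() device path programs run from, and the two RingThree executables.
RINGTHREE_PATH = re.compile(r"\\PROGRAM FILES\\RINGTHREE\\", re.I)
MOJO_VOLUME = re.compile(r"^\\DEVICE\\HARDDISK\d+\\DP\(\d+\)", re.I)
MOJO_EXES = ("RINGTHREESYNCHRONIZER.EXE", "RINGTHREEMAINWIN32.EXE")


def parse_prefetch(data: bytes) -> dict:
    """Executable name and loaded-file list from an uncompressed prefetch file.
    Layout: version at 0, 'SCCA' at 4, exe name (UTF-16, 60 bytes) at 16,
    filename-strings offset/size at 0x64/0x68 for versions 17, 23 and 26."""
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != b"SCCA" or version not in (17, 23, 26):
        raise ValueError("not an uncompressed SCCA prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    off, size = struct.unpack_from("<II", data, 0x64)
    raw = data[off:off + size].decode("utf-16-le", "replace")
    return {"exe": exe, "files": [s for s in raw.split("\x00") if s]}


def mojopac_indicators(parsed: dict) -> list:
    """Label which MojoPac traces a parsed prefetch file shows."""
    hits = []
    if parsed["exe"].upper() in MOJO_EXES:
        hits.append("mojopac-executable")
    if any(RINGTHREE_PATH.search(f) for f in parsed["files"]):
        hits.append("ringthree-dll-loaded")
    if any(MOJO_VOLUME.match(f) for f in parsed["files"]):
        hits.append("runs-from-mojopac-volume")
    return hits


def scan_prefetch_dir(directory) -> dict:
    """Map each *.pf in a Prefetch folder (e.g. C:\\WINDOWS\\Prefetch) to its hits."""
    results = {}
    for pf in Path(directory).glob("*.pf"):
        try:
            hits = mojopac_indicators(parse_prefetch(pf.read_bytes()))
        except ValueError:
            continue  # compressed (Windows 10) or malformed file
        if hits:
            results[pf.name] = hits
    return results


def build_sample_prefetch(exe: str, files: list) -> bytes:
    """Constructed version-17 fixture for offline testing, not a real capture."""
    names = "\x00".join(files).encode("utf-16-le") + b"\x00\x00"
    header = bytearray(0x98)
    struct.pack_into("<I4s", header, 0, 17, b"SCCA")
    struct.pack_into("<I60s", header, 12, 0x98 + len(names), exe.encode("utf-16-le"))
    struct.pack_into("<II", header, 0x64, 0x98, len(names))
    return bytes(header) + names
```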


In addition, you must be an administrator of the machine to use mojopac unless an add-on is installed.


More on this later.
