The Case of the Persistent Executable

This is the first of the two case studies that won me a signed copy of Windows Internals, 4th Edition, by Mark Russinovich of Microsoft, last year.

I woke up last Saturday around 11:00 in the morning to find my friend sitting at the computer typing a document in MS Word. He then minimized the document and proceeded to open the D: drive from My Computer. My usually fast Windows responded extremely slowly to the double click. I sat bolt upright in my bed and asked him to repeat the procedure with the other drives. The same delay was noticed on the other drives too. I then asked him to right-click on any drive, expecting a change in the context menu due to the presence of an autorun file. The menu was intact. I then got down, sat at the chair and used the attrib command at the prompt for each drive. This is what I got.

Certainly signs of malicious presence. I used the type command to read the contents of autorun.inf although I knew what it would point at.

I then immediately fired up Process Explorer to see if the process was running. Failing to find the process or a handle to it, I used attrib -s -h -r fppg1.exe to reset the attributes and proceeded to delete it using del fppg1.exe. I repeated the same procedure with the autorun.inf file. Since I have 6 partitions on my hard drive, I wrote a batch file, named it clean.bat and saved it in %systemroot% with the following contents.

@echo off
REM Run from the root of each partition: clear the System, Hidden and
REM Read-only attributes the worm set, then delete the two dropped files.
attrib -s -h -r fppg1.exe
del fppg1.exe
attrib -s -h -r autorun.inf
del autorun.inf
echo All done
echo.

I then ran clean.bat from the console on each partition. Happy that my system was back to normal, I restarted Explorer to remove the effects of the autorun.inf file on the default Open option of the drives. I then proceeded to open the F: drive with a double click through My Computer. I was surprised to see the delay occurring again. The attrib command confirmed my doubts. The two files were back. I decided to dump the strings from the fppg1.exe file to see if I could find any clues. I ran the strings utility and piped the output to a text file called fppg1.txt.

The file contained loads of ASCII characters and just three APIs that I recognized. That didn’t help much.

I then fired up Process Monitor to see what process was writing these files to disk. I used two filters: Path contains autorun.inf then Include, and Path contains fppg1.exe then Include. I was surprised to see which process was writing, setting attributes and querying information.

It wasn’t only explorer.exe that drained my happiness out of me.

I then right-clicked on Explorer to view its stack when the IRP_MJ_CREATE operation was performed. The stack had one unfamiliar entry.

I used the Find Handle or DLL feature of Process Explorer to search for amvo0.dll. The returned results didn't raise my spirits.

The DLL had attached itself to the other processes I had opened after restarting Explorer. I then opened up cmd, changed to C:\Windows\System32\ and used the attrib command to confirm my suspicions about the attributes of amvo0.dll. I wasn't disappointed.

I suspected that there could be an associated executable present in the same directory and hence used attrib amv*. With my suspicions confirmed, I used strings.exe to dump the strings from amvo.exe and did a file compare with fppg1.txt. Bingo! They were, in essence, the same file. The DLL amvo0.dll was making explorer.exe and the System process recreate the files fppg1.exe and autorun.inf whenever they were not found in the root of the drives. I used attrib again to remove the System and Hidden attributes from amvo.exe and amvo0.dll and deleted amvo.exe through the command prompt. The file amvo0.dll was in memory and hence could not be deleted. One feature I found missing in Process Explorer, which would have really helped me, was the ability to unload DLLs; that would have allowed me to delete the file immediately. I used autoruns.exe, another of the Sysinternals creations, and found that amvo.exe had created a registry entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that caused it to be run at system startup. With the file gone, I restarted my system and then deleted amvo0.dll manually, and fppg1.exe and the autorun.inf file using the batch file.
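The drive-root check, the look inside autorun.inf and the Run-key check from this case can be scripted. The following Python is an added example written for this page; it is not code from the original post and not a Sysinternals tool. It pulls every launch directive (open=, shellexecute=, shell\<verb>\command=) out of an autorun.inf, checks whether the referenced files exist in the drive root and, on Windows, whether they carry the Hidden and System attributes that attrib exposed, and lists the HKCU Run entries of the kind that gave amvo.exe its persistence. The autorun.inf text in the block is a constructed sample modelled on the behaviour described above, not the actual file from the infected machine; only the name fppg1.exe is taken from the post.

```python
"""Triage helper for the autorun.inf worm pattern described above.

Added example for this page; not from the original post or any Sysinternals
tool. Parses autorun.inf, resolves the executables it launches, reports their
Hidden/System attributes (Windows only; False elsewhere) and lists HKCU Run
entries, the persistence mechanism found in the case study.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

try:
    import winreg  # only exists on Windows
except ImportError:
    winreg = None

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 FILE_ATTRIBUTE_* bit values
FILE_ATTRIBUTE_SYSTEM = 0x4
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] directives that run a program

# Constructed sample, modelled on the post's description; NOT the real file.
SAMPLE_AUTORUN = r"""[AutoRun]
;junk comment line of the kind a strict INI parser would reject
open=fppg1.exe
shell\open\Command=fppg1.exe
shell\explore\Command="fppg1.exe" /e
shellexecute=fppg1.exe
shell\open=Open
"""

def parse_autorun(text):
    """Return [(directive, target)] for every directive that launches a file.

    open=, shellexecute= and shell\<verb>\command= name a program; label=,
    icon= and shell\<verb>= (menu captions) do not. A tolerant line parser is
    used because worm-written files are often padded with junk lines.
    """
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            m = re.match(r'"([^"]*)"|(\S+)', value)  # first token, quoted or bare
            target = (m.group(1) or m.group(2)) if m else ""
            if target:
                targets.append((key, target))
    return targets

def hidden_system(path):
    """(hidden, system) attribute flags, or None if the path does not exist."""
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 off Windows
    except OSError:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN), bool(attrs & FILE_ATTRIBUTE_SYSTEM)

def triage_drive_root(root):
    """Inspect one drive root for autorun.inf and the files it points at."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {"autorun": False, "targets": []}
    text = inf.read_text(encoding="latin-1", errors="replace")
    targets = [{"directive": key, "target": tgt, "attrs": hidden_system(root / tgt)}
               for key, tgt in parse_autorun(text)]
    return {"autorun": True, "inf_attrs": hidden_system(inf), "targets": targets}

def hkcu_run_entries():
    """(name, command) pairs under HKCU\\...\\CurrentVersion\\Run; empty off Windows."""
    if winreg is None:
        return []
    entries, i = [], 0
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries.append((name, str(data)))
            i += 1

def demo():
    """Build a constructed drive root in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="ascii")
        (root / "fppg1.exe").write_bytes(b"MZ placeholder, not real code")
        return triage_drive_root(root)

if __name__ == "__main__":
    for root in (sys.argv[1:] or [None]):
        print(triage_drive_root(root) if root else demo())
    for name, cmd in hkcu_run_entries():
        print(f"Run: {name} = {cmd}")
```

Run it with drive roots as arguments (for example D:\ E:\ F:\) to repeat the check across all partitions in one go; a root with an autorun.inf whose targets exist and carry Hidden+System is the same picture attrib showed here, while a disc whose autorun.inf only sets icon= and label= yields no targets at all.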

Case closed. I then went on to start my morning.

My Dream Phone


It appears that the time to switch my phone has finally come. I use a Sony Ericsson Z555i with Gesture Control for my daily communication with the outside world. I also use an LG RD3500 Reliance handset to speak to my girlfriend. As every phone enthusiast and feature-loving geek would do, I set about doing some research to get my Sony Ericsson Z555i with Gesture Control replaced.

Finding a new phone is never hard if you know what you want in it. I have switched 3 phones over the past 2 years, the best being my current phone. But I recently noticed that it does not suit my persona. It does not have loads of features that would improve my life. Hell, I can't even check my email on it. I have a list of things my phone should be able to do. Being a Windows fanatic, a Windows Mobile device would be ideal, where I could write and test .NET applications. Internet and wifi connectivity with push email functionality would be mandatory; throw in some looks, a sleek interface and respectable battery life. Not much, one would agree, in terms of features, but hey, I never said I wanted an iPhone.

I googled for smartphones and scrolled down the results page to see if anything was worth pursuing. It was then that I saw a news result that said Acer had launched three new phones. Acer? I thought Acer was into laptops. I know because I own a sleek Aspire 5920G [http://www.notebookreview.com/default.asp?newsID=3897] with a 2.2 GHz Intel T7300, 4 GB RAM and a 360 GB hard drive. Apart from the curiosity, I happen to be pro-Acer (now where have I heard that before: pro-Google, pro-Microsoft and now pro-Acer? I need to delineate my loyalties.) and hence thought taking a look at the phone would not budge my intentions.

The minute I checked the Acer website for the smartphone, I fell in love with the M900. It's a sleek and stylish Windows Mobile device with several other features that I had always dreamt of having. I promised the deepest desires within me that I would someday proudly own this phone and flaunt it across the company where I work. I know that could be disadvantageous, since doing that would brand me as a satisfied and well-earning employee, which would cause a sharp decline in my appraisals, which obviously I would not want.

I have yet to find out the prices, which I'm sure will hinder the progress of my quest to own this baby. I can wait another month, and the month after that, and the month after that and the month after…

Convert normal folders to Windows Shell Folders

I normally store all data in separate logical drives on my computer. My movie collection goes to a drive called Multimedia, so does the music. My code and office work goes to another drive called Office and my OS silently resides in my C drive. I have seen many people, and not just the technology illiterates, but even the tech savvy store sensitive data right on their desktop and in My Documents.

Nothing wrong with that, but if your system is used by multiple people, nosy in essence, you wouldn't want your privacy to be breached.

The NTFS file system provides adequate protection for data via Access Control Lists, but that is another topic altogether. Playing around with system folders in Windows, I found that you could make Explorer treat any folder as a shell folder with the right desktop.ini file and the System attribute. Although later research showed me that this is an old trick, I was still fascinated by its sheer simplicity.

Shell folders are special Windows folders like My Computer, Recycle Bin and My Network Places. I won't go into the details of why it works the way it works, but rather just show you how you could keep all your data inside a folder, make it appear as the Recycle Bin, keep it on your Desktop, and nobody browsing with Explorer would suspect there was data in it.

Here’s how:
1. Create a folder called “Secret” on your desktop and copy some files to it.

2. Open notepad [Start > Run > notepad] and type the following exactly as shown:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

3. Save the file as desktop.ini in the Secret folder on the desktop. Select “All Files” under “Save as type” in the Save As dialog of notepad and type the name of the file as desktop.ini

4. Open command prompt by going to Start > Run > cmd

5. Navigate to the directory containing your “Secret” folder, this would be the desktop in this example, using the cd command.

6. Type "attrib +S Secret" at the prompt and press Enter.

7. Navigate to your desktop and find your folder containing your precious cargo converted to the Recycle Bin. View the properties of the folder to find the Recycle Bin properties pop up.

8. Open it to find the contents of the Recycle Bin instead of your data.


This happens because Explorer, on finding a folder with the System (or Read-only) attribute set, reads the folder's desktop.ini and honours the Class Identifier [CLSID] under [.ShellClassInfo]; here that is the Recycle Bin's {645FF040-5081-101B-9F08-00AA002F954E}, so Explorer displays the Recycle Bin namespace instead of the folder's contents. Your data is still present in the folder and the file system does not hide it: dir in a command prompt, any other file manager, or any program that opens the path directly will list the files, and so will a user who simply clears the System attribute. This is concealment from casual Explorer users, not access control; against other accounts on the same machine, NTFS permissions are the real protection.

To get your data back, just open a command prompt, navigate to the Desktop and enter attrib -S Secret to remove the System attribute from the folder.

There are plenty of shell folders around Windows, but the ones I use most frequently are the following, with their CLSID values; just replace the CLSID value in the desktop.ini file:
My Computer: {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Recycle Bin: {645FF040-5081-101B-9F08-00AA002F954E}
My Network Places: {208D2C60-3AEA-1069-A2D7-08002B30309D}

To automate the entire process, I wrote a simple tool called FolderCloak that just allows you to do the above with a nice GUI interface. You can download FolderCloak [and my other tools] at http://riyazahemed.webng.com
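A defender's counterpart to the steps above, written as an added Python example for this page (it is not FolderCloak and not code from the original post): desktop_ini_for() produces the two-line desktop.ini from step 2, and find_cloaked_folders() walks a directory tree and reports every folder whose desktop.ini names one of the three CLSIDs listed above, together with the files that remain plainly visible inside it. That second function is the point: the disguise only affects how Explorer renders the folder, and a plain directory walk sees the cargo. Whether Explorer would honour the desktop.ini at all is checked via the folder's System or Read-only attribute, read from st_file_attributes, which only exists on Windows; on other systems it reports False. The Secret folder in demo() is constructed in a temporary directory.

```python
"""Cloaked-folder helper for the desktop.ini / CLSID trick described above.

Added example for this page; not FolderCloak and not code from the original
post. Writes the two-line desktop.ini and, for the other side of the desk,
finds folders disguised as shell objects while listing the files that stay
visible to anything that is not Windows Explorer.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# CLSIDs listed in the post; all three are documented Windows shell objects.
SHELL_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{208D2C60-3AEA-1069-A2D7-08002B30309D}": "My Network Places",
}
RECYCLE_BIN = "{645FF040-5081-101B-9F08-00AA002F954E}"
FILE_ATTRIBUTE_READONLY = 0x1  # Win32 attribute bits; Explorer reads desktop.ini
FILE_ATTRIBUTE_SYSTEM = 0x4    # only when one of these is set on the folder
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def desktop_ini_for(clsid):
    """The desktop.ini content from step 2, for one of the known shell CLSIDs."""
    if clsid.upper() not in SHELL_CLSIDS:
        raise ValueError(f"not a shell folder CLSID from the list: {clsid}")
    return f"[.ShellClassInfo]\nCLSID={clsid.upper()}\n"

def shellclass_clsid(text):
    """CLSID named in [.ShellClassInfo], upper-cased, or None if absent/malformed."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != ".shellclassinfo" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() == "clsid":
            return value.upper() if GUID_RE.fullmatch(value) else None
    return None

def explorer_honours_ini(folder):
    """True if the folder carries Read-only or System, the precondition for the disguise."""
    attrs = getattr(os.stat(folder), "st_file_attributes", 0)  # 0 off Windows
    return bool(attrs & (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM))

def find_cloaked_folders(root):
    """[(folder, disguise, visible_files, attribute_set)] for disguised folders under root.

    os.walk (FindFirstFile underneath on Windows) enumerates the cargo regardless
    of how Explorer renders the folder: the trick hides nothing from the file system.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        ini_name = next((f for f in files if f.lower() == "desktop.ini"), None)
        if ini_name is None:
            continue
        data = (Path(dirpath) / ini_name).read_bytes()
        # Explorer writes some desktop.ini files as UTF-16 with a BOM.
        text = (data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff")
                else data.decode("utf-8", "replace"))
        clsid = shellclass_clsid(text)
        if clsid in SHELL_CLSIDS:
            cargo = [f for f in files if f != ini_name]
            hits.append((dirpath, SHELL_CLSIDS[clsid], cargo, explorer_honours_ini(dirpath)))
    return hits

def demo():
    """Constructed tree: one cloaked 'Secret' folder and one plain folder."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "Secret"
        secret.mkdir()
        (secret / "notes.txt").write_text("constructed sample cargo\n")
        (secret / "desktop.ini").write_text(desktop_ini_for(RECYCLE_BIN))
        (Path(tmp) / "Plain").mkdir()
        return find_cloaked_folders(tmp)

if __name__ == "__main__":
    hits = find_cloaked_folders(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for folder, disguise, cargo, armed in hits:
        state = "active" if armed else "inactive (no System/Read-only attribute)"
        print(f"{folder}: shown as '{disguise}' in Explorer [{state}]; "
              f"{len(cargo)} visible file(s): {cargo}")
```

Point it at a user's Desktop or profile to find folders dressed up this way; a hit with the attribute flag set is exactly the Secret folder from the steps above, and the file list printed beside it is what any non-Explorer tool already sees. Only the three impersonation CLSIDs from the post are matched, so the desktop.ini that Windows itself places in My Documents or My Pictures is not reported.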

The Sound of Music at Central Station Antwerp (Belgium)

Picture this: around 200 people at a railway station, seemingly in their own worlds, laughing, walking, squatting, talking and doing all the other things that we humans do. And then the "Do Re Mi song" (Maria's song from The Sound of Music) starts playing on the station's speakers, which causes these seemingly ordinary people, utterly unknown to each other, to come together and perform a four-minute dance synchronized to the last step.

I don't care if it was shot as a publicity stunt for a reality show in Belgium, I don't care if the people at Antwerp station were all paid to dance, nor do I care if they had just 2 well-choreographed rehearsals. Hell, it's awesome!!

What I care about is how I managed to smile after having a tough day at office, about how I connected with the people, with the glow on their faces, with the sheer elation that the twinkling eyes expressed (although I couldn’t see them, I felt them) and the child in every single soul in that building..

I was amazed that there are things like swine flu, nuclear weapons, global warming, spontaneous human combustion, the Loch Ness monster, cancers, my shady neighbours and drugs on this planet. Well, these things can wait for 4 minutes.. I say go ahead and watch the video.. I'll just hum along..


Doe, a deer, a female deer
Ray, a drop of golden sun
Me, a name I call myself
Far, a long, long way to run
Sew, a needle pulling thread
La, a note to follow Sew
Tea, a drink with jam and bread
That will bring us back to Do (oh-oh-oh)


My first post!!

/* Turbo C style first program: conio.h supplies clrscr() and getch(). */
#include <stdio.h>
#include <conio.h>

int main()
{
    clrscr();
    printf("My first post!!");
    getch();
    return 0;
}

Well, I finally jumped on the bandwagon… I was wondering how long I would be able to escape the blob.. oh.. ah.. typo there.. the blog effect. It's 2:42 AM here in Bangalore, the 17th of June 2009 (oh, is it already, huh??), a nice time to begin blogging.. It's weird, though, that when I powered on my laptop an hour ago I had never thought I would be writing.. Such is life..


I stare at my laptop screen with shrivelled eyes, my pupils constricting under the strain of my day's work.. I go on.. Come on! It's my first post, I say.. I need to write something meaningful so that my kids (when I have them and when they are able to blog) can proudly show their friends what their super-dad had written this fateful night..

I thought there were other things in life people cared about..

Feeling too sleepy, I should retire before my fingers start typing gibberish.. I can't bear that on my blog.. at least not on my first post..

Good night..