Dump password from exe(2)
This article is actually part two of “Extract/Dump password from exe” series. In part one, we focused on unpacking executable generated by script converter such as PyInstaller, Py2exe and AutoIt. In short, we will focus on executable compiled by Visual Studio and Delphi in this article. Basically, we will try to understand what information is available in the executable file via strings.exe. Although more and more developers are moving to Visual Studio today, but we still saw some applications and malware written by Delphi. Therefore, we will also cover Delphi in our discussion.
Why is it important?
If you are red team player, this article gives you an expectation what information (e.g. credential) is available in the executable file. In addition, traditional anti-virus relies on recognize the signature (keyword). If we have better understand of the relationship between source code and compiled executable, this certainly enhance the ability to evade the defense technology.
On the other hand, if you are blue team player, you may review with the developer before the credential information leak to wrong hand. Moreover, when performing initial malware analysis, you may also have correct expectation to evaluate the executable file.
Lab environment
In order to facilitate our discussion, some simple client applications directly connecting to database were designed. In general, the database connection between client application and databases requires a “connection string”. This connection string includes information such as IP address of database server and even user name and password. If “Integrated Security” is used for database connection, then the user name and password information is not available inside the executable file.
In our experiment, all programs written in Delphi (XE 2 and XE 10) were designed specifically connect to MySQL database. On the other hand, applications written in VB .Net, C#, C++ (Visual Studio 2013, 2017 and 2019) were designed to use MSSQL database. Below list the connection string information used by both MySQL and MSSQL database in our source code.
Server hostname | localhost |
Database Name | mytestdb |
User Name | mytestuser1 |
Password | AAAAABB_2 |
Source code used in lab
Firstly, we will give you a high-level overview of ALL source code used in our this experiment:
- A database connection component with connection string defined, and it is implemented either via “drag-and-drop” using IDE or runtime source code.
- A data source binding component which connecting the database connection component and data grid component, which is implemented either via “drag-and-drop” using IDE or runtime source code.
- A data grid component responsible to display information in database, and it is implemented either via “drag-and-drop” using IDE or runtime source code.
- A remark contains the string RemarkAAAAA was explicitly defined for our test cases. Later, we will see if remark is available after compiled the program.
- Multiple private and public variables and values with suffix AAAAA also defined.
All the source code using in our testing are also available download via our github repository here. We are not going to discuss every source code used in this testing because we do not want to make it a programming article. Therefore, instead of discuss the source code of each language, we will only discuss one example. Below is code snippet of VB .Net:
Public Class Form1
Dim MyClassVarAAA As String ' This variable name will be available via strings.exe
Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
' RemarkAAAAA Me.Tbl_personTableAdapter.Fill(Me.MytestdbDataSet.tbl_person)
Dim MyFunctionVarAAAAA As String
MyClassVarAAAAA = "MyClassValueAAAAA"
MyFunctionVarAAAAA = "MyFunctionValueAAAAA"
MsgBox("Static_MsgBox_MessageAAAAA")
MsgBox(MyClassVarAAAAA)
MsgBox(MyFunctionVarAAAAA)
End Sub
End Class
As shown above example, we have defined multiple variable and values using the keyword “AAAAA”. Later on, we will grep the keyword “AAAAA” and see what is included inside the executable file.
Detect it Easy
Before we move on to grep the keyword, let’s explore each executable file using amazing tool detect it easy.
As you may also aware, there are not much fruitful information from Detect it Easy at this stage. However, I prefer to use it as the first step to understand and evaluate the executable file.
Dump password from exe via strings.exe
So, we will move on to explore what information are available inside the executable file via the strings.exe. As I have said, we will try to grep the keyword “AAAAA” using findstr command.
Delphi
Visual Studio 2013
Visual Studio 2017
Visual Studio 2019
Summary
As shown above, we can see some key observation from our experiment.
- Firstly, remarks inside the source code is always not available
- Secondly, many of the results show “Password=AAAAABB_2”. If we try to grep keyword such as Password from the executable file, then credential information may be available.
- Thirdly, all the results show the password “AAAAABB_2”. Even though some of them do not contains the keyword “Password=” in a single line, it is still possible to build a dictionary for brute force attack.
- Fourthly, name of variable and value of variable may also available. It is also important to notice that traditional Anti-Virus relies on keyword inside the malware executable file. These keywords may also include variable name, values or debug messages. In fact, we have evade those traditional Anti-Virus many times by removing those keywords from the source code and re-compiled the executable file again.
To conclude, do not assume an executable file can help to keep your secrets, and attacker may be able to dump password from exe file. For instance, I saw some organization reasonably protect scripts containing credential, but wrongly left executable file with embedded credential unprotected. Moreover, executable packer such as upx can hide those credential information but the information still can be extracted. We will further explore Anti-Debugging techniques to protect an executable in the future.