
Dump password from exe(2)


This article is part two of the “Extract/Dump password from exe” series. In part one, we focused on unpacking executables generated by script converters such as PyInstaller, Py2exe and AutoIt. In this article we focus on executables compiled by Visual Studio and Delphi, and specifically on what information can be recovered from the executable file via strings.exe. Although more and more developers are moving to Visual Studio today, we still see applications and malware written in Delphi, so Delphi is covered in our discussion as well.

Why is it important?

If you are a red team player, this article sets your expectations for what information (e.g. credentials) is available in an executable file. In addition, traditional anti-virus relies on recognizing signatures (keywords). A better understanding of the relationship between source code and compiled executable certainly enhances the ability to evade that defense technology.

On the other hand, if you are a blue team player, you can review this with the developers before credential information leaks into the wrong hands. Moreover, when performing initial malware analysis, you will have the right expectations when evaluating the executable file.

Lab environment

To facilitate our discussion, some simple client applications that connect directly to a database were written. In general, a database connection between a client application and a database requires a “connection string”. This connection string includes information such as the IP address of the database server and often the user name and password as well. If “Integrated Security” is used for the database connection, then no user name and password are present inside the executable file.

In our experiment, all programs written in Delphi (XE 2 and XE 10) were designed to connect to a MySQL database. The applications written in VB .NET, C# and C++ (Visual Studio 2013, 2017 and 2019) were designed to use a MSSQL database. The table below lists the connection string information used in our source code for both the MySQL and the MSSQL database.

Server hostname    localhost
Database name      mytestdb
User name          mytestuser1
Password           AAAAABB_2

Database connection information used specifically in our lab

Source code used in lab

Firstly, a high-level overview of ALL the source code used in this experiment. Each program contains:

  • A database connection component with the connection string defined, implemented either by “drag-and-drop” in the IDE or in runtime source code.
  • A data source binding component that connects the database connection component to the data grid component, implemented either by “drag-and-drop” in the IDE or in runtime source code.
  • A data grid component responsible for displaying the information in the database, implemented either by “drag-and-drop” in the IDE or in runtime source code.
  • A remark (source code comment) containing the string RemarkAAAAA, explicitly added for our test cases. Later, we will see whether the remark survives compilation.
  • Multiple private and public variables and values with the suffix AAAAA.

All the source code used in this testing is also available for download from our GitHub repository here. We are not going to discuss every source file used in this testing, because we do not want to turn this into a programming article. Therefore, instead of discussing the source code for each language, we will discuss only one example. Below is the code snippet for VB .NET:

Public Class Form1
    Dim MyClassVarAAAAA As String ' This variable name will be available via strings.exe

    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        ' RemarkAAAAA
        ' Designer-generated binding: loads tbl_person into the data grid via the dataset
        Me.Tbl_personTableAdapter.Fill(Me.MytestdbDataSet.tbl_person)
        Dim MyFunctionVarAAAAA As String
        MyClassVarAAAAA = "MyClassValueAAAAA"
        MyFunctionVarAAAAA = "MyFunctionValueAAAAA"
        MsgBox("Static_MsgBox_MessageAAAAA")
        MsgBox(MyClassVarAAAAA)
        MsgBox(MyFunctionVarAAAAA)

    End Sub
End Class

As shown in the example above, we have defined multiple variables and values containing the keyword “AAAAA”. Later on, we will grep for the keyword “AAAAA” and see what is included inside the executable file.

Detect it Easy

Before we move on to grep for the keyword, let’s examine each executable file with the excellent tool Detect It Easy (DIE).

Detect It Easy results for each executable (screenshots not reproduced here):

1) Delphi XE 2 (x64) compiled executable
2) Delphi XE 2 (x86) compiled executable
3) Delphi XE 10 Seattle (x64)
4) Delphi XE 10 Seattle (x86)
5) VB .NET 2013 (x64) + .NET Framework 4.5
6) VB .NET 2013 (x86) + .NET Framework 4.5
7) Visual C++ 2013 (x64) + .NET Framework 4.5
8) Visual C++ 2013 (x86) + .NET Framework 4.5
9) C# 2013 (x64) + .NET Framework 4.5
10) C# 2013 (x86) + .NET Framework 4.5
11) VB .NET 2017 (x64) + .NET Framework 4.6.1
12) VB .NET 2017 (x86) + .NET Framework 4.6.1
13) Visual C++ 2017 (x64) + .NET Framework 4.6.1
14) Visual C++ 2017 (x86) + .NET Framework 4.6.1
15) C# 2017 (x64) + .NET Framework 4.6.1
16) C# 2017 (x86) + .NET Framework 4.6.1
17) VB .NET 2019 (x64) + .NET Framework 4.7.2
18) VB .NET 2019 (x86) + .NET Framework 4.7.2
19) Visual C++ 2019 (x64) + .NET Framework 4.7.2
20) Visual C++ 2019 (x86) + .NET Framework 4.7.2
21) C# 2019 (x64) + .NET Framework 4.7.2
22) C# 2019 (x86) + .NET Framework 4.7.2

As you may be aware, Detect It Easy does not give much fruitful information at this stage. However, I prefer to use it as the first step to understand and evaluate an executable file.

Dump password from exe via strings.exe

So we will move on to explore what information is available inside the executable file via strings.exe. As mentioned, we will grep for the keyword “AAAAA” using the findstr command.

Delphi

strings.exe output for each Delphi executable (screenshots not reproduced here):

1) Delphi XE2 x64 + MySQL connection via CDS component
2) Delphi XE2 x86 + MySQL connection via CDS component
3) Delphi XE2 x64 + MySQL connection via unidac component
4) Delphi XE2 x86 + MySQL connection via unidac component
5) Delphi XE2 x64 + MySQL connection via zeoslib component
6) Delphi XE2 x86 + MySQL connection via zeoslib component
7) Delphi XE10 x64 + MySQL connection via CDS component
8) Delphi XE10 x86 + MySQL connection via CDS component
9) Delphi XE10 x64 + MySQL connection via unidac component
10) Delphi XE10 x86 + MySQL connection via unidac component
11) Delphi XE10 x64 + MySQL connection via zeoslib component
12) Delphi XE10 x86 + MySQL connection via zeoslib component
13) Delphi XE10 x64 + MySQL connection via firedac component
14) Delphi XE10 x86 + MySQL connection via firedac component
15) Delphi XE10 x64 FireMonkey GUI + MySQL connection via firedac component
16) Delphi XE10 x86 FireMonkey GUI + MySQL connection via firedac component

Visual Studio 2013

strings.exe output for each Visual Studio 2013 executable (screenshots not reproduced here):

1) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
2) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
3) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via App.config
4) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via App.config
5) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource, method 1
6) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource, method 1
7) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource, method 2
8) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource, method 2
9) Visual C++ 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource
10) Visual C++ 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource
11) C# 2013 x64 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
12) C# 2013 x86 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation

Visual Studio 2017

strings.exe output for each Visual Studio 2017 executable (screenshots not reproduced here):

13) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
14) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
15) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via App.config
16) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via App.config
17) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource, method 1
18) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource, method 1
19) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource, method 2
20) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource, method 2
21) Visual C++ 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource
22) Visual C++ 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource
23) C# 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
24) C# 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation

Visual Studio 2019

strings.exe output for each Visual Studio 2019 executable (screenshots not reproduced here):

25) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
26) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
27) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via App.config
28) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via App.config
29) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource, method 1
30) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource, method 1
31) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource, method 2
32) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource, method 2
33) Visual C++ 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource
34) Visual C++ 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource
35) C# 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
36) C# 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation

Summary

As shown above, there are some key observations from our experiment.

  • Firstly, remarks (source code comments) are never available in the executable.
  • Secondly, many of the results show “Password=AAAAABB_2”. If we grep the executable file for a keyword such as Password, credential information may be available.
  • Thirdly, all the results contain the password “AAAAABB_2”. Even where the keyword “Password=” and the value do not appear on a single line, it is still possible to build a dictionary from the extracted strings for a brute force attack.
  • Fourthly, variable names and variable values may also be available. It is also important to note that traditional anti-virus relies on keywords inside the malware executable. These keywords may include variable names, values or debug messages. In fact, we have evaded such traditional anti-virus many times simply by removing those keywords from the source code and re-compiling the executable.
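
The strings.exe + findstr step described above, re-implemented as an added example that is not part of the original article or its GitHub repository: it extracts both ASCII and UTF-16LE strings from a file and flags connection-string keys as well as the “AAAAA” marker, so a defender can run the same check on a build before it ships. The sample bytes are constructed for the demonstration, not a real executable.

```python
"""Added example (not from the original article): a scripted version of the
strings.exe + findstr check, usable as a pre-release gate for builds."""
import re
import sys

MIN_LEN = 4
# strings.exe reports both ASCII and UTF-16LE runs; both matter because .NET
# assemblies (VB .NET, C#) store literals as UTF-16, while Delphi and native
# C++ builds mostly keep ANSI strings.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Connection-string keys that reveal credentials or server details
# (ADO.NET / ODBC style; "user id" is listed before "user" on purpose).
CRED_KEY_RE = re.compile(r"(?i)\b(password|pwd|user id|user|uid|server|database)\s*=")


def extract_strings(data: bytes) -> list:
    """Return printable ASCII and UTF-16LE runs of at least MIN_LEN chars."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_credentials(data: bytes, keyword: str = "") -> dict:
    """Map each suspicious string to the reason it was flagged: a
    connection-string key, or an optional marker keyword (the "AAAAA" trick)."""
    hits = {}
    for s in extract_strings(data):
        if CRED_KEY_RE.search(s):
            hits[s] = "connection-string key"
        elif keyword and keyword in s:
            hits[s] = "marker keyword"
    return hits


# Constructed sample, not a real binary: an ANSI connection string (Delphi /
# C++ style), a UTF-16LE literal (.NET style) and a bare ODBC "PWD=" fragment,
# separated by junk bytes.
SAMPLE = (
    b"\x00MZ\x90\x00"
    + b"Server=localhost;Database=mytestdb;User=mytestuser1;Password=AAAAABB_2"
    + b"\x00\xff\x10"
    + "MyClassValueAAAAA".encode("utf-16-le")
    + b"\x00\x00PWD=AAAAABB_2\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for text, reason in find_credentials(blob, "AAAAA").items():
        print(f"[{reason}] {text}")
```

Run it with a path to an executable to scan that file; with no argument it scans the constructed sample and flags all three embedded items.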

To conclude, do not assume that an executable file keeps your secrets; an attacker may be able to dump passwords from an exe file. For instance, I have seen organizations reasonably protect scripts containing credentials, but wrongly leave executables with embedded credentials unprotected. Moreover, an executable packer such as UPX can hide this credential information, but it can still be extracted. We will explore anti-debugging techniques to protect an executable in a future article.
