Windows 10 installing mysterious device
Posted: Fri Dec 16, 2016 3:15 am
by jack
For the second time, Windows 10 tried to install a strange device; the icon in the task bar was a rectangular box that reminded me of some kind of compression.
In both instances I aborted the installation, but I would like to know what it is. Does anybody know what it might be?
Re: Windows 10 installing mysterious device
Posted: Fri Dec 16, 2016 4:48 am
by Mistrel
Take a screenshot for us?
Re: Windows 10 installing mysterious device
Posted: Fri Dec 16, 2016 5:26 am
by jack
Unfortunately I did not think of that, and I have no idea what triggers the install. If it happens again, I will take a screenshot.
Re: Windows 10 installing mysterious device
Posted: Fri Dec 16, 2016 5:29 am
by Keya
Run something like Sysinternals Filemon or Process Monitor to log the file accesses. The logs can be a pain to wade through, but they should have the answer.
Re: Windows 10 installing mysterious device
Posted: Fri Dec 16, 2016 5:22 pm
by tj1010
Keya wrote: Run something like Sysinternals Filemon or Process Monitor to log the file accesses. The logs can be a pain to wade through, but they should have the answer.
Definitely a lot easier than PrntScr. It's not as easy as using WinDBG and dumping SSDT tables and looking for DKOM, though.
My advice: look in Event Viewer > Software, or just post the screenshot or cropped bitmap. Serious threats don't use high-level registration.
Re: Windows 10 installing mysterious device
Posted: Sun Dec 18, 2016 5:26 am
by Lunasole
Those infinite Win10 problems... any serious reasons not to just delete it, send some "the finger" picture to an MS email, and go back to Win7? ^^
I generally don't like to waste my time and brain resources learning and digging into some new OS if it is not good enough compared to the previous one (and Win10 obviously is not; it is better to waste efforts on Linux, if on anything at all). The worst thing is that Win10 is a kind of black hole which sucks up such efforts without any results [because, as is visible from last year's trends, MS will anyway find something new to make a fool of you, and your PC will continue to live its own life regardless of what you want], unlike XP, Win7 or even 8.
Re: Windows 10 installing mysterious device
Posted: Sun Dec 18, 2016 6:31 am
by Keya
Btw, when you insert a new USB thumb drive for the first time and it installs a driver, what's a good way to extract that driver from it, so I can upload it to VirusTotal etc.? All the ones I've seen don't seem to have the driver as a part of the filesystem (I guess that makes sense, so it can still be compatible after a full format), so I'm guessing it's in the firmware, but clearly an OS like Windows knows how to extract it. I could use a file monitor, but I'm wondering if anyone has some more specific tricks/software for the task.
Re: Windows 10 installing mysterious device
Posted: Sun Dec 18, 2016 9:25 am
by Lunasole
Keya wrote: All the ones I've seen don't seem to have the driver as a part of the filesystem (I guess that makes sense, so it can still be compatible after a full format), so I'm guessing it's in the firmware
Drivers inside USB-drive firmware? :3 Never heard of that, and it is hard to believe (except maybe something related to UEFI: there might be special hidden GPT partitions; use non-Windows disk management utils to get at them).
Typically Windows uses one standard driver for all USB drives; it is built in from MS, and the file can be got from the Windows ISO or the system folders.
And forget about VirusTotal; this site is completely useless in such things (and in almost every other thing). It's too naive in 2016 to trust any AV vendor; none of them will treat any driver signed by MS as malicious [and if some driver can run on Win10, it is obviously signed].
Also, I can't tell about Win10, but at least in 7 you can still just go to Device Manager, open your device's properties and see the drivers it uses (then go to the system folders and get the driver files).
The second nice way is using tools like Process Hacker (again, not even sure it works under that Win10), or the Autoruns utility, to look at all drivers loaded in the system, as well as disabling/controlling them. I'm pretty sure you will get greatly surprised and then greatly paranoid if you take a look at all the drivers Win10 uses for something ^^
The other precious way is to use "hack tools" like RkUnhooker. Those tools clearly show what is going on at the system core, displaying all SSDT hooks + usual code/WinAPI hooks + allowing you to remove them, revealing drivers/processes which are hidden using low-level methods, and so on. Generally they are like kernel debuggers, but simpler and more functional; they can easily break any known AV software and make it defenseless, as well as disarm any kernel-mode rootkit, not to mention user-mode stuff. But it works only for XP; I still don't know such good tools for Win7 or higher (but would like to know, it is really cool to have such tools of god :3)
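For the two questions raised in this thread, "what device did Windows just try to install?" (Keya's Process Monitor suggestion above) and "which driver file did it pick?" (the Device Manager route Lunasole describes), Windows itself keeps the record in its Plug and Play setup log, %SystemRoot%\INF\setupapi.dev.log. The script below is an added example, not code from anyone in this thread: it parses the per-device "Device Install" sections of that log, pulls out the USB vendor/product IDs, the device setup class the device was assigned, the INF the driver came from and the exit status, and flags any install that landed in an input class (HIDClass, Keyboard, Mouse), since a "thumb drive" that enumerates as a keyboard is exactly the BadUSB case discussed later. The sample log text is constructed to resemble the real log's layout, not a capture; the regular expressions are written against that sample and may need adjusting for the exact wording of a given Windows version. The class GUIDs in the table are Microsoft's documented system-defined setup classes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of %SystemRoot%\INF\setupapi.dev.log (not a real capture):
# first a normal USB mass-storage stick, then a device of the same kind that enumerated as HID.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2016/12/16 03:14:22.117
     dvi: {Build Driver List} 03:14:22.201
     dvi:      Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
     dvi:      Selected driver installs from section [USBSTOR_BULK] in 'c:\windows\inf\usbstor.inf'.
<<<  Section end 2016/12/16 03:14:25.003
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_1A2B&PID_3C4D\5&1a2b3c4d&0&2]
>>>  Section start 2016/12/16 03:16:40.511
     dvi: {Build Driver List} 03:16:40.602
     dvi:      Class GUID of device changed to: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}.
     dvi:      Selected driver installs from section [HID_Inst] in 'c:\windows\inf\input.inf'.
<<<  Section end 2016/12/16 03:16:41.020
<<<  [Exit status: SUCCESS]
"""

# Microsoft system-defined device setup classes (keys kept lowercase for lookup).
KNOWN_CLASSES = {
    "{36fc9e60-c465-11cf-8056-444553540000}": "USB",
    "{4d36e967-e325-11ce-bfc1-08002be10318}": "DiskDrive",
    "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}": "HIDClass",
    "{4d36e96b-e325-11ce-bfc1-08002be10318}": "Keyboard",
    "{4d36e96f-e325-11ce-bfc1-08002be10318}": "Mouse",
}
INPUT_CLASSES = {"HIDClass", "Keyboard", "Mouse"}

# Patterns matching the constructed sample's line shapes.
SECTION_START = re.compile(r"^>>>\s+\[Device Install \((?P<origin>[^)]*)\) - (?P<instance>.+)\]\s*$")
SECTION_TIME = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
CLASS_GUID = re.compile(r"Class GUID of device changed to: (?P<guid>\{[0-9a-fA-F-]+\})")
DRIVER_INF = re.compile(r"Selected driver installs from section \[(?P<section>[^\]]+)\] in '(?P<inf>[^']+)'")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
VID_PID = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")


@dataclass
class InstallEvent:
    origin: str          # e.g. "Hardware initiated"
    instance_id: str     # device instance path, e.g. USB\VID_xxxx&PID_yyyy\serial
    started: str = ""
    class_guid: str = ""
    inf_section: str = ""
    inf_path: str = ""
    status: str = ""

    @property
    def vid_pid(self) -> Optional[str]:
        m = VID_PID.search(self.instance_id)
        return f"{m.group('vid').upper()}:{m.group('pid').upper()}" if m else None

    @property
    def class_name(self) -> str:
        return KNOWN_CLASSES.get(self.class_guid, "unknown")


def parse_setupapi_log(text: str) -> List[InstallEvent]:
    """Walk the log line by line, opening an event at each '>>> [Device Install ...]'
    header and closing it at the matching '<<< [Exit status: ...]' line."""
    events: List[InstallEvent] = []
    current: Optional[InstallEvent] = None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if m:
            current = InstallEvent(origin=m.group("origin"), instance_id=m.group("instance"))
            events.append(current)
            continue
        if current is None:
            continue  # text outside a Device Install section is ignored
        if m := SECTION_TIME.match(line):
            current.started = m.group("ts")
        elif m := CLASS_GUID.search(line):
            current.class_guid = m.group("guid").lower()
        elif m := DRIVER_INF.search(line):
            current.inf_section, current.inf_path = m.group("section"), m.group("inf")
        elif m := EXIT_STATUS.match(line):
            current.status = m.group("status")
            current = None
    return events


def flag_input_class(events: List[InstallEvent]) -> List[InstallEvent]:
    """Installs that put a device into a keyboard/mouse/HID class deserve a second look:
    that is the class a firmware-reprogrammed storage device would present."""
    return [e for e in events if e.class_name in INPUT_CLASSES]


def summarize(events: List[InstallEvent]) -> List[str]:
    """One line per install: time, VID:PID, setup class, INF name, status."""
    return [
        f"{e.started}  {e.vid_pid or e.instance_id}  {e.class_name:<9} "
        f"{e.inf_path.rsplit(chr(92), 1)[-1]:<12} {e.status}"
        for e in events
    ]


if __name__ == "__main__":
    parsed = parse_setupapi_log(SAMPLE_LOG)
    print("\n".join(summarize(parsed)))
    for ev in flag_input_class(parsed):
        print(f"REVIEW: {ev.vid_pid} enumerated as {ev.class_name} via {ev.inf_path}")
```

To use it on a real machine, read the actual log file (it needs an elevated prompt on most systems) and pass its contents to parse_setupapi_log; the INF path in each event is the driver file Device Manager would show, so you can hash or inspect it directly rather than hunting through Process Monitor output.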
Re: Windows 10 installing mysterious device
Posted: Sun Dec 18, 2016 10:11 pm
by tj1010
The only class of USB device that can automate malware delivery is HID, and only if the Windows driver store has a driver with a qualifying descriptor. Autorun was disabled on storage devices a long time ago, and USB doesn't have DMA for DKOM-type attacks like eSATA, Thunderbolt, ePCIe etc.
Driver part of the file system? You mean drives with firmware that has a mode or routine to put software on the USB-mounted volumes? Like encrypted thumb drives do?
Even registered USB HID devices can't create any kind of process; they just automate input to do it.
Re: Windows 10 installing mysterious device
Posted: Mon Dec 19, 2016 3:35 am
by Keya
https://www.wired.com/2014/07/usb-security/
[quote]Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.
The problem is that the majority of USB thumb drives, and likely other USB peripherals available on the market, do not protect their firmware—the software that runs on the microcontroller inside them, said Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs.
This means that a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard, Nohl said.[/quote]
^ great, sending SCSI commands directly ...

Btw, to satisfy my own curiosity, I found a simple example of using SCSI commands directly via ASPI from PureBasic in the first post here -
http://purebasic.info/phpBB3ex/viewtopic.php?f=5&t=114
http://www.pcworld.com/article/2460540/ ... uters.html
Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
Sounds very difficult to get at this firmware especially if the vendor has disabled comms for it...
http://reverseengineering.stackexchange ... are-device
The reason I was wondering is because I have a very suspect $10 eBay USB stick (it has a controller that lies to trick Windows Explorer etc. into saying "This is a 1TB drive", when really it's just ~1-10GB with a lying controller). I've set up a VM to properly look at it, but haven't had much time yet. But when I put it into the VM for the first time and open the drive in Explorer, I notice a file quickly appear and then disappear (in the root folder of the USB drive). This only happens the very first time; I have to revert the VM snapshot (i.e. "restore to previous state") to have it happen again. That happens when you see "Windows is installing drivers for this device". No, I don't know if it's installing something from its firmware (as opposed to Windows just searching its local stash of drivers), but that's what made me wonder! :)
Re: Windows 10 installing mysterious device
Posted: Thu Dec 22, 2016 12:05 am
by tj1010
Good thing 99.9% of malware authors are too lazy to work on a stable cross-chip solution, and the 0.1% don't care about botnets.
Two attacks:
- USB modem packet inspector.
- HID that uses hotkey attacks.
Both wait for idle-state messages, so they can only work when there is no user looking?
*after* custom firmware changes the class descriptor and finds a way to handle it all with the small SDRAM the flash controller has.