Non-Existent File Paths
This writeup will discuss the use of non-existent file paths and present a use case
I personally enjoy reading older computing books, forums, and articles. A host of weird backward-compatibility behaviour remains in modern systems and is sometimes forgotten. I came across this particular technique while reading VX-Underground's archive of The Old New Thing. This writeup looks again at odd Windows functionality and at some potential uses for offensive security practitioners. In this case, we'll see how traversal through non-existent file paths can obfuscate a program's behaviour against scanners that rely on known strings to detect malicious programs. The scanner used throughout is Loki, a YARA signature scanner developed by @Neo23x0.
The concept behind this manipulation is simple: Win32 path canonicalization collapses "." and ".." components lexically, in user mode, before the path is ever handed to the file system. The intermediate components are never opened or checked for existence, so a path such as C:\Windows\DoesNotExist\..\System32 resolves to C:\Windows\System32 even though DoesNotExist was never created. Because the intermediate directories do not have to be valid, we're free to use non-existent names in relative paths to traverse the Windows file system.
Another interesting consequence is that we are not limited to traversal. We can launch programs using false directories in the path, and because the command line is stored exactly as the parent supplied it, the launched process keeps these false directories in the command line information shown by tools such as System Informer.
It's important to remember that the directory does not exist, so any name can be used for it. Since Windows places no constraint on what that name looks like, the technique combines with other command-line spoofing techniques (such as cmdline buffer size reduction) to further obscure what the program is doing.
Another thing we can do with this technique is generate file paths that resolve to the same directory location but are stored in our binary as different strings. For example, we can use the following YARA rule to simulate a scanner looking for a malicious program that references a known path.
Our sample program can look something like this:
And we see that Loki does indeed find the malicious string in our executable.
But with one simple change, inserting a non-existent directory followed by "..", we break the signature while still referencing the same directory path.
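The following is an added example, not the author's sample program, the YARA rule, or any code from Loki. It demonstrates both points above: a single target path can be spelled many ways that collapse to the same location (the ".." is resolved lexically, so the inserted directory name is never looked up), and a rule that matches the literal string misses every variant while a check that canonicalizes embedded paths first does not. The target path, the bogus directory names, and the regexes are constructed for illustration; `ntpath.normpath` is used as a portable stand-in for Win32 canonicalization, with the real GetFullPathNameW called when running on Windows.

```python
"""Added example: lexical '..' collapsing and why a literal-string rule breaks.

ntpath.normpath collapses '.' and '..' without touching the file system, the
same way Win32 path canonicalization does. On Windows the real API is used.
Every path, name and pattern below is constructed for illustration.
"""
import ntpath
import re
import sys

# Constructed target: the path a naive string signature would look for.
TARGET = r"C:\Windows\System32\calc.exe"

# Drive-letter paths as a string scanner might extract them from a binary.
DOS_PATH_RE = re.compile(r'[A-Za-z]:[\\/][^\s"\'<>|]+')

# A directory component immediately followed by '..', i.e. '\NAME\..\', while
# ignoring ordinary '..\..\' traversal: the fingerprint this trick leaves.
DUMMY_TRAVERSAL_RE = re.compile(r'[\\/](?!\.\.?[\\/])[^\\/]+[\\/]\.\.(?=[\\/]|$)')


def win32_full_path(path: str) -> str:
    """Collapse '.' and '..' components without checking that they exist.

    On Windows this calls GetFullPathNameW; elsewhere ntpath.normpath performs
    the same lexical collapsing (and also turns '/' into '\\').
    """
    if sys.platform == "win32":
        import ctypes
        from ctypes import wintypes
        k32 = ctypes.windll.kernel32
        k32.GetFullPathNameW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD,
                                         wintypes.LPWSTR, ctypes.c_void_p]
        k32.GetFullPathNameW.restype = wintypes.DWORD
        buf = ctypes.create_unicode_buffer(32768)
        if k32.GetFullPathNameW(path, len(buf), buf, None):
            return buf.value
    return ntpath.normpath(path)


def bogus_variants(target: str, bogus_names) -> list:
    """Build strings that differ byte-for-byte but collapse to `target`.

    Each variant inserts a non-existent directory followed by '..' just before
    the final component. The name can be anything: it is never looked up.
    """
    head, tail = ntpath.split(target)
    return [ntpath.join(head, name, "..", tail) for name in bogus_names]


def naive_match(text: str, needle: str = TARGET) -> bool:
    """A literal-string rule: matches only the exact spelling of the path."""
    return needle in text


def normalized_match(text: str, target: str = TARGET) -> bool:
    """Canonicalize every embedded path before comparing it to the target.

    This is the defender-side counter: once '..' is collapsed the variants
    are indistinguishable from the plain path.
    """
    want = win32_full_path(target).lower()
    return any(win32_full_path(m).lower() == want
               for m in DOS_PATH_RE.findall(text))


def has_dummy_traversal(text: str) -> bool:
    """Flag '\\NAME\\..' segments, which legitimate paths rarely contain."""
    return bool(DUMMY_TRAVERSAL_RE.search(text))


if __name__ == "__main__":
    for p in bogus_variants(TARGET, ["NotARealDir", "Totally_Legit"]):
        print(f"{p}\n  -> {win32_full_path(p)}"
              f"  naive={naive_match(p)}  normalized={normalized_match(p)}"
              f"  dummy_traversal={has_dummy_traversal(p)}")
```

Note that `normalized_match` only sees what `DOS_PATH_RE` extracts, so paths containing spaces or stored as UTF-16 need a matching extraction step first; the point is that the comparison happens after canonicalization, not that this regex is a complete string extractor.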
In this writeup, we saw some of the interesting things we can do with non-existent file paths, including using them to circumvent YARA signatures. The technique requires little technical overhead and can be quickly adapted into existing TTPs. However, relative file paths in legitimate executables, particularly the requisite "..\DIRECTORY\.." format, are uncommon enough to be a signature in themselves, and a scanner that canonicalizes extracted paths before matching collapses every variant back to the same string. We'll continue to explore other weird Windows functionality in future writeups.
References

The Old New Thing, "Stupid cmd.exe tricks: Changing directories with forward slashes instead of backslashes" (2018-06-05): https://papers.vx-underground.org/papers/The%20Old%20New%20Thing/The%20Old%20New%20Thing%20-%202018%2006/2018-06-05%20-%20Stupid%20cmdexe%20tricks%20Changing%20directories%20with%20forward%20slashes%20instead%20of%20backslashes.pdf

The Old New Thing, "Stupid cmd.exe tricks: Entering a directory that doesn't exist, then immediately leaving" (2018-06-12): https://papers.vx-underground.org/papers/The%20Old%20New%20Thing/The%20Old%20New%20Thing%20-%202018%2006/2018-06-12%20-%20Stupid%20cmdexe%20tricks%20Entering%20a%20directory%20that%20doesnt%20exist%20then%20immediately%20leaving.pdf