(SF)X Gonna Give It To Ya
Jun 15, 2024
Self Extracting Archives
Simply put, SFX files are PEs that can be generated from a number of file archiving programs. Their most basic functionality is being able to execute and extract files to a custom location.
Basic Usage
We will do everything in WinRAR as an example. Right click on your target file (calc.exe here), and click "Add to archive". You'll be greeted with a lovely interface:
This interface is the one we all know and love, but to use the SFX format, click a couple options on the right:
You can see it obviously appends the "exe" extension to the file. At its most simple level, if we create the file and then run the resulting binary, we get standard results:
Hitting Extract gives the most obvious result you can think of — it just extracts it to the target directory. All in all, pretty cool but nothing useful for penetration testing or any sort of offensive operation/campaign. So where can we begin?
Gettin' Busy With It
The meat and potatoes of using an SFX for an operation is in the advanced settings:
Heading in, we get the Advanced menu:
Let's touch on each of these modules.
General
Allows you specify the destination to extract to.
Setup
Allows you to run arbitrary commands both before and after extraction takes place. We will come back to this later :)
Modes
Allows you to put files in a temporary folder before heading to the final destination directory. Alternatively, allows you to hide the extraction dialog menu.
Advanced
Allows you to delete files at the target location, create shortcuts in arbitrary locations, or request administrative access.
Module
Allows you to specify the SFX module to be used.
License
License text would go here.
Text and Icon
Allows you to specify icons and such used in the GUI for extraction if you decide to have it.
Update
Specify whether or not you'd like extraction to ask before overwriting files.
Well that's all well and good, but how can we use it? Obviously, as many other articles have pointed out, you can throw your favorite LOLBIN in the Setup section and off you go.
(SF)X Gon' Deliver To Ya
Let's make a basic payload prior to moving onto any sort of standard evasions.
General
Let's extract to the user's roaming folder:
Setup
Let's just run our EXE (I'll let you figure out a better idea yourself ;) ):
Modes
Let's hit "Hide All" here so the victim doesn't get prompted:
Advanced
We will leave this with no changes.
Module
Also unchanged.
License
So, nothing needs to be put here, but feel free to add a Title and Text as it will still appear in the binary.
Update
Set the overwrite mode to "Overwrite all files":
Text and Icon
We can also leave this unchanged, as we are hiding the dialog menu anyway.
With all this, we have our generic SFX file. You probably won't get past too much stuff with this, but hey, you never know.
Talk Too Much For Too Long
All of this won't get you far into an engagement, especially if you are looking for a dropper or loader with a bit of stealth. Let's start by inspecting the file.
Heading over to the "Comment" section lets us see a bit more juice:
Hmm, a long static string that's at the top of every SFX archive? We don't like that at all. Digging through some old forum posts has us find a thread:
However, altering this in HxD shows we can still successfully run our post-install commands: (Ctrl + F you silly goose):
And it runs still:
An easy fix, but we can do better. Opening up Resource Hacker, let's remove some indicators from the file. You can remove every resource except "Dialog":
Now, add a resource that fits your pretext. Perhaps our payload is in conjunction with some sort of pretext that involved the victim playing a video. The uninitiated and laymen in the corporate world might fall for this quite easily. So, let's add resources from Windows Media Player:
Then, simply change it to a "SCR" extension (still executes as normal, as the PE hasn't changed):
Now obviously, this isn't too advanced, but it should help jog some thoughts on what you could execute or load here.
As a bit of a summary, here is a SFX Archive with the same post-extract command being run from the user's roaming folder, with a default Havoc Demon inside:
And here is the SFX Archive with our obfuscations:
(SF)X Don' Gave It To Ya
While nothing here is earth shattering, the entire point of this thread was to show how minor obfuscations can greatly increase your operational capability, and sometimes you just need to tinker around a little or put some modest elbow-grease in. There are many more changes you can make to an SFX, and coupled with your implants (or a modified Demon, which will be a future blog ;) ), you can easily get this through Top 5 commercial EDRs.
Thanks for reading!