Dissecting VLC – Windows 7 x32


Author Name
Carlos A. Amorocho Acosta

Artifact Name
VLC media player 2.2.1 for win32

Artifact/Program Version
VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

vlc-2.2.1-win32.exe [1] -> SHA-1 checksum: 4cbcea9764b6b657d2147645eeb5b973b642530e (verified with sha1sum)

Value "CompanyName", "VideoLAN"
Value "ProductName", "VLC media player"
Value "ProductVersion", "vlc-2.2.1-win32.exe"
Value "FileVersion", "VLC 2.2.1"
Value "FileDescription", "VLC media player"
Value "LegalCopyright", "Copyright \251 @COPYRIGHT_YEARS@ VideoLAN and VLC Authors"
Value "LegalTrademarks", "VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN"

Description
Text

Registry Keys
Keys added: 1272 -> Obtained from Regshot
Values modified: 46 -> Obtained from Regshot

Summary
HKLM\SOFTWARE\Classes\Applications\vlc.exe
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}
HKLM\SOFTWARE\Classes\CLSID\{E23FE9C6-778E-49D4-B537-38FCDE4887D8}
HKLM\SOFTWARE\Classes\Directory\shell\AddToPlaylistVLC
HKLM\SOFTWARE\Classes\Directory\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\Interface\{0AAEDF0B-D333-4B27-A0C6-BBF31413A42E}
HKLM\SOFTWARE\Classes\Interface\{465E787A-0556-452F-9477-954E4A940003}
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vlc-plugin
HKLM\SOFTWARE\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}
HKLM\SOFTWARE\VideoLAN\VLC\

The rest is in the file regshot.txt.

/* Also try to get the proxy server address from Windows internet settings */
HKEY h_key;   /* declared by the enclosing function in the original source */

/* Open the key */
if( RegOpenKeyEx( HKEY_CURRENT_USER, "Software\\Microsoft"
                  "\\Windows\\CurrentVersion\\Internet Settings",
                  0, KEY_READ, &h_key ) != ERROR_SUCCESS )
    return NULL;   /* key not readable: no system proxy to report */

DWORD len = sizeof( DWORD );
DWORD proxyEnable;   /* REG_DWORD value: 4 bytes wide, matching len */

/* Get the proxy enable value */
if( RegQueryValueEx( h_key, "ProxyEnable", NULL, NULL,
                     (LPBYTE)&proxyEnable, &len ) != ERROR_SUCCESS
 || !proxyEnable )
    goto out;   /* value missing, or the user has the proxy switched off */

/* Proxy is enabled */
/* Get the proxy URL :
   Proxy server value in the registry can be something like "address:port"
   or "ftp=address1:port1;http=address2:port2 ..."
   depending on the configuration. */

This code is a fragment of VLC media player source code [2]; it needs windows.h and sits inside a function that goes on to read the "ProxyServer" value. Two defects in the fragment as originally quoted in this post are corrected here: the RegOpenKeyEx test compared against == ERROR_SUCCESS, so the function returned NULL exactly when the key could be opened, and proxyEnable was declared as a one-byte BYTE while len told RegQueryValueEx to write a four-byte DWORD into it.
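The two layouts of the "ProxyServer" value that the VLC comment describes ("address:port" or "ftp=address1:port1;http=address2:port2 ...") are easy to get wrong when parsing. The following is an added example, not VLC's code and not part of the original post: it parses that value and reproduces the ProxyEnable gating of the fragment above so the proxy a player would end up using for a given URL can be checked offline. The sample values are constructed, and the choice to return every entry as an http:// proxy URL is an assumption of this example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample values in the two layouts the VLC comment describes
# (not captured from a real machine).
SAMPLE_SINGLE = "proxy.corp.example:8080"
SAMPLE_PER_SCHEME = ("ftp=ftp-proxy.example:2121;"
                     "http=web-proxy.example:3128;"
                     "https=web-proxy.example:3129")


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a ProxyServer value into {scheme: "address:port"}.

    A bare "address:port" entry applies to every scheme and is stored
    under the key "*". Entries are ";"-separated and may carry stray
    whitespace, which is stripped; empty entries are ignored.
    """
    table: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            scheme, _, hostport = entry.partition("=")
            scheme = scheme.strip().lower()
        else:
            scheme, hostport = "*", entry
        hostport = hostport.strip()
        if hostport:
            table[scheme] = hostport
    return table


def resolve_windows_proxy(proxy_enable: int, proxy_server: str,
                          url: str) -> Optional[str]:
    """Mirror the gating in the VLC fragment: ProxyEnable == 0 means no
    proxy at all; otherwise pick the entry for the URL's scheme, falling
    back to a scheme-less "*" entry. Returns a proxy URL or None.

    Assumption of this example: the per-scheme key names the scheme of the
    target URL, so every entry is returned as an http:// proxy URL.
    """
    if not proxy_enable:
        return None
    table = parse_proxy_server(proxy_server)
    scheme = urlsplit(url).scheme.lower()
    hostport = table.get(scheme, table.get("*"))
    if hostport is None:
        return None
    return f"http://{hostport}"


if __name__ == "__main__":
    for target in ("http://example.org/", "ftp://example.org/f", "gopher://example.org/"):
        print(target, "->", resolve_windows_proxy(1, SAMPLE_PER_SCHEME, target))
```

When reviewing a capture of VLC's update check (see "Other Info" below), this is the value that decides whether the GET to update.videolan.org leaves the host directly or via the user's configured proxy.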

File Locations
During installation the installer unpacks its files into the user's temp folder; as soon as the installer process exits, this folder is cleaned up.

C:\Users\\AppData\Local\Temp\

Filename | Modified Count | Created Count | Deleted Count | Full Path | Extension
metachannels.luac | 1 | 1 | 0 | C:\Program Files\VideoLAN\VLC\lua\sd\metachannels.luac | luac (end process)
ns92A1.tmp | 4 | 1 | 1 | C:\Users\\AppData\Local\Temp\nsn9E1.tmp\ns92A1.tmp | tmp (clean folder)

C:\Program Files\VideoLAN\ (main folder: see the root folders in tree.txt)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN (shortcuts)
C:\Users\Public\Desktop (shortcut)
C:\Users\\AppData\Roaming\vlc (per-user configuration files: playlist, screen sizes, etc.)
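The Modified/Created/Deleted counts in the table above are the kind of summary one builds from the Process Monitor export listed later in the review archive. As an added example, not part of the original post and not taken from any of the tools it lists, the following rebuilds those per-file counts from a ProcMon CSV. It assumes ProcMon's usual export columns ("Time of Day","Process Name","PID","Operation","Path","Result","Detail") and its usual Detail wording ("OpenResult: Created", "Delete: True"); the events themselves are constructed to mirror the two files in the table.

```python
import csv
import io
import ntpath
from typing import Dict, List, Tuple

# Constructed events (Operation, Path, Detail); the paths mirror the table
# above, the sequence of operations is made up for the example.
_TMP = r"C:\Users\user\AppData\Local\Temp\nsn9E1.tmp\ns92A1.tmp"
_LUAC = r"C:\Program Files\VideoLAN\VLC\lua\sd\metachannels.luac"
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("CreateFile", _TMP, "Desired Access: Generic Write, Disposition: Create, OpenResult: Created"),
    ("WriteFile", _TMP, "Offset: 0, Length: 4,096"),
    ("WriteFile", _TMP, "Offset: 4,096, Length: 4,096"),
    ("WriteFile", _TMP, "Offset: 8,192, Length: 4,096"),
    ("WriteFile", _TMP, "Offset: 12,288, Length: 512"),
    ("CloseFile", _TMP, ""),
    ("SetDispositionInformationFile", _TMP, "Delete: True"),
    ("CreateFile", _LUAC, "Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"),
    ("WriteFile", _LUAC, "Offset: 0, Length: 1,024"),
    ("CreateFile", _LUAC, "Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"),
]

PROCMON_COLUMNS = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]


def build_procmon_csv(events: List[Tuple[str, str, str]]) -> str:
    """Serialise constructed events in the layout of a ProcMon CSV export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(PROCMON_COLUMNS)
    for i, (op, path, detail) in enumerate(events):
        writer.writerow([f"10:00:01.{i:07d} AM", "vlc-2.2.1-win32.exe", "1234",
                         op, path, "SUCCESS", detail])
    return buf.getvalue()


def file_change_counts(csv_text: str) -> Dict[str, Dict[str, object]]:
    """Aggregate per-path Modified/Created/Deleted counts from a ProcMon CSV.

    Mapping rules (assumed from ProcMon's usual Detail strings): a CreateFile
    whose Detail says "OpenResult: Created" is a creation, a WriteFile is a
    modification, a SetDispositionInformation* with "Delete: True" is a
    deletion. Only events with Result SUCCESS are counted.
    """
    counts: Dict[str, Dict[str, object]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        path = row["Path"]
        filename = ntpath.basename(path)
        entry = counts.setdefault(path, {
            "filename": filename,
            "modified": 0, "created": 0, "deleted": 0,
            "extension": ntpath.splitext(filename)[1].lstrip("."),
        })
        op, detail = row["Operation"], row["Detail"]
        if op == "CreateFile" and "OpenResult: Created" in detail:
            entry["created"] += 1
        elif op == "WriteFile":
            entry["modified"] += 1
        elif op.startswith("SetDispositionInformation") and "Delete: True" in detail:
            entry["deleted"] += 1
    return counts


def render_table(counts: Dict[str, Dict[str, object]]) -> str:
    """Render the counts in the same column order as the table above."""
    lines = ["Filename | Modified Count | Created Count | Deleted Count | Full Path | Extension"]
    for path, e in sorted(counts.items(), key=lambda kv: str(kv[1]["filename"])):
        lines.append(f"{e['filename']} | {e['modified']} | {e['created']} | "
                     f"{e['deleted']} | {path} | {e['extension']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(file_change_counts(build_procmon_csv(SAMPLE_EVENTS))))
```

Running it over a real export of "process Monitor dump.csv" (after filtering to the installer's PID) gives a quick way to confirm which temp files the installer wrote and then deleted, which is exactly the "clean folder" behaviour noted for ns92A1.tmp.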

Research Links
[1] http://get.videolan.org/vlc/2.2.1/win32/vlc-2.2.1-win32.exe
[2] http://get.videolan.org/vlc/2.2.0/vlc-2.2.0.tar.xz
[3] ftp://ftp.videolan.org/pub/videolan/
[4] http://www.videolan.org/
[5] http://ganesh.videolan.org
[6] http://update.videolan.org
[7] http://www.piriform.com/ccleaner
[8] https://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000184.html
[9] https://code.google.com/p/regshot/
[10] http://processhacker.sourceforge.net/
[11] https://notepad-plus-plus.org/
[12] https://technet.microsoft.com/en-us/library/bb896645.aspx
[13] https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
[14] https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
[15] http://www.nirsoft.net/utils/folder_changes_view.html
[16] https://www.cert.at/downloads/software/procdot_en.html
[17] https://github.com/Crypt0s/FakeDns
[18] http://portswigger.net/burp/
[20] https://remnux.org/

Forensic Programs of Use
VMware (Windows 7 x32 & Remnux)

Windows 7 x32 VM (without AV):
ccleaner
sha1sum
regshot
processHacker
notepad++
process Explorer
process Monitor
autoruns
folderChangesView

Remnux VM:
burp suite
tcpdump
fakedns
procdot

Other Info
Update process: the program sends an HTTP GET request to update.videolan.org (the server), which answers with the file "status-win-x86" sent back to the client.

Request Method: GET
Request URI: /vlc/status-win-x86
Request Version: HTTP/1.0
Host: update.videolan.org:80\r\n
User-Agent: NSPlayer/7.10.0.3059\r\n
Full request URI: http://update.videolan.org:80/vlc/status-win-x86
Expert Info (Chat/Sequence): GET /vlc/status-win-x86 HTTP/1.0\r\n

File for review.zip (please rename File for review.ioc to File for review.zip) contains:
* imports dll.txt
* modules.txt
* regshot.txt
* root folders in tree.txt
* systeminfo.txt
* threads.txt
* status-win-x86
* dump.pcap
* process Monitor dump.csv
* graphics for update process.png
* graphics run with update process.png
* graphics run without update process
* vlc512x512.png
