Today we examine a quick malware analysis "life hack" to retrieve text from non-selectable windows. This is an essential skill when dealing with obfuscated error messages or foreign language alerts that hinder your investigation.
The Challenge
Often when examining a piece of malware, it will display non-selectable text boxes. These "dead" windows can appear for various reasons: program crashes, invalid parameters, or even intentional anti-analysis checks like virtual machine, debugger, or sandbox detection.
Whatever the reason, these strings often contain the "smoking gun"—API names, file paths, or specific error codes that provide valuable insight into the underlying code. However, if the text is in a different language or uses a specific character set, it becomes difficult for non-native speakers to manually type into a search engine or translation tool.
The "Ctrl+C" Secret
While many analysts reach for API monitors, OCR tools, or complex window-handle sniffers, there is a built-in Windows feature that is often overlooked. In almost all standard Windows MessageBox implementations, you can simply click the window to make it active and press CTRL + C.
Windows will automatically copy the title bar text, the message body, and the button labels into a formatted string on your clipboard. For example:
[Window Title]
Error
[Content]
The instruction at 0x00401234 referenced memory at 0x00000000. The memory could not be read.
[OK]
This is extremely powerful for foreign language malware. You can grab the text instantly, paste it into a translator, and identify the exact nature of the error or the demand being made by the malware authors.
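To get the pasted text into case notes in a structured form, the small parser below splits it into title, body and button labels and pulls out hex values as search pivots. It is an added example, not code from the original post; the function name, the "[Main Instruction]" label and the dashed-separator layout are assumptions about what other dialogs may put on the clipboard.

```python
import re

# "[Window Title]" and "[Content]" come from the sample above; "[Main Instruction]"
# and the dashed layout are assumptions about what other dialogs may emit.
SECTIONS = {"[Window Title]": "title", "[Main Instruction]": "instruction",
            "[Content]": "content"}
RULE = re.compile(r"-{5,}")                     # separator line, dashed layout
BUTTON_ROW = re.compile(r"(?:\[[^\]]+\]\s*)+")  # e.g. "[OK] [Cancel]"
HEX = re.compile(r"\b0x[0-9A-Fa-f]{4,16}\b")

def parse_dialog_text(text):
    """Split Ctrl+C dialog text into title, body, buttons and hex values."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    out = {"title": "", "instruction": "", "content": "", "buttons": []}
    if any(RULE.fullmatch(ln) for ln in lines):
        parts, cur = [], []
        for ln in lines:
            if RULE.fullmatch(ln):
                parts.append("\n".join(cur).strip())
                cur = []
            else:
                cur.append(ln)
        parts = parts[1:] + [""] * 3            # drop text before the first rule
        out["title"], out["content"] = parts[0], parts[1]
        out["buttons"] = [b for b in re.split(r"\s{2,}", parts[2]) if b]
    else:
        key = None
        for ln in lines:
            if ln in SECTIONS:
                key = SECTIONS[ln]
            elif BUTTON_ROW.fullmatch(ln):
                out["buttons"] += re.findall(r"\[([^\]]+)\]", ln)
                key = None
            elif key and ln:
                out[key] = (out[key] + "\n" + ln).strip()
    out["addresses"] = HEX.findall(out["title"] + "\n" + out["content"])
    return out

# Sample from the article, then a constructed dashed-layout sample.
BRACKETED = ("[Window Title]\nError\n[Content]\nThe instruction at 0x00401234 "
             "referenced memory at 0x00000000. The memory could not be read.\n[OK]")
DASHED = ("---------------------------\nОшибка\n---------------------------\n"
          "Не удалось прочитать память по адресу 0x0040A000.\n"
          "---------------------------\nОК   Отмена\n---------------------------\n")

if __name__ == "__main__":
    for sample in (BRACKETED, DASHED):
        print(parse_dialog_text(sample))
```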
Conclusion
You don't always need specialized software for string extraction. By utilizing the native clipboard behavior of Windows dialogs, you can bypass non-selectable text restrictions and speed up your analysis of crash reports and anti-analysis notifications. It’s simple, effective, and requires zero extra tools.
Happy hunting.
