Thegrideon Software. One less reason to worry.

QuickBooks Internals | QuickBooks 2017

QuickBooks Desktop 2017 is still based on the SQL Anywhere 16 database engine, and almost all basic procedures are the same as in QB 2016: logins, keys and SQL Anywhere logins, as well as implementation bugs. Apart from some cosmetic changes (new views and forms), there are two important updates: the Scheduled Backup and Search functions, and Integrated Applications management.

Scheduled Backups and Search:
For years QuickBooks allowed external libraries to be executed from SQL code, making it possible to launch arbitrary code from a modified QBW file. This functionality was used to launch Auto-Backup and the Search Indexer with code like:

create function "QBAdminGroup"."LaunchAutoBackup"( in "companyFileName" long varchar )
returns integer
external name 'QBADRHelper.dll::QBADRHelper.QBADRHelperClass.StartAutoBackupExe(string) int' language "CLR"


In QuickBooks 2017 Auto-Backup and the Search Indexer are back and are now based on the SQL Anywhere MESSAGE (callback) system. This is a much more secure approach, but for some reason LaunchAutoBackup and LaunchSearchIndexer are now obfuscated with the SET HIDDEN clause. Here it is "unhidden":

create function "QBAdminGroup"."LaunchAutoBackup"()
returns integer
begin
  declare "connId" integer;
  declare "outputString" varchar(1024);
  -- find the client connection that registered a message callback
  select "GetConnectionIdWithMsgCallback"() into "connId";
  if("connId" <> -1) then
    -- build and run: MESSAGE 'DOADR' TO CLIENT FOR CONNECTION <id> IMMEDIATE
    select "String"('MESSAGE ''DOADR'' TO CLIENT FOR CONNECTION ',"connId",' IMMEDIATE') into "outputString";
    execute immediate "outputString";
  else
    message 'No connection with callback found' to console;
  end if;
  return 0;
end
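
As an added check (not from this article and not QuickBooks' own code), the following SQL Anywhere query, run in dbisql against a company file opened with the engine, lists every stored function and procedure that declares an external library call (the mechanism behind the 2016-style LaunchAutoBackup above) and separately flags definitions whose source cannot be read (the SET HIDDEN case), so a suspect QBW can be compared with a known-good copy. It assumes the SYS.SYSPROCEDURE and SYS.SYSUSER catalog views of SQL Anywhere 16 and that an obfuscated definition contains no readable BEGIN keyword.

```sql
-- Added audit query (not part of the original article or of QuickBooks).
-- Classifies each user-created function/procedure in the opened company
-- file by how its body is defined:
--   external library call   : EXTERNAL NAME clause (native or CLR DLL)
--   plain SQL               : readable Watcom-SQL body
--   unreadable              : no readable source, e.g. SET HIDDEN obfuscation
-- Assumes SQL Anywhere 16 catalog views SYS.SYSPROCEDURE / SYS.SYSUSER.
SELECT u.user_name AS owner,
       p.proc_name,
       CASE
         -- checked first: external declarations have no BEGIN ... END body
         WHEN LOWER(p.proc_defn) LIKE '%external name%' THEN 'external library call'
         WHEN LOWER(p.proc_defn) LIKE '%begin%'         THEN 'plain SQL'
         ELSE 'unreadable (hidden or empty)'
       END AS kind,
       -- first 200 characters of the definition for a quick eyeball review
       LEFT(p.proc_defn, 200) AS definition_start
  FROM SYS.SYSPROCEDURE p
  JOIN SYS.SYSUSER u ON u.user_id = p.creator
 WHERE u.user_name NOT IN ('SYS', 'dbo')   -- skip engine-owned objects
 ORDER BY kind, owner, p.proc_name;
```

Rows classified as "external library call" name a DLL that the database engine will load, and rows classified as "unreadable" cannot be reviewed from the catalog alone; both are worth checking against a clean installation's company file.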


Integrated Applications, SDK, Apps:
Unattended access is the main security risk in the QuickBooks Integrated Applications infrastructure: user credentials have to be stored in order to grant an application unattended access to database content, and there is always a way to read, recover or access such stored credentials (if the SDK can access them, any third-party tool can access them as well).
Prior to QB version 2017, .LGB files were used to store Apps, access rights and login details. In QuickBooks 2017 pairs of .sds/.sdu files are used instead.
.SDS files are stored alongside the QBW and are basically just pointers to the .SDU.
.SDU files are stored in one location: "C:\Users\‹username›\Intuit\QuickBooks\‹hash based subfolder name›\‹qbw file name›.sdu".
.SDU files are very similar to .LGB files, with the exception of an extra layer of easily reversible encryption.
In contrast to prior versions, QuickBooks 2017 .sdu files are easy to locate and, to make things worse, an App named "ScheduledReports" is added to the .QBW/.SDU records with full Admin data access on every .QBW startup. As of the R4 update there is no way to permanently remove or disable it.

Thus in QuickBooks 2017 US or CA (up to R4 so far), database "Admin" level credentials are available by default to anyone with the current Windows login details.

QuickBooks Forensics is now set to scan for .sdu files and extract the details necessary to access database content, including encrypted sensitive data.
