Squirrel as a Lolbin

August 16, 2018 in Living off the land, LOLBins

Squirrel is an installation and update framework for Windows desktop apps. It is used by many applications (e.g. Slack) and as a result can be found on many systems. Like other installers I described previously, Squirrel includes a bunch of components / routines that can be used to simplify typical installation tasks. This makes it a good candidate for a lolbin.

The simplest way to use a Squirrel component as a lolbin is to copy a test file to the application directory of the installed application, and then run Update.exe with a ‘processStart’ command line argument.

I will use Slack as an example, but it can be any application really.

  • Go to c:\Users\<user>\AppData\Local\slack\
  • Find the folder where application files are e.g. app-3.3.0\
  • Drop your test.exe there
  • Now run ‘Update.exe --processStart test.exe’

That’s it. The test.exe should be executed.

There are alternatives: one could prepare a nuget installation package and use the update process to download it from the internet and run it.

Below is a full list of arguments that the tool supports (including the semi-documented ones, i.e. those that are not listed when --help is used as a command line argument):

--install=VALUE - Install the app whose package is in the specified directory
--uninstall - Uninstall the app the same dir as Update.exe 
--download=VALUE - Download the releases specified by the URL and write new results to stdout as JSON
--checkForUpdate=VALUE - Check for one available update and writes new results to stdout as JSON
--update=VALUE - Update the application to the latest remote version specified by URL
--releasify=VALUE - Update or generate a releases directory with a given NuGet package
--createShortcut=VALUE - Create a shortcut for the given executable name 
--removeShortcut=VALUE - Remove a shortcut for the given executable name
--updateSelf=VALUE - Copy the currently executing Update.exe into the default location
--processStart=VALUE - Start an executable in the latest version of the app package
--processStartAndWait=VALUE - Start an executable in the latest version of the app package
-h, -?, --help - Display Help and exit
-r, --releaseDir=VALUE - Path to a release directory to use with releasify
-p, --packagesDir=VALUE - Path to the NuGet Packages directory for C# apps
--bootstrapperExe=VALUE - Path to the Setup.exe to use as a template
-g, --loadingGif=VALUE - Path to an animated GIF to be displayed during installation
-i, --icon=VALUE - Path to an ICO file that will be used for icon shortcuts
--setupIcon=VALUE - Path to an ICO file that will be used for the Setup executable's icon
-n, --signWithParams=VALUE - Sign the installer via SignTool.exe with the parameters given
-b, --baseUrl=VALUE - Provides a base URL to prefix the RELEASES file packages with
-a, --process-start-args=VALUE - Arguments that will be used when starting executable
-s, --silent - Silent install
-l, --shortcut-locations=VALUE - Comma-separated string of shortcut locations, e.g. 'Desktop,StartMenu'
--no-msi - Don't generate an MSI package
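
Since Update.exe is a legitimate binary, its command line is the place to look for the usage described above. The following is an added detection example, not code from the original post or from the Squirrel project; it reviews process-creation events for --processStart targets and --update / --download sources that fall outside a baseline. The allowlists, host names and sample events are constructed assumptions.

```python
import ntpath
import re

# Assumption: binaries each app's Update.exe is expected to launch, keyed by
# the folder that holds Update.exe. An app with no entry has no baseline, so
# every launch target under it is reported.
EXPECTED_TARGETS = {"slack": {"slack.exe"}}
# Assumption: hosts this organisation expects Squirrel updates to come from.
EXPECTED_UPDATE_HOSTS = {"updates.example.com"}

# Matched loosely on purpose (-, -- or / prefix, '=' or space, any case):
# over-matching is acceptable for a detection rule.
OPTION_RE = re.compile(
    r'(?:--?|/)(processStartAndWait|processStart|update|download)'
    r'[=\s]+("[^"]*"|\S+)', re.IGNORECASE)
URL_HOST_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)


def review_update_exe(image, command_line):
    """Return findings for one process-creation event (image + command line)."""
    if ntpath.basename(image).lower() != "update.exe":
        return []
    app = ntpath.basename(ntpath.dirname(image)).lower()
    findings = []
    for option, value in OPTION_RE.findall(command_line):
        value = value.strip('"')
        if option.lower().startswith("processstart"):
            target = ntpath.basename(value).lower()
            if target not in EXPECTED_TARGETS.get(app, set()):
                findings.append(f"unexpected launch target: {target}")
        else:  # --update / --download: check where the package comes from
            host = URL_HOST_RE.match(value)
            if host and host.group(1).lower() not in EXPECTED_UPDATE_HOSTS:
                findings.append(f"update host not allowlisted: {host.group(1)}")
    return findings


# Constructed sample events, not real telemetry.
SLACK_UPDATE = r"C:\Users\alice\AppData\Local\slack\Update.exe"
SAMPLE_EVENTS = [
    (SLACK_UPDATE, "Update.exe --processStart slack.exe"),
    (SLACK_UPDATE, "Update.exe --processStart test.exe"),
    (SLACK_UPDATE, "Update.exe --update=https://pkgs.example.net/releases"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(cmd, "->", review_update_exe(image, cmd) or "ok")
```
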

SystemSettings.exe – yet another Lolbin for loading DLLs

August 12, 2018 in Living off the land, LOLBins

This is another quickie. Only noticed this one after posting the previous post (hint: look for .exe files that include ‘StartApplication’ in their strings).

\WINDOWS\ImmersiveControlPanel\SystemSettings.exe uses LoadLibrary to load SystemSettings.dll, so if you copy it to a different folder and drop your own SystemSettings.dll there, you will be able to load it via a signed .exe once you execute SystemSettings.exe.