Sitting on the Lolbins, 4

August 23, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

I have always looked at my reverse engineering adventures as a way to become a better programmer. What I couldn’t understand from MSDN, or example code snippets I could almost certainly understand at the basic assembly level.

Sometimes though, when I look at some code, I do scratch my head a bit. The case I am going to describe below is one where I am left with a slightly worried state of mind. Is my programming craft better after seeing all this?

You decide.

A few years ago ASUSTeK produced a very interesting executable called Batch Caller Exe. As the name suggests it does run batch files. If we put aside the obvious but why, we still have to deal with the how.

The way it works is that you run it with one of the options described below:

file.exe /Install test

OR

file.exe /Uninstall test

The interesting bit is that the test in that syntax is a prefix for a batch file name. And the expected file name is actuall called <prefix>install_all.bat, or <prefix>uninstall_all.bat.

Using test as an example, you need to create either testinstall_all.bat or testuninstall_all.bat. They will be executed as per the command line arguments.

So, it of course gives us an option to disturb the process tree, maybe even bypass some filters, but… it feels odd, doesn’t it?

Sample: 035E9CC2FFC4D60581CA975FF73CD92FC93C0CDFCE57D3F7368781E95B907FBE

Share this :)

Comments are closed.