Sitting on the Lolbins, 6

August 25, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

So many lolbins…

There is a class of Dell-written launchers that are very demanding: in order to use any of them to launch a program, one needs a 6-level directory traversal.


This is because the launcher relies on the GetPrinterDriverDirectory API to retrieve the directory it expects its target file to be launched from (the path resolves to C:\Windows\system32\spool\DRIVERS\W32X86 on 32-bit Windows). Then, depending on the OS major version (5 or 6), it appends an additional subfolder (2 or 3) to that path, and only then appends the file name it was given.

In other words, to run c:\windows\system32\notepad.exe, one has to run the following:

<sample> ..\..\..\..\..\..\windows\system32\notepad.exe
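To make the arithmetic behind those six ..\ visible, and to give a defender something to check command lines against, here is an added model of the path logic described above (example code, not the launcher's or the post's own; the function and constant names, and the sample file name driver.dll, are my own). It builds the base directory exactly as the post describes and then reports whether an argument walks out of that directory:

```python
import ntpath

# Constructed model of the launcher's path logic described in the post.
# The driver directory is the one GetPrinterDriverDirectory returns on
# 32-bit Windows (from the post); the OS-major-version -> subfolder mapping
# (5 -> 2, 6 -> 3) is also from the post. Names below are assumptions.
PRINTER_DRIVER_DIR = r"C:\Windows\system32\spool\DRIVERS\W32X86"
VERSION_SUBFOLDER = {5: "2", 6: "3"}


def launch_base_dir(os_major: int) -> str:
    """Directory the launcher prepends to its argument for a given OS major version."""
    return ntpath.join(PRINTER_DRIVER_DIR, VERSION_SUBFOLDER[os_major])


def resolve_launch_target(arg: str, os_major: int = 6) -> str:
    """Path the launcher ends up executing: base dir + argument, with ..\\ collapsed.
    ntpath is used so the Windows semantics hold on any host."""
    return ntpath.normpath(ntpath.join(launch_base_dir(os_major), arg))


def escapes_driver_dir(arg: str, os_major: int = 6) -> bool:
    """Detection helper: True when the argument resolves outside the expected
    subfolder, i.e. the launcher would run something that is not sitting in
    the printer driver directory. Compared case-insensitively, as NTFS does."""
    base = launch_base_dir(os_major).lower() + "\\"
    target = resolve_launch_target(arg, os_major).lower()
    return not target.startswith(base)


if __name__ == "__main__":
    # Constructed sample arguments: the six-level traversal from the post,
    # a five-level one that falls short, and a benign in-directory file name.
    for a in (r"..\..\..\..\..\..\windows\system32\notepad.exe",
              r"..\..\..\..\..\windows\system32\notepad.exe",
              r"driver.dll"):
        print(f"{a!r:52} -> {resolve_launch_target(a)}  escapes={escapes_driver_dir(a)}")
```

Run as-is it shows why exactly six levels are needed on a version-6 OS: five ..\ only get you back to C:\Windows, so the target would resolve to C:\Windows\windows\system32\notepad.exe, which does not exist.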


