Sitting on the Lolbins, 6

August 25, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

So many lolbins…

There is a class of Dell-written launchers that are picky about where their payload lives. To make any of them launch a program of our choosing, we need a 6-level directory traversal.

Why?

Because the launcher calls the GetPrinterDriverDirectory API to obtain the directory it will launch its payload from (on 32-bit Windows this resolves to C:\Windows\system32\spool\DRIVERS\W32X86). Depending on the OS major version (5 or 6), it then appends a version subfolder (2 or 3) to that path. The resulting base directory sits six levels below the drive root, which is where the six ..\ segments come from.

In other words, to run c:\windows\system32\notepad.exe, one passes the following argument to the launcher (<sample> stands for any of the Dell launchers listed below):

<sample> ..\..\..\..\..\..\windows\system32\notepad.exe
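To make the path arithmetic concrete, here is a small Python model of the lookup described above. It is an added example, not code from the original post or from Dell: it does not call GetPrinterDriverDirectory, it hard-codes the directory that API returns on a stock install (only the W32X86 one is named in the post; the x64 one, C:\Windows\system32\spool\DRIVERS\x64, is my assumption), and it assumes version subfolder 3. It builds the root-anchored traversal the post uses, checks what the launcher would actually execute, and adds a simple detection heuristic (depth threshold of 4 is my choice) for process-creation telemetry.

```python
"""Model of the Dell launcher path lookup: driver dir + version subfolder,
then a caller-controlled relative name. Added example, not the post's code."""
import ntpath
import re

# What GetPrinterDriverDirectory returns on a stock install.
# W32X86 is the value given in the post; x64 is an assumption.
DRIVER_DIRS = {
    "W32X86": r"C:\Windows\system32\spool\DRIVERS\W32X86",
    "x64": r"C:\Windows\system32\spool\DRIVERS\x64",
}


def launcher_base_dir(environment="W32X86", version_subdir="3"):
    """Directory the launcher expects its payload in (driver dir + "2"/"3";
    the post does not say which OS major version picks which, "3" assumed)."""
    return ntpath.join(DRIVER_DIRS[environment], version_subdir)


def resolve(base_dir, argument):
    """Path the launcher ends up executing: base dir joined with the
    caller-supplied relative name, with '..' segments collapsed."""
    return ntpath.normpath(ntpath.join(base_dir, argument))


def traversal_for(target, base_dir):
    """Build the root-anchored traversal used in the post: enough '..\\' to
    climb from base_dir to the drive root, then the target minus its drive."""
    base_drive, base_tail = ntpath.splitdrive(ntpath.normpath(base_dir))
    tgt_drive, tgt_tail = ntpath.splitdrive(ntpath.normpath(target))
    if base_drive.lower() != tgt_drive.lower():
        raise ValueError("target must be on the same drive as the launcher base dir")
    depth = len([p for p in base_tail.split("\\") if p])
    return "..\\" * depth + tgt_tail.lstrip("\\")


TRAVERSAL_RE = re.compile(r"^((?:\.\.[\\/])+)")


def traversal_depth(argument):
    """Number of leading '..' segments in a launcher argument (the '6' above)."""
    m = TRAVERSAL_RE.match(argument)
    return m.group(1).count("..") if m else 0


def suspicious(argument, base_dir, min_depth=4):
    """Detection heuristic (threshold is an assumption): a deep climb whose
    resolved path leaves the driver tree is what this trick looks like in
    a process-creation event's command line."""
    resolved = resolve(base_dir, argument).lower()
    inside_driver_tree = resolved.startswith(base_dir.lower() + "\\")
    return traversal_depth(argument) >= min_depth and not inside_driver_tree


if __name__ == "__main__":
    for env in DRIVER_DIRS:
        base = launcher_base_dir(env)
        arg = traversal_for(r"c:\windows\system32\notepad.exe", base)
        print(f"{env}: base={base}")
        print(f"  argument : {arg}")
        print(f"  resolves : {resolve(base, arg)}")
        print(f"  depth={traversal_depth(arg)} suspicious={suspicious(arg, base)}")
```

Running it shows the six-level climb for both driver directories, since both sit six components below C:\. Note that a shorter, non-root-anchored traversal (four levels, then notepad.exe) would also resolve to the same file; the root-anchored form is simply the one the post uses and the one a detection rule should expect to see.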

Samples (SHA-256):
0B7F97EC4792A65D5DFA596F2693E8ADBFBDBA340BF300BDB761B483D6922FF9
E11DFC77E4B9570425FAAAC65B26070448E83EB7B9451AA5A9B0B61F1E8FBCA6
