Sitting on the Lolbins, 9

August 30, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

This is not really a proper LOLBIN category, but it is interesting for many reasons. How often do we see libraries that are written by A, sometimes even open source, and then signed by B?

I mentioned 7z a while ago, but there is more…

Examples:

Debugging Tools for Windows signed by NVIDIA Corporation:

Verified:       Signed
Signing date:   03:13 2014-07-04
Publisher:      NVIDIA Corporation
Company:        Microsoft Corporation
Description:    Windows Image Helper
Product:        Debugging Tools for Windows(R)
Prod version:   6.12.0002.633
File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
MachineType:    32-bit

Sample: 70FBA09DEDCDDCA02C38785071745C50CDB8C532BDB0C5A632F79EE5873C9405

OpenSSL Shared Library, signed by Intel Corporation-Mobile Wireless Group

Verified:       Signed
Signing date:   02:13 2012-09-13
Publisher:      Intel Corporation-Mobile Wireless Group
Company:        The OpenSSL Project, http://www.openssl.org/
Description:    OpenSSL Shared Library
Product:        The OpenSSL Toolkit
Prod version:   1.0.0b
File version:   1.0.0b
MachineType:    64-bit

Sample: 00471424438D68AE3F7E734808562A529D563243D156380A487C2D92D8EE4446

What are the benefits of using these?

  • They are signed
  • They are often not up to date, which means they are likely vulnerable
  • Their signatures are probably quite hard to revoke
  • They are whitelisted by hash by many security solutions, including forensic suites, AV, EDR, etc.
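The mismatch between the signer and the vendor named in the version resource is itself something a defender can hunt for. Below is an added example (my code, not from this post) that parses output in the layout quoted above, which is what Sysinternals sigcheck prints, and flags every signed file whose Publisher and Company name different vendors. The sample text is constructed from the two records in the post under hypothetical paths, plus one vendor-consistent record and one unsigned file; the `allow` set is where an analyst records pairs that have already been vetted.

```python
"""Triage helper: flag 'reusigned' binaries in Sysinternals sigcheck output,
i.e. files whose Authenticode signer (Publisher) names a different vendor
than the CompanyName in the PE version resource (Company).
Added example for this post; not the blog author's code."""
import re
import sys
from dataclasses import dataclass, field

# "Key:    value" lines as printed by sigcheck -a. Values may contain colons
# (URLs, times), so split only on the first colon that is followed by spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")
# A record header is the file path on a line of its own, ending in a colon.
PATH_RE = re.compile(r"^(\S.*):\s*$")

# Corporate-form and URL filler that legitimately differs between a certificate
# subject and a version-info CompanyName without implying a different vendor.
NOISE = {"the", "corporation", "corp", "inc", "incorporated", "ltd", "limited",
         "llc", "gmbh", "co", "company", "http", "https", "www"}


@dataclass
class Record:
    path: str
    fields: dict = field(default_factory=dict)

    def get(self, key):
        return self.fields.get(key.lower())


def parse_sigcheck(text):
    """Split sigcheck text into one Record per file (path header or blank line)."""
    records, cur = [], None

    def flush():
        nonlocal cur
        if cur is not None and cur.fields:
            records.append(cur)
        cur = None

    for line in text.splitlines():
        if not line.strip():
            flush()
            continue
        m = PATH_RE.match(line)
        if m:
            flush()
            cur = Record(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            if cur is None:          # field lines with no path header, as quoted in the post
                cur = Record("")
            cur.fields[m.group(1).lower()] = m.group(2)
    flush()
    return records


def vendor_tokens(name):
    """Lower-case word set for a vendor string with NOISE words removed."""
    return {w for w in re.findall(r"[a-z0-9]+", name.lower()) if w not in NOISE}


def vendors_agree(publisher, company):
    """True when one vendor name is contained in the other after normalisation,
    e.g. signer 'Microsoft Windows' vs CompanyName 'Microsoft Corporation'."""
    p, c = vendor_tokens(publisher), vendor_tokens(company)
    if not p or not c:
        return True                  # nothing comparable; do not raise a false alarm
    return p <= c or c <= p


def find_reusigned(text, allow=frozenset()):
    """Return signed records whose Publisher and Company name different vendors.
    `allow` holds (publisher, company) pairs an analyst has already vetted."""
    hits = []
    for rec in parse_sigcheck(text):
        if (rec.get("Verified") or "").lower() != "signed":
            continue                 # unsigned or untrusted files are a separate check
        pub, comp = rec.get("Publisher") or "", rec.get("Company") or ""
        if pub.lower() in ("", "n/a") or comp.lower() in ("", "n/a"):
            continue
        if (pub, comp) in allow or vendors_agree(pub, comp):
            continue
        hits.append(rec)
    return hits


# Constructed sample in sigcheck -a layout: the two records quoted in the post
# under hypothetical paths, one vendor-consistent record, and one unsigned file.
SAMPLE = r"""
c:\samples\a.dll:
        Verified:       Signed
        Signing date:   03:13 2014-07-04
        Publisher:      NVIDIA Corporation
        Company:        Microsoft Corporation
        Description:    Windows Image Helper
        Product:        Debugging Tools for Windows(R)
        Prod version:   6.12.0002.633
        File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
        MachineType:    32-bit
c:\samples\b.dll:
        Verified:       Signed
        Signing date:   02:13 2012-09-13
        Publisher:      Intel Corporation-Mobile Wireless Group
        Company:        The OpenSSL Project, http://www.openssl.org/
        Description:    OpenSSL Shared Library
        Product:        The OpenSSL Toolkit
        MachineType:    64-bit
c:\samples\c.dll:
        Verified:       Signed
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
c:\samples\d.exe:
        Verified:       Unsigned
        Publisher:      n/a
        Company:        Example Software Ltd
"""

if __name__ == "__main__":
    # Usage: sigcheck -a -s c:\target > out.txt ; python reusigned.py out.txt
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE)
    for rec in find_reusigned(text):
        print(f"{rec.path}: signed by '{rec.get('Publisher')}' "
              f"but CompanyName is '{rec.get('Company')}'")
```

Run against the built-in sample it reports the NVIDIA-signed debugging tool and the Intel-signed OpenSSL library and stays quiet on the Microsoft Windows / Microsoft Corporation pair, which is the usual benign case. The token-subset comparison is deliberately loose so that certificate subjects with extra words (product lines, group names) do not flood the output; anything it still flags is worth a manual look, and pairs that turn out to be legitimate go into `allow` rather than into the comparison logic.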