Sitting on the Lolbins, 10

August 31, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

Executing unsigned code is very easy when you have a signed .exe loading a DLL with a predetermined file name.

This is the case with a Dell Viewer Executable that expects to find a DLL named <file>retv.dll (where <file> is the base name of the executable) in the same directory it is placed in. Launching the .exe loads and executes that DLL immediately, e.g. with a pair of signed test.exe + unsigned testretv.dll.
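The detection angle for this behaviour, as an added example that is not part of the original post: the derived DLL name is fully predictable from the executable's base name (test.exe loads testretv.dll), so image-load telemetry can be checked for a signed image pulling an unsigned <file>retv.dll from its own directory. The script below assumes Sysmon Event ID 7 (Image loaded) records flattened to key=value lines with the Image, ImageLoaded, Signed and Signature fields; the sample records are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath

# Constructed sample Sysmon Event ID 7 records, flattened to key=value lines.
# Record 1 mirrors the test.exe + testretv.dll pairing described in the post.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\test\\Desktop\\test.exe|ImageLoaded=C:\\Users\\test\\Desktop\\testretv.dll|Signed=false|Signature=-",
    "Image=C:\\Users\\test\\Desktop\\test.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    "Image=C:\\Program Files\\Vendor\\viewer.exe|ImageLoaded=C:\\Program Files\\Vendor\\viewerretv.dll|Signed=true|Signature=Dell Inc.",
]


def parse_event(line):
    """Turn one flattened 'k=v|k=v' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def expected_sideload_name(image_path):
    """Derive the <file>retv.dll name the viewer looks for, from the exe base name."""
    base = PureWindowsPath(image_path).stem
    return f"{base}retv.dll".lower()


def is_suspicious_retv_load(event):
    """True when an image loads an unsigned <file>retv.dll from its own directory."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    same_dir = loaded.parent == image.parent            # side-by-side, as the post describes
    name_match = loaded.name.lower() == expected_sideload_name(event["Image"])
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and name_match and unsigned


def find_sideload_candidates(lines):
    """Return the parsed records that match the unsigned <file>retv.dll pattern."""
    events = [parse_event(line) for line in lines]
    return [ev for ev in events if is_suspicious_retv_load(ev)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"suspicious load: {hit['Image']} -> {hit['ImageLoaded']}")
```

Only the first constructed record is reported: the second is a system DLL from another directory, and the third carries a vendor signature. A signed <file>retv.dll beside its executable is the legitimate deployment, so the rule keys on the unsigned case rather than on the name alone.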

Verified:       Signed
Signing date:   10:42 2008-03-04
Publisher:      Dell Inc.
Company:        n/a
Description:    Viewer Executable
Product:        n/a
Prod version:   1.86.0.0
File version:   1.86.0.0
MachineType:    64-bit

Sample:

001494D4BC994C453F5055D01FB39B1BFA6738AA31E3DE4DD32D3850946ACA4A
