Sitting on the Lolbins, 12

September 6, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

What is a LOLBIN? Does it need to be signed?

These questions are not important really. If you can find a clean executable and make it run another program then it is already a… lolwin.

The unsigned SetupProxy.exe program does exactly that. All you have to do is to provide a setup.ini file that the setup program expects to see. Inside this .ini file you have to specify what programs to run for 32- and 64- bit systems e.g.:

[SETUP]
InstallPath=..\..\windows\system32\notepad.exe
InstallPath64=..\..\windows\system32\notepad.exe

You need to use a directory traversal trick as the program expects paths relative to the one it is ran from.

That’s it really.

Okay, one more thing… the program stores a verbose info about the setup progress inside a %TEMP%\LxProxy.log file:

/———————————————————————–\
| Friday, September 06, 2019 14:31:42
| Setup.exe
| Version:
|
| SetupProxy: to Launch Install GUI.
———————————————————————–/
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy::read registry for the language: Software\inkjet\install
SetupProxy::language from the regstry:
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar….\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44

Sample:

1DFFF3F5934AB61C861620CF2C6BC81FF8AF9A1E5F6A3D31B3315F8BE8BC3360

Share this :)

Comments are closed.