Lolbin Ltd

May 23, 2020 in Living off the land, LOLBins

This is a LOLBin trick that forces the programmer to use a constrained programming style, hence ‘limited’ in the title.

LaunchTM.exe is a small executable that launches taskmgr.exe. It does so using a flawed approach, as it relies on an environment-variable-based path.


We can change this variable to whatever path we want, and LaunchTM.exe will then execute the <ourpath>\system32\taskmgr.exe program.

The only caveat is that some common DLLs (e.g. those responsible for the GUI) rely internally on %WINDIR% being set properly. To ensure the program doesn’t crash, the best course of action is to write taskmgr.exe so that it does not statically depend on too many libraries, i.e. relying on ntdll.dll, and perhaps kernel32.dll, only. Once the program starts, it can fix the environment variable to be able to load other libraries.
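Detection logic for the behaviour described above, added here as an example and not taken from the original post: it flags process-creation events in which LaunchTM.exe starts a child from anywhere other than the real system directory, plus any taskmgr.exe image outside it. The event field names follow Sysmon Event ID 1, the sample events are constructed, and the C:\Windows install location is an assumption.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows on the monitored hosts.
EXPECTED_TASKMGR = {
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\syswow64\taskmgr.exe",
}

def norm(path):
    """Lower-case, unify slashes and collapse '..' so paths compare reliably."""
    return ntpath.normpath(path).lower()

def find_redirected_launches(events):
    """Return (index, reason) for process-creation events that match the
    behaviour described above: LaunchTM.exe starting a taskmgr.exe that is
    not the one in the real system directory."""
    hits = []
    for i, ev in enumerate(events):
        image = norm(ev["Image"])
        parent_name = ntpath.basename(norm(ev["ParentImage"]))
        if image in EXPECTED_TASKMGR:
            continue  # the genuine Task Manager, whoever started it
        if parent_name == "launchtm.exe":
            hits.append((i, "LaunchTM.exe child outside system directory: " + image))
        elif ntpath.basename(image) == "taskmgr.exe":
            hits.append((i, "taskmgr.exe outside system directory: " + image))
    return hits

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\LaunchTM.exe",
     "Image": r"C:\Windows\System32\Taskmgr.exe"},
    {"ParentImage": r"C:\Windows\System32\LaunchTM.exe",
     "Image": r"C:\Users\Public\stage\system32\taskmgr.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\Taskmgr.exe"},
    {"ParentImage": r"C:\Windows\System32\LaunchTM.exe",
     "Image": r"C:\Windows\System32\..\Temp\system32\taskmgr.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"D:\tools\system32\taskmgr.exe"},
]

if __name__ == "__main__":
    for index, reason in find_redirected_launches(SAMPLE_EVENTS):
        print(index, reason)
```

Paths are normalized before comparison, so a `..` segment or mixed case in the logged image path does not hide a taskmgr.exe that resolves outside the system directory.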

[Screenshot: example in action]

[Screenshot: taskmgr.exe in action]
