
Bring your own lolbas?

July 5, 2019 in Living off the land, LOLBins, Reusigned Binaries

Recently, I was wondering what the best term is for binaries/scripts that are signed, can do the Lolbas thing, but are not necessarily installed on the system.

So far I have been covering many of these using the generic term ‘Re-usigned binaries’ (a portmanteau of ‘reuse’ and ‘signed’). But it’s not catchy enough. Could a better term be ‘Bring your own lolbas/lolbin’? BYOL? Kinda similar to Bring Your Own Vulnerability (BYOV)? In fact, a BYOL is a subset of BYOV.

I have covered many BYOL examples before, and I believe there will be a lot more in the future. After a very fertile research period, lolbin fans have explored most of the native OS executables, DLLs and scripts. It’s a natural course of events that their eyes will eventually turn to the other stuff.

The other stuff can be, e.g., a 7Zip program signed by legitimate companies. @Oddvarmoe posted about it on Twitter in April:

It triggered my interest and I set out on a path to discover more instances of various 7zip components signed by legitimate companies. The results of some very basic research are very promising: there are plenty of them:

  • ASUSTeK Computer Inc.
  • HUAWEI Technologies Co., Ltd.
  • NVIDIA Corporation
  • Samsung Electronics CO., LTD.
  • Trend Micro, Inc.

I won’t be posting hashes, because… well… why burn them… The other, less obvious bit is that these signed components are often old and could contain unpatched vulnerabilities as well.

…and the most 1337 #lolbin is…

July 4, 2019 in IDA/Hex-Rays, Living off the land, LOLBins

idaX.exe -Otest:

  • test – a DLL inside IDA’s plugins directory (with the appropriate file extension: DLL, PLW, P64)
  • idaX – ida[wtq](64)?, depending on the version

btw. IDA says:

Loading plugin C:\ida\plugins\test.plw… C:\ida\plugins\test.plw: incompatible plugin version, skipped

for my malformed IDA plugin test DLL, but the DLL is loaded nevertheless.
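As an added illustration (not from the original post), here is a small detection helper that flags process-creation command lines where an IDA executable is started with the -O switch and extracts the forced plugin name. The sample command lines are constructed, and allowing the version letter to be absent (plain ida.exe / ida64.exe) is my assumption beyond the ida[wtq](64)? pattern above.

```python
import re
from typing import List, Optional, Tuple

# IDA executable variants from the post (ida[wtq](64)?.exe); the optional
# letter is an assumption covering builds that ship plain ida.exe / ida64.exe.
IDA_EXE = r'(?:^|[\\/"\s])ida[wtq]?(?:64)?\.exe'
# The -O switch names a plugin that IDA loads from its plugins directory.
PLUGIN_OPT = r'(?:^|\s)-O(?P<plugin>[^\s"]+)'

IDA_RE = re.compile(IDA_EXE, re.IGNORECASE)
OPT_RE = re.compile(PLUGIN_OPT)  # -O is case-sensitive; -o means something else


def plugin_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the plugin name passed via -O if the command line runs IDA, else None."""
    if not IDA_RE.search(cmdline):
        return None
    m = OPT_RE.search(cmdline)
    return m.group('plugin') if m else None


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'"C:\ida\idaw.exe" -Otest',
    r'C:\ida\ida64.exe -Otest C:\samples\dropper.exe',
    r'"C:\ida\idaq.exe" C:\samples\benign.dll',   # IDA, but no forced plugin
    r'C:\Tools\notida.exe -Otest',                # not IDA: name only ends in "ida"
    r'"C:\ida\idat64.exe" -A -Oloader',           # other switches before -O
]


def find_plugin_loads(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (cmdline, plugin) for every IDA launch that forces a plugin via -O."""
    hits = []
    for line in cmdlines:
        plugin = plugin_from_cmdline(line)
        if plugin is not None:
            hits.append((line, plugin))
    return hits


if __name__ == '__main__':
    for line, plugin in find_plugin_loads(SAMPLE_CMDLINES):
        print(f'IDA plugin load via -O: plugin={plugin!r} cmdline={line}')
```

Since the post shows the DLL being loaded even when IDA reports it as an incompatible plugin, a hit is worth pairing with the image-load event for the matching plugins\<name>.plw/.p64/.dll file.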