
Beyond good ol’ Run key, Part 107

June 7, 2019 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins

This is a persistence and a code injection trick in one. It only affects environments where the NVIDIA CUDA Toolkit is present. If it is, the system will have these two environment variables set:


They typically point to legitimate NVIDIA DLLs, but one could point them at anything. The DLLs are loaded via LoadLibrary, so whatever path the variables hold is what ends up mapped into the loading process.

This is not a backdoor of any sort – just a legitimate profiler interface.
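A quick way to audit a box for this class of trick, as an added example that is not part of the original post: walk the machine- and user-scope environment variables, pick out any whose value is a DLL path, and check whether the file exists, is validly signed, and lives under a vendor/system directory. The script deliberately does not hardcode variable names, so it also catches other DLL-valued variables set for persistence; the "trusted directory" list and the suspicion heuristic are assumptions to tune to your baseline. Get-AuthenticodeSignature and the .NET Environment calls are standard.

```powershell
# Added example (not from the original post): find environment variables whose value
# points at a DLL and report whether that DLL looks legitimate.
function Get-DllEnvironmentVariable {
    param(
        # Scopes to inspect. Process scope is skipped: it only reflects this shell's
        # inherited view and would duplicate the two persistent scopes.
        [System.EnvironmentVariableTarget[]]$Scope = @('Machine', 'User')
    )

    # Assumption: DLLs under these roots are "expected"; anything else is flagged.
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ }

    foreach ($s in $Scope) {
        $vars = [System.Environment]::GetEnvironmentVariables($s)
        foreach ($name in $vars.Keys) {
            $value = [string]$vars[$name]
            # Only values that look like a path to a DLL are interesting here
            if ($value -notmatch '\.dll\s*$') { continue }

            $expanded = [System.Environment]::ExpandEnvironmentVariables($value.Trim())
            $exists   = Test-Path -LiteralPath $expanded -PathType Leaf

            $sigStatus = 'FileMissing'
            $signer    = ''
            if ($exists) {
                $sig       = Get-AuthenticodeSignature -LiteralPath $expanded
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            $inTrustedDir = $false
            foreach ($root in $trustedRoots) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedDir = $true
                }
            }

            [pscustomobject]@{
                Scope      = $s
                Name       = $name
                Path       = $expanded
                Exists     = $exists
                SigStatus  = $sigStatus
                Signer     = $signer
                # Heuristic (assumption): missing, unsigned/invalid, or outside a trusted root
                Suspicious = (-not $exists) -or ($sigStatus -ne 'Valid') -or (-not $inTrustedDir)
            }
        }
    }
}

Get-DllEnvironmentVariable | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so machine-scope variables and signature checks on protected paths succeed. Note the blind spot: a variable set only in the environment block of one process (for example, by a parent that launches the CUDA-using target) never lands in the Machine or User scope, so for that variant you would have to inspect the target process's environment block directly.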

Re-usigned binaries: NVFBC Screen & Video Capture library

June 7, 2019 in Living off the land, LOLBins, Malware Analysis, Reusigned Binaries, Silly

Traditional screen-grabbing malware uses a bunch of GDI APIs: CreateDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt. It may also use GDI+ to save screenshots as JPEG, GIF, PNG, etc. There are plenty of code examples online that demonstrate how to do it. Now, it turns out that the very same functionality can be programmed via existing, pretty convenient wrapper libraries offered by some of the GFX card vendors, so none of those familiar GDI calls need to show up in the malware's import table.

While poking around NVIDIA files I came across a very intriguing document NVIDIA Capture SDK Programming Guide [PDF Warning]. It describes a set of functions that help to capture screen/video snapshots using a NVIDIA helper library called NVFBC (or NVFBC64 on 64-bit systems). There is also an accompanying document called NVIDIA Capture Sdk Sample Descriptions [PDF Warning] that introduces samples that utilize NVIDIA SDK to do some screen/video capture work.

For instance, NvFBCToSys demonstrates how to use the NvFBCToSys interface to copy the desktop into a system memory buffer and save it as a file. The DX9/DX10/DX11/GL IFR SimpleSample targets DirectX 9, 10, 11, and OpenGL to capture a render target to a file. The DX9IFRSimpleHWEncode sample captures a render target, compresses it, and writes it to a video file. Googling around, it is easy to find more samples with similar code.

So, again, by introducing a signed proxy library one can deliver the desired functionality and potentially evade some of the security tools. Imagine reading and writing files via a Java library, taking screenshots via the NVFBC library, and utilizing other legitimate libraries for other purposes. You end up with a Frankenstein's monster, but one that may be harder and harder to distinguish from legitimate software.
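The flip side for defenders is that a library this specialised has a short list of legitimate consumers, which makes "who has NVFBC loaded?" a cheap hunt. The following is an added example, not code from the original post or from NVIDIA: it lists every process with NvFBC.dll or NvFBC64.dll (the library names from the post) mapped and shows whether the host executable carries a valid NVIDIA signature. Treating "signer contains NVIDIA" as the baseline is an assumption; legitimate third-party capture software that uses the SDK will show up too and needs to be whitelisted locally.

```powershell
# Added example (not from the original post): enumerate processes that have loaded the
# NVIDIA frame-buffer capture library and describe the host binary.
function Get-NvfbcHost {
    param(
        # Module names from the post; 32-bit and 64-bit flavours
        [string]$ModulePattern = '^NvFBC(64)?\.dll$'
    )
    foreach ($p in Get-Process) {
        $mods = $null
        # Reading the module list of protected/system processes throws access denied;
        # those are skipped rather than aborting the whole sweep.
        try { $mods = $p.Modules } catch { continue }

        $hit = $mods | Where-Object { $_.ModuleName -match $ModulePattern }
        if (-not $hit) { continue }

        $exe       = $p.Path
        $sigStatus = 'Unknown'
        $signer    = ''
        if ($exe) {
            $sig       = Get-AuthenticodeSignature -LiteralPath $exe
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            ProcessId  = $p.Id
            Process    = $p.ProcessName
            Exe        = $exe
            Module     = ($hit | Select-Object -First 1).FileName
            SigStatus  = $sigStatus
            Signer     = $signer
            # Heuristic (assumption): a non-NVIDIA or unsigned binary using NVFBC deserves a look
            Suspicious = ($sigStatus -ne 'Valid') -or ($signer -notmatch 'NVIDIA')
        }
    }
}

Get-NvfbcHost | Format-Table -AutoSize
```

Run this elevated to see modules of processes owned by other users. It is a point-in-time check: a grabber that loads the library, takes one capture and unloads it will not be caught, so for continuous coverage the same condition belongs in an image-load telemetry rule (Sysmon Event ID 7 or equivalent) keyed on the same module names.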