Beyond good ol’ Run key, Part 79

June 10, 2018 in Autostart (Persistence), Living off the land, LOLBins

This persistence post targets users of Total Commander (TC).

I love TC and have been using it for many years. Quite frankly… I really can’t imagine working on Windows w/o using this tool, and I really pity anyone who is using Windows Explorer either by choice or by force. The other good alternative to TC is FAR, but it’s far (unintended pun) less popular, and definitely not present in the corporate environment as much as TC…

Anyway…

Being so popular makes TC an obvious target and since it has such a rich functionality it’s very easy to abuse these features to stay on the system persistently.

There are many ways to do it… I doubt I can cover all of them, but let’s jot down some notes:

  • The system of plug-ins is an easy target, so I will skip its description as it’s boring (okay, you just drop a DLL into TC’s plug-in directory and ensure it’s registered to handle some file types, as a viewer, etc.). These are the officially supported plug-in types:
    • Packer Plug-ins
    • File-system Plug-ins
    • Lister Plug-ins
    • Content Plug-ins
    • (note that existing plug-ins can be swapped, or be subject to side-loading issues, etc.)
  • Not many people know about it, but TC accepts command line arguments, including:
    • /i=name.ini – a different location of the wincmd.ini file; a changed .ini file may include some extras
    • /INSTALLDRIVERQ – installs the ‘cglptnt’ service pointing to C:\WINDOWS\system32\DRIVERS\cglptnt.sys, which is copied there by TC – this file could be swapped
  • The next one I kinda like as an idea, as it’s quite subtle
    • TC offers a really cool functionality that allows you to quickly ‘jump to the directory’ from the menu
    • The function is activated by the CTRL+D keyboard shortcut
    • The actual ‘jump’ is implemented via a ‘cd’ command, so every new directory added to the menu will have a Command set to ‘cd <directory>’:
    • You can change this ‘cd’ command to e.g. c:\windows\system32\calc.exe
    • Next time someone attempts to change the directory to Windows, the calculator will be spawned:
    • The caveat is that the directory itself is not changed in such a case – I guess malware could send that sequence of keys to TC to force the directory change, or simply modify the entry back to its original content, and the user would be none the wiser – the command would work the second time they try; since it’s not a typical persistence (it only works when the menu is used), it could be used as a ‘backup’
  • TC handles some UAC cases kinda graciously
    • For example, if you want to enter c:\Windows\CSC directory, you will get this message box:
    • Hitting ‘As Administrator’ will engage Tcmadmin.exe program that is located in the TC program directory; swapping this program with your own will make TC launch your own program anytime it handles UAC business
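Since the hotlist trick above only shows up in the config file, a quick audit of wincmd.ini is the easiest way to spot it. The script below is an added example (not code from the post or from Total Commander); it assumes the hotlist lives in a [DirMenu] section with menuN/cmdN/pathN keys and flags every cmdN whose command is not a plain ‘cd’, using a constructed sample .ini.

```python
# Audit the Total Commander directory hotlist (Ctrl+D menu) stored in wincmd.ini.
# Every entry is expected to carry a "cd <path>" command; anything else (an
# executable, a script, cmd.exe, ...) deserves a closer look.
import configparser
import re
from typing import List, Tuple

# Constructed sample of a wincmd.ini; the [DirMenu] layout (menuN/cmdN/pathN) is
# an assumption about TC's file format, not copied from a real installation.
SAMPLE_WINCMD_INI = r"""
[Configuration]
UseIniInProgramDir=7

[DirMenu]
menu1=Windows
cmd1=cd c:\windows
path1=c:\windows
menu2=Temp
cmd2=cd %TEMP%
menu3=Projects
cmd3=c:\windows\system32\calc.exe
menu4=Tools
cmd4=cd c:\tools
path4=c:\tools
"""

CD_COMMAND = re.compile(r"^cd\s", re.IGNORECASE)
CMD_KEY = re.compile(r"^cmd(\d+)$", re.IGNORECASE)


def find_suspicious_hotlist_entries(ini_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, menu label, command) for every hotlist entry that does not start with 'cd'."""
    # interpolation=None keeps '%TEMP%'-style values from being treated as format strings
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    if not parser.has_section("DirMenu"):
        return []
    section = parser["DirMenu"]          # configparser lower-cases the keys for us
    findings = []
    for key, value in section.items():
        match = CMD_KEY.match(key)
        if not match:
            continue
        command = value.strip()
        if CD_COMMAND.match(command):
            continue                      # normal "cd <directory>" entry
        label = section.get("menu" + match.group(1), "<no label>")
        findings.append((key, label, command))
    return findings


if __name__ == "__main__":
    for key, label, command in find_suspicious_hotlist_entries(SAMPLE_WINCMD_INI):
        print(f"{key} ({label}): {command}")
```

On a real system, read the user's wincmd.ini (the /i= switch above shows it may not be in the default location) instead of the embedded sample.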

There are probably many other ways… and as a side note, since TC includes a native client for (S)FTP, it can be used to download/upload stuff as well…

So, in a way, TC is an ultimate… LOLBIN.

There you have it… but I want to emphasize one thing – this post is not meant to scaremonger you – TC is awesome, so consider purchasing it, and… keep an eye on its config files…

wab.exe as a LOLBin

May 1, 2018 in Living off the land, LOLBins

WAB stands for Windows Address Book. It’s also the name of a tool typically located at one of these two file paths:

  • c:\Program Files (x86)\Windows Mail\wab.exe
  • c:\Program Files\Windows Mail\wab.exe

In the past the program was used to manipulate .wab files, but nowadays it is a legacy tool and is not used that much anymore.

Still, we can use it to do one more thing for us…

When launched, it tries to load a wab32.dll library. The actual location and name of the DLL are determined by the following Registry value:

  • HKLM\Software\Microsoft\WAB\DLLPath

which typically points to:

  • %CommonProgramFiles%\System\wab32.dll

By changing this path you can load any DLL of your choice.

Only if the DLLPath Registry value cannot be resolved does the tool fall back to loading wab32.dll from the current directory. So, yet another opportunity for side-loading…