
Beyond good ol’ Run key, Part 101

February 2, 2019 in Anti-Forensics, Autostart (Persistence), Living off the land, LOLBins

This is a somewhat unusual way of establishing persistence.

We don’t add any Registry entries. We also don’t really drop any malicious executable files, unless we have to (fileless malware could establish persistence this way).

How?

By leveraging the omnipresent files unins000.dat and unins000.exe that are dropped by any setup program built with the InnoSetup installer.

One can build a small InnoSetup script e.g. like this:

[Setup]
AppName=test
AppVersion=1
DefaultDirName=.
DefaultGroupName=test
[Run]
Filename: "c:\windows\system32\calc.exe"
[UninstallRun]
Filename: "c:\windows\system32\notepad.exe"

After installing the .exe, we can collect the unins000.dat and unins000.exe that are generated during this session. They ensure that Notepad is executed when the application is uninstalled. An attacker could simply ‘borrow’ these and place them in a folder where unins000.dat and unins000.exe already exist (typically under c:\Program Files or c:\Program Files (x86) subfolders).

We need to replace unins000.exe too, because the custom-made unins000.exe files that are dropped by the installer may have dependencies that our unins000.dat doesn’t resolve.

Once the user tries to uninstall the program that relies on the InnoSetup uninstall process, unins000.exe will process the content of unins000.dat and will run Notepad.

Since unins000.exe is clean, and only unins000.dat is really the bad guy here, it is a sort of Lolbin, or Lolbinstaller. Security companies are forced to either detect the malicious content inside the .dat file, or rely on behavioral analysis.

Obviously, another trivial persistence method that is related to the uninstallation process, and one I believe I have not discussed before here, and one which is actually not related to InnoSetup per se, is to modify the Uninstall/QuietUninstall strings for the programs installed on the system.

While they typically point to the native uninstallers, there is no problem in replacing them with commands that can run any other program:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program name>\UninstallString = <string>

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program name>\QuietUninstallString = <string>

Anytime someone runs the uninstaller, they will run the command of the attacker’s choice. Again, the good news is that one needs rights to modify these entries, since they are under the HKLM key.

advpack.dll ! DelNodeRunDLL32 and its flags

November 24, 2018 in Archaeology, Living off the land, LOLBins

It’s one of these “I was looking at something else, and as usual, came across something else” cases. In this particular instance it was the good ol’ DelNodeRunDLL32 function exported by the advpack.dll.

A quick search followed, and I soon discovered that @bohops tweeted about it a while ago, so there was not that much to add…

However…

Looking closer at the DelNodeRunDLL32W function, I noticed that it tries to take two arguments, not one, as originally assumed. If the second argument is not present, it is assumed to be 0.

Why not check what the second argument is all about, though? And here we are…

A few more Google searches later we can (re-)discover that the DelNodeRunDLL32 function can delete both individual files and whole directories, and change its behavior if we ask it to.

How?

Via its flags, which we can pass as a command-line argument (the second one, as you have guessed by now).

Again, googling around I came across this header file that lists all the documented flags:

// FLAGS:
#define ADN_DEL_IF_EMPTY 0x00000001 // delete the directory only if it's empty
#define ADN_DONT_DEL_SUBDIRS 0x00000002 // don't delete any sub-dirs; delete only the files
#define ADN_DONT_DEL_DIR 0x00000004 // don't delete the dir itself
#define ADN_DEL_UNC_PATHS 0x00000008 // delete UNC paths

Running

  • rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test" – will wipe out the whole ‘test’ directory
  • rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test\file" – will delete the ‘file’ only
  • rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test",4 – will wipe out the whole ‘test’ directory except the ‘test’ directory itself
  • rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test",1 – will wipe out the whole ‘test’ directory only if it is empty
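To make use of this in process-creation telemetry, the following added example (my own code, not from the post) picks DelNodeRunDLL32 invocations out of rundll32 command lines and decodes the second argument against the ADN_ flags listed above; the sample command lines are constructed, and the flag value is assumed to be written in decimal, as in the post’s examples.

```python
import re
from typing import Optional

# Flag bits as listed in the header quoted above.
ADN_FLAGS = {
    0x1: "ADN_DEL_IF_EMPTY",
    0x2: "ADN_DONT_DEL_SUBDIRS",
    0x4: "ADN_DONT_DEL_DIR",
    0x8: "ADN_DEL_UNC_PATHS",
}

# rundll32 call of the export (A/W suffix optional); the rest of the
# line is captured as the raw argument string.
_CALL = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"[^"]*advpack\.dll"|\S*advpack\.dll)\s*,\s*'
    r'DelNodeRunDLL32[AW]?\b\s*(?P<args>.*)$',
    re.IGNORECASE,
)

def _split_args(raw: str):
    """Split '"path",flags' at the first comma outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(raw):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            return raw[:i].strip().strip('"'), raw[i + 1:].strip()
    return raw.strip().strip('"'), ""

def parse_delnode(cmdline: str) -> Optional[dict]:
    """Decode a DelNodeRunDLL32 command line; None if it is not one."""
    m = _CALL.search(cmdline)
    if not m:
        return None
    path, flags_text = _split_args(m.group("args").strip())
    # Missing second argument means 0 (per the post); decimal is an assumption.
    flags = int(flags_text, 10) if flags_text else 0
    names = [n for bit, n in ADN_FLAGS.items() if flags & bit]
    return {
        "path": path,
        "flags": flags,
        "flag_names": names,
        "unknown_bits": flags & ~sum(ADN_FLAGS),   # bits not in the header
        "deletes_directory_itself": not flags & 0x4,
        "only_if_empty": bool(flags & 0x1),
    }

# Constructed sample command lines, mirroring the post's examples.
SAMPLE_CMDLINES = [
    r'rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test"',
    r'rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test",4',
    r'rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\test",1',
    r'rundll32.exe advpack.dll,DelNodeRunDLL32W c:\test\file',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]

def scan(lines):
    """Return decoded hits for every DelNodeRunDLL32 call in the input."""
    return [r for r in (parse_delnode(l) for l in lines) if r is not None]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit)
```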

Little trivia, but always…