
Sitting on the Lolbins, 10

August 31, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

Executing unsigned code is very easy when you have a signed .exe loading a DLL with a predetermined file name.

This is the case of a Dell Viewer Executable that expects to find a DLL named <file>retv.dll (where <file> is the executable's own base name) in the directory it is placed in. Launching the .exe loads and executes that DLL immediately, e.g. using a pair of signed test.exe + unsigned testretv.dll.

Verified:       Signed
Signing date:   10:42 2008-03-04
Publisher:      Dell Inc.
Company:        n/a
Description:    Viewer Executable
Product:        n/a
Prod version:   1.86.0.0
File version:   1.86.0.0
MachineType:    64-bit

Sample:

001494D4BC994C453F5055D01FB39B1BFA6738AA31E3DE4DD32D3850946ACA4A
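A defender's view of the pattern above is an image-load event where a signed process pulls an unsigned DLL from its own directory, and in this specific case a DLL whose name is the executable's base name plus "retv.dll". The following is an added example, not code from the post: it runs that check over a handful of constructed, Sysmon-like records (a simplified join of the process image's signature status from a process-create event with the module's signature status from an image-load event; the field names ImageSigned and ModuleSigned are assumptions of this example, not Sysmon's own).

```python
import ntpath
from dataclasses import dataclass

# Constructed sample records (not taken from the page). Each one combines the
# process path and its signature status with a module it loaded and that
# module's signature status. Only the first and last should be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\test.exe", "ImageSigned": "true",
     "ImageLoaded": r"C:\Users\alice\Downloads\testretv.dll", "ModuleSigned": "false"},
    {"Image": r"C:\Users\alice\Downloads\test.exe", "ImageSigned": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "ModuleSigned": "true"},
    {"Image": r"C:\Program Files\Vendor\tool.exe", "ImageSigned": "true",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "ModuleSigned": "true"},
    {"Image": r"C:\Temp\viewer.exe", "ImageSigned": "true",
     "ImageLoaded": r"C:\Temp\plugin.dll", "ModuleSigned": "false"},
]


@dataclass
class Finding:
    process: str
    module: str
    reason: str


def _same_dir(a: str, b: str) -> bool:
    # Windows paths are case-insensitive; compare directory parts accordingly.
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def _is_true(value) -> bool:
    return str(value).strip().lower() == "true"


def find_sideload_candidates(events, suffix: str = "retv.dll"):
    """Flag a signed process loading an unsigned DLL from its own directory.

    A DLL named <exe base name> + suffix gets a more specific reason, which is
    exactly the naming convention the post describes for the Dell viewer.
    """
    findings = []
    for ev in events:
        proc, mod = ev["Image"], ev["ImageLoaded"]
        # Interesting only when the host process is signed and the module is not.
        if not _is_true(ev["ImageSigned"]) or _is_true(ev["ModuleSigned"]):
            continue
        # Sideloading from the executable's directory is the pattern of interest;
        # unsigned modules elsewhere are a different question.
        if not _same_dir(proc, mod):
            continue
        stem = ntpath.splitext(ntpath.basename(proc))[0].lower()
        modname = ntpath.basename(mod).lower()
        if modname == stem + suffix:
            reason = f"unsigned <exe name>{suffix} loaded beside a signed executable"
        else:
            reason = "unsigned DLL loaded from the signed executable's own directory"
        findings.append(Finding(proc, mod, reason))
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.module}: {f.reason}")
```

The generic branch (any unsigned DLL from a signed executable's directory) is noisier than the name-based one, so in practice it is worth suppressing well-known vendor install directories and keeping the name-based match as the high-confidence signal.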

Sitting on the Lolbins, 9

August 30, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

This is not really a proper LOLBIN category, but is interesting for many reasons. How often do we see libraries that are written by A, sometimes even open source, but then they are signed by B?

I mentioned 7z a while ago, but there is more…

Examples:

Debugging Tools for Windows signed by NVIDIA Corporation:

Verified:       Signed
Signing date:   03:13 2014-07-04
Publisher:      NVIDIA Corporation
Company:        Microsoft Corporation
Description:    Windows Image Helper
Product:        Debugging Tools for Windows(R)
Prod version:   6.12.0002.633
File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
MachineType:    32-bit

Sample: 70FBA09DEDCDDCA02C38785071745C50CDB8C532BDB0C5A632F79EE5873C9405

OpenSSL Shared Library signed by Intel Corporation-Mobile Wireless Group:

Verified:       Signed
Signing date:   02:13 2012-09-13
Publisher:      Intel Corporation-Mobile Wireless Group
Company:        The OpenSSL Project, http://www.openssl.org/
Description:    OpenSSL Shared Library
Product:        The OpenSSL Toolkit
Prod version:   1.0.0b
File version:   1.0.0b
MachineType:    64-bit

Sample: 00471424438D68AE3F7E734808562A529D563243D156380A487C2D92D8EE4446

What are the benefits of using these?

  • They are signed
  • They are often not up to date, which makes them likely to carry known vulnerabilities
  • Their signatures are probably quite hard to get revoked
  • They are whitelisted by hash by many security solutions, including forensic suites, AV, EDR, etc.
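The two sigcheck-style listings above already contain what a triage script needs: the Authenticode signer (Publisher), the version-info CompanyName (Company) and the signing date. The following is an added example, not the author's code: it parses listings in that format, flags a signer that does not match the company in the version resource, notes when CompanyName is absent, and flags signatures older than a threshold relative to an "as of" date (the five-year threshold and the 2019-08-30 reference date are assumptions of this example). The signer/company comparison is a heuristic for prioritising review, since vendors legitimately redistribute and re-sign third-party components.

```python
import re
from datetime import datetime

# Listings copied from the post above (the page's own data).
SIGCHECK_NVIDIA = """\
Verified:       Signed
Signing date:   03:13 2014-07-04
Publisher:      NVIDIA Corporation
Company:        Microsoft Corporation
Description:    Windows Image Helper
Product:        Debugging Tools for Windows(R)
Prod version:   6.12.0002.633
File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
MachineType:    32-bit
"""

SIGCHECK_OPENSSL = """\
Verified:       Signed
Signing date:   02:13 2012-09-13
Publisher:      Intel Corporation-Mobile Wireless Group
Company:        The OpenSSL Project, http://www.openssl.org/
Description:    OpenSSL Shared Library
Product:        The OpenSSL Toolkit
Prod version:   1.0.0b
File version:   1.0.0b
MachineType:    64-bit
"""

# Constructed reference date for the age check (the date of the post).
AS_OF = datetime(2019, 8, 30)
MAX_AGE_YEARS = 5  # assumed threshold, tune to your environment


def parse_sigcheck(text: str) -> dict:
    """Turn 'Key:   Value' lines into a dict; keys may contain spaces."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def _norm(name: str) -> str:
    # Drop legal suffixes and punctuation so 'Microsoft Corporation' and
    # 'Microsoft Windows' still overlap on the organisation name.
    n = re.sub(r"\b(inc|corp|corporation|co|ltd|llc)\b\.?", " ", name.lower())
    return re.sub(r"[^a-z0-9]+", " ", n).strip()


def triage(fields: dict, as_of: datetime = AS_OF) -> list:
    """Return a list of human-readable review flags for one listing."""
    flags = []
    if fields.get("Verified") != "Signed":
        flags.append("not signed or signature not verified")
    pub = fields.get("Publisher", "")
    comp = fields.get("Company", "n/a")
    if comp.lower() == "n/a":
        flags.append("no CompanyName in version info")
    elif _norm(pub) not in _norm(comp) and _norm(comp) not in _norm(pub):
        flags.append(f"signer '{pub}' differs from version-info company '{comp}'")
    m = re.search(r"(\d{4}-\d{2}-\d{2})", fields.get("Signing date", ""))
    if m:
        signed = datetime.strptime(m.group(1), "%Y-%m-%d")
        age = (as_of - signed).days / 365.25
        if age >= MAX_AGE_YEARS:
            flags.append(f"signed {age:.0f} years before {as_of:%Y-%m-%d}; check for a newer build")
    return flags


if __name__ == "__main__":
    for label, text in (("NVIDIA", SIGCHECK_NVIDIA), ("OpenSSL", SIGCHECK_OPENSSL)):
        print(label, triage(parse_sigcheck(text)))
```

Both listings on the page trip the signer/company mismatch and the age check, which is the point of the post: the file is valid as far as the signature chain goes, yet the code inside is neither the signer's nor current.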