
Lolbin WOW Ltd

May 23, 2020 in Living off the land, LOLBins

It turns out there is one more lolbin one can create that is subject to the constraints described previously. And not only that — there is one more extra limitation in this case: only the 32-bit version of this executable exhibits lolbin properties.

When you run the 64-bit msra.exe on a 64-bit system, it just starts as it should. But if you run the 32-bit version, it detects that it is running on a 64-bit system and immediately launches the 64-bit version. So, same as in the previous example, we just change windir to our own path, and c:\test\system32\msra.exe will be executed. Note that we force the 32-bit msra.exe to be run by using a full path pointing to the SysWOW64 directory:

set windir=c:\test & c:\windows\syswow64\msra.exe

Lolbin Ltd

May 23, 2020 in Living off the land, LOLBins

This is a lolbin trick that forces the programmer to use a constrained programming style, hence ‘limited’ in the title.

LaunchTM.exe is a small executable that launches taskmgr.exe. It does so using a flawed approach, as it relies on an environment-variable-based path:

%WINDIR%\System32\Taskmgr.exe 

We can change this variable to whatever path we want, and as a result LaunchTM.exe will execute the <ourpath>\system32\taskmgr.exe program.

The only caveat is that some common DLLs (e.g. those responsible for the GUI) rely internally on %WINDIR% being set properly. To ensure the program doesn't crash, the best course of action is to write taskmgr.exe to be statically independent of too many libraries, i.e. relying on ntdll.dll, and perhaps kernel32.dll, only. Once the program starts, it can fix the environment variable and then be able to load other libraries.
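Defender-side addition covering both posts above (not code from the original page): a small Python check run over constructed process-creation records that flags LaunchTM.exe and the 32-bit msra.exe when the child they spawn is loaded from outside the real Windows directory, or when a command line overrides windir. The record field names, the real-windir path and the sample paths are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation records (not from the original page); each
# carries parent image, child image and child command line, as a process-creation
# log (e.g. Sysmon Event ID 1) would.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\LaunchTM.exe",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "cmdline": r'"C:\Windows\System32\Taskmgr.exe"'},
    {"parent": r"C:\Windows\System32\LaunchTM.exe",
     "image": r"c:\test\system32\taskmgr.exe",
     "cmdline": r'"c:\test\system32\taskmgr.exe"'},
    {"parent": r"C:\Windows\SysWOW64\msra.exe",
     "image": r"c:\test\system32\msra.exe",
     "cmdline": r'"c:\test\system32\msra.exe"'},
    {"parent": r"C:\Windows\SysWOW64\msra.exe",   # 32-bit handing over to 64-bit: legitimate
     "image": r"C:\Windows\System32\msra.exe",
     "cmdline": r'"C:\Windows\System32\msra.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c set windir=c:\test & c:\windows\syswow64\msra.exe'},
]

# Launcher -> the child binary it resolves through %WINDIR%.
LAUNCHERS = {"launchtm.exe": "taskmgr.exe", "msra.exe": "msra.exe"}
REAL_WINDIR = r"c:\windows"  # assumed real Windows directory (lower-case for comparison)

# Matches an explicit redirection of %WINDIR% on a command line (set windir=...).
SET_WINDIR = re.compile(r"\bset\s+windir\s*=", re.IGNORECASE)


def classify(event):
    """Return the reasons this record looks like %WINDIR%-based lolbin abuse (empty if none)."""
    reasons = []
    parent = ntpath.basename(event["parent"]).lower()
    image = event["image"].lower()
    image_name = ntpath.basename(image)
    if parent in LAUNCHERS and image_name == LAUNCHERS[parent]:
        # A legitimate child lives under the real Windows directory; anything else
        # means %WINDIR% was pointed at a directory the launcher did not expect.
        if not image.startswith(REAL_WINDIR + "\\"):
            reasons.append(f"{parent} spawned {image_name} outside {REAL_WINDIR}")
    if SET_WINDIR.search(event["cmdline"]):
        reasons.append("command line overrides windir")
    return reasons


def find_suspicious(events):
    """Return (child image, reasons) for every record that trips a rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```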

Example in action:

and taskmgr.exe in action: