Sitting on the Lolbins, 10

August 31, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

Executing unsigned code is very easy when you have a signed .exe that loads a DLL with a predetermined file name.

This is a case of Dell's Viewer Executable, which expects to see a DLL named <file>retv.dll (where <file> is the base name of the executable) in the same directory where it is placed. Launching the .exe loads and executes the DLL immediately, e.g. using a pair of signed test.exe + unsigned testretv.dll.

Verified:       Signed
Signing date:   10:42 2008-03-04
Publisher:      Dell Inc.
Company:        n/a
Description:    Viewer Executable
Product:        n/a
Prod version:
File version:
MachineType:    64-bit
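A defender-side check for the pattern above, added here as an example rather than taken from the post: given Sysmon Event ID 7 (Image loaded) records, flag any DLL that sits in the same directory as the loading executable and is named after it with the "retv" suffix, and rate the hit "high" when Sysmon reports the DLL as unsigned. The suffix is a parameter so the same check generalises to other renamed-DLL loaders; the field names are Sysmon's, but the events themselves are constructed sample data. Event 7 only carries the signature status of the loaded DLL, so the executable's own Authenticode status (the sigcheck-style output above) has to be checked separately.

```python
"""Detect a signed executable loading <basename>retv.dll from its own
directory, using Sysmon Event ID 7 (Image loaded) style records.
Added example; the events below are constructed, not real telemetry."""

import ntpath

# Constructed sample Sysmon Event ID 7 records, reduced to the fields used
# here.  Signed/SignatureStatus describe ImageLoaded, not Image.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\test\Desktop\test.exe",          # the case in the post
     "ImageLoaded": r"C:\Users\test\Desktop\testretv.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\test\Desktop\test.exe",          # normal system DLL
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\viewer.exe",                     # matching name, signed
     "ImageLoaded": r"C:\Tools\VIEWERRETV.DLL",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\viewer.exe",                     # matching name, wrong dir
     "ImageLoaded": r"C:\Tools\other\viewerretv.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def expected_sidecar(image_path, suffix="retv"):
    """Lower-cased file name the executable is expected to load:
    <base name of image> + suffix + ".dll"."""
    base, _ = ntpath.splitext(ntpath.basename(image_path))
    return (base + suffix + ".dll").lower()


def classify(event, suffix="retv"):
    """Return None when the load does not match the pattern, otherwise a
    severity: "high" for an unsigned sidecar DLL, "info" for a signed one.
    Windows paths are compared case-insensitively."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() != expected_sidecar(image, suffix):
        return None
    # Only a DLL beside the executable matches the loader behaviour in the
    # post; the same file name in another directory is a different case.
    if ntpath.dirname(loaded).lower() != ntpath.dirname(image).lower():
        return None
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    return "high" if unsigned else "info"


def scan(events, suffix="retv"):
    """Map each matching ImageLoaded path to its severity."""
    hits = {}
    for ev in events:
        sev = classify(ev, suffix)
        if sev is not None:
            hits[ev["ImageLoaded"]] = sev
    return hits


if __name__ == "__main__":
    for path, sev in scan(SAMPLE_EVENTS).items():
        print(f"[{sev}] {path}")
```

Run over the sample set, only the two sidecar loads are reported: the unsigned testretv.dll as "high" and the signed VIEWERRETV.DLL as "info"; kernel32.dll and the DLL in a sub-directory are ignored.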
