Lolbins for connoisseurs… Part 3

I love exploring unexplored software paths. And not necessarily on the assembly level – and that’s because often… it’s not even necessary. They often lead me to some really weird places f.ex. discovering a software that reads a memory address from a specific environmental variable to execute code from that location, or learning that some unhappy devs at AMD or Microsoft sometimes get a bit annoyed, or that many people do stackoverflow when they code, and that many ‘secrets’ can be found in binaries, if you know what to look for….

It’s the simple findings like this that led me to coining what I called The law of a threat hunter, which states:

For every two most distant technologies there exist a developer that will bring them together.

Developers out there do lots of very weird stuff, and more often than not – they make some really hard-to-explain choices – in the end producing monsters that we (‘the cyber folk’) need to deal with (aka ‘assess their maliciousness’), on regular basis.

This post is about yet another case like this…

There is a software called DepthAI. When you install it, you will obviously get all the files required for the software to run, plus a bonus – a full blown copy of PortableGit installed in %LOCALAPPDATA%\Programs\DepthAI\PortableGit directory.

The binaries installed include the whoami, yay! And this is where you will find it:

  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\usr\bin\whoami.exe

plus, there are lots of other useful lolbinish tools, too:

  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\curl.exe
  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\openssl.exe
  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\xz.exe

plus many others…

Dependencies is what matters these days and we have seen their power with log4j vulnerability, as well as in a cases of many other supply chain attacks, backdoored npm packages and python libraries.

Anytime we think that we are installing a trusted, often single-vendor, even single-vendor and monolith application, in reality… we don’t know what we are doing… We actually apply less and less scrutiny to this process. It’s really terrifying. And mind you, this is not an inflammatory post — it’s a sad realization that the control of what is running on our devices has been taken from us away long time ago, same as the notion of ‘owning anything’, let it be hardware or software.

And here’s the thing… Fravia did say one thing before he died:

Two other possible parachutes are knowing how to reverse engineer software (whose role in our societies and their petty censorships and sniffing attempts is bound to increase dramatically), and a sound learning of more than “just that one” foreign language. These “parachutes” could allow many readers to (maybe) fall on their feet.
Good luck anyway. I do wish all the best to anyone with a brain.

Be curious about the software you run. Be curious about the hardware you run that software on. Break it all apart. And share. Remember that trivial things like lolbin discoveries are just a side effect of your actions. You are pursuing not only the knowledge, but even moreso – the knowing…