Matlab persistent lolbin – 2 years too late, but always…

I just realized I have never published a post about the lolbinish/persistencish Matlab feature that I referred to in this tweet. The TL;DR is that Matlab can load a DLL of our choice when we use a feature that is both Matlab-user friendly, and … unbelievable.

Using the following command line invocation:

MATLAB.exe -nosplash -nodesktop -r "run('c:\test\test.m'); exit;"

we can instruct Matlab to load the Matlab file named ‘test.m’ in a batch-like fashion.

The ‘test.m’ in this example includes a short piece of code, shown below:

x = foo();

When Matlab loads ‘test.m’, it tries to resolve the function ‘foo’, which it will eventually recognize as unknown; as a result, it will look for locally present Matlab executable files (*.mexw32 on 32-bit, and *.mexw64 on 64-bit Windows), and will try to find that function there. In our case (on a 64-bit version of the OS/Matlab) it will look for a ‘foo.mexw64’ file, load it (it is a DLL), and then call the function mexFunction, which acts as the interface between Matlab and the Matlab executable.

The example session is shown in this animation:

It’s obvious there are at least two scenarios where this ‘feature’ can be used for offensive purposes:

  • niche Lolbin – having a library of your choice loaded by Matlab may help to evade security software
  • niche and stealthy persistence – Matlab files can be modified in a viral way to force the loading of our library of choice at some random moment in the future
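
For defenders, the resolution behaviour described above suggests a simple triage check: find Matlab scripts whose calls would be satisfied by a MEX DLL sitting in the same folder. The Python sketch below is an added example, not code from the original post; the function names, the regex-based call matching and the constructed sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Windows MEX extensions: .mexw64 (64-bit) and .mexw32 (32-bit).
MEX_EXTS = {".mexw64", ".mexw32"}
# An identifier followed by "(" is treated as a possible function call.
CALL_RE = re.compile(r"\b([A-Za-z]\w*)\s*\(")


def strip_comments(source: str) -> str:
    """Drop Matlab '%' line comments (naive: ignores '%' inside strings)."""
    return "\n".join(line.split("%", 1)[0] for line in source.splitlines())


def find_mex_resolutions(root):
    """Return sorted (script, function, mex_file) triples where a .m script
    calls a name that a MEX DLL in the same folder would satisfy."""
    hits = []
    for script in Path(root).rglob("*.m"):
        # Index MEX files beside the script; names are compared
        # case-insensitively because Windows file names are.
        mex = {p.stem.lower(): p for p in script.parent.iterdir()
               if p.suffix.lower() in MEX_EXTS}
        if not mex:
            continue
        code = strip_comments(script.read_text(errors="replace"))
        for name in sorted(set(CALL_RE.findall(code))):
            if name.lower() in mex:
                hits.append((script.name, name, mex[name.lower()].name))
    return sorted(hits)


def demo():
    """Constructed sample tree mirroring the post: test.m next to foo.mexw64."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "test.m").write_text("x = foo();  % bar() is only a comment\n")
        (root / "foo.mexw64").write_bytes(b"MZ")  # placeholder, not a real DLL
        (root / "clean").mkdir()
        (root / "clean" / "ok.m").write_text("y = sin(1);\n")
        return find_mex_resolutions(root)


if __name__ == "__main__":
    for script, func, mex in demo():
        print(f"{script}: call to {func}() would load {mex}")
```

A hit is only a lead for review, since legitimate toolboxes ship MEX files too; the matching also misses calls written without parentheses.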

Beyond good ol’ Run key, Part 142

I never heard of OBS (Open Broadcaster Software), until I saw this Twitter thread.

After downloading it, trying it, tinkering with it… I actually found it far more confusing than Screen2Gif, but this is because it offers a lot more advanced options, tweaking, and… supports scripting.

A-HA!

The moment I learnt about scripting, I immediately went to OBS’ Scripting Help section and started reading it with the intention of creating a small PoC. My thought process was: if I can write an OBS script that executes a program or command of my liking any time OBS starts, I am totally writing a new blog post in the series…

BUT

I also browsed the OBS Forum posts… and while doing so, I quickly discovered this OBS script that implements everything that I wanted to demo in the ‘I will write it when I can PoC it’ post.

Booooo to me actually learning OBS Scripting, Hurrah to you, reader.

This script is a beauty. It executes programs of your liking at the time OBS starts, and kills them when OBS exits.

And now I feel terrible, because I have contributed NOTHING to this post other than describing other people’s work.