Sitting on the Lolbins, 11

The programmer who wrote the lolbin I presented previously (the Viewer Executable below) probably also wrote another Dell program: an application called Dell WebUpdater Executable.

As in the previous example, you create a DLL whose file name is the base name of the signed executable followed by the suffix wupd.dll, i.e. testwupd.dll for test.exe, and drop it in the same directory.

Verified:       Signed
Signing date:   04:38 2008-02-25
Publisher:      Dell Inc.
Company:        n/a
Description:    Dell WebUpdater Executable
Product:        Dell WebUpdater
Prod version:   1.95.0.0
File version:   1.95.0.0
MachineType:    32-bit

Sample: 6FBD2979F6E8E7AE0A85AB20DADC7BD1BC70AD2F76B399F3CD287AE8D1B06BFE

Sitting on the Lolbins, 10

Executing unsigned code is very easy when a signed .exe loads a DLL with a predictable file name.

This is the case with Dell's Viewer Executable, which expects to find a DLL named <file>retv.dll (where <file> is the base name of the executable) in the directory it runs from. Launching the .exe loads and executes the DLL immediately, e.g. a signed test.exe picks up an unsigned testretv.dll.
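The naming rule is the same for both binaries on this page (base name plus wupd.dll for the WebUpdater, plus retv.dll for the Viewer), so the pair is easy to hunt for on disk. The script below is an added example written for this post, not a tool from the original or from Dell: it derives the expected side-load DLL names for every .exe in a directory tree, reports any that are actually present beside the executable, and hashes them for triage. The sample directory it builds is constructed from placeholder bytes, not real binaries, and Authenticode verification is deliberately left out because it needs Windows; run sigcheck.exe or Get-AuthenticodeSignature on the reported DLL paths instead.

```python
"""Hunt for lolbin side-load pairs: an .exe next to a DLL whose name is the
exe's base name plus a known suffix (testwupd.dll / testretv.dll for test.exe)."""
import hashlib
import os
import tempfile

# Suffixes taken from the two Dell binaries discussed on this page.
SIDELOAD_SUFFIXES = ("wupd", "retv")


def expected_sideload_dlls(exe_name, suffixes=SIDELOAD_SUFFIXES):
    """DLL file names the executable would load from its own directory."""
    stem, ext = os.path.splitext(exe_name)
    if ext.lower() != ".exe":
        return []
    return [f"{stem}{suffix}.dll" for suffix in suffixes]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(directory, suffixes=SIDELOAD_SUFFIXES):
    """Walk a tree and return (exe_path, dll_path, dll_sha256) triples where a
    suffix DLL sits beside an executable. Matching is case-insensitive, as the
    loader's file lookup on NTFS is."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        lower_to_real = {f.lower(): f for f in files}
        for f in files:
            for dll in expected_sideload_dlls(f, suffixes):
                real = lower_to_real.get(dll.lower())
                if real is not None:
                    dll_path = os.path.join(root, real)
                    hits.append((os.path.join(root, f), dll_path, sha256_of(dll_path)))
    return hits


def build_demo_tree():
    """Constructed sample tree (placeholder bytes, not real PE files):
    one genuine side-load pair plus decoys that must not match."""
    d = tempfile.mkdtemp(prefix="lolbin_demo_")
    samples = {
        "test.exe": b"MZ placeholder for the signed Dell exe",
        "TestRETV.dll": b"MZ placeholder for the unsigned payload",
        "other.exe": b"MZ",          # no matching suffix DLL beside it
        "retv.dll": b"MZ",           # suffix alone, no exe stem -> not a hit
        "testwupd.txt": b"",         # right stem, wrong extension -> not a hit
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    demo = build_demo_tree()
    for exe, dll, digest in find_sideload_candidates(demo):
        print(f"{exe} -> {dll} ({digest})")
```

Point it at Program Files or a collected triage image; every hit is worth a signature check on the DLL, since a signed exe paired with an unsigned suffix DLL is exactly the pattern these two binaries enable.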

Verified:       Signed
Signing date:   10:42 2008-03-04
Publisher:      Dell Inc.
Company:        n/a
Description:    Viewer Executable
Product:        n/a
Prod version:   1.86.0.0
File version:   1.86.0.0
MachineType:    64-bit

Sample: 001494D4BC994C453F5055D01FB39B1BFA6738AA31E3DE4DD32D3850946ACA4A