Sitting on the Lolbins, 9

This is not really a proper LOLBIN category, but it is interesting for many reasons. How often do we see libraries that are written by A, sometimes even open source, but then they are signed by B?

I mentioned 7z a while ago, but there is more…

Examples:

Debugging Tools for Windows signed by NVIDIA Corporation:

Verified:       Signed
Signing date:   03:13 2014-07-04
Publisher:      NVIDIA Corporation
Company:        Microsoft Corporation
Description:    Windows Image Helper
Product:        Debugging Tools for Windows(R)
Prod version:   6.12.0002.633
File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
MachineType:    32-bit

Sample: 70FBA09DEDCDDCA02C38785071745C50CDB8C532BDB0C5A632F79EE5873C9405

OpenSSL Shared Library, signed by Intel Corporation-Mobile Wireless Group:

Verified:       Signed
Signing date:   02:13 2012-09-13
Publisher:      Intel Corporation-Mobile Wireless Group
Company:        The OpenSSL Project, http://www.openssl.org/
Description:    OpenSSL Shared Library
Product:        The OpenSSL Toolkit
Prod version:   1.0.0b
File version:   1.0.0b
MachineType:    64-bit

Sample: 00471424438D68AE3F7E734808562A529D563243D156380A487C2D92D8EE4446

What are the benefits of using these?

  • They are signed
  • They are often not up to date, hence potentially vulnerable
  • Their signatures are probably quite hard to revoke
  • They are whitelisted by hash by many security solutions, including forensic suites, AV, EDR, etc.
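The two signature dumps above share one tell: the Authenticode Publisher is a different vendor from the Company named in the version resource. That is cheap to hunt for in bulk. The script below is an added example, not code from the original post: it parses sigcheck-style text blocks like the ones shown, normalizes the vendor strings (dropping URLs, legal suffixes and punctuation so that "Intel Corporation-Mobile Wireless Group" and "The OpenSSL Project, http://www.openssl.org/" compare on their meaningful tokens), and reports signed files whose publisher and company disagree, together with the age of the signature relative to a reference date. The first two records are copied from the post; the third (Contoso) is a constructed control that should not be reported.

```python
"""Flag signed binaries whose Authenticode signer differs from the vendor in the
version resource.  Added example; input is sigcheck-style text as in the post."""
import re
from datetime import datetime, date

# First two records copied from the post; the third is a constructed control.
SAMPLE_OUTPUT = """\
Verified:       Signed
Signing date:   03:13 2014-07-04
Publisher:      NVIDIA Corporation
Company:        Microsoft Corporation
Description:    Windows Image Helper
Product:        Debugging Tools for Windows(R)
Prod version:   6.12.0002.633
File version:   6.12.0002.633 (debuggers(dbg).100201-1203)
MachineType:    32-bit

Verified:       Signed
Signing date:   02:13 2012-09-13
Publisher:      Intel Corporation-Mobile Wireless Group
Company:        The OpenSSL Project, http://www.openssl.org/
Description:    OpenSSL Shared Library
Product:        The OpenSSL Toolkit
Prod version:   1.0.0b
File version:   1.0.0b
MachineType:    64-bit

Verified:       Signed
Signing date:   10:00 2020-01-01
Publisher:      Contoso Ltd
Company:        Contoso Ltd
Description:    Contoso Updater
Product:        Contoso Suite
Prod version:   2.0.0.0
File version:   2.0.0.0
MachineType:    64-bit
"""

FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")
# Words and characters that carry no vendor identity and only cause false mismatches.
LEGAL_NOISE = re.compile(r"\b(corporation|corp|inc|ltd|llc|gmbh|the|project)\b|[^a-z0-9 ]")


def parse_sigcheck(text):
    """Split sigcheck-style output into one dict per blank-line-separated block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def normalize_vendor(name):
    """Reduce a vendor string to a set of comparable tokens."""
    name = name.lower().split(",")[0]      # drop trailing ", http://..." style suffixes
    name = name.replace("-", " ")          # "Intel Corporation-Mobile" -> separate words
    name = LEGAL_NOISE.sub(" ", name)
    return set(name.split())


def vendors_disagree(publisher, company):
    """True when the two vendor strings share no meaningful token at all."""
    p, c = normalize_vendor(publisher), normalize_vendor(company)
    return bool(p) and bool(c) and p.isdisjoint(c)


def find_signer_mismatches(text, as_of):
    """Return one finding per signed record whose Publisher and Company disagree."""
    findings = []
    for rec in parse_sigcheck(text):
        if rec.get("Verified") != "Signed":
            continue
        pub, comp = rec.get("Publisher", ""), rec.get("Company", "")
        if not vendors_disagree(pub, comp):
            continue
        signed_on = age_days = None
        if "Signing date" in rec:
            signed_on = datetime.strptime(rec["Signing date"], "%H:%M %Y-%m-%d").date()
            age_days = (as_of - signed_on).days
        findings.append({
            "product": rec.get("Product", ""),
            "publisher": pub,
            "company": comp,
            "signed_on": signed_on.isoformat() if signed_on else None,
            "age_days": age_days,
        })
    return findings


if __name__ == "__main__":
    for f in find_signer_mismatches(SAMPLE_OUTPUT, date(2015, 1, 1)):
        print(f"{f['product']!r}: signed by {f['publisher']!r}, built by {f['company']!r}, "
              f"signature {f['age_days']} days old")
```

The normalization is deliberately loose: a legitimate OEM redistributing its own subsidiary's code will usually share a token with the original vendor, while the cases the post describes (a driver vendor signing a Microsoft debugger, a wireless group signing OpenSSL) share none. Treat the output as a triage list, not a verdict, and pair it with the hash and version to decide whether the build is stale.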

Sitting on the Lolbins, 8

Another launcher from Dell is presented below. Similarly to the one I described earlier, it relies on an .ini file named after the main .exe. This time, though, the command can be selected depending on the OS version, e.g.:

[CommandLine]
Command_x86=java.exe
Command_XP_x64=java.exe
Command_2003_x64=java.exe
Command_VISTA_x64=java.exe

Sample: 00F87A7F5BC496DA831ECA31010521D2297621575DAA163FA2E9CD50DB5461A9
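Launchers of this kind leave a recognisable footprint on disk: a signed .exe next to a same-named .ini whose [CommandLine] section names whatever gets executed. The script below is an added example, not the Dell tool's code nor anything from the original post; it walks a directory tree, pairs every .exe with a sibling .ini, and reports each Command_* key from a [CommandLine] section, noting whether the target is an absolute path and whether it actually exists next to the launcher. The fixture it builds (a directory called vendor_tool containing Launcher.exe, Launcher.ini and Other.exe) is constructed for the stand-alone run and mirrors the .ini layout quoted above.

```python
"""Inventory exe/ini launcher pairs whose sidecar .ini carries a [CommandLine]
section.  Added example with a constructed fixture; not the vendor's own code."""
import configparser
import os
import tempfile
from pathlib import Path


def launcher_sidecar_findings(root):
    """For each X.exe under `root` with a sibling X.ini that has a [CommandLine]
    section, return one finding per Command_* key."""
    findings = []
    for exe in sorted(Path(root).rglob("*.exe")):
        ini = exe.with_suffix(".ini")
        if not ini.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str            # keep key case, e.g. "Command_XP_x64"
        try:
            cp.read(ini, encoding="utf-8-sig")
        except configparser.Error:
            continue                    # not a parseable INI; out of scope here
        if not cp.has_section("CommandLine"):
            continue
        for key, value in cp.items("CommandLine"):
            if not key.startswith("Command"):
                continue
            parts = value.split()
            target = parts[0] if parts else ""
            resolved = Path(target) if os.path.isabs(target) else exe.parent / target
            findings.append({
                "launcher": str(exe),
                "ini": str(ini),
                "key": key,
                "target": target,
                "absolute": os.path.isabs(target),
                "target_present": bool(target) and resolved.is_file(),
            })
    return findings


def build_fixture(root):
    """Constructed files for a stand-alone run; Launcher.exe is a placeholder, not a real PE."""
    d = Path(root) / "vendor_tool"
    d.mkdir(parents=True, exist_ok=True)
    (d / "Launcher.exe").write_bytes(b"MZ")
    (d / "Launcher.ini").write_text(
        "[CommandLine]\n"
        "Command_x86=java.exe\n"
        "Command_XP_x64=java.exe\n"
        "Command_2003_x64=java.exe\n"
        "Command_VISTA_x64=java.exe\n",
        encoding="utf-8",
    )
    (d / "Other.exe").write_bytes(b"MZ")   # no sidecar: must not be reported
    return d


def demo():
    """Build the fixture in a temp dir and return the findings for it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return launcher_sidecar_findings(tmp)


if __name__ == "__main__":
    for f in demo():
        state = "present" if f["target_present"] else "missing"
        print(f"{Path(f['launcher']).name}: {f['key']} -> {f['target']} ({state})")
```

A relative target that is missing from the launcher's directory is the interesting row for a defender: it means the name will be resolved at run time, so the effective command depends on what the search path yields on that host. Pair the output with the signer check above and a file-creation audit on the .ini to spot sidecars that changed after the vendor shipped them.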