Sitting on the Lolbins, 5

Killing processes is easy — you can call an API (TerminateProcess), use existing OS binaries (taskkill), or… use one of many signed binaries written specifically for this purpose. The best known is obviously pskill from Sysinternals, but there are more.

ASUSTeK produced a number of these, for both 32-bit and 64-bit architectures. The version info does not always include the name of the executable, but when it does, it is typically KillProcess.

Also, not all of them seem to come from the same programmer; e.g. one of them is a more generic tool that offers a few more options than just killing a process by its name:

Usage: killproc [-p | -m | -l | -la] [process name]
-p: partial of process name.
-m: match process name.
-l: list processes.
-la: list all processes

Samples:

12D709A7FDDF97E8210F4CDFAF8FE94E79E50306713C1EB4BB62EB8ED6DA2020
1A4C16981AFA4E8EC7C772D9F031AC6C6DB78E776FC817ABDF060416B376EFBB

Sitting on the Lolbins, 4

I have always looked at my reverse engineering adventures as a way to become a better programmer. What I couldn’t understand from MSDN or from example code snippets, I could almost certainly understand at the basic assembly level.

Sometimes though, when I look at some code, I do scratch my head a bit. The case I am going to describe below is one where I am left with a slightly worried state of mind. Is my programming craft better after seeing all this?

You decide.

A few years ago ASUSTeK produced a very interesting executable called Batch Caller Exe. As the name suggests, it runs batch files. If we put aside the obvious "but why?", we still have to deal with the "how".

The way it works is that you run it with one of the options described below:

file.exe /Install test

OR

file.exe /Uninstall test

The interesting bit is that the test in that syntax is a prefix for a batch file name. The expected file name is actually <prefix>install_all.bat or <prefix>uninstall_all.bat.

Using test as an example, you need to create either testinstall_all.bat or testuninstall_all.bat. They will be executed as per the command line arguments.
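A detection-side helper for the syntax described above, written for this post as an added example (not ASUSTeK's code): given a process-creation command line, it recognises the /Install and /Uninstall form and derives the batch file name the tool would run, so a hunt query can look for that file. The sample command lines are constructed, and case-insensitive switch matching is an assumption not stated in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Batch file suffix selected by each switch, as described in the post.
# Assumption (not stated in the post): the switch is matched case-insensitively.
SWITCH_SUFFIX = {
    "/install": "install_all.bat",
    "/uninstall": "uninstall_all.bat",
}

# Constructed process-creation command lines for the demo; not real telemetry.
SAMPLE_EVENTS = [
    r'"C:\Tools\file.exe" /Install test',
    r'C:\Tools\file.exe /uninstall C:\Temp\prod',
    r'C:\Windows\System32\notepad.exe readme.txt',
    r'file.exe /Install',  # switch without a prefix: no batch name can be formed
]


@dataclass
class Finding:
    image: str            # executable that was launched
    switch: str           # switch as it appeared on the command line
    prefix: str           # prefix argument supplied by the caller
    expected_batch: str   # batch file the caller would run: <prefix> + suffix


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line matches the Batch Caller syntax."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3:
        return None
    suffix = SWITCH_SUFFIX.get(tokens[1].lower())
    if suffix is None:
        return None
    prefix = tokens[2]
    return Finding(image=tokens[0], switch=tokens[1], prefix=prefix,
                   expected_batch=prefix + suffix)


def scan(events: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines and keep the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {f.switch} {f.prefix} -> {f.expected_batch}")
```

In real telemetry the image path comes from its own event field; the first token is used here only because the sample events are plain command lines.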

So, it of course gives us an option to disturb the process tree, maybe even bypass some filters, but… it feels odd, doesn’t it?

Sample: 035E9CC2FFC4D60581CA975FF73CD92FC93C0CDFCE57D3F7368781E95B907FBE