Sitting on the Lolbins, 1

I recently mentioned that I am sitting on quite a few lolbins, and was asked to share, so here’s the first batch – at least 6 of them 🙂

c:\Program Files\HP\<model>\
\Bin\<model>.exe
\Bin\HPCustParticUI.exe
\Bin\hpqDTSS.exe
\Bin\InstanceFinderDlg.exe
\Bin\ScanToPCActivationApp.exe
\Bin\Toolbox.exe

where <model> is the actual HP printer model, e.g. HP OfficeJet Pro 8710:

c:\Program Files\HP\HP OfficeJet Pro 8710\Bin\HP OfficeJet Pro 8710.exe

All of them take a nice command-line argument, -uiDll, e.g.:

Toolbox.exe -uiDll c:\Test\test.dll

This loads and executes your DLL of choice 🙂

Notably, there are a few more executables in the same directory that can be used for this purpose:

\Bin\DigitalWizards.exe
\Bin\FaxApplications.exe
\Bin\HPRewards.exe

but they require additional command line arguments that I have not figured out yet.
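As an added example (my own code, not the author's), here is a small Python triage routine run over constructed process-creation events. It pulls the -uiDll argument out of the command line and flags invocations where the DLL comes from outside the HP product directory, or where a known host executable runs from somewhere other than its install location. It assumes that legitimate use of -uiDll points at a DLL shipped under the product's own directory; the image paths, command lines and DLL names in the sample events are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Executables named in the post as accepting "-uiDll <path>". The per-model
# "<model>.exe" cannot be listed by name, so the directory layout is checked too.
KNOWN_UIDLL_HOSTS = {
    "hpcustparticui.exe", "hpqdtss.exe", "instancefinderdlg.exe",
    "scantopcactivationapp.exe", "toolbox.exe",
}

# Matches "-uiDll <path>" with or without quotes, case-insensitively.
UIDLL_RE = re.compile(r'-uiDll\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extract_uidll(cmdline):
    """Return the DLL path passed to -uiDll, or None if the switch is absent."""
    m = UIDLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def hp_product_dir(image):
    """Return 'C:\\Program Files\\HP\\<model>' when the image lives in that
    product's \\Bin\\ folder, otherwise None."""
    p = PureWindowsPath(image)
    low = [part.lower() for part in p.parts]
    if (len(low) == 6 and low[1] == "program files"
            and low[2] == "hp" and low[4] == "bin"):
        return PureWindowsPath(*p.parts[:4])
    return None


def is_under(path, directory):
    """Case-insensitive 'path is inside directory' test on Windows paths."""
    a = [s.lower() for s in PureWindowsPath(path).parts]
    b = [s.lower() for s in PureWindowsPath(directory).parts]
    return len(a) > len(b) and a[:len(b)] == b


def triage(image, cmdline):
    """Classify one process-creation event:
    ignore - not an HP printer-suite host
    ok     - HP host started without -uiDll
    review - -uiDll points inside the product directory (assumed normal use)
    alert  - -uiDll points elsewhere (relative, UNC or user-writable path),
             or a known host runs from outside the HP install and still sideloads
    """
    product_dir = hp_product_dir(image)
    dll = extract_uidll(cmdline)
    if product_dir is None:
        name = PureWindowsPath(image).name.lower()
        # A signed copy of the host dropped elsewhere (the bring-your-own case).
        # A renamed copy evades this name check; signer/hash matching is more durable.
        return "alert" if (name in KNOWN_UIDLL_HOSTS and dll is not None) else "ignore"
    if dll is None:
        return "ok"
    if PureWindowsPath(dll).is_absolute() and is_under(dll, product_dir):
        return "review"
    return "alert"


# Constructed sample events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\HP\HP OfficeJet Pro 8710\Bin\Toolbox.exe",
     r"Toolbox.exe -uiDll c:\Test\test.dll"),
    (r"C:\Program Files\HP\HP OfficeJet Pro 8710\Bin\HP OfficeJet Pro 8710.exe",
     r'"HP OfficeJet Pro 8710.exe" -uiDll "C:\Program Files\HP\HP OfficeJet Pro 8710\Bin\SomeUI.dll"'),
    (r"C:\Program Files\HP\HP OfficeJet Pro 8710\Bin\Toolbox.exe",
     r"Toolbox.exe"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
    (r"C:\Program Files\HP\HP OfficeJet Pro 8710\Bin\hpqDTSS.exe",
     r"hpqDTSS.exe -UIDLL \\10.0.0.5\share\ui.dll"),
    (r"C:\Users\bob\Downloads\Toolbox.exe",
     r"Toolbox.exe -uiDll C:\Users\bob\Downloads\ui.dll"),
]


def triage_events(events=SAMPLE_EVENTS):
    """Run triage over (image, cmdline) pairs; returns a list of (exe name, verdict)."""
    return [(PureWindowsPath(img).name, triage(img, cmd)) for img, cmd in events]


if __name__ == "__main__":
    for name, verdict in triage_events():
        print(f"{verdict:7} {name}")
```

The "review" verdict exists because the switch presumably has a legitimate purpose inside the suite; tuning that to "ok" is a local decision once you have seen what the installed product actually passes to it.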

Bring your own lolbas?

Recently, I was wondering what the best term is for binaries/scripts that are signed, can do the Lolbas thing, but are not necessarily installed on the system.

So far I have been covering many of these using a generic term, ‘Re-usigned binaries’ (a portmanteau of ‘reuse’ and ‘signed’). But it’s not catchy enough. Could a better term be ‘Bring your own lolbas/lolbin’? BYOL? Kinda similar to Bring Your Own Vulnerability (BYOV)? In fact, a BYOL is a subset of BYOV.

I have covered many BYOL examples before, and I believe there will be a lot more in the future. After a very fertile research period, lolbin fans have explored most of the native OS executables, DLLs and scripts. It’s a natural course of events that their eyes will eventually turn to the other stuff.

The other stuff can be, e.g., the 7-Zip program signed by legitimate companies. @Oddvarmoe posted about it on Twitter in April:

It triggered my interest, and I set out on a path to discover more instances of various 7-Zip components signed by legitimate companies. The results of some very basic research are very promising: there are plenty of these, signed by companies such as:

  • ASUSTeK Computer Inc.
  • HUAWEI Technologies Co., Ltd.
  • NVIDIA Corporation
  • Samsung Electronics CO., LTD.
  • Trend Micro, Inc.

I won’t be posting hashes, because… well… why burn them… The other, less obvious bit is that these signed components are often old and could contain unpatched vulnerabilities as well.
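As an added example (my own code, not the author's), the check a defender would run over a software inventory to surface the situation described above: 7-Zip components whose Authenticode signer is not the publisher you expect, and signatures old enough that the embedded copy deserves a patch-status review. The allowlist of expected publishers and the staleness threshold are assumptions to adapt to local policy; the signer names in the sample records are the vendors listed in the post, while the paths, product names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: the publishers your policy expects to sign 7-Zip components
# (the upstream author is used here; adjust to local policy).
EXPECTED_7ZIP_PUBLISHERS = {"igor pavlov"}

# Assumption: a signature older than this is worth a second look, because
# vendor-bundled copies tend to be old.
STALE_AFTER_DAYS = 3 * 365

# Strings that identify a 7-Zip component by product name or file name.
SEVEN_ZIP_MARKERS = ("7-zip", "7zip", "7z.dll", "7z.exe", "7za.exe", "7zg.exe")

# Fixed reference date so the sample audit is reproducible.
AUDIT_DATE = date(2019, 6, 1)


@dataclass(frozen=True)
class SignedFile:
    path: str
    product_name: str      # from the version resource
    signer: str            # subject CN of the Authenticode signer
    signing_date: date     # timestamp on the signature


def is_7zip_component(rec):
    haystack = (rec.product_name + " " + rec.path.rsplit("\\", 1)[-1]).lower()
    return any(marker in haystack for marker in SEVEN_ZIP_MARKERS)


def classify(rec, today):
    """Return the findings for one file: 'third-party-signed' when a 7-Zip
    component carries a signature from outside the allowlist, and 'stale'
    when that signature is older than STALE_AFTER_DAYS."""
    findings = set()
    if not is_7zip_component(rec):
        return findings
    if rec.signer.lower() not in EXPECTED_7ZIP_PUBLISHERS:
        findings.add("third-party-signed")
    if (today - rec.signing_date).days > STALE_AFTER_DAYS:
        findings.add("stale")
    return findings


# Constructed inventory records: signer names come from the post's list,
# everything else is made up for the example.
SAMPLE_INVENTORY = [
    SignedFile(r"C:\Program Files\ExampleVendorToolA\7z.dll", "7-Zip",
               "NVIDIA Corporation", date(2014, 6, 1)),
    SignedFile(r"C:\Program Files\ExampleVendorToolB\7za.exe", "7-Zip",
               "ASUSTeK Computer Inc.", date(2019, 2, 1)),
    SignedFile(r"C:\Program Files\7-Zip\7z.exe", "7-Zip",
               "Igor Pavlov", date(2019, 1, 15)),
    SignedFile(r"C:\Program Files\ExampleVendorToolC\helper.exe", "Security Agent",
               "Trend Micro, Inc.", date(2013, 3, 3)),
]


def audit(records=SAMPLE_INVENTORY, today=None):
    """Map each flagged path to its sorted list of findings."""
    today = today or date.today()
    results = {}
    for rec in records:
        findings = classify(rec, today)
        if findings:
            results[rec.path] = sorted(findings)
    return results


if __name__ == "__main__":
    for path, findings in audit(today=AUDIT_DATE).items():
        print(f"{', '.join(findings):28} {path}")
```

A signer-versus-product mismatch is the durable signal here: an allowlist that trusts "signed by a well-known vendor" lets every one of these copies through, whereas asking why a vendor's certificate is on an archiver component narrows the list quickly.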