Running programs via Proxy & jumping on an EDR-bypass trampoline, Part 3

Apparently, there is a never-ending stream of genuine OS components and legitimate applications that are not only signed, but are also rich in features that can be used to disturb the process tree… and hide from EDR.

Here’s another one: stubapp.exe

It is an application installed by HP drivers that can typically be found in one of these two locations:

  • C:\Program Files\HP\HPLJUT\stubapp.exe
  • c:\Program Files (x86)\HP\HPLJUT\stubapp.exe

The program comes with a sample stubapp.ini file that explains the .ini file syntax:

;
; StubApp ini file
;
; usage:
; Stubapp -i <inifile> -m <section>
;
; [section]
; 1=x
; 2=y
; [1.2k]
; exename=notepad.exe
; <section> contains a list with parts to run
[...]
; Application parameters
; exename - location of application
; command line parameters to be passed - exact syntax
; waittofinish - 0=execute and continue; 1=wait for it to finish execution before continuing (CreateProcess must =1)
; createprocess - user create process instead of shell execute; 1=yes, 0 or not specified = shellexecute (cannot waittofinish)
; whentorun - 0=sw first only; 1=hw first only; 2=both hw and sw 1st; 
; 3=check the processes in [File_detect] & [regdetect] Sections (check for PNP)

With this info we can quickly craft a simple .ini file that we can use to launch, for example, Calculator:

[Foo]
1=Bar

[Bar]
exename=c:\windows\system32\calc.exe
params=""
waittofinish=0
whentorun=2
createprocess=1

We launch it with the following command:

stubapp.exe -i <fullpath to ini file> -m Foo

As a side effect of executing the program, a log file is created in the temporary directory (%TEMP%\stubapp.log); amongst other things it contains the following information:

 Application to launch: c:\windows\system32\calc.exe
 Application parameters: 
 Wait for application to finish: 0
 When to run application: 2
 If we should use CreateProcess: 1
 if we should check the registry: NOT FOUND
 SW 1st or HW 1st - Launching: c:\windows\system32\calc.exe
 CreateProcess = 1, using CreateProcess
 Application to launch: "c:\windows\system32\calc.exe" 
 CStubApp::RunCreateProcess: Entering
 Process launched
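Since the log records every launch attempt in the fixed format shown above, a defender can triage %TEMP%\stubapp.log on a host by grouping the lines into one record per launch and flagging any target outside the HP install directories. The following parser is an added example, not code from the original post or from HP; the allow-list prefixes and the embedded sample log are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample mirroring the %TEMP%\stubapp.log excerpt shown above.
SAMPLE_LOG = """\
 Application to launch: c:\\windows\\system32\\calc.exe
 Application parameters: 
 Wait for application to finish: 0
 When to run application: 2
 If we should use CreateProcess: 1
 if we should check the registry: NOT FOUND
 SW 1st or HW 1st - Launching: c:\\windows\\system32\\calc.exe
 CreateProcess = 1, using CreateProcess
 Application to launch: "c:\\windows\\system32\\calc.exe" 
 CStubApp::RunCreateProcess: Entering
 Process launched
"""

# Hypothetical allow-list: where an HP-installed stubapp.ini would normally point.
ALLOWED_PREFIXES = ("c:\\program files\\hp\\", "c:\\program files (x86)\\hp\\")

# Log labels mapped to the corresponding stubapp.ini keys.
FIELDS = {
    "Application parameters": "params",
    "Wait for application to finish": "waittofinish",
    "When to run application": "whentorun",
    "If we should use CreateProcess": "createprocess",
}

def parse_stubapp_log(text: str) -> List[Dict[str, object]]:
    """Group log lines into one record per launch attempt."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            if line == "Process launched" and current is not None:
                current["launched"] = True
            continue
        key, value = key.strip(), value.strip()
        if key == "Application to launch":
            if value.startswith('"'):  # second echo: the final command line
                if current is not None:
                    current["command_line"] = value
            else:  # first, unquoted echo starts a new record
                current = {"exe": value, "launched": False}
                records.append(current)
        elif key in FIELDS and current is not None:
            current[FIELDS[key]] = value
    return records

def unexpected_launches(records, allowed=ALLOWED_PREFIXES):
    """Return launches whose target sits outside the allowed directories."""
    prefixes = tuple(p.lower() for p in allowed)
    return [r for r in records if not r["exe"].lower().startswith(prefixes)]
```

Running it over the sample yields one record for calc.exe with createprocess=1, which the allow-list check reports because the target is outside the HP directories.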

Running programs via Proxy & jumping on an EDR-bypass trampoline, Part 2

Update

After my post, Zod contacted me with this mic-dropping link: Ultimate AppLocker ByPass List. Really lots of good stuff there! Thx Zod!

Old Post

In the first part I listed a couple of examples of programs that may be used as a proxy to launch other programs. In the meantime, subTee kicked off a very interesting thread on Twitter listing a number of signed .exe binaries that can be used as a proxy to load a DLL. Yesterday I came across a few cool posts by @0rbz_. This in turn reminded me of my first post, and I decided to add a few more proxy/living-off-the-land ideas.

There are a number of signed .exes that can be used to load other .exes or .dlls and, as a result, break standard EDR detection rules or bypass some whitelisting. This may sometimes involve copying the signed binary to your folder in order to sideload your DLL (PlugX is a very good example; funnily enough, in many cases they don’t even need to bring a signed .exe and instead fetch one that is typically present on the system).

Here is the list:

  • AppVLP.exe – to launch .exe
    • From this Tweet by @0rbz_
    • Just run C:\Program Files\Microsoft Office\root\client\AppVLP.exe <exename>
  • pcalua.exe
    • From this Tweet by @0rbz_ and mentioned on this forum
    • Just run C:\windows\system32\pcalua.exe -a <exename>
  • odbcconf.exe – to load .dll
  • odbcad32.exe – to load .dll via GUI
    • drop c:\windows\system32\<dllfile>
    • run odbcad32.exe
    • go to Tracing Tab
    • choose Custom Trace DLL
    • hit Start Tracing Now
  • WinMail.exe – to load .dll
    • copy c:\Program Files\Windows Mail\WinMail.exe to your folder
    • name your DLL ‘msoe.dll’
    • launch one of these
      • WinMail.exe /identcatalog
      • WinMail.exe /identfileslist:foo
      • WinMail.exe /identfile:foo
  • xwizard.exe – to load .dll
    • From my previous post
    • copy c:\WINDOWS\system32\xwizard.exe to your folder
    • name your DLL ‘xwizards.dll’
    • run xwizard.exe with at least two arguments
  • java.exe – to load .dll
    • From my previous post
    • run java -agentlib:<dllname>
      or
    • run java -agentpath:<dllname_with_dll_extension>
  • any other phantom / sideloaded dlls – to load .dll

If you know of any other tricks like this, please let me know. Thanks!

P.S. As I was about to post this, Huntress Labs published yet another cool technique using WseClientSvc.exe passthru.exe calc.exe!