Category Archives: LOLBins

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 4

Posted on by

Here’s yet another subclass of tricks one can use to distort the process tree seen by EDR and sandbox solutions.

Many Windows programs launch other internal Windows programs (native to OS). They do so carefully so they typically launch them from %SystemRoot%. Many of them use GetSystemDirectory to build a path, but there are still quite a few that rely on an environment variable – they need to use an ExpandEnvironmentStrings API to obtain the actual path.

Changing that environmental variable and copying the required files to a redirected location while replacing the target application enables us to launch a payload of choice making it look like it was executed by a signed binary.

Example:

In this old post I mentioned AtBroker. When you launch it from a command line without any arguments it will simply launch Narrator.exe.

We can:

  • create a test folder
  • change the SystemRoot to point to it
  • copy all the necessary files from the original system32 and Registration folder (procmon helps)
  • launch atbroker.exe
  • the narrator.exe payload will be executed

This launches C:\Test\System32\Narrator.exe:

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 3

Posted on by

Apparently, there is a never-ending stream of genuine OS components and legitimate applications that are not only signed, but are also rich in features that can be used to disturb the process tree… and hide from EDR.

Here’s another one: stubapp.exe

It is an application installed by HP drivers that can be typically found in these 2 locations:

  • C:\Program Files\HP\HPLJUT\stubapp.exe
  • c:\Program Files (x86)\HP\HPLJUT\stubapp.exe

The program comes with a sample stubapp.ini file that explains the .ini file syntax:

;
; StubApp ini file
;
; usage:
; Stubapp -i <inifile> -m <section>
;
; [section]
; 1=x
; 2=y
; [1.2k]
; exename=notepad.exe
; <section> contains a list with parts to run
[...]
; Application parameters
; exename - location of application
; command line parameters to be passed - exact syntax
; waittofinish - 0=execute and continue; 1=wait for it to finish execution before continuing (CreateProcess must =1)
; createprocess - user create process instead of shell execute; 1=yes, 0 or not specified = shellexecute (cannot waittofinish)
; whentorun - 0=sw first only; 1=hw first only; 2=both hw and sw 1st; 
; 3=check the processes in [File_detect] & [regdetect] Sections (check for PNP)

With this info we can quickly craft a simple .ini file which we can use to e.g. launch Calculator:

[Foo]
1=Bar

[Bar]
exename=c:\windows\system32\calc.exe
params=""
waittofinish=0
whentorun=2
createprocess=1

We launch it with the following command:

stubapp.exe -i <fullpath to ini file>  -m Foo

As a side effect of executing the program we will observe a log file created in a temporary directory (%TEMP%\stubapp.log) that amongst other things contains the following information:

 Application to launch: c:\windows\system32\calc.exe
 Application parameters: 
 Wait for application to finish: 0
 When to run application: 2
 If we should use CreateProcess: 1
 if we should check the registry: NOT FOUND
 SW 1st or HW 1st - Launching: c:\windows\system32\calc.exe
 CreateProcess = 1, using CreateProcess
 Application to launch: "c:\windows\system32\calc.exe" 
 CStubApp::RunCreateProcess: Entering
 Process launched