This LOLBIN doesn’t exist…

I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even less – about its esoteric, yet omnipresent DLL plug-ins…

One of the more interesting plug-ins that I know of, and yet, one that you will never really see residing on any system, is… ShellDispatch.dll.

It’s a rarely used Nullsoft plug-in DLL that is known to be used by the installer of WinAmp, yes.. THE WinAmp… and even there it is used only temporarily, as it is deleted from the file system immediately after delivering the required functionality.

What’s so special about it?

The ShellDispatch.dll exports a few functions:

  • AddRef
  • GetInterface
  • Release
  • RunDll_ShellExecuteW
  • ShellExecute

RunDll_ShellExecuteW is the most interesting to us, as it is a callback function specifically crafted to respond to invocations via rundll32.exe; and since it is a wrapper around the ShellExecute API, we can use it to launch any program of our choice, for example the calculator:

rundll32 ShellDispatch.dll, RunDll_ShellExecute open calc

Again, the chances you will ever see it abused are VERY LOW.

Matlab persistent lolbin – 2 years too late, but always…

I just realized I have never published a post about the lolbinish/persistencish Matlab feature that I referred to in this tweet. The TL;DR is that Matlab can load a DLL of our choice when we use a feature that is both Matlab-user friendly, and … unbelievable.

Using the following command line invocation:

MATLAB.exe -nosplash -nodesktop -r "run('c:\test\test.m'); exit;"

we can instruct Matlab to run the Matlab script named ‘test.m’ in a batch-like fashion.

The ‘test.m’ file in this example contains the single line of code shown below:

x = foo();

When Matlab runs ‘test.m’, it tries to resolve the function ‘foo’, which it eventually recognizes as unknown; as a result, it searches for locally present MEX files (Matlab executable files: *.mexw32 on 32-bit and *.mexw64 on 64-bit Windows) and tries to find that function there. In our case (on a 64-bit OS/Matlab) it will look for a ‘foo.mexw64’ file, load it (it is a DLL), and then call its mexFunction export, which acts as the interface between Matlab and the MEX file.

The example session is shown in this animation:

It’s obvious there are at least two scenarios where this ‘feature’ can be used for offensive purposes:

  • niche Lolbin – having a library of your choice loaded by Matlab may help to evade security software
  • niche and stealthy persistence – Matlab files can be modified in a viral way to force the loading of our library of choice at some random moment in the future
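Both tricks above leave a recognizable command line behind, so as an added example (not from the original post) here is a small Python classifier that tags the two invocation patterns discussed on this page in process-creation telemetry: rundll32 calling ShellDispatch.dll’s RunDll_ShellExecute entry point, and a headless MATLAB.exe started with a -r command that run()s a script. The sample events, image paths and tag names are constructed for this example; the MATLAB rule is a hunting lead rather than a high-fidelity alert, since headless batch runs are normal in engineering environments.

```python
import re

# Constructed sample process-creation events (not real telemetry); the image
# paths and the two benign entries are assumptions made for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32 ShellDispatch.dll, RunDll_ShellExecute open calc"},
    {"image": r"C:\Program Files\MATLAB\R2019b\bin\MATLAB.exe",
     "cmdline": "MATLAB.exe -nosplash -nodesktop -r \"run('c:\\test\\test.m'); exit;\""},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"image": r"C:\Program Files\MATLAB\R2019b\bin\MATLAB.exe",
     "cmdline": "MATLAB.exe -nosplash -nodesktop"},
]

# rundll32 "<dll>,<entry>" (with or without a space after the comma): capture both.
RUNDLL_ARGS_RE = re.compile(
    r"^\s*\"?rundll32(?:\.exe)?\"?\s+\"?([^\",\s]+)\"?\s*,\s*(\w+)", re.I)
# MATLAB started with a -r command whose body calls run(...).
MATLAB_RUN_RE = re.compile(r"\s-r\s+\"?.*\brun\(", re.I)


def classify(event):
    """Return a detection tag for one process-creation event, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image == "rundll32.exe":
        m = RUNDLL_ARGS_RE.match(cmd)
        if m:
            dll = m.group(1).rsplit("\\", 1)[-1].lower()   # strip any path
            entry = m.group(2).lower()
            # Matches both RunDll_ShellExecute and RunDll_ShellExecuteW.
            if dll == "shelldispatch.dll" and entry.startswith("rundll_shellexecute"):
                return "rundll32_shelldispatch_shellexecute"
    elif image == "matlab.exe" and "-nodesktop" in cmd.lower() and MATLAB_RUN_RE.search(cmd):
        return "matlab_headless_run_script"
    return None


def detect(events):
    """Tag every matching event; returns a list of (cmdline, tag) pairs."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["cmdline"], tag))
    return hits


if __name__ == "__main__":
    for cmdline, tag in detect(SAMPLE_EVENTS):
        print(f"{tag}: {cmdline}")
```

For the MATLAB hit, a useful follow-up check is whether a *.mexw32 or *.mexw64 file was recently written next to the script named in the run() call, since that is the artifact the technique depends on.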