…and the most 1337 #lolbin is…

idaX.exe -Otest:

  • test – the plugin DLL placed in IDA's plugins directory (with one of the plugin file extensions IDA accepts: DLL, PLW or P64); -O<name>: hands that plugin its (here empty) option string and forces it to load
  • idaX – ida[wtq](64)?, depending on the IDA version (idaw.exe, idat.exe, idaq.exe and their 64-bit counterparts)

btw. IDA says:

Loading plugin C:\ida\plugins\test.plw… C:\ida\plugins\test.plw: incompatible plugin version, skipped

for my malformed IDA plugin test DLL, but the DLL is loaded nevertheless.

Beyond good ol’ Run key, Part 107

This is a persistence trick and a code injection trick in one. It affects only environments where the NVIDIA CUDA Toolkit is present. If it is, the system will have these two environment variables set:

  • CUDA_INJECTION32_PATH
  • CUDA_INJECTION64_PATH

They typically point to legitimate NVIDIA DLLs, but one could point them at any DLL. The DLL named there is loaded via LoadLibrary by the CUDA driver into the process that initializes CUDA (NVIDIA's CUPTI documentation describes this as the profiler injection mechanism, with the library expected to export an InitializeInjection entry point). That gives the two angles: a value set at machine or user scope survives reboots and gets picked up by every CUDA-using process (persistence), while a value planted in a single process's environment lands the DLL in just that process (injection).

This is not a backdoor of any sort – just a legitimate profiler interface.
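An added audit script for both tricks above (this is example code written for this page, not code from the original posts or from NVIDIA/Hex-Rays). It reads CUDA_INJECTION32_PATH and CUDA_INJECTION64_PATH from the Machine, User and Process scopes, checks whether the target exists and carries a valid NVIDIA Authenticode signature (the "signed by NVIDIA" expectation is an assumption about what a legitimate value looks like), inventories an IDA plugins directory so it can be diffed against a baseline, and matches the idaX.exe -O<plugin>: command line pattern in process-creation telemetry. All paths and sample command lines in the usage section are constructed examples.

```powershell
# Added audit helpers, not part of the original posts. Assumptions are marked as such.
# Run in Windows PowerShell 5.1 or PowerShell 7 on Windows; read-only, changes nothing.

function Get-FileTrustInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Expands %VAR% references, checks the file exists and inspects its Authenticode signature.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $exists   = Test-Path -LiteralPath $expanded -PathType Leaf
    $status   = 'Missing'
    $signer   = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $expanded
        $status = $sig.Status.ToString()
        $signer = $sig.SignerCertificate.Subject
    }
    [pscustomobject]@{
        Path      = $expanded
        Exists    = $exists
        SigStatus = $status
        Signer    = $signer
        # Assumption: the only legitimate target of these variables is a validly signed NVIDIA binary.
        Trusted   = ($status -eq 'Valid' -and $signer -match 'NVIDIA')
    }
}

function Get-CudaInjectionAudit {
    # Reads both variables from every scope. Machine/User values survive reboots (persistence);
    # a Process value that differs from them was planted in this process's environment (injection).
    foreach ($name in 'CUDA_INJECTION32_PATH', 'CUDA_INJECTION64_PATH') {
        foreach ($scope in 'Machine', 'User', 'Process') {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $trust = Get-FileTrustInfo -Path $value
            [pscustomobject]@{
                Variable   = $name
                Scope      = $scope
                Path       = $trust.Path
                Exists     = $trust.Exists
                SigStatus  = $trust.SigStatus
                Signer     = $trust.Signer
                Suspicious = -not $trust.Trusted   # missing, unsigned, tampered or non-NVIDIA
            }
        }
    }
}

function Get-IdaPluginInventory {
    param([Parameter(Mandatory)][string]$PluginsDir)
    # Inventories every file IDA would treat as a plugin (DLL/PLW/P64) so the list can be
    # diffed against a known-good baseline. Third-party plugins are usually unsigned, so the
    # signature status is reported for context, not used as a verdict.
    Get-ChildItem -LiteralPath $PluginsDir -File |
        Where-Object { $_.Extension -in '.dll', '.plw', '.p64' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus     = $sig.Status.ToString()
            }
        }
}

function Test-IdaPluginCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Matches the lolbin pattern from the post: an IDA executable given -O<plugin>: to force-load <plugin>.
    # The post lists ida[wtq](64)?; the optional letter also covers ida.exe / ida64.exe of newer releases.
    $CommandLine -match '\bida[wtq]?(?:64)?\.exe\b.*\s-O\w+:'
}

# Usage (constructed examples; the paths are illustrative, not from the posts):
Get-CudaInjectionAudit | Where-Object Suspicious | Format-Table -AutoSize
Test-IdaPluginCommandLine -CommandLine '"C:\ida\idaw.exe" -Otest: C:\samples\sample.bin'
# Get-IdaPluginInventory -PluginsDir 'C:\ida\plugins' | Export-Csv -NoTypeInformation ida-plugins-baseline.csv
```

Get-CudaInjectionAudit deliberately reads each scope separately rather than just $env:CUDA_INJECTION64_PATH: the merged process view hides whether a value came from HKLM, HKCU or was set only for the current process, and that provenance is exactly what distinguishes the persistence use from the one-off injection use. For the IDA side, the command line regex is meant for Sysmon Event 1 / Security 4688 data, and the inventory function is only useful once a clean baseline of the plugins directory has been captured to compare against.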