Living off the land: VMware Tools zip.exe

Just a quick note that any system with VMware Tools installed can use its zip.exe as a ‘process tree disturbing agent’ 😉: a binary you control ends up running as a child of a VMware-shipped executable.

  • Name your program unzip.exe and put it in the directory you will run zip.exe from
  • Run:
    • "c:\Program Files\VMware\VMware Tools\zip.exe" -T <name of an existing zip>

With -T, zip.exe "tests" the archive by invoking unzip.exe, so it is your renamed binary that gets executed, with zip.exe as its parent. The archive has to exist and be a valid zip, otherwise zip.exe bails out before the test step. Nothing is hidden here; the process is still created and logged, but the parent/child pair (zip.exe → unzip.exe) is what a hunt should key on.
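As an added example (not code from the original post), the PowerShell below reproduces the trick in a scratch directory and then pulls the resulting parent/child pair out of Sysmon Event ID 1. It assumes the default VMware Tools install path, that zip.exe resolves "unzip" through the ordinary process search order so a copy in the working directory is found first, that Sysmon is running with process-creation logging (on by default), and that the shell is allowed to read the Sysmon operational log; the scratch path and the use of calc.exe as a stand-in payload are my choices, not the post's.

```powershell
# Added example, not from the original post: reproduce the zip.exe -T trick, then hunt for it.
# Assumptions (labelled): default VMware Tools path; zip.exe finds "unzip" via the normal
# search order (working directory first); Sysmon logs Event ID 1; the log is readable here.
$zip  = 'C:\Program Files\VMware\VMware Tools\zip.exe'
$work = Join-Path $env:TEMP 'zip-T-test'      # assumed scratch location
New-Item -ItemType Directory -Force -Path $work | Out-Null
Push-Location $work
try {
    # Harmless stand-in payload: a copy of calc.exe renamed to unzip.exe.
    Copy-Item "$env:SystemRoot\System32\calc.exe" -Destination 'unzip.exe' -Force

    # -T needs an archive that already exists and is valid; build one with zip.exe itself.
    'hello' | Set-Content 'a.txt'
    & $zip 'test.zip' 'a.txt' | Out-Null

    # The actual trick: zip.exe "tests" the archive by running unzip.exe, i.e. our renamed binary.
    & $zip -T 'test.zip'
}
finally {
    Pop-Location
}

# Hunt: Sysmon Event ID 1 entries where zip.exe is the parent of an unzip.exe.
# The Image column tells you which unzip.exe actually answered the call.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Flatten <EventData><Data Name="...">value</Data> into a property bag.
      $d = @{}
      ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
      [pscustomobject]$d
  } |
  Where-Object { $_.ParentImage -like '*\zip.exe' -and $_.Image -like '*\unzip.exe' } |
  Select-Object UtcTime, ParentImage, ParentCommandLine, Image, CommandLine, User |
  Format-Table -AutoSize
```

If zip.exe reports that the test failed, that is expected: it only means the stand-in did not return the exit code a real unzip would, and the child process has already run by then.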

Sysmon doing lines, part 2

Sysmon is a cool tool and we love it. Sometimes it does not work as expected though.

It’s late so just dropping another recipe here:

  • Name your DLL wevtapi.dll and put it in the same directory as sysmon.exe
  • Run sysmon.exe -u to … ‘uninstall’ it
  • Your DLL is loaded from sysmon.exe’s own directory ahead of the real wevtapi.dll in System32, so your code runs inside sysmon.exe

You can also drop Riched32.dll in the same directory and try to ‘install’ sysmon. You will notice the EULA box is rendered incorrectly, because the side-loaded Riched32.dll takes the place of the real one and executes your code instead. Both recipes need write access to the directory sysmon.exe is run from, and -i/-u themselves need administrator rights, so the case that matters is an administrator running sysmon.exe from a location a lower-privileged user can write to.
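Two checks around these side-loads, as an added example that is not part of the original post: a pre-flight check that refuses to run sysmon.exe if either DLL name is sitting next to it, and a hunt over Sysmon Event ID 7 for sysmon.exe loading wevtapi.dll or Riched32.dll from anywhere but the Windows system directories. It assumes a sysmon.exe location of C:\Tools\Sysmon (my placeholder) and that Sysmon is configured to log ImageLoad events, which the default configuration does not do.

```powershell
# Added example, not from the original post: pre-flight and hunt for the sysmon.exe side-loads.
# Assumptions (labelled): $sysmonDir is where the sysmon.exe you are about to run lives;
# Sysmon is configured for ImageLoad (Event ID 7), which is off by default.
$sysmonDir = 'C:\Tools\Sysmon'                 # assumed location, adjust to yours
$names     = @('wevtapi.dll', 'Riched32.dll')  # the two names the post describes

# Check 1: pre-flight. The real wevtapi.dll and Riched32.dll live in System32; any copy sitting
# next to sysmon.exe is either a mistake or a planted side-load. Refuse to proceed if one is there.
$planted = Get-ChildItem -Path $sysmonDir -File -ErrorAction Stop |
  Where-Object { $names -contains $_.Name }     # -contains is case-insensitive for strings
if ($planted) {
    $planted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    throw "Refusing to run sysmon.exe from $sysmonDir: side-load candidates present"
}

# Check 2: hunt. Event ID 7 where sysmon.exe / sysmon64.exe loaded either DLL from a path
# outside %SystemRoot%\System32 or %SystemRoot%\SysWOW64.
$sysDirs = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\'
$filter  = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Flatten <EventData><Data Name="...">value</Data> into a property bag.
      $d = @{}
      ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
      [pscustomobject]$d
  } |
  Where-Object {
      $_.Image -match '\\sysmon(64)?\.exe$' -and
      $names -contains (Split-Path $_.ImageLoaded -Leaf) -and
      $_.ImageLoaded -notmatch $sysDirs
  } |
  Select-Object UtcTime, Image, ImageLoaded, Signed, Signature, SignatureStatus, User |
  Format-Table -AutoSize
```

The Signed/Signature columns are the quick tell: the genuine DLLs carry a Microsoft signature, a planted one normally does not, and an unsigned wevtapi.dll loaded from the sysmon.exe directory is about as clear a signal as Event ID 7 gives.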