Downloading off the land

There are many documented ways to use legitimate applications to download stuff from the net.

Here are two more:

  • wmplayer.exe <URL>
  • FlashPla.exe <URL>

When executed, they download the file the URL points to, save it to the browser cache folder (e.g. %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE), and then fail to play it as media.

But the files will remain on the system…

The first one is pretty obvious – it’s just Windows Media Player, and it’s present natively on many systems.

The second one – FlashPla.exe – is your good ol’ Adobe Flash Player; you will find it all over the place, as it’s shipped with many drivers and tools accompanying various peripheral devices. It may not be called FlashPla (other names I came across are CL_Gallery.exe, FlashPlayer.exe, cs3flashplayer.exe, SAFlashPlayer.exe), but it’s pretty easy to find.

Example locations:

  • c:\Program Files (x86)\CyberLink\Power2Go\Gallery\CL_Gallery.exe
  • c:\Program Files (x86)\HP\Digital Imaging\help\player\FlashPla.exe
  • C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe
  • C:\ProgramData\LG\LG LIP2230\Help\flash\FlashPla.exe
  • C:\Program Files\Macromedia\Flash 5\Players\FlashPla.exe
  • C:\Program Files\FlashJester\Jugglor v30\Projector Files\CS3FlashPlayer.exe

Both players open windows and are pretty noisy (e.g. in the Registry), but it’s always worth documenting the possibilities…

Running programs via Proxy & jumping on an EDR-bypass trampoline, Part 3

Apparently, there is a never-ending stream of genuine OS components and legitimate applications that are not only signed, but are also rich in features that can be used to disturb the process tree… and hide from EDR.

Here’s another one: stubapp.exe

It is an application installed by HP drivers and is typically found in one of these two locations:

  • C:\Program Files\HP\HPLJUT\stubapp.exe
  • c:\Program Files (x86)\HP\HPLJUT\stubapp.exe

The program comes with a sample stubapp.ini file that explains the .ini file syntax:

;
; StubApp ini file
;
; usage:
; Stubapp -i <inifile> -m <section>
;
; [section]
; 1=x
; 2=y
; [1.2k]
; exename=notepad.exe
; <section> contains a list with parts to run
[...]
; Application parameters
; exename - location of application
; command line parameters to be passed - exact syntax
; waittofinish - 0=execute and continue; 1=wait for it to finish execution before continuing (CreateProcess must =1)
; createprocess - user create process instead of shell execute; 1=yes, 0 or not specified = shellexecute (cannot waittofinish)
; whentorun - 0=sw first only; 1=hw first only; 2=both hw and sw 1st; 
; 3=check the processes in [File_detect] & [regdetect] Sections (check for PNP)

With this info we can quickly craft a simple .ini file that we can use to launch, for example, Calculator:

[Foo]
1=Bar

[Bar]
exename=c:\windows\system32\calc.exe
params=""
waittofinish=0
whentorun=2
createprocess=1

We launch it with the following command:

stubapp.exe -i <fullpath to ini file> -m Foo

As a side effect of executing the program we will observe a log file created in a temporary directory (%TEMP%\stubapp.log) that amongst other things contains the following information:

 Application to launch: c:\windows\system32\calc.exe
 Application parameters: 
 Wait for application to finish: 0
 When to run application: 2
 If we should use CreateProcess: 1
 if we should check the registry: NOT FOUND
 SW 1st or HW 1st - Launching: c:\windows\system32\calc.exe
 CreateProcess = 1, using CreateProcess
 Application to launch: "c:\windows\system32\calc.exe" 
 CStubApp::RunCreateProcess: Entering
 Process launched
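As an added triage example (not part of the original post, and not HP's or Microsoft's code): a Python helper that flags both patterns described above in exported process-creation events and, for a stubapp.exe run, reads the referenced .ini to resolve which program the proxy would actually start. The Sysmon-style (image, command line) pairs, the C:\Users\Public\test.ini path and the example.invalid URL are constructed sample data.

```python
import configparser
import re

# Player images named in the post, matched case-insensitively on the file name.
PLAYER_IMAGES = {"wmplayer.exe", "flashpla.exe", "flashplayer.exe",
                 "cl_gallery.exe", "cs3flashplayer.exe", "saflashplayer.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def stubapp_targets(ini_text, section):
    """Resolve what 'stubapp -i <ini> -m <section>' would launch: <section> holds
    numbered keys (1=Bar, 2=Baz) naming part sections whose 'exename' is started."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return []
    parts = sorted(cp.items(section), key=lambda kv: int(kv[0]) if kv[0].isdigit() else 0)
    return [{"part": part, "exename": cp.get(part, "exename"),
             "createprocess": cp.get(part, "createprocess", fallback="0"),
             "waittofinish": cp.get(part, "waittofinish", fallback="0")}
            for _, part in parts if cp.has_option(part, "exename")]

def classify_process(image, command_line, read_ini):
    """Return a finding for either pattern, else None. read_ini(path) returns the
    ini text for a path the event refers to, or None if it cannot be read."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in PLAYER_IMAGES and (m := URL_RE.search(command_line)):
        return {"rule": "media-player-download", "url": m.group(0).strip('"')}
    if name == "stubapp.exe":
        ini = re.search(r'(?i)\s-i\s+("[^"]+"|\S+)', command_line)
        sec = re.search(r'(?i)\s-m\s+("[^"]+"|\S+)', command_line)
        if ini and sec:
            path = ini.group(1).strip('"')
            targets = stubapp_targets(read_ini(path) or "", sec.group(1).strip('"'))
            return {"rule": "stubapp-proxy-exec", "ini": path, "targets": targets}
    return None

def triage(events, read_ini):
    """events: (image, command_line) pairs, e.g. exported Sysmon process-create events."""
    return [hit for image, cmd in events if (hit := classify_process(image, cmd, read_ini))]

# Constructed sample data (not from a real host): the post's calc.exe ini, three events.
SAMPLE_INI = ("[Foo]\n1=Bar\n\n[Bar]\nexename=c:\\windows\\system32\\calc.exe\n"
              "params=\"\"\nwaittofinish=0\nwhentorun=2\ncreateprocess=1\n")
CONSTRUCTED_EVENTS = [
    (r"C:\Program Files\Windows Media Player\wmplayer.exe",
     r'"C:\Program Files\Windows Media Player\wmplayer.exe" http://example.invalid/file.bin'),
    (r"C:\Program Files\HP\HPLJUT\stubapp.exe", r"stubapp.exe -i C:\Users\Public\test.ini -m Foo"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]
```

Run `triage(CONSTRUCTED_EVENTS, lambda p: SAMPLE_INI if p.endswith("test.ini") else None)` to get two findings; the benign notepad.exe event produces none.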