You are browsing the archive for Reusigned Binaries.

Sitting on the Lolbins, 12

September 6, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

What is a LOLBIN? Does it need to be signed?

These questions are not important really. If you can find a clean executable and make it run another program then it is already a… lolwin.

The unsigned SetupProxy.exe program does exactly that. All you have to do is to provide a setup.ini file that the setup program expects to see. Inside this .ini file you have to specify what programs to run for 32- and 64- bit systems e.g.:


You need to use a directory traversal trick as the program expects paths relative to the one it is ran from.

That’s it really.

Okay, one more thing… the program stores a verbose info about the setup progress inside a %TEMP%\LxProxy.log file:

| Friday, September 06, 2019 14:31:42
| Setup.exe
| Version:
| SetupProxy: to Launch Install GUI.
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy::read registry for the language: Software\inkjet\install
SetupProxy::language from the regstry:
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar….\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44



Sitting on the Lolbins, 11

August 31, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

A programmer who wrote a lolbin I presented previously is probably the same coder that wrote another program for Dell – an application called Dell WebUpdater Executable.

Same as in the previous example, one needs to create a DLL with a name that is using a file name of a main lolbinish executable, and suffixed with wupd.dll, i.e. testwupd.dll for test.exe.

Verified:       Signed
Signing date:   04:38 2008-02-25
Publisher:      Dell Inc.
Company:        n/a
Description:    Dell WebUpdater Executable
Product:        Dell WebUpdater
Prod version:
File version:
MachineType:    32-bit

Sample: 6FBD2979F6E8E7AE0A85AB20DADC7BD1BC70AD2F76B399F3CD287AE8D1B06BFE