Sitting on the Lolbins, 12
September 6, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries
What is a LOLBIN? Does it need to be signed?
These questions are not important really. If you can find a clean executable and make it run another program then it is already a… lolwin.
The unsigned SetupProxy.exe program does exactly that. All you have to do is to provide a setup.ini file that the setup program expects to see. Inside this .ini file you have to specify what programs to run for 32- and 64- bit systems e.g.:
[SETUP]
InstallPath=..\..\windows\system32\notepad.exe
InstallPath64=..\..\windows\system32\notepad.exe
You need to use a directory traversal trick as the program expects paths relative to the one it is ran from.
That’s it really.
Okay, one more thing… the program stores a verbose info about the setup progress inside a %TEMP%\LxProxy.log file:
/———————————————————————–\
| Friday, September 06, 2019 14:31:42
| Setup.exe
| Version:
|
| SetupProxy: to Launch Install GUI.
———————————————————————–/
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy::read registry for the language: Software\inkjet\install
SetupProxy::language from the regstry:
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar….\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44
Sample:
1DFFF3F5934AB61C861620CF2C6BC81FF8AF9A1E5F6A3D31B3315F8BE8BC3360