Sitting on the Lolbins, 6

So many lolbins…

There is a class of Dell-written launchers that are very demanding. In order to use any of them to launch a program we need to use a 6-level directory traversal.

Why?

Because it relies on the GetPrinterDriverDirectory API to retrieve the path from which the file it expects to see will be launched (the path resolves to C:\Windows\system32\spool\DRIVERS\W32X86 on 32-bit Windows). Then, depending on the OS major version (5 or 6), it appends an additional subfolder (2 or 3) to that path.

In other words, to run c:\windows\system32\notepad.exe, one has to run the following:

<sample> ..\..\..\..\..\..\windows\system32\notepad.exe

Samples:
0B7F97EC4792A65D5DFA596F2693E8ADBFBDBA340BF300BDB761B483D6922FF9
E11DFC77E4B9570425FAAAC65B26070448E83EB7B9451AA5A9B0B61F1E8FBCA6

Sitting on the Lolbins, 5

Killing processes is easy — you can call an API (TerminateProcess), use existing OS binaries (taskkill), or… use one of many signed binaries written specifically for this purpose. The best known is obviously pskill from Sysinternals, but there are more.

ASUSTeK produced a number of these, for both 32- and 64-bit architectures. The executable name is not always included in the version info, but when it is, it is typically KillProcess.

Also, not all of them seem to come from the same programmer, e.g. one of them is a more generic tool that offers a few more options than just killing a process by its name:

Usage: killproc [-p | -m | -l | -la] [process name]
-p: partial of process name.
-m: match process name.
-l: list processes.
-la: list all processes

Samples:

12D709A7FDDF97E8210F4CDFAF8FE94E79E50306713C1EB4BB62EB8ED6DA2020
1A4C16981AFA4E8EC7C772D9F031AC6C6DB78E776FC817ABDF060416B376EFBB