Trololololobin and other lolololocoasters

In an older tweet I gave an example of a surgical way to inject a process into a chain of executed programs and launch it at a predetermined position in a great-great-great…grand-parent-child relationship by using the start command:

start /b "" start /b "" start /b "" start /b "" start /b "" start /b notepad.exe

Many Lolbins focus on loading DLLs, downloading files, etc. I was wondering if there is a class of Lolbins that could be used to generate this kind of process tree. The idea being that if we can find it, we can create more ‘signed executable’ chains and potentially disrupt parent-child relationship-based EDR detections.

After combing through my file collection I found one candidate and I suspect there will be others.

Toshiba’s signed tinstall.exe is an executable that is part of many of this company’s installers. When launched, it spawns a child process that is the next step of the installation. The peculiar way it does so is what provides the feature described above: it takes its own file name, appends ‘wb’ to it, and then launches a program with that newly created name. Under normal circumstances, the spawned process will be named tinstallwb.exe.

By placing a number of copies of tinstall.exe in files named .exe, wb.exe, wbwb.exe, wbwbwb.exe, etc., we can build a chain of processes spawned from signed executables, with wbwbwbwbwbwbwb.exe being the final ‘payload’:
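From the detection side, the naming rule described above is also what gives such a chain away: every child is named exactly as its parent would name it, and every link in the chain is a copy of the same binary. The following is an added example, not code from the original post, that reconstructs a process tree from constructed process-creation events (field names loosely follow Sysmon Event ID 1 and are an assumption here) and reports maximal chains in which each parent-child link satisfies a rule. Two rules are shown: the tinstall.exe ‘wb’ suffix rule from the post, and a generic same-hash rule that also flags any run of identical binaries re-spawning each other.

```python
"""Flag self-spawning launcher chains in process-creation telemetry.

Added example, not code from the original post. The events below are constructed
and loosely follow Sysmon Event ID 1 fields (pid, ppid, image, hash); the exact
field names are an assumption of this example.
"""
import ntpath
from collections import defaultdict

# Constructed sample: a chain of tinstall.exe copies named as described in the post
# (.exe -> wb.exe -> wbwb.exe -> ...), ending in a different final binary, plus
# two unrelated processes for contrast. Hashes are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",           "sha256": "aaaa"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\.exe",         "sha256": "t0sh"},
    {"pid": 201, "ppid": 200, "image": r"C:\Users\u\Downloads\wb.exe",       "sha256": "t0sh"},
    {"pid": 202, "ppid": 201, "image": r"C:\Users\u\Downloads\wbwb.exe",     "sha256": "t0sh"},
    {"pid": 203, "ppid": 202, "image": r"C:\Users\u\Downloads\wbwbwb.exe",   "sha256": "t0sh"},
    {"pid": 204, "ppid": 203, "image": r"C:\Users\u\Downloads\wbwbwbwb.exe", "sha256": "beef"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",       "sha256": "cccc"},
]


def image_name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def expected_child_name(image):
    """tinstall.exe's naming rule from the post: own name with 'wb' inserted before
    the .exe extension ('tinstall.exe' -> 'tinstallwb.exe', '.exe' -> 'wb.exe')."""
    name = image_name(image)
    stem = name[:-4] if name.endswith(".exe") else name
    return stem + "wb.exe"


def suffix_link(parent, child):
    """Link rule: the child is named exactly as tinstall.exe would name it."""
    return image_name(child["image"]) == expected_child_name(parent["image"])


def same_hash_link(parent, child):
    """Link rule: parent and child are copies of the same binary."""
    return parent["sha256"] == child["sha256"]


def find_chains(events, link, min_depth=3):
    """Return every maximal parent->child chain whose consecutive links all satisfy
    `link` and that spans at least `min_depth` processes, as lists of image names."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def is_head(e):
        parent = by_pid.get(e["ppid"])
        return parent is None or not link(parent, e)

    chains = []

    def walk(e, path):
        path = path + [e]
        linked = [c for c in children[e["pid"]] if link(e, c)]
        if not linked:
            if len(path) >= min_depth:
                chains.append([image_name(x["image"]) for x in path])
            return
        for c in linked:
            walk(c, path)

    for e in events:
        if is_head(e):  # start only at chain heads so reported chains are maximal
            walk(e, [])
    return chains


if __name__ == "__main__":
    for rule in (suffix_link, same_hash_link):
        for chain in find_chains(EVENTS, rule):
            print(f"{rule.__name__}: " + " -> ".join(chain))
```

On the sample data the suffix rule reports the full five-process chain, while the same-hash rule stops one step earlier because the final payload is a different file; running both and comparing where they diverge is a cheap way to spot the hand-off from signed launcher to payload.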

Wine tasting, again

In an older post I listed a number of Wine functions that are exported in that environment and are not present in Windows libraries. Five years later I decided to revisit that post and update it with the results of the latest Wine vs. Windows 10 death match.

The list of APIs has changed; the new set of functions that can be used to distinguish between the two environments is listed below.

The test program can be downloaded here.

Wine

Windows 10

List of functions

  • advapi32.dll!LookupAccountSidLocalA
  • advapi32.dll!LookupAccountSidLocalW
  • advapi32.dll!LsaRegisterPolicyChangeNotification
  • advapi32.dll!LsaUnregisterPolicyChangeNotification
  • advapi32.dll!QueryWindows31FilesMigration
  • advapi32.dll!SynchronizeWindows31FilesAndWindowsNTRegistry
  • comctl32.dll!DPA_GetSize
  • comctl32.dll!DrawShadowText
  • comctl32.dll!DSA_Clone
  • comctl32.dll!DSA_GetSize
  • comctl32.dll!GetWindowSubclass
  • comctl32.dll!HIMAGELIST_QueryInterface
  • comctl32.dll!ImageList_CoCreateInstance
  • comctl32.dll!LoadIconMetric
  • comctl32.dll!LoadIconWithScaleDown
  • comctl32.dll!TaskDialog
  • comctl32.dll!TaskDialogIndirect
  • dbgeng.dll!DebugExtensionInitialize
  • dnsapi.dll!DnsAcquireContextHandle_UTF8
  • gdi32.dll!GetDCHook
  • gdi32.dll!pfnRealizePalette
  • gdi32.dll!pfnSelectPalette
  • gdi32.dll!SetDCHook
  • gdi32.dll!SetHookFlags
  • gdi32.dll!SetObjectOwner
  • gdi32.dll!__wine_get_vulkan_driver
  • gdi32.dll!__wine_get_wgl_driver
  • gdi32.dll!__wine_make_gdi_object_system
  • gdi32.dll!__wine_set_display_driver
  • gdi32.dll!__wine_set_visible_region
  • imm32.dll!__wine_get_ui_window
  • imm32.dll!__wine_register_window
  • imm32.dll!__wine_unregister_window
  • inseng.dll!DllInstall
  • IPHLPAPI.dll!AllocateAndGetIfTableFromStack
  • IPHLPAPI.dll!AllocateAndGetIpForwardTableFromStack
  • IPHLPAPI.dll!AllocateAndGetIpNetTableFromStack
  • IPHLPAPI.dll!AllocateAndGetTcpExTableFromStack
  • IPHLPAPI.dll!AllocateAndGetTcpTableFromStack
  • IPHLPAPI.dll!AllocateAndGetUdpTableFromStack
  • kernel32.dll!ConvertToGlobalHandle
  • kernel32.dll!GetDaylightFlag
  • kernel32.dll!GetProcessFlags
  • kernel32.dll!InvalidateNLSCache
  • kernel32.dll!MakeCriticalSectionGlobal
  • kernel32.dll!OpenVxDHandle
  • kernel32.dll!RegisterServiceProcess
  • kernel32.dll!ReinitializeCriticalSection
  • kernel32.dll!SetCPGlobal
  • kernel32.dll!UninitializeCriticalSection
  • kernel32.dll!wine_get_dos_file_name
  • kernel32.dll!wine_get_unix_file_name
  • kernel32.dll!__wine_start_process
  • mpr.dll!NPSAuthenticationDialogA
  • mpr.dll!NPSCopyStringA
  • mpr.dll!NPSDeviceGetNumberA
  • mpr.dll!NPSDeviceGetStringA
  • mpr.dll!NPSGetProviderHandleA
  • mpr.dll!NPSGetProviderNameA
  • mpr.dll!NPSGetSectionNameA
  • mpr.dll!NPSNotifyGetContextA
  • mpr.dll!NPSNotifyRegisterA
  • mpr.dll!NPSSetCustomTextA
  • mpr.dll!NPSSetExtendedErrorA
  • mpr.dll!PwdChangePasswordA
  • mpr.dll!PwdChangePasswordW
  • mpr.dll!PwdGetPasswordStatusA
  • mpr.dll!PwdGetPasswordStatusW
  • mpr.dll!PwdSetPasswordStatusA
  • mpr.dll!PwdSetPasswordStatusW
  • mpr.dll!WNetCachePassword
  • mpr.dll!WNetEnumCachedPasswords
  • mpr.dll!WNetGetCachedPassword
  • mpr.dll!WNetLogoffA
  • mpr.dll!WNetLogoffW
  • mpr.dll!WNetLogonA
  • mpr.dll!WNetLogonW
  • mpr.dll!WNetRemoveCachedPassword
  • mpr.dll!WNetRestoreConnectionA
  • mpr.dll!WNetRestoreConnectionW
  • mpr.dll!WNetVerifyPasswordA
  • mpr.dll!WNetVerifyPasswordW
  • msctf.dll!TF_InitMlngInfo
  • mshtml.dll!NP_GetEntryPoints
  • mshtml.dll!RNIGetCompatibleVersion
  • msi.dll!__wine_msi_call_dll_function
  • netapi32.dll!I_BrowserQueryEmulatedDomains
  • netapi32.dll!I_NetNameCompare
  • netapi32.dll!I_NetNameValidate
  • netapi32.dll!NetpGetComputerName
  • ntdll.dll!NtClearPowerRequest
  • ntdll.dll!NtCreatePowerRequest
  • ntdll.dll!NtSetPowerRequest
  • ntdll.dll!RtlFindLastBackwardRunSet
  • ntdll.dll!RtlFindLongestRunSet
  • ntdll.dll!RtlFindNextForwardRunSet
  • ntdll.dll!RtlFindSetRuns
  • ntdll.dll!wine_nt_to_unix_file_name
  • ntdll.dll!wine_server_call
  • ntdll.dll!wine_server_fd_to_handle
  • ntdll.dll!wine_server_handle_to_fd
  • ntdll.dll!wine_server_release_fd
  • ntdll.dll!wine_server_send_fd
  • ntdll.dll!wine_unix_to_nt_file_name
  • ntdll.dll!__wine_dbg_get_channel_flags
  • ntdll.dll!__wine_dbg_header
  • ntdll.dll!__wine_dbg_output
  • ntdll.dll!__wine_dbg_strdup
  • ntdll.dll!__wine_get_unix_codepage
  • ntdll.dll!__wine_locked_recvmsg
  • ntdll.dll!__wine_make_process_system
  • ntdll.dll!__wine_set_signal_handler
  • ole32.dll!CoGetState
  • Query.dll!CIState
  • Query.dll!LocateCatalogsA
  • Query.dll!LocateCatalogsW
  • rpcrt4.dll!I_RpcBindingSetAsync
  • rpcrt4.dll!I_RpcServerStartListening
  • rpcrt4.dll!I_RpcServerStopListening
  • rpcrt4.dll!I_RpcWindowProc
  • rpcrt4.dll!NdrAsyncStubCall
  • serialui.dll!EnumPropPages
  • setupapi.dll!AssertFail
  • setupapi.dll!CaptureAndConvertAnsiArg
  • setupapi.dll!CaptureStringArg
  • setupapi.dll!DelayedMove
  • setupapi.dll!DuplicateString
  • setupapi.dll!EnablePrivilege
  • setupapi.dll!FileExists
  • setupapi.dll!MultiByteToUnicode
  • setupapi.dll!OpenAndMapFileForRead
  • setupapi.dll!QueryRegistryValue
  • setupapi.dll!RegistryDelnode
  • setupapi.dll!RetreiveFileSecurity
  • setupapi.dll!StampFileSecurity
  • setupapi.dll!StringTableAddString
  • setupapi.dll!StringTableAddStringEx
  • setupapi.dll!StringTableDestroy
  • setupapi.dll!StringTableDuplicate
  • setupapi.dll!StringTableGetExtraData
  • setupapi.dll!StringTableInitialize
  • setupapi.dll!StringTableInitializeEx
  • setupapi.dll!StringTableLookUpString
  • setupapi.dll!StringTableLookUpStringEx
  • setupapi.dll!StringTableSetExtraData
  • setupapi.dll!StringTableStringFromId
  • setupapi.dll!StringTableStringFromIdEx
  • setupapi.dll!StringTableTrim
  • setupapi.dll!TakeOwnershipOfFile
  • setupapi.dll!UnmapAndCloseFile
  • shdocvw.dll!InstallReg_RunDLL
  • shell32.dll!CheckEscapesA
  • shell32.dll!Control_FillCache_RunDLLA
  • shell32.dll!Control_FillCache_RunDLLW
  • shell32.dll!ExtractVersionResource16W
  • shell32.dll!Printers_RegisterWindowW
  • shell32.dll!Printers_UnregisterWindow
  • shell32.dll!Printer_LoadIconsW
  • shell32.dll!SheChangeDirW
  • shell32.dll!SheGetDirW
  • shell32.dll!SHRegCloseKey
  • shell32.dll!SHRegDeleteKeyW
  • shell32.dll!SHRegOpenKeyA
  • shell32.dll!SHRegOpenKeyW
  • shell32.dll!SHRegQueryValueA
  • shell32.dll!SHRegQueryValueExA
  • shell32.dll!SHRegQueryValueExW
  • shell32.dll!SHRegQueryValueW
  • shlwapi.dll!MLFreeLibrary
  • shlwapi.dll!ShellMessageBoxWrapW
  • shlwapi.dll!_SHGetInstanceExplorer
  • sti.dll!StiCreateInstanceA
  • user32.dll!CalcChildScroll
  • user32.dll!CharNextExW
  • user32.dll!CharPrevExW
  • user32.dll!KillSystemTimer
  • user32.dll!SetDeskWallPaper
  • user32.dll!SetLogonNotifyWindow
  • user32.dll!SetSystemTimer
  • user32.dll!UserSignalProc
  • user32.dll!__wine_send_input
  • user32.dll!__wine_set_pixel_format
  • winmm.dll!GetDriverFlags
  • winmm.dll!OpenDriverA
  • wsock32.dll!WsControl
  • XInput1_4.dll!XInputGetStateEx
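Anyone maintaining a Wine-based analysis environment can run the same check the post's test program performs to see which of these exports give the environment away. The following is an added example, not the post's test program: it parses entries in the dll!Function form used above into a per-DLL table, resolves each one through a pluggable resolver, and reports what leaked. MARKERS is a small subset of the list above; the resolver protocol, the ctypes-based Windows resolver and the simulated environments used for running it off-Windows are assumptions of this example.

```python
"""Audit which Wine-only exports resolve in the current environment.

Added example, not the post's test program. MARKERS is a small subset of the post's
list; the resolver protocol, the ctypes-based resolver and the simulated environments
are assumptions of this example.
"""
import sys
from collections import defaultdict

# Subset of the post's list: exports present in Wine but absent from Windows 10.
MARKERS = """
gdi32.dll!__wine_get_vulkan_driver
gdi32.dll!SetDCHook
kernel32.dll!wine_get_unix_file_name
kernel32.dll!GetProcessFlags
ntdll.dll!wine_server_call
ntdll.dll!__wine_set_signal_handler
user32.dll!__wine_send_input
shell32.dll!SHRegOpenKeyW
"""


def parse_markers(text):
    """'dll!Function' entries -> {dll: [functions]} with DLL names lower-cased."""
    table = defaultdict(list)
    for entry in text.split():
        dll, sep, func = entry.partition("!")
        if sep and dll and func:
            table[dll.lower()].append(func)
    return dict(table)


def audit(markers, resolver):
    """Return the 'dll!func' markers that resolver(dll, func) reports as exported."""
    return [f"{dll}!{func}"
            for dll, funcs in markers.items()
            for func in funcs
            if resolver(dll, func)]


def win32_resolver(dll, func):
    """Real resolver for a Windows or Wine host: LoadLibraryW + GetProcAddress via
    ctypes. Only usable where ctypes.WinDLL exists (sys.platform == 'win32')."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    module = k32.LoadLibraryW(dll)
    if not module:
        return False
    return k32.GetProcAddress(module, func.encode("ascii")) is not None


def fake_resolver(exported):
    """Constructed stand-in for non-Windows hosts: `exported` is the set of
    'dll!func' names the simulated environment exposes."""
    return lambda dll, func: f"{dll.lower()}!{func}" in exported


# Constructed simulated environments for running the audit off-Windows. A given Wine
# build need not export every marker, so the simulated Wine exposes only some of them.
SIMULATED_WINE = {
    "gdi32.dll!__wine_get_vulkan_driver",
    "kernel32.dll!wine_get_unix_file_name",
    "ntdll.dll!wine_server_call",
    "ntdll.dll!__wine_set_signal_handler",
    "user32.dll!__wine_send_input",
}
SIMULATED_WINDOWS_10 = set()  # none of the markers resolve on a real Windows 10


def report(markers, resolver):
    """Summarise the audit: which markers leaked and how many were checked."""
    found = audit(markers, resolver)
    total = sum(len(funcs) for funcs in markers.values())
    return {"leaked": found, "checked": total, "looks_like_wine": bool(found)}


if __name__ == "__main__":
    resolver = win32_resolver if sys.platform == "win32" else fake_resolver(SIMULATED_WINE)
    print(report(parse_markers(MARKERS), resolver))
```

On a Windows or Wine host the script uses the real resolver; a single leaked export is enough for the verdict, so the useful output for a sandbox operator is the `leaked` list itself, which says which DLLs still need attention.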