Bring your own lolbas?

Posted on by

Recently, I was wondering what is the best term for binaries/scripts that are signed, can do the Lolbas thing, but are not necessarily installed on the system.

So far I have been covering many of these using a generic term ‘Re-usigned binaries’ (portmanteau of ‘reuse’ and ‘signed’). But it’s not catchy enough. Could a better term be ‘Bring your own lolbas/lolbin’? BYOL? Kinda similar to Bring Your Own Vulnerability (BYOV)? In fact a BYOL is a subset of BYOV.

I have covered many BYOL examples before. And I believe there will be a lot more in the future. After a very fertile research period lolbin fans explored most of the native OS executables, DLLs, scripts. It’s a natural course of events that their eyes will eventually turn to the other stuff.

The other stuff can be e.g. 7Zip program signed by legitimate companies. @Oddvarmoe posted about it on Twitter in April:

It triggered my interest and I set on a path to discover more instances of various 7zip components signed by legitimate companies. The results of a very basic research are very promising: there are plenty of these:

  • ASUSTeK Computer Inc.
  • HUAWEI Technologies Co., Ltd.
  • NVIDIA Corporation
  • Samsung Electronics CO., LTD.
  • Trend Micro, Inc.

I won’t be posting hashes, because… well… why burning them… The other less obvious bit is that these signed components are often old and could contain unpatched vulnerabilities as well.

Batch decompilation with IDA / Hex-Rays Decompiler

Posted on by

if you are very used to 32-bit IDA you may sometimes find yourself in a blind alley when you try to port your working solution to IDA 64-bit. This was the case with my old batch decompilation script.

The way it works is very simple – for every <file> in a folder, run IDA in its automation/batch mode mode, decompile the <file>, and finally save it in a <file>.c file – more or less like the below (I am omitting the loop):

c:\Ida\idaw.exe -A -Ohexrays:-new:%%k.c:ALL “%%k”

Nothing could be simpler.

Until you run it with the 64-bit idaw64.exe:

c:\Ida\idaw64.exe -A -Ohexrays:-new:%%k.c:ALL “%%k”

It doesn’t work. It loads idaw64 and just stays there.

The gotcha is in a plug-in name. The 64-bit decompiler’s plugin name is not hexrays, it’s not hexrays64 either. It is actually hexx64.dll.

So, you have to run this instead:

c:\Ida\idaw64.exe -A -Ohexx64:-new:%%k.c:ALL “%%k”

It’s ridiculously trivial, but it’s always the little things.

Also, interestingly, when you google hexx64.dll or hexx64.p64 you only get a few hits. As if not too many ppl ever came across the issue.

Another gotcha is that if you run it with too many files, your system’s performance will deteriorate quickly. I don’t know if it is memory fragmentation/leaks, or something else, but after running the script on a number of samples I observed my VM dying on me and requiring a restart due to low memory (despite no other process running on a 2G RAM guest). If you know what causes it I would be grateful if you could let me know.

The third gotcha is to rely on the text version of IDA for this task – it is faster than the GUI version. At least in my experience.

Finally, the last gotcha is to remove all the other plugins from the IDA’s Plugins directory, other than the one you are using e.g. hexrays. Why? This may look like nothing, but IDA enumerates and loads all of them _each_ time it starts.