ExtExport – yet another LOLBin

This is a quick & dirty recipe for loading a DLL of your choice using ExtExport.exe, a built-in tool that lives in the Internet Explorer directory:

Method #1

  • Drop a file named like one of these inside the c:\test folder:
    • mozcrt19.dll
    • mozsqlite3.dll
    • sqlite3.dll
  • Now run:
    • "C:\Program Files\Internet Explorer\ExtExport.exe" c:\test foo bar

This will load one (or all) of these DLLs.

Method #2

The tool offers further arbitrary DLL loading paths that let you specify the library name directly on the command line.

This method requires more arguments, e.g.:

  • ExtExport.exe c:\Test\test.dll 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}

I have not explored what the other arguments mean, but you can swap them for whatever you want to evade static detection; what matters is that the first argument must be the name of the DLL we want to load and the last argument must be a valid GUID in the form shown above (one accepted by the IIDFromString function).

Method #3

It's actually a variant of method 2 – we just need to swap 'FIREFOX' with '360SE':

  • ExtExport.exe c:\Test\test.dll 2 3 4 360SE {00000000-0000-0000-0000-000000000000}
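A detection heuristic that covers all three methods, as an added example written for this post (it is not code from the original article or from Microsoft). It assumes Sysmon-style field names (Image, CommandLine, TargetFilename) and runs over four constructed log records, not real telemetry: Method #1 is caught by correlating a file write of one of the three side-load names with an ExtExport.exe run that points at that directory, and Methods #2/#3 by a DLL path as first argument, a GUID literal as last argument, and the FIREFOX/360SE token.

```python
"""Detection heuristic for the ExtExport.exe DLL-loading patterns described above.

Added example for this post; it is not code from the original article or from Microsoft.
The log records below are constructed to resemble process-creation and file-creation
events (Sysmon-style field names are assumed) and are not real telemetry.
"""
import re
import shlex
from typing import Dict, List, Set, Tuple

# DLL names ExtExport.exe picks up from the directory passed as its first argument (Method #1).
SIDELOAD_DLL_NAMES = {"mozcrt19.dll", "mozsqlite3.dll", "sqlite3.dll"}

# Profile tokens used in Methods #2 and #3.
PROFILE_TOKENS = {"FIREFOX", "360SE"}

# Braced GUID literal in the form IIDFromString accepts, e.g. {00000000-0000-0000-0000-000000000000}.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.IGNORECASE
)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line without treating backslashes as escapes."""
    # posix=False keeps backslashes literal but leaves the quotes on quoted tokens.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def assess_extexport(event: Dict[str, str], staged_dirs: Set[str]) -> List[str]:
    """Return the reasons a process-creation event matches the ExtExport patterns (empty if none)."""
    if not event["Image"].lower().endswith("\\extexport.exe"):
        return []
    args = split_windows_cmdline(event["CommandLine"])[1:]
    if not args:
        return []
    first, last = args[0], args[-1]
    reasons = []
    # Methods #2/#3: a DLL path as the first argument and a GUID literal as the last one.
    if first.lower().endswith(".dll"):
        reasons.append("first argument is a DLL path")
    if GUID_RE.match(last):
        reasons.append("last argument is a GUID literal")
    if any(tok.upper() in PROFILE_TOKENS for tok in args):
        reasons.append("profile token FIREFOX/360SE present")
    # Method #1: the first argument is a directory where one of the side-load names was written.
    if first.lower().rstrip("\\") in staged_dirs:
        reasons.append("first argument is a directory with a staged side-load DLL")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Correlate file-creation and process-creation events; return (command line, reasons) pairs."""
    staged_dirs: Set[str] = set()
    for ev in events:
        if ev["EventType"] == "FileCreate":
            folder, _, name = ev["TargetFilename"].lower().rpartition("\\")
            if name in SIDELOAD_DLL_NAMES:
                staged_dirs.add(folder)
    findings = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            reasons = assess_extexport(ev, staged_dirs)
            if reasons:
                findings.append((ev["CommandLine"], reasons))
    return findings


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "TargetFilename": r"c:\test\mozcrt19.dll"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\ExtExport.exe" c:\test foo bar'},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "CommandLine": r"ExtExport.exe c:\Test\test.dll 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe c:\test\notes.txt"},
]

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("   -", r)
```

The profile-token and GUID checks are deliberately kept separate so that an operator who swaps the filler arguments (as the post notes is possible) still trips at least the DLL-path and GUID conditions; the Method #1 rule is the weakest on its own and is only raised when the file write and the process launch line up.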

DeXRAY 2.13 update

@MrAdz350 pinged me on Twitter about his research on Sentinel One Quarantine files and as a result I have added support for this file format today. The support is not perfect yet – there seems to be some metadata appended to the encrypted file which DeXRAY doesn't support yet (some more analysis is needed). Still, at least you can extract the original sample.

Thanks @MrAdz350 !

The latest version of DeXRAY can be downloaded here.

The full list of supported or recognized file formats:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Sentinel One (MAL)
  • Spybot – Search & Destroy 2 'recovery'
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN), including from SEP on Linux
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the 'VSBX' string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)
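The Magic@0 notes in the list above are enough to write a first-pass recognizer for a few of these formats. The following is an added example for this post, not DeXRAY's own code; it uses only the offset-0 magic values the list states explicitly (Avast, F-Prot, Microsoft Forefront/Defender, TrendMicro), derives the TrendMicro bytes from the 'VSBX' ^ 0xFF description, and feeds it constructed header buffers rather than real quarantine files.

```python
"""Recognise some of the quarantine formats listed above from their leading bytes.

Added example; it is not DeXRAY's own code. Only the magic values the list gives
explicitly are used (Avast, F-Prot, Microsoft Forefront/Defender, TrendMicro), and the
buffers fed to it below are constructed here, not real quarantine files.
"""
from typing import List, Optional, Tuple


def masked(tag: bytes) -> bytes:
    """XOR every byte with 0xFF, which is how the post describes TrendMicro's 'VSBX' magic."""
    return bytes(b ^ 0xFF for b in tag)


# (vendor label, bytes expected at offset 0), taken from the Magic@0 notes in the list.
MAGIC_AT_ZERO: List[Tuple[str, bytes]] = [
    ("Avast chest file", b"-chest- "),
    ("F-Prot TMP", b"KSS"),
    ("Microsoft Forefront/Defender", b"\x0b\xad"),
    ("Microsoft Forefront/Defender", b"\xd3\x45"),
    ("TrendMicro VSBX", masked(b"VSBX")),  # A9 AC BD A7
]


def identify_quarantine(data: bytes) -> Optional[str]:
    """Return the vendor label whose offset-0 magic matches, or None if nothing matched."""
    for label, magic in MAGIC_AT_ZERO:
        if data.startswith(magic):
            return label
    return None


def identify_file(path: str) -> Optional[str]:
    """Read just enough of a file on disk to run the magic check."""
    longest = max(len(m) for _, m in MAGIC_AT_ZERO)
    with open(path, "rb") as fh:
        return identify_quarantine(fh.read(longest))


# Constructed sample headers (zero padding appended so they look like the start of a blob).
SAMPLES = {
    "avast": b"-chest- " + b"\x00" * 8,
    "fprot": b"KSS" + b"\x00" * 8,
    "trend": bytes.fromhex("A9ACBDA7") + b"\x00" * 8,
    "defender": bytes.fromhex("D345C599") + b"\x00" * 8,
    "plain": b"MZ\x90\x00" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9s} -> {identify_quarantine(blob)}")
```

Signature order matters only where one magic is a prefix of another, which is not the case for this set; formats with no fixed leading bytes (the <GUID>- or <hash>-named files) need the filename or X-RAY scanning that the list mentions rather than a magic check.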