Matlab persistent lolbin – 2 years too late, but always…

I just realized I have never published a post about the lolbin-ish/persistence-ish Matlab feature that I referred to in this tweet. The TL;DR is that Matlab can be made to load a DLL of our choice through a feature that is both Matlab-user friendly and... unbelievable.

Using the following command line invocation:

MATLAB.exe -nosplash -nodesktop -r "run('c:\test\test.m'); exit;"

we can instruct Matlab to run the script 'test.m' in a batch-like fashion: -r executes the given statement at startup, while -nosplash and -nodesktop suppress the splash screen and the desktop GUI, so the whole thing can run with no user interaction.

The 'test.m' in this example contains a single line of code:

x = foo();

When Matlab runs 'test.m', it has to resolve the name 'foo'. It is not a variable, a built-in, or a function already on the path, so Matlab searches the current folder (run() changes into the script's folder for the duration of the script) for a file that can provide it. Among the candidates are MEX files, Matlab's native-code extensions (*.mexw32 on 32-bit and *.mexw64 on 64-bit Windows), which are ordinary DLLs with a different extension. On a 64-bit OS/Matlab it therefore looks for a 'foo.mexw64' file, loads it with the regular DLL loader, and calls its exported mexFunction, the entry point that acts as the interface between Matlab and the native code. Note that within one folder a MEX file takes precedence over a .m file of the same name, so dropping 'foo.mexw64' next to an existing foo.m silently hijacks that function as well.

The example session is shown in this animation:

It's obvious there are at least two scenarios where this 'feature' can be used for offensive purposes:

  • niche Lolbin – having a library of our choice loaded into a legitimate MATLAB process may help to evade security software that keys on the loading image rather than on the loaded DLL
  • niche and stealthy persistence – Matlab files can be modified in a viral way (a one-line call added to a script the user runs anyway, or to startup.m, which Matlab executes at every start) to force the loading of our library at some random moment in the future
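The detection side of the chain above, as an added example (not code from the original post): a small hunt over Sysmon telemetry that flags MEX files MATLAB.exe loads from outside the install folder (Event ID 7, ImageLoad) and, for context, MATLAB.exe starts with the -r or -batch switch (Event ID 1, ProcessCreate). The event records are constructed samples and the trusted-root list is an assumption to tune per environment.

```python
"""Hunt for MATLAB MEX-load abuse in Sysmon telemetry.

Added example, not from the original post. Field names follow Sysmon's
Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); the events below are
constructed samples, and TRUSTED_ROOTS is an assumption to tune per host.
"""
from pathlib import PureWindowsPath

# MATLAB's native-code extensions on Windows: plain DLLs with these suffixes.
MEX_EXTENSIONS = {".mexw32", ".mexw64"}

# Assumption: MEX files shipped with MATLAB live under the install folder.
# User-compiled MEX files (typically under Documents\MATLAB) will also be
# flagged; baseline or allowlist those per host instead of widening the root.
TRUSTED_ROOTS = [r"C:\Program Files\MATLAB"]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "CommandLine": r'''MATLAB.exe -nosplash -nodesktop -r "run('c:\test\test.m'); exit;"'''},
    {"EventID": 1,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "CommandLine": "MATLAB.exe -nosplash"},
    {"EventID": 7,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "ImageLoaded": r"C:\Program Files\MATLAB\R2023a\bin\win64\libmx.dll"},
    {"EventID": 7,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "ImageLoaded": r"C:\Program Files\MATLAB\R2023a\toolbox\example\example.mexw64"},
    {"EventID": 7,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "ImageLoaded": r"C:\test\foo.mexw64"},
    {"EventID": 7,
     "Image": r"C:\Program Files\MATLAB\R2023a\bin\win64\MATLAB.exe",
     "ImageLoaded": r"C:\Users\alice\Documents\MATLAB\helper.mexw64"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\test\foo.mexw64"},
]


def _under_root(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' test on path components."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts


def suspicious_mex_loads(events, trusted_roots=TRUSTED_ROOTS):
    """Return ImageLoaded paths of MEX files that MATLAB.exe loaded from
    outside the trusted roots, in the order the events were seen."""
    roots = [PureWindowsPath(r) for r in trusted_roots]
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loader = PureWindowsPath(ev["Image"])
        loaded = PureWindowsPath(ev["ImageLoaded"])
        if loader.name.lower() != "matlab.exe":
            continue  # other processes loading .mexw64 are out of scope here
        if loaded.suffix.lower() not in MEX_EXTENSIONS:
            continue
        if any(_under_root(loaded, r) for r in roots):
            continue
        hits.append(ev["ImageLoaded"])
    return hits


def headless_matlab_runs(events):
    """Return command lines of MATLAB.exe started to execute code without a
    user: -r runs a statement at startup, -batch is the newer non-interactive
    switch. Legitimate automation uses both, so treat this as context for the
    MEX-load hits rather than as a stand-alone alert."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if PureWindowsPath(ev["Image"]).name.lower() != "matlab.exe":
            continue
        tokens = ev.get("CommandLine", "").split()
        if "-r" in tokens or "-batch" in tokens:
            hits.append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for path in suspicious_mex_loads(SAMPLE_EVENTS):
        print("MEX loaded from untrusted location:", path)
    for cmd in headless_matlab_runs(SAMPLE_EVENTS):
        print("headless MATLAB start:", cmd)
```

Matching on ImageLoaded rather than on the loading image is the point: the process is the legitimate, expected MATLAB.exe in both scenarios, and only the origin of the .mexw64 gives the chain away.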

PE Section names – re-visited, again, in 2023

In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at Windows 11 PE sections and am happy to report that the world of PE sections has expanded a bit, again. Here are some stats (the number is the count of occurrences in the sampled binaries, followed by the section name as a Python bytes literal):

  • 3176 b'.rsrc'
  • 3109 b'.text'
  • 3109 b'.reloc'
  • 3108 b'.data'
  • 3102 b'.pdata'
  • 2983 b'.rdata'
  • 2007 b'.a64xrm' -> CHPEv2 (ARM64X hybrid binary) section
  • 1958 b'.hexpthk' -> possibly stands for Hybrid Executable Push Thunk
  • 1705 b'.didat'
  • 241 b'.00cfg'
  • 50 b'.orpc'
  • 39 b'?g_Encry' -> WarbirdPayload
  • 31 b'PAGE'
  • 25 b'INIT'
  • 25 b'GFIDS'
  • 25 b'.edata'
  • 19 b'.wpp_sf'
  • 14 b'.idata'
  • 12 b'.mrdata'
  • 9 b'PAGECMRC'
  • 7 b'RT_DATA'
  • 7 b'RT_BSS'
  • 6 b'RT_CODE'
  • 5 b'_RDATA'
  • 5 b'.sdbid'
  • 5 b'.no_bbt'
  • 5 b'.apiset'
  • 4 b'RT_CONST'
  • 4 b'.isoapis'
  • 4 b'.imrsiv'
  • 2 b'PAGEWdfV'
  • 2 b'PAGELK'
  • 2 b'PAGEDATA'
  • 2 b'PAGECONS'
  • 2 b'.text_hf'
  • 2 b'.sipc'
  • 1 b'msrodata'
  • 1 b'debug_wi'
  • 1 b'cachelin'
  • 1 b'__Defaul'
  • 1 b'SANONTCP'
  • 1 b'RT'
  • 1 b'FE_TEXT'
  • 1 b'ExtTel'
  • 1 b'ERRATA'
  • 1 b'CiPolicy'
  • 1 b'.ssm_url'
  • 1 b'.proxy'
  • 1 b'.ndr64'
  • 1 b'.mytext'
  • 1 b'.guids'
  • 1 b'.detourd'
  • 1 b'.detourc'
  • 1 b'.bootdat'
  • 1 b'.DDIData'
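Stats like the list above come out of a section-table walk, and a stdlib-only version is short enough to show here as an added example (not the author's own script). It reads the DOS header, follows e_lfanew to the PE signature, takes NumberOfSections and SizeOfOptionalHeader from the COFF file header, and collects the 8-byte names of the section table, keeping names that use all 8 bytes (like PAGECMRC or .hexpthk) intact. The sample binaries are constructed header-only fixtures built by build_minimal_pe(); the real-file path is scan_directory().

```python
"""Count PE section names across a set of binaries (added example, stdlib only).

section_names() follows the PE/COFF header layout; build_minimal_pe() makes
constructed, non-loadable fixtures that exist only so the code runs offline.
"""
import struct
from collections import Counter
from pathlib import Path

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)
SECTION_HEADER_SIZE = 40              # IMAGE_SECTION_HEADER
PE32PLUS_OPTIONAL_HEADER_SIZE = 0xF0  # SizeOfOptionalHeader used by the fixture


def section_names(data: bytes) -> list:
    """Return the section names of a PE image as bytes, in table order.

    Names are 8 bytes, NUL-padded; a name that fills all 8 bytes has no
    terminator, so only trailing NULs are stripped, never the content.
    Raises ValueError on anything that is not a walkable PE image.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + FILE_HEADER_SIZE:
        raise ValueError("file header truncated")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, coff)
    table = coff + FILE_HEADER_SIZE + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        hdr = data[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("section table truncated")
        names.append(hdr[:8].rstrip(b"\0"))
    return names


def count_section_names(pe_blobs) -> Counter:
    """Tally section names over many images; non-PE input is skipped,
    as it would be when walking a directory full of mixed files."""
    counter = Counter()
    for blob in pe_blobs:
        try:
            counter.update(section_names(blob))
        except ValueError:
            continue
    return counter


def scan_directory(root) -> Counter:
    """Tally section names of every regular file under root (real-file path)."""
    blobs = (p.read_bytes() for p in Path(root).rglob("*") if p.is_file())
    return count_section_names(blobs)


def build_minimal_pe(names) -> bytes:
    """Constructed fixture: a PE32+ header skeleton with the given section
    names and zeroed section headers. Enough for section_names(); not loadable."""
    e_lfanew = 0x40
    dos = bytearray(IMAGE_DOS_SIGNATURE + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(FILE_HEADER_FMT, 0x8664, len(names), 0, 0, 0,
                       PE32PLUS_OPTIONAL_HEADER_SIZE, 0x22)
    optional = struct.pack("<H", 0x20B) + b"\0" * (PE32PLUS_OPTIONAL_HEADER_SIZE - 2)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + optional + table


# Constructed sample set: a plain x64 DLL, an ARM64X-style hybrid, a driver, junk.
SAMPLE_BINARIES = [
    build_minimal_pe([b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc"]),
    build_minimal_pe([b".text", b".rdata", b".data", b".pdata", b".a64xrm", b".hexpthk", b".rsrc", b".reloc"]),
    build_minimal_pe([b"INIT", b"PAGE", b"PAGECMRC", b".rsrc"]),
    b"not a PE at all",
]


if __name__ == "__main__":
    for name, count in count_section_names(SAMPLE_BINARIES).most_common():
        print(f"  {count} {name!r}")
```

The only header fields the walk depends on are e_lfanew, NumberOfSections and SizeOfOptionalHeader; the fixture sets the latter to the PE32+ value so the table offset is computed the same way as for a real image rather than assumed.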