{"id":4366,"date":"2017-10-22T22:52:44","date_gmt":"2017-10-22T22:52:44","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4366"},"modified":"2018-03-25T18:53:37","modified_gmt":"2018-03-25T18:53:37","slug":"running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/10\/22\/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-3\/","title":{"rendered":"Running programs via Proxy &#038; jumping on a EDR-bypass trampoline, Part 3"},"content":{"rendered":"<p>Apparently, there is a never-ending stream of genuine OS components and legitimate applications that are not only signed, but are also rich in features that can be used to disturb the process tree&#8230; and hide from EDR.<\/p>\n<p>Here&#8217;s another one: stubapp.exe<\/p>\n<p>It is an application installed by HP drivers that can be typically found in these 2 locations:<\/p>\n<ul>\n<li>C:\\Program Files\\HP\\HPLJUT\\stubapp.exe<\/li>\n<li>c:\\Program Files (x86)\\HP\\HPLJUT\\stubapp.exe<\/li>\n<\/ul>\n<p>The program comes with a sample stubapp.ini file that explains the .ini file syntax:<\/p>\n<pre>;\r\n; StubApp ini file\r\n;\r\n; usage:\r\n; Stubapp -i &lt;inifile&gt; -m &lt;section&gt;\r\n;\r\n; [section]\r\n; 1=x\r\n; 2=y\r\n; [1.2k]\r\n; exename=notepad.exe\r\n; &lt;section&gt; contains a list with parts to run\r\n[...]\r\n; Application parameters\r\n; exename - location of application\r\n; command line parameters to be passed - exact syntax\r\n; waittofinish - 0=execute and continue; 1=wait for it to finish execution before continuing (CreateProcess must =1)\r\n; createprocess - user create process instead of shell execute; 1=yes, 0 or not specified = shellexecute (cannot waittofinish)\r\n; whentorun - 0=sw first only; 1=hw first only; 2=both hw and sw 1st; \r\n; 3=check the processes in [File_detect] &amp; [regdetect] Sections (check for PNP)<\/pre>\n<p>With this info we can quickly craft a simple 
.ini file which we can use to e.g. launch Calculator:<\/p>\n<pre>[Foo]\r\n1=Bar\r\n\r\n[Bar]\r\nexename=c:\\windows\\system32\\calc.exe\r\nparams=\"\"\r\nwaittofinish=0\r\nwhentorun=2\r\ncreateprocess=1<\/pre>\n<p>We launch it with the following command:<\/p>\n<pre>stubapp.exe -i &lt;fullpath to ini file&gt;  -m Foo<\/pre>\n<p>As a side effect of executing the program we will observe a log file created in a temporary directory (%TEMP%\\stubapp.log) that amongst other things contains the following information:<\/p>\n<pre> Application to launch: c:\\windows\\system32\\calc.exe\r\n Application parameters: \r\n Wait for application to finish: 0\r\n When to run application: 2\r\n If we should use CreateProcess: 1\r\n if we should check the registry: NOT FOUND\r\n SW 1st or HW 1st - Launching: c:\\windows\\system32\\calc.exe\r\n CreateProcess = 1, using CreateProcess\r\n Application to launch: \"c:\\windows\\system32\\calc.exe\" \r\n CStubApp::RunCreateProcess: Entering\r\n Process launched<\/pre>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,52,56,64],"tags":[]}