{"id":4863,"date":"2018-05-01T22:40:25","date_gmt":"2018-05-01T22:40:25","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4863"},"modified":"2018-10-09T01:01:10","modified_gmt":"2018-10-09T01:01:10","slug":"wab-exe-as-a-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/05\/01\/wab-exe-as-a-lolbin\/","title":{"rendered":"wab.exe as a LOLBin"},"content":{"rendered":"<p>WAB stands for Windows Address Book. It&#8217;s also the name of a tool typically located at one of these two file paths:<\/p>\n<ul>\n<li>c:\\Program Files (x86)\\Windows Mail\\wab.exe<\/li>\n<li>c:\\Program Files\\Windows Mail\\wab.exe<\/li>\n<\/ul>\n<p>In the past the program was used to manipulate .wab files, but nowadays it is a legacy tool and is not used much anymore.<\/p>\n<p>Still, we can use it to do one more thing for us&#8230;<\/p>\n<p>When launched, it tries to load the wab32.dll library. The actual location and name of the DLL are determined by the following Registry key:<\/p>\n<ul>\n<li>HKLM\\Software\\Microsoft\\WAB\\DLLPath<\/li>\n<\/ul>\n<p>which typically points to:<\/p>\n<ul>\n<li>%CommonProgramFiles%\\System\\wab32.dll<\/li>\n<\/ul>\n<p>By changing this path you can load any DLL of your choice.<\/p>\n<p>Only if the DLLPath Registry path cannot be resolved will the tool try to load wab32.dll from the current directory. So, yet another opportunity for side-loading&#8230;<\/p>\n<p>Last, but not least &#8211; on older systems it could act as a persistence mechanism.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WAB stands for Windows Address Book. 
It&#8217;s also the name of a tool typically located at one of these two file paths: c:\\Program Files (x86)\\Windows Mail\\wab.exe c:\\Program Files\\Windows Mail\\wab.exe In the past the program was used to manipulate .wab files, but nowadays &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/05\/01\/wab-exe-as-a-lolbin\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4863"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4863"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4863\/revisions"}],"predecessor-version":[{"id":5391,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4863\/revisions\/5391"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}