{"id":6095,"date":"2019-03-30T01:18:44","date_gmt":"2019-03-30T01:18:44","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6095"},"modified":"2019-04-29T10:22:18","modified_gmt":"2019-04-29T10:22:18","slug":"sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/03\/30\/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default\/","title":{"rendered":"Squirrel packages&#8217; manager as a lolbin (a.k.a. many Electron apps are lolbins by default)"},"content":{"rendered":"\n<p>A week or so ago, I posted this <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1108429585602019328\">Twit<\/a> that refers to Slack&#8217;s executables as lolbins&#8230; I already <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/16\/squirrel-as-a-lolbin\/\">posted<\/a> about it last year &#8211; Slack&#8217;s <em>update.exe<\/em> is a nice lolbin, because it&#8217;s actually a Squirrel packages&#8217; manager in disguise. A side effect of using <a href=\"https:\/\/electronjs.org\/\">Electron<\/a>.<\/p>\n\n\n\n<p>I was wondering if this is a common pattern, and if Slack is the only software producer that relies on this software paradigm. Right&#8230; yeah, I know, the <em>paradigm<\/em> sounds very academic and serious, but it&#8217;s just about software development frameworks, file naming, their final placement on the user&#8217;s system, their behavior, and in the end&#8230; what you get from a command line when you run <em>update.exe \/?<\/em>.
Or something along these lines if the software authors relied on the same Electron framework as the one Slack did, and as my Twit showed &#8211; it was deemed to be &#8216;Lolbinish&#8217;.<\/p>\n\n\n\n<p>So, before we go any further, here&#8217;s a TL;DR for you &#8211; run this on your (test\/targeted) system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Users&gt;dir \/a\/b\/s update.exe<\/pre>\n\n\n\n<p>This will give you a list of candidate programs that may in fact be wrappers of Squirrel packages&#8217; manager.<\/p>\n\n\n\n<p>Once you run the cherry-picked <em>update.exe<\/em> you will typically get this banner:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Usage: Squirrel.exe command [OPTS]<br>   Manages Squirrel packages<br>[...]<\/pre>\n\n\n\n<p>&#8211; and&#8230; yup&#8230; you can use it as a Lolbin as described in my Twit and last year&#8217;s post:<\/p>\n\n\n\n<ul><li>%USERPROFILE%\\AppData\\Local\\&lt;app&gt;\\update.exe --processStart &quot;test.exe&quot; (<em>where test.exe must be placed in an app-* subfolder<\/em>)<\/li><\/ul>\n\n\n\n<p>You can not only run programs via proxy, but also e.g.
create shortcuts:<\/p>\n\n\n\n<ul><li>%USERPROFILE%\\AppData\\Local\\&lt;app&gt;\\update.exe --createShortcut  -l  &lt;parameters&gt; e.g.:<ul><li>%USERPROFILE%\\AppData\\Local\\slack\\update.exe --createShortcut c:\\WINDOWS\\system32\\mspaint.exe -l Desktop,StartMenu<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>After googling around, I can confirm that there are more apps placing <em>update.exe<\/em> on users&#8217; systems, including, but not limited to:<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/discordapp.com\/download\">Discord<\/a><\/li><li><a href=\"https:\/\/slack.com\/downloads\/windows\">Slack<\/a><\/li><li><a href=\"https:\/\/www.huddly.com\/app\/\">Huddly<\/a><\/li><li><a href=\"https:\/\/www.whatsapp.com\/download\/\">WhatsApp<\/a><\/li><li><a href=\"https:\/\/support.office.com\/en-gb\/article\/yammer-for-windows-and-mac-50920c05-cbfc-4f11-8503-e20fb2e623a5\">Yammer<\/a><\/li><\/ul>\n\n\n\n<p>I bet there are more. I bet there will be more in the future, because <a href=\"https:\/\/www.electron.build\/\">Electron<\/a> is a popular framework for the current app ecosystem that wants to deliver to Windows, Linux, OSX at the same time.<\/p>\n\n\n<p>When you browse the <a href=\"https:\/\/electronjs.org\/\">https:\/\/electronjs.org\/<\/a> web site, you can find references to many applications built using this framework:<\/p>\n\n\n<ul><li>1Clipboard<\/li><li>Atom<\/li><li>Beaker Browser<\/li><li>Caret<\/li><li>Collectie<\/li><li>Discord<\/li><li>Figma<\/li><li>Flow<\/li><li>Ghost<\/li><li>GitHub Desktop<\/li><li>GitKraken<\/li><li>Hyper<\/li><li>Insomnia<\/li><li>JIBO<\/li><li>Kap<\/li><li>Kitematic<\/li><li>Now Desktop<\/li><li>Simplenote<\/li><li>Skype<\/li><li>Slack<\/li><li>Svgsus<\/li><li>WebTorrent<\/li><li>WordPress.com<\/li><\/ul>\n\n\n\n<p>Also, in some cases the update.exe doesn&#8217;t produce any output if run w\/o any command line arguments (e.g. when you run Discord).
In such a case you can just blindly try <em>Update.exe --processStart &lt;file_inside_the_app_folder&gt;<\/em>. I can confirm it still works and launches the program of our choice. Your mileage for other Electron apps may vary.<\/p>\n\n\n\n<p>All in all, not a big deal, but good to know about. Both on the blue and red team sides of the puzzle.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A week or so ago, I posted this Twit that refers to Slack&#8217;s executables as lolbins&#8230; I already posted about it last year &#8211; Slack&#8217;s update.exe is a nice lolbin, because it&#8217;s actually a Squirrel packages&#8217; manager in &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/03\/30\/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6095"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6095"}],"version-history":[{"count":10,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6095\/revisions"}],"predecessor-version":[{"id":6284,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6095\/revisions\/6284"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categori
es?post=6095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}