{"id":6188,"date":"2019-04-14T22:56:40","date_gmt":"2019-04-14T22:56:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6188"},"modified":"2019-04-14T23:00:14","modified_gmt":"2019-04-14T23:00:14","slug":"signed-nullsoft-plug-ins-potential-lolbins","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/04\/14\/signed-nullsoft-plug-ins-potential-lolbins\/","title":{"rendered":"Signed Nullsoft Plug-ins &#8211; potential Lolbins"},"content":{"rendered":"\n<p>A couple of years ago I exported ~12K Nullsoft plugins from a large corpus of installers. It was a part of my research on hooking Nullsoft plug-in APIs that I described <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/06\/26\/enter-sandbox-part-6-the-nullsoft-hypothesis-and-other-installers-conundrums\/\">here<\/a>.<\/p>\n\n\n\n<p>Today I revisited this old repo, because it crossed my mind that perhaps some of these DLLs were actually signed. And if they are, I thought, then perhaps some of them will tick the box of <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/10\/reusigned-binaries-living-off-the-signed-land\/\">re-usigned libraries<\/a>.<\/p>\n\n\n\n<p>To my surprise, I found over 2K signed plug-ins.<\/p>\n\n\n\n<p>Encouraged by these stats, I ran a script to list all the functions exported by these DLLs. 
Apart from the default exports that can be found in the most popular Nullsoft plug-ins, I was able to find tons of other functions.<\/p>\n\n\n\n<p>There are functions for pretty much every occasion:<\/p>\n\n\n\n<ul><li>Internet downloads<\/li><li>Resource handling<\/li><li>Message Boxes<\/li><li>Mathematical functions<\/li><li>FTP<\/li><li>File operations<\/li><li>Audio \/ Video<\/li><li>Unicode<\/li><li>Network enumeration<\/li><li>Process operations<\/li><li>Sqlite3<\/li><li>Encryption<\/li><li>HTML<\/li><li>SSH<\/li><li>Hooking<\/li><li>String operations<\/li><li>GDI \/ UI primitives<\/li><li>XML<\/li><li>ZIP<\/li><li>Zlib<\/li><li>and lots more<\/li><\/ul>\n\n\n\n<p>There are also &#8216;more refined&#8217; self-descriptive functions, e.g. CreateProcessInjected, InjectDll, _DownloadCompleteFile, SilentOpenURLA, KillAllXBrowserProcesses and a variation of KillProcess functions.<\/p>\n\n\n\n<p>Given the variety of exported functions, many of these DLLs must be based on the source code of popular FOSS libraries. Why? It&#8217;s really hard to believe someone accidentally included all OpenSSL exports in a working plug-in.<\/p>\n\n\n\n<p>Being so feature-rich, these DLLs could be used to build unusual code paths that rely on the code callbacks provided by these signed binaries. In a way this is similar to ROP, except that it re-uses functional code blocks instead of single instructions, small clusters of them, or trampolines.<\/p>\n\n\n\n<p>Here&#8217;s the <a href=\"https:\/\/hexacorn.com\/examples\/NullSoft_Plugins_exported_functions.zip\">whole list<\/a> if you want to have a look.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A couple of years ago I exported ~12K Nullsoft plugins from a large corpus of installers. It was a part of my research on hooking Nullsoft plug-in APIs that I described here. 
Today I revisited this old repo, because it &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/14\/signed-nullsoft-plug-ins-potential-lolbins\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,21,56,64,59],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6188"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6188"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6188\/revisions"}],"predecessor-version":[{"id":6192,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6188\/revisions\/6192"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}