{"id":6893,"date":"2019-11-22T01:46:21","date_gmt":"2019-11-22T01:46:21","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6893"},"modified":"2019-11-22T01:46:23","modified_gmt":"2019-11-22T01:46:23","slug":"the-curious-case-of-svcpack1-dll","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/11\/22\/the-curious-case-of-svcpack1-dll\/","title":{"rendered":"The curious case of svcpack1.dll"},"content":{"rendered":"\n<p>When you disassemble\/decompile code produced by popular vendors you usually (blindly) assume that they got it right. I know of typical vulnerabilities, I know of business logic bugs, but somehow&#8230; I always feel that all the actions of programmers are either justified, or at least, reasonable within the scope of a particular operation&#8230; <\/p>\n\n\n\n<p>This is why the case of svcpack1.dll is puzzling me.<\/p>\n\n\n\n<p>Imagine a signed .exe from Microsoft literally injecting a remote thread into winlogon.exe. Imagine this thread doing nothing but loading a library called `svcpack1.dll`. Okay. It&#8217;s legacy code. It&#8217;s from a Service Pack Update executable, but still&#8230;. 
<\/p>\n\n\n\n<p>This is an interesting opportunity.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"758\" height=\"1024\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/svcpack1-758x1024.png\" alt=\"\" class=\"wp-image-6894\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/svcpack1-758x1024.png 758w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/svcpack1-222x300.png 222w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/svcpack1-768x1038.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/svcpack1.png 831w\" sizes=\"(max-width: 758px) 100vw, 758px\" \/><\/figure>\n\n\n\n<p>As I have said many times before&#8230; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/10\/reusigned-binaries-living-off-the-signed-land\/\">re-usigned binaries<\/a> are probably the future of malicious activities. Signed, with a great reputation score, yet&#8230; given specific circumstances&#8230; possibly&#8230; really bad&#8230;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you disassemble\/decompile code produced by popular vendors you usually (blindly) assume that they got it right. 
I know of typical vulnerabilities, I know of business logic bugs, but somehow&#8230; I always feel that all the actions of programmers are &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/11\/22\/the-curious-case-of-svcpack1-dll\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6893"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6893"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6893\/revisions"}],"predecessor-version":[{"id":6895,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6893\/revisions\/6895"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}