And it caught my attention, because its filename implies it is some sort of installer. And since installers are renowned<\/a> for offering LOLBIN functionality I started digging…<\/p>\n\n\n\n The version info made me shiver… Que?<\/p>\n\n\n\n I have not heard of ‘NetMeeting’ for at least 700 years…<\/p>\n\n\n\n To my surprise, the program is very small (8K) and after loading it into IDA I realized why. It uses Setup APIs to install… stuff. <\/p>\n\n\n\n So, my hunch was right and the LOLBIN opportunity became real. <\/p>\n\n\n\n Like a dog that got thrown a bone I raised to the occasion and unleashed all the research powers at my disposal. I painstakingly crafted (googled it really<\/em>) an artisan .inf file that satisfies the ugly desires of SetupOpenInfFileW API that I spotted in the first line of decompiled code:<\/p>\n\n\n\n I proceeded to collect my winning lottery ticket and… nothing happened. <\/p>\n\n\n\n Like a wounded offensive researcher so eager to release his pervert creations… I scowled. I have already created a web site (with a logo<\/em>), a github repo, and a joke to piss off critics of offensive research. Could I be so shortsighted that I did all this without a foresight of failure? Gods of research must be very pleased seeing me struggling, I thought… and in an attempt to reconcile with them I put my hopes in a paradigm shift that I decided to empower my research with. <\/p>\n\n\n\n Like a dog that was thrown a ribeye steak, I scowled again… then I pushed that envelope and proceeded to unleash all the research powers at my disposal, plus one. I decided to actually read the second line of code that IDA presented to me in its wisdom:<\/p>\n\n\n\n With a cautious candor I sniffed around this inferior piece of code and then I realized that my soul left my body… and I scowled again, because it dawned on me (didn’t read the RTFM<\/em>) that… what led me to the garden of evil was a stupid cross-reference. It turns out, you see, that the API I listed above, one whose name should never be mentioned again has… expectations. <\/p>\n\n\n\n That entitled bratwurst of a code that happened to be used by instnm.exe<\/em> requires that the .inf file you provide as a command line argument contains a reference to the LayoutFile<\/em> so that it can, wait for it, make two .inf become one. I bet the guy who wrote that piece of code listened to Spice Girls<\/a><\/em> for too long. The idiot almost costed me my reputation and caused this post to be that long. <\/p>\n\n\n\n Like a dog that became wolf and was thrown a piece of A5 wagyu I scowled again\u2026 In an unprecedented move that this blog has never witnessed I created 2 .inf files to save this LOLBIN almost-catastrophe:<\/p>\n\n\n\n layout.inf<\/strong><\/p>\n\n\n\n instnm.inf<\/strong><\/p>\n\n\n\n I proceeded to collect my winning lottery ticket and\u2026 again… nothing happened.<\/p>\n\n\n\n G-O-D D-A-M-N I-T!<\/p>\n\n\n\n Like a… <\/p>\n\n\n\n I went old-school. I Launched Procmon, found out this idiot coder wants my DLL in c:\\windows\\syswow64. But I don’t want to place it there. I drop it in c:\\test. Bite me. I then make my new instnm.inf file:<\/p>\n\n\n\n Then this happens:<\/p>\n\n\n\n NetMeeting is back!<\/p>\n","protected":false},"excerpt":{"rendered":" All Windows Lolbins are dead. Right? The native OS program that I never looked at caught my attention today. Its location is: c:\\windows\\SysWOW64\\instnm.exe And it caught my attention, because its filename implies it is some sort of installer. And since … Continue reading
– 32-bit NetMeeting Installer for Win64<\/em>.<\/p>\n\n\n\n[Version]\nSignature=$CHICAGO$\nLayoutFile=layout.inf\n\n[DefaultInstall]\nRegisterDlls=foo\n\n[foo]\n11,,test.dll, 1<\/pre>\n\n\n\n
SetupOpenAppendInfFileW<\/pre>\n\n\n\n
[Version]\nSignature=$CHICAGO$\n[DefaultInstall]<\/pre>\n\n\n\n
[Version]\nSignature=$CHICAGO$\nLayoutFile=layout.inf\n\n[DefaultInstall]\nRegisterDlls=foo\n\n[foo]\n11,,test.dll, 1<\/pre>\n\n\n\n
[Version]\nSignature=$CHICAGO$\nLayoutFile=layout.inf\n[DefaultInstall]\nRegisterDlls=foo\n[foo]\n11,,..\\..\\..\\..\\..\\test\\test.dll, 1<\/pre>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/instnm.png\")
<\/figure>\n\n\n\n