{
"id":8694,
"date":"2023-08-25T23:05:18",
"date_gmt":"2023-08-25T23:05:18",
"guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8694"},
"modified":"2023-08-25T23:09:45",
"modified_gmt":"2023-08-25T23:09:45",
"slug":"lolbins-for-connoisseurs",
"status":"publish",
"type":"post",
"link":"https:\/\/www.hexacorn.com\/blog\/2023\/08\/25\/lolbins-for-connoisseurs\/",
"title":{"rendered":"Lolbins for connoisseurs&#8230;"},
"content":{"rendered":"\n<p>We are all quite fixated on the purity of lolbins. Best if it is a hidden\/undocumented\/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too.<\/p>\n<p>However&#8230;<\/p>\n<p>Living Off The Land&#8217;s scope should be wide.<\/p>\n<p>Take a compression utility as an example: zip, bzip2, 7z and their variations. It&#8217;s a lame example, but it serves the purpose of demonstration well. There are many software packages out there today. A subset of them are quite popular. And a subset of those popular packages install a compression utility&#8230;<\/p>\n<p>Let&#8217;s have a look at a sample of &#8216;interesting&#8217; paths:<\/p>\n<ul>\n<li>%program files%\\2printer\\7z.exe<\/li>\n<li>%program files%\\advanced system optimizer 3\\updater\\extract\\7z.exe<\/li>\n<li>%program files%\\aiseesoft studio\\aiseesoft ipad transfer\\7z.exe<\/li>\n<li>%program files%\\aunsoft\\aunsoft dvd ripper\\zip.exe<\/li>\n<li>%program files%\\aunsoft\\aunsoft transmxf\\zip.exe<\/li>\n<li>%program files%\\aunsoft\\aunsoft video converter\\zip.exe<\/li>\n<li>%program files%\\auntec\\ifonebox\\7z.exe<\/li>\n<li>%program files%\\docufreezer\\7z.exe<\/li>\n<li>%program files%\\driver tuneup\\dp\\7z.exe<\/li>\n<li>%program files%\\driver updater\\dp\\7z.exe<\/li>\n<li>%program files%\\dvdfab media player 3\\7za.exe<\/li>\n<li>%program files%\\dvdfab passkey\\7za.exe<\/li>\n<li>%program files%\\epson\\sl-d700\\common\\7za.exe<\/li>\n<li>%program files%\\fastneuron inc\\backupchain\\7za.exe<\/li>\n<li>%program files%\\fengtao software inc.\\ifonerestore\\7z.exe<\/li>\n<li>%program files%\\filetiger\\zip.exe<\/li>\n<li>%program files%\\getnzb\\7z.exe<\/li>\n<li>%program files%\\gimp*\\bin\\bzip2.exe<\/li>\n<li>%program files%\\gimp*\\bin\\minigzip.exe<\/li>\n<li>%program files%\\git\\usr\\bin\\bzip2.exe<\/li>\n<li>%program files%\\git\\usr\\bin\\gzip.exe<\/li>\n<li>%program files%\\git\\mingw64\\bin\\bzip2.exe<\/li>\n<li>%program files%\\globalshareware\\ifonemate\\7z.exe<\/li>\n<li>%program files%\\greatis\\regrunsuite\\7za.exe<\/li>\n<li>%program files%\\imyfone\\imyfone tunesfix\\7z.exe<\/li>\n<li>%program files%\\intelligent converters\\demos\\zip.exe<\/li>\n<li>%program files%\\intel\\phone flash tool\\7z.exe<\/li>\n<li>%program files%\\kingo root\\tools\\7z.exe<\/li>\n<li>%program files%\\moyea\\dvd4web converter\\7z.exe<\/li>\n<li>%program files%\\my-bp\\zip.exe<\/li>\n<li>%program files%\\my-pf\\zip.exe<\/li>\n<li>%program files%\\ospeedy batch photo processor\\7za.exe<\/li>\n<li>%program files%\\pa file sight\\7za.exe<\/li>\n<li>%program files%\\pa storage monitor\\7za.exe<\/li>\n<li>%program files%\\radarsync\\updater\\extract\\7z.exe<\/li>\n<li>%program files%\\radioboss\\7za.exe<\/li>\n<li>%program files%\\raxco\\perfectupdater\\updater\\extract\\7z.exe<\/li>\n<li>%program files%\\systweak\\netbook optimizer\\updater\\extract\\7z.exe<\/li>\n<li>%program files%\\tenorshare ibackupunlocker\\7z\\7z.exe<\/li>\n<li>%program files%\\unhackme\\7za.exe<\/li>\n<li>%program files%\\winzip driver updater\\updater\\extract\\7z.exe<\/li>\n<li>%program files%\\wise\\wise driver care\\7z.exe<\/li>\n<li>%program files%\\wondershare\\dr.fone\\addins\\recovery\\extractor\\7z.exe<\/li>\n<\/ul>\n<p>While most of these are not necessarily the most popular packages ever, people do download and install them&#8230;<\/p>\n<p>And compression utilities are not the only tools we may find; for example, some software installs curl.exe and wget.exe &#8211; how cool is that?<\/p>\n<ul>\n<li>%program files%\\git\\mingw64\\bin\\curl.exe<\/li>\n<li>%program files%\\hp\\pfp_guide\\wget.exe<\/li>\n<li>%program files%\\pa file sight\\wget.exe<\/li>\n<li>%program files%\\pa storage monitor\\wget.exe<\/li>\n<li>%program files%\\printfil\\wget.exe<\/li>\n<li>%program files%\\wondershare\\dr.fone\\addins\\recovery\\wget.exe<\/li>\n<\/ul>\n<p>Need a MySQL dump? Here it is:<\/p>\n<ul>\n<li>%program files%\\memberties\\server\\bin\\mysqldump.exe<\/li>\n<\/ul>\n<p>VNC?<\/p>\n<p>There you go:<\/p>\n<ul>\n<li>%localappdata%\\crossloop\\winvnc.exe<\/li>\n<li>%program files%\\crossloop\\winvnc.exe<\/li>\n<li>%program files%\\hammer software\\metalan administrator 2\\vnc\\tightvnc3\\winvnc.exe<\/li>\n<li>%userappdata%\\design master software\\remote support\\vnc.exe<\/li>\n<li>c:\\tcafe\\tcvnc.exe<\/li>\n<\/ul>\n<p>And if you need any more examples, remember my <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/10\/reusigned-binaries-living-off-the-signed-land\/\">NVIDIA Uninstallers<\/a> post from 2017.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>We are all quite fixated on the purity of lolbins. Best if it is a hidden\/undocumented\/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too. However&#8230; Living Off &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/08\/25\/lolbins-for-connoisseurs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},
"author":1,
"featured_media":0,
"comment_status":"closed",
"ping_status":"closed",
"sticky":false,
"template":"",
"format":"standard",
"meta":[],
"categories":[15,56,64,59],
"tags":[],
"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8694"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8694"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8694\/revisions"}],"predecessor-version":[{"id":8696,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8694\/revisions\/8696"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}