26 Jan

Abusing Microsoft-signed executables

This morning I noticed an article from Cylance named “Graftor Variant Leveraging Signed Microsoft Executable”. It’s a nice article, so I can really recommend you read it.

TL;DR version: Graftor authors are using DLL hijacking in SrcTool.exe to load their own dbghelp.dll. If an antimalware solution trusts an executable that’s signed by Microsoft (most of them do!) and doesn’t check all the DLLs it loads, the malicious code will not be detected.

Other vulnerable files

I decided to look for other Microsoft-signed files that could be abused in a similar manner. One quick search for EXE files in the folder C:\Program Files (x86)\Windows Kits that also contain the string dbghelp.dll, and here’s the result:

  • agestore.exe
  • cdb.exe
  • dbh.exe
  • kd.exe
  • mftrace.exe
  • ntkd.exe
  • ntsd.exe
  • srctool.exe
  • symchk.exe*
  • symstore.exe
  • tlist.exe
  • tracefmt.exe
  • tracepdb.exe

*symchk.exe also requires SymbolCheck.dll.

All these files are statically linked to dbghelp.dll and therefore vulnerable to DLL hijacking. agestore.exe, mftrace.exe, srctool.exe, symstore.exe, tlist.exe, tracefmt.exe and tracepdb.exe are the best targets: if you don’t pass any command-line arguments to them, they load dbghelp.dll but don’t call any of its APIs and therefore will not crash.
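A defender-side hunt for the condition described above, as an added example that is not code from the original post: it reuses the post's string-search method to find EXE files that reference dbghelp.dll and reports those that have a copy of the DLL sitting beside them outside an expected install root. The function names and the `TRUSTED_ROOTS` list are assumptions made for this sketch.

```python
import os

DLL_NAME = b"dbghelp.dll"  # the DLL the post's tools load at start-up
# Assumption: install roots where a dbghelp.dll beside the tools is expected.
TRUSTED_ROOTS = [r"C:\Program Files (x86)\Windows Kits"]

def references_dll(path, needle=DLL_NAME, chunk=1 << 20):
    """Case-insensitive byte search (the post's method), read in chunks."""
    needle = needle.lower()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            data = tail + block.lower()
            if needle in data:
                return True
            # Keep enough bytes to catch a match split across two reads.
            tail = data[-(len(needle) - 1):]

def is_trusted(folder, roots):
    """True if folder is one of the roots or lies below one of them."""
    path = os.path.normcase(os.path.abspath(folder))
    bases = [os.path.normcase(os.path.abspath(r)) for r in roots]
    return any(path == b or path.startswith(b + os.sep) for b in bases)

def find_sideloads(root, trusted_roots=TRUSTED_ROOTS):
    """Return sorted (exe, dll) pairs: an EXE that references dbghelp.dll
    with a copy of that DLL in its own folder, outside the trusted roots."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        dll = by_lower.get(DLL_NAME.decode())
        if dll is None or is_trusted(folder, trusted_roots):
            continue
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            exe = os.path.join(folder, name)
            try:
                if references_dll(exe):
                    hits.append((exe, os.path.join(folder, dll)))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

if __name__ == "__main__":
    for exe, dll in find_sideloads(os.getcwd()):
        print(f"{exe} has a co-located {dll}")
```

A hit is a lead for triage, not a verdict: the next step is checking the signature and origin of the reported DLL.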

Demo time

Here’s a small fake dbghelp.dll you can use for testing: https://www.mediafire.com/?yx677bhxtyc13pu

Place it in the folder with the vulnerable EXE files and run the EXE. If a “DLL Hijacking” messagebox shows up, the EXE is vulnerable. Something like this:

Have fun and keep it safe!

4 thoughts on “Abusing Microsoft-signed executables”

  1. Hmm, looks interesting. :)
    Stupid AVs detect all they shouldn’t (e.g. DUP2 patchers), but don’t detect all they have to, just wasting system resources. So I’m not using any AV for a long time and never had a virus.
    But which AV could you recommend for home users?
    And another question (sorry for offtopic) – how to determine, what AV searches for in any given file to tell us that it’s a virus?

  2. Oh yeah there are so many creative ways to execute code without using your own executable :D

  3. So Kao, I send an email to you and said not has not receive any, so I send other with the title “Help to…” (and you will see the rest).
    Check your spam box also, if you not receive on inbox maybe was on spam box who knows, I really need your help.
