Self-Extracting Executables for Hackers
Key Takeaways
This video by John Hammond covers the use of iexpress.exe to create self-extracting executables for security research and red team engagements, including living off the land binaries and social engineering tactics. The video demonstrates how to use iexpress.exe to bundle and package files, create self-extracting executables, and specify post-install commands to execute code or run payloads.
Full Transcript
do me a favor and try something for me will you on your Windows computer open up the start menu and type in I express. exe and once you hit enter or click on that best match don't worry you're not going to run malware or get a virus or anything but you will see this kind of weird old school looking window this is The iexpress Wizard and I'm serious try it out it will work on your computer if you're running any version of Windows greater than Windows 2000 I know it's super old but this utility this tool has still been shipped with every version of Windows and it is native and installed by default this tool will allow you to create a self-extracting or self-installing package ultimately it makes a computer program like aexe file but it pulls out the contents from itself to run a program on your computer now this is kind of interesting and a little clever right especially for malware virus is actual threats from hackers adversaries threat actors or penetration testers and red teamers trying to do some sweet stuff for security research because they're taking advantage of tools and utilities that aren't native to the operating system and what they tend to call living off the land now a lot of you might already be really familiar with this online resource called lbass or living off the land binaries scripts and libraries and this is a whole collection of all the different programs applications andex files that are natively naturally installed with Microsoft Windows that can be used and abused to do different things other than what they were intended to do right like maybe execute new code or fire up a dll dynamic link library to run other pieces of code maybe work with some alternate data streams download files from the internet hey pull down credentials tamper with material whatever you want but it's interesting if we actually scroll to the very top here I'm trying to introduce this whole iexpress thing but I express. exe actually isn't in this listing of a living offthe land binary but I would go so far as to say you can do some pretty weird shady and shenanigan stuff with I express. exe so here's the real favor I'll ask you watch this video and then give me your hot take let me know do you think this I express. exe tool should be part of the LOL bass resource is it a l bin or living off the land binary let's play with it what I'm going to do is open up the terminal and I'll go ahead and move into my desktop here let's go ahead and create just a directory for us to work in we'll call this I express. test and I'll move into that directory and from there I do like to do this because I've seen iexpress act weird when you aren't creating a new exe within the same directory that you're already working in so let me start I express. exe from here and now let's see this thing in action what we could do is actually create a new self extraction directive file or AED or said file this is kind of the blueprint and hey actually the skeleton for what it'll build out as this self- extracting package or executable let's click next here and then you got a couple options for what you want your package to really do you want to extract files and run an installation command ooh little bit interesting we could get code execution or fire off a payload like real malware or virus or whatever tooling you might like for your red team engagements your penetration tests or cyber crime threat actors adversaries they do this just as well we could extract files or create a cab file this is interesting this is separate from that do said file but it's a cabinet file some folks might be familiar it's a Microsoft cabinet file which you can think of like a zip archive and that it bundles and packages up files but it'll naturally and normally work with them super easily on Windows let's work with the default let's just extract files and run an installation command cuz I'm kind of curious what we could get this thing to do we could Define a package title and like we're literally creating our own installer for whatever software that we want right like a package you would download we could maybe fake stuff hey we could say look I'm going to build out something for Google Chrome or Internet Explorer or whatever software that you want you could have some social engineering and deception in the mix here and seriously you could even have like a confirmation prompt where you ask them are you ready to install Google Chrome or whatever you want we don't need to do that in this case we can just say no prompt and keep rolling with the defaults you could even display a license agreement like browse to a whole text file to include and display there let's click next and now we could actually include the files that will be bundled up in this package and embedded in the exe itself acting as a Cabinet file really I'll tell you more about that in a sec but first let's add some files that we want to run this could be our payload this could be malware our virus whatever you want and I'm not going to go through a whole Showcase of a metas sploit callback or a sliver or Havoc connection I do want to showcase this for the sake of the demo as a little bit more of a proof of concept so what we'll do is pretty simple look let's just actually use the calculator application again native built in and installed within Windows as part of the system route see Windows system 32 so let me navigate to there and hey enter the calc.exe let's add that and you could add as many of these files as you want whether it's a dll or a batch script or Visual Basic script.js jscript file Powershell anything but we're good with calc.exe and now you could actually say this is the program that I want to run execute and launch within that we could specify Kel or anything else that we included or we could even specify a PO install command so this is our opportunity to execute code run a payload fire off malware do whatever trade craft we might like and we even get a second opportunity to do that with the post post install command you could add in again calc.exe or anything else you packaged we'll leave that as none for now but we'll drill down into that more in a little bit later I think it's really cool though you could make this a little bit stealthy again keeping up with your social engineering charade if you went that route you could totally hide the window so that it's not displayed on the desktop or it could run minimized or maximized but let's be sneaky and let's let this run as a hidden window we could click next and even a finished message like hey you successfully inst called Google Chrome and again we won't need to do that for our example but it's totally possible and then we'll build out okay where do we actually want to save the package this is really where we'll specify our directory that we're working in that iexpress test little sandbox and home that we made for ourselves we can call this Google chrome.exe to keep up the charade I'll hit save and you got a couple other options here do you want to hide file extracting progress animation from the user o heck yeah we could be even more sneaky and stealthy with that another option here to store files using long file name inside package if you click on this it gives you a little bit of a warning is to look it's different in Windows 95 and later and earlier whatever look we don't need to particularly drill down into that one but I would like to hide that file extracting progress animation so let's click next and then we could even determine look do we want to have the user restart their computer after installing this package and application and program you could specify this if you only restart if needed or always restart start and you've even got a cool check boox here do not prompt the user before restarting you might be able to do some damage with that but let's just keep this as no restart so we can play with it then it'll build out the said file that SED by default it'll fill out the same exact path as we had chosen previously just with a do set extension rather than aexe so we could go ahead and roll with that let's hit next and then we can create the package just hit next and it will build this thing together with some flashy Terminals and command lines popping up but then then it's done so let's click finish here and then back in our Command prop let me actually Ls I'm in Powershell so the Alias is right you could dir or get child item full commandlet but that'll display our Google chrome.exe and our Google chrome. SED or said file I'll open this up in Explorer so you can see it just as well and this will show us look there is our Google chrome.exe and the said file if I double click on this what does it do pops open the calculator cuz that's what we told it to do right that's the command that we wanted to run and the bundled up file that will actually extract and run but if I rightclick this file let me take a look at the properties here you can see our Google chrome.exe is actually the win32 cabinet self extractor and taking a look at like oh the details here well it's okay copyright Microsoft Corporation product name Internet Explorer product version all this stuff actually with the original file name of w extract. exe and then some mu at the end there a little bit peculiar we'll keep keep that in the back of our mind but let me actually drill down into this because I think there's something important to Showcase if I use some tools from the CIS internal suite and a lot of folks might be familiar with that for extra tools and programs to be able to examine files and see what's going on on your computer we could use Sig check and actually take a look at the signature of the file this will need to accept a user license agreement so let's just click agree on that and it'll display all the kind of help and information on how to use the utility But ultimately we just need to pass in hey the file that we want to examine here in this case that's our Google chrome.exe I hit tab to autocomplete that but it'll tell me look even though it all says Microsoft Corporation and it's this like normal natural win32 self- cabinet extractor whatever it is unsigned because obviously we aren't Microsoft we are not ay Distributing the software on behalf of Microsoft that's something we do have to take note of anything that you build out with iexpress will not be signed unless you add a little bit more to it with your own efforts but that was all using that iexpress utility and we could try to take a look at the help information from that like as I ran I express. exe previously if I were to use another argument here with like a forward slash and a question mark that'll tell me a little bit more on how to use this thing there are other arguments or parameters we could include like sln to build a package now with a said file name provided and a quiet mode when using sln even minimize Windows when using sln even over writing some details and all that's a little bit peculiar especially when we talk about that sln because it's mentioning the said file right and we had that in our directory here so this Google chrome.exe again is actually being built out by this said file that kind of defines its structure what it's doing and how it works so let me do something weird I'll get back into our little Explorer here and I'm going to delete the exex file let me right click to send that to the recycle bin now all I have left is this Ed file but I could just as easily recreate it and rebuild it based off this blueprint when I use I express. exe and you don't need to include the file extension right just the command in your path naturally sln Google chrome. set and it'll build out oh all the windows pop up again the exact same executable file I could slash and run Google chrome.exe and it'll pop up in the calculator again so this is all the stuff that's defined in doed file what the heck is that the self extracting definition directive derivative whatever let's open that up in a text editor I know that's weird but let me rightclick this and try to open with and I'm using Sublime Text here you could use notepad or whatever you might like but let me just open that and here we are what I'll do is actually hit control shift p to hey change maybe the syntax I'll just use bash because it's nice and easy but basically it's like an inii file structure where we have a version defined for class iexpress said version 3 and all the this is plain text right like we could play with this we see the package purpose that we chose to install an app but some of those other things like to create a cab file or to extract only might be other values here and then the show install program window could be one or zero or whatever we could toggle that and you could see all the things like hiding the extraction animation we had clicked that radio button but we could toggle the values here if we wanted to use long file name inside compress cab fix size reboot mode even n for no right and then it actually includes like what looks like variables you might be used to this kind of wrapped around percent sign Syntax for like Doss or batch variables you would use in scripts in Old School cmd.exe it does kind of the very same while all these are defined with strings down below and these are things that we could actually tamper with or play with right this target name was where we said we want to actually save this to the friendly name was like that title that could be displayed or the app that we launched well hm the file actually gets embedded in to this cabinet file and exe that bundles it all together that was calc.exe from C Windows system 32 but the app that's launched is something that we could still kind of mess with right it's just plain text so what's to stop me from making this anything else like notepad.exe or car map. exe or malware exe or virus or Powers show cradle or Stager or anything to do a little bit more spooky Shady Shenanigans let me save this with notepad.exe in there and let's use that capability that we had just learned previously to actually use our iexpress sln to build out the executable and actually we could use that slq to be quiet remember we saw that in the options so let me uh clear everything we were working with previously let's get a blank canvas and delete or remove our Google chrome.exe now that that's gone we're working with just Google Chrome said so you'll see once I iexpress to SL and to build this out right now slq to be quiet based off of oured file I'll hit enter but you don't see the flying command prompt and windows popping up and doing weird stuff we do however still have our Google chrome.exe Now if I were to run this are we going to get the calculator anymore no we're supposed to get notepad though right but it's not showing up I don't see it running anywhere else so uh I'm going to get a little bit interested and and peculiar let's open up CIS internal Suite utilities like process Explorer or process monitor if we wanted to trace each thing let's open up proc Explorer and I could go see is notepad running we just can't see it here it's fired up and I'll just hit n on my keyboard and oh yeah we do see it running but remember it's hidden we chose that option so we could still run anything we want but tuck it away and hide it and there is a lot more interesting stuff that we could do though because we actually ran I express previously but we have a whole another executable to play with now which is our own Google chrome.exe again totally faked right it's clearly running notepad let me kill that old running like zombie ghost Google chrome.exe and with that I want to tell you a little bit more about what we might be able to do with this program just like we used that SL question mark for iexpress let's do it on our own created self- extracting executable oh we got a couple other options here we've got quiet modes for packages even extracting or overriding the install command and there's some peculiar stuff we could dig into here let me fill that out a little bit more and there's in a whole another rabbit hole and Cliff for us to jump off of for this stuff so I want to drill down into it and tell you all the weird wild and wacky stuff that iexpress could be used for as a lull bin but first let me tell you about the sponsor of today's video delete me when your employees data is available online it's a constant threat to your organization and two often data Brokers collect and sell personal information of your team members this exposed data and employee and executive pii opens the door for third-party risk and ultimately cyber security threats against you and your organization think of all the possible personal details like an employees home address their phone number bank and credit card information social security number and so much more all of that sensitive data should stay confidential delete me takes that information out of the hands of data Brokers and subsequently out of the hands of hackers delete me eliminates employee data and tracking information online all to reduce you and your organization's human attack surface they make your security Investments worth it all your anti-fishing tools email protection and cyber security training are more effective when adversaries don't have ready access to your team members person lives lock down your data and your business with delete me one of the most trusted and proven privacy Solutions with over 100 million data listings removed and still counting get started with delete me with my link below in the video description and receive a free delete me scan for your organization jh. life/ Del me huge thanks to delete me for sponsoring this video okay back in action and we got a a couple more things we can play with here cuz we've learned some sweet things right we could manipulate or modify the said file within our text editor and we saw what was our app launched actually run as well as what we could have supplied for our post install command so let me put this back to just running calc.exe and let me change this to the old calc.exe just as well and what do you think's going to happen right obviously I rebuild this with iexpress NQ Google chrome. said run our new Google chrome.exe now we'll have two calculators pop up you saw one and then the other just show there so two opportunities to execute code but when we ran this previously with a couple question marks to get the help information there's even more if we wanted to override the install command defined by the author we could use SLC colon whatever so let's see if we could run something different like C colonar map. exe as one example and is this going to show up visibly it will okay cool we can close out of that but let me actually open up another resource so you can see some of the sweet details between the other arguments we could provide to our self- extracting exe this is over on ss64 comom and it gives us just a little bit more detail on what we might be able to do we saw all the arguments to play with I express. exe itself but we also have some other options with the self-extracting archive or that exe we saw SL Q with quiet mode no prompts and no errors that would be pretty handy but there's even a couple others that we didn't see in the popup earlier like quiet SLA with a colon or SL col and you to say look assume the person running the app is admin so don't check for admin rights or dis space interesting same with Co and you assume the person running the app is a non-admin user huh I don't know if you saw when we were actually experimenting with that within Sublime Text there are these other fields here for admin quiet install command and user Qui install command so what if we change this all to just a bunch of different things like could we run cmd.exe as an admin or powershell.exe if we were to specify we're running as a user I'm not positive and I haven't tested this with like user account control or with a account that is not in the local admin group because mine is currently so I'll leave that as an exercise for the reader but if we go back to run this thing after we rebuild this with iexpress study xn based off our said file that we've just changed let's go see if we can run Google chrome.exe on its own will give us the calculator as it has and two of them because of our post install command but if we specified slq for quiet that won't display on the screen but what about our process monitor let's go take a look in proc Explorer sorry can I see the calculator app running not strictly but our Google chrome.exe is running powershell.exe so it is firing it off it's in the background like we can't see the window here but that was what we just specified for our user quiet install command okay I mean that's just natural then apparently the default with SL q but let's clear that let me Tas Hill that Google chrome.exe and now let's try to do the very same but with our slq colon a to say that we're an admin I'll hit enter here uh again hidden window so it's tucked away in the background but get back into process Explorer we can see Google chrome.exe is now running cmd.exe and yet the whole thing was supposed to just run the calculator right so and and again twice we got two opportunities with a post install command so this is Bonkers with one executable packaging up all these other things or at least telling it what it's going to end up running while only the Cal is included as the source files inside like the cabinet that's packed up the contents but we could still tell it look run Cal or run notepad or run cmd.exe or powershell.exe based off of how you invoke it so you could get a little bit sneaky have sort of like a proxy and Abstract away maybe other things that you want to do based off of just adding a flag or a switch on the command line neat and again of course obviously this calc.exe notepad cmd.exe power shell this could be your Stager your Trojan your remote access toolkit your malware ransomware I don't know whatever you're doing simulating some adversaries this could be what you end up using to build out your payload in an assessment or engagement pentest whatever this could be some sweet tooling and tradecraft and if I may say the whole inspiration for this video came from a tweet from one of my favorite security researchers for gorus toric or a tweet I'm sure if you've seen any of my other videos you hear me just fanboying over the fella but seriously I think he's a genius and always putting out some really sweet stuff with Lins or just interesting things on the Windows operating system and he's wondering look should I express. exe count as a Lin one of those living offthe land binaries he's showcasing here in a little bit of a screenshot just 14 lines of batch script like a file echoing out what would be the contents of a do said file to end up staging the app launched as we saw cmd.exe now popping open the calculator just as we've been doing to Tinker an experiment here they bu it with I express. exe and Lin to fire it up this is everything that we've done just in one automated single click script and kind of neat but a lot of the conversations that came from here have some interesting stuff Nas bench another awesome fill in the industry was saying look hey I'm actually doing a write up on this way back in February don't spoil the other L bin that's hidden inside okay so there's again even more to pull the thread here and if we actually drill on into this there's some cool conversations from Adam hexor again another fellow that I've tried to Showcase and reference and include sing the Praises of for previous videos but no one seems to be drilling down into what Nas is discussing and Bops actually chimes in and saying look he had a tweet way back in 2018 folks have been talking about this for years obviously it's an old utility but it can do some even more wild stuff let me click into this and I'll show you iexpress is still bundled with Windows 10 server 2016 all the other operating systems again since Windows 2000 you could specify an INF file that has an SC T section with a directive for Fetch and execute via the said file we've been playing with or iexpress Wizard and again he notes it's a little bit old school but might have some utility and if you look here what they're doing is adding a little bit more to the contents of the doed file in the strings he actually notes the app that he wants to launch is evil.in coming from some location here but that INF file actually includes contents to unregister DLS and have an unregistered dll section to use scr object. dll pull down the contents of a entirely different file and I'll move my face here I know I'm in the way to see a test. SCT now that's online that's on the internet like look that could be a remote resource to hide and tuck away what you want to end up running for your next payload if we actually go visit the link hey that URL that's included in the INF file to reference and call some other capability with this test. SCT file this includes the payload and syntax to run with an exec function creating a new active X object W script shell just another proxy abstract way to invoke and run some shell commands like noad in this simple example another proof of concept but I think I hope that drills down the point you could just host whatever you want on an external resource that's not local from your initial access or whatever you're doing to Stage this capability in the first place you can get super duper Shady think of using that with like a paste bin equivalent or some other website just a host a payload as a plain text raw file whatever past spin equivalent honestly if I may say paste. mozilla.org is pretty phenomenal for this because you've got the raw capability and you can set the expiration to just a onetime snippet Burn After Reading so you could stage a payload that's staged up on the internet but then gone forever if anyone else would to look back at the artifacts so Gregor's questions here is why is iexpress still included in the default Windows installation even Windows 11 coming through all the way from Windows 2000 but if this were not already proving some potential as a Lin or living off the land binary I did want to note Nas in his work on this I actually DMD NZ and asked him if I had his permission to share our direct messages so we're all good there but I said look hey man have you ever actually shared did you publish your ipress work is that something that was out and about I hadn't seen it online in his GitHub or blogs or whatever and he says no honestly I haven't yet he says I can make it public in the coming days if you want kind of interesting stuff and I said look I wanted to Showcase this in a video but I was curious if you'd be willing to uh share some of your Insight too and he did quote the original post from a tweet or gregorz TK and he says look honestly that's the gist the full details are interesting but you could probably recreate it from there so I baned with him a little bit back and forth and I was saying you know what sweet I'd love to Showcase this let's go explore it though because if I express wasn't already the gift that keeps on giving here there is more to make it a little bit more of a lull bin or living off the land binary take note here iexpress uses make cab or makecab.exe in order to create the cab or exe file but internally apparently at one point in Microsoft there is a tool called diamond. exe that would act similar to make cab and that's what you might see if you ever see some of that process kind of Huck up in the middle of it it'll spawn a DDF or a diamond directive file those are the things you'll even end up passing to makecab.exe but if you add a little bit of insight into the doed file just another property or like a key we set equal to Something in the plain text there if you actually specified the compression typee Quantum it'll end up calling diamond. exe rather than makecab.exe but diamond. exe does not exist normally naturally on a modern Windows system so we could get in the middle of that and just run our own diamond. exe which again could be our own payload or whatever we want let me show you that in action let's clear out get a little bit of a clean slate here let's remove our user or admin quiet install and even our post install command let's actually leave the app launched as calc uh but we do need for our post install command I believe that should be none wrapped in these greater than less than symbol Wakka Waka alligator faces right so that should be as it is by default if we bounce back to our terminal we can rebuild this with that /nq or Google chrome. set and firing up Google chrome.exe will naturally spawn calculator as usual but if we're going to play play with that compression type equals Quantum and I know it sounds super duper silly right oh quantum computers and all but that's real that's genuinely what it is look we need to make our own diamond. exe as I mentioned that's not something that is usually in Windows that's not a program that is just part of the path naturally but if you have your local access or for whatever reason hey you can stage some things and the commands that you might run previously using this said technique or whatever you might want or in the case that you are local admin and Will Roll with that Philosophy for the moment let me actually fire up a new windows terminal run as administrator so with that let me copy our C Windows system 32 and let's use the calc.exe but let's actually put it in that default path here but we'll call it diamond. exe in this case fingers crossed okay that's looking good now I can go back to the other terminal and run diamond. exe naturally to fire up the calculator so if we put this together with oured file we actually have to consider one specific thing if we scroll back up to the very top here remember I was briefly mentioning that package purpose right now it is just install app and if you remember from us working with iexpress previously actually using the guey to interact with this when we create a set file and we specify the package purpose the create compressed files only to build the cabinet file that is where it would end up running make cab and that's the process C that it would go through so actually this is the only path where this diamond. exe comes into play so you got to make sure that a said file that you work with will actually have the package purpose set to create cab and we can see this if we build out a new one uh I'll just cruise through this process super easy see Windows system 32 and we can put like notepad in here for whatever and again that would be a hidden window if we do that or it'll end up just extracting it or it's not going to run it so let's go ahead and put our own like run Cab in the express test folder that we're in that's fine we'll go ahead and save the file we'll create the package it'll build it all out good by me now in ILS I have run. said and run. cab uh cab was already built by iexpress but let me remove that because we want to kind of have a clean slate because really we're just working with that run. said file oh and suble is not in my path so let me get back into it in the interface let me open up run. said and note the difference here if I toggle back and forth between these windows the big one is create cab as the purpose so let me set the syntax highlighting The Bash so we get a little bit more color but the options here this section is where we would actually go ahead and specify our Quantum compression type now before we do that before I added in this new line here let me show you an action because if I were to actually put this side by side let me move the terminal over to the left we can open up our process process Explorer with CIS internals as usual I'll move that to the right and we'll collapse a couple of these so it's a bit easier to see take a look and watch carefully in the windows terminal block in the processes that are running now if I were to naturally I express sln to build out our run. that should build the cab file and you see it does and make cab is what spawned there but remember diamond. exe is now in our path and that will still spawn the calculator remember while we're naturally running Express and we can do this with quiet so you'll actually be able to see the processes pop up and not get in the way with the windows here oh okay whoops I must have uh missed a space character there we don't see it happen super quick within process Explorer but we can use process monitor actually and see this thing for real let me go toggle hey a new filter let's look for our process name is naturally makecab.exe we can add that make sure that we're monitoring go ahead and click apply we'll save that's doing its thing now if I run this fingers crossed let's try it again make cab is the one that fires off that is the usual functionality and normal and natural but if we kind of use this as the Lin capability to genuinely turn I express into another potential proxy to run some other code let's add the compression type equal to all caps Quantum we'll go ahead and save that let me click contrl s on my keyboard or bring it up in the context menu and now let me stop filtering here stop listening and we'll add a different filter where we're no longer looking for make cap we can turn that off but let's add looking for a process name diamond. exe We'll add that click apply and okay now that that is saved with our said file that's all the line that we need now when I run iexpress once again diamond is run and the calculator opens and I forgot to listen in process monitor totally classic now when we can see this in diamond. exe was firing up okay tiny cutesy right small little thing just to be able to abstract out what command you might run and what'll actually end up firing off again that could be your payload that can be your reverse shell that can be your command and control callback your beacon your implant whatever you do for staging more malware in your attack campaign but that is not all if we weren't already way too far deep down the rabbit hole of all the weird wild stuff that iexpress can do Nas had another trick up his sleeve this is stub modification it's another secret of iexpress it's related to how the exe is generated like our Google chrome.exe right that fake simulated self-extracting executable when you create an exe it's actually a cab file with a stub pointing to W extract. exe hm we actually saw that right like when we were taking a look at the properties of our Google chrome.exe it straight up told us it's the win32 cabinet self extract if we bounce over to system 32 we could actually see that if we look for w extract. exe let me take a look at the properties of that it's actually win32 cabinet self extractor all the exact same details it's like building that as it because remember the exe or the cab file that ends up being built out if we toggle back over to look at our run. cab clicking into it like it's going to bundle in notepad or whatever we specified in that iexpress gooey Builder and everything that we specified in our set file so could we change this going back to our Google Chrome doed forgetting about run. said and run. cab let's delete those and go back to the original World we were in we could actually specify back in Sublime Text again moving out of run. said but back to our install app package purpose one of the things that we could specify not the compression type Quantum here but the extractor sub could be whatever we want rather than W extract. EXE like how about cmd.exe now I know this would naturally just run calc.exe but now we're going to say hey I just want you to fire it up with cmd.exe again you could just really do this in the other natural native functionality but a whole another option is this oh and I had a typo there got to be super careful that should be extractor stub T I know it's like subbing in another file but make sure that is the extractor stub we'll save that and now because we've specified that new extractor stub it will not just run Cal in fact it won't because it won't be able to extract naturally with W extract it'll open up the command prompt fingers crossed there we are we're we're just in cmd.exe obviously again you can make that whatever you want you can make it notepad you can make it calc that will fire in place let's rebuild let's run notepad or your malware but interesting tidbit here let me get back into Explorer cuz remember when we were looking at the properties it like straight up had the win32 extractor there I'll close this cuz I think that's cash from previously but if I open up the properties now it's notepad look at the details here file description notepad type his application file product whatever original file name notepad could go back to this again make it cmd.exe rebuild and now Google chrome.exe is actually totally just the command prompt Windows command processor okay so I know we're a little all over the place we've gone all over the map with I Express Cab files said files what we might run with the regular app launch capability post install command admin capabilities user giving us like potential for three different things to run all with different invocations of the same exact file the quantum compression type the extractor stub let me kind of take this back to the start but look I do want to note if you you wanted to get weird wild and funky with this I think this is kind of a fun Easter egg while we bear in mind we've seen like what three four I don't know many different ways to do Lin like things if you want to have some fun with this calc.exe may very well be what we naturally run and we can rebuild and reset to get back to a clean slate removing what would have been our extractor stub here but remember how that post install command is ran kind of following after the app is installed or whatever first process kind of finishes its execution well because Cal will open subsequent little calc.exe versus calculator. exe this one works really well and could be kind of fun if we were to do some wacky wild stuff with it like what's to stop us from just using Powershell to hey track down like invoking powershell.exe as the PO install command but actually adding some command line arguments or another command to run here with tax C what if we actually started another process with the syntax here to actually grab the current process based off of the name that we know like we've defined we can control it's Google chrome.exe or whatever we call our self extracting executable here so let's play with that and actually grab its path and we'll have to wrap this in quotes here because it is a string with spaces but what are we doing here we're telling it to launch the calculator application as Google Chrome kind of our fake here but the post install command will get the Google Chrome process path and run it again so we're telling it to run itself again and then again and again and again and again so you basically build out I don't know a silly stupid bomb Doss thing let's get back to our terminal and let me rebuild this one last last time for our Google Chrome said and let's fire up Google chrome.exe with the process monitor over on the left and watch this beautiful horrific horrendous cacophony of multiple calculators opening over and over and over again as one thing that you could do but keep in mind all of the crazy wild shenanigans that we've already done thus far between look the install command that you want to run to begin with the post install command that you can run after the fact the user and admin quiet install commands that allow you to do different things with the same file and then the quantum compression type to fire off diamond. exe and the extractor stub to run something entirely different for the exe itself I don't know I'd love to ask you and your opinion with these fireworks of calculators going off do you think that this qualifies as a l bin or living off the land buying I would love your hot take please do let me know in the comment section below and please do all those YouTube algorithm things like comment subscribe and please pretty pretty please hey give some shout outs to uh all the other folks that have done the real work here I've just wanted to sing their praises and showcase it uh Boh hops Greg Tor or goras Tork Nas bench and certainly hey please do give some love to our sponsors big thanks to delete me link in the video description I hope you check them out and okay I got to stop this before uh OBS runs out of memory and the computer entirely crashes thanks for watching Everybody I'll see you in the next video
Original Description
https://jh.live/deleteme || Get started with a free DeleteMe scan for your organization! https://jh.live/deleteme
Learn Cybersecurity - Name Your Price Training with John Hammond: https://nameyourpricetraining.com
Learn Coding: https://jh.live/codecrafters
WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5
📧JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Tool Use & Function Calling
View skill →Related Reads
📰
📰
📰
📰
File Path Traversal Vulnerability
Medium · Cybersecurity
Beyond Prompt Injection: The AI Attacks That Actually Matter
Medium · Cybersecurity
Breaking Born2Root: From Enumeration to Root Access
Medium · Cybersecurity
Treasury Sanctions Two Individuals and VPN Firm Enabling Ransomware Attacks on Americans
Dev.to · Codego Group
🎓
Tutor Explanation
DeepCamp AI