Tuesday 24 April 2018

DLL Side-Loading with a SteelSeries-Signed Binary

I'm a gamer. I bought one of the awesome SteelSeries Sensei [RAW] mice.


This is an awesome mouse perfect to micro your units in SC2 :-)

So I looked around the installation of the SteelSeries Engine 3 software, which lets you manage your device: "SteelSeries Engine 3 talks directly to your game, which changes your device's illumination in real time, based off of in-game events.".

In the installation folder, I found the following interesting binary:

win_driver_installer.exe

This binary is digitally signed by SteelSeries:



I tried to run it and I got the following error:


The binary win_driver_installer.exe tried to load SSEdevice.dll, which is also signed.



So I forged a C++ DLL that runs a PowerShell payload connecting back to one of my Cobalt Strike servers, and I tried to get win_driver_installer.exe to side-load it. Unfortunately I got a new error:


I changed the entry point in my DLL:


I checked that the export was present:


I ran it again and... bingo, I have a beacon!
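The two errors above are consistent with a DLL that is pulled in through the executable's import table: the loader first cannot find the DLL, and once one is supplied it cannot find the export the importer expects. The Python below is an added example, not the author's code, that does the same reconnaissance statically: it walks a PE's import directory, lists each imported DLL together with the function names it must export (the "entry point" that had to be changed above), and reports which of those DLLs are neither KnownDLLs nor shipped beside the binary, i.e. side-loading candidates. The sample PE it builds is constructed for the example; SSEdevice.dll is the name from this post, while the export name SSEInit and the short KnownDLLs list are assumptions.

```python
"""Static side-loading check: list the DLLs a PE imports by name and the functions
it expects from each (the exports a side-loaded DLL must provide)."""
import struct

PE32PLUS_MAGIC = 0x20B
# Assumption: a short KnownDLLs allowlist; the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll", "msvcrt.dll"}

def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]

def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]

def _cstr(b, off):
    return b[off:b.index(b"\0", off)].decode("ascii")

def _rva_to_off(rva, sections):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imports(pe: bytes) -> dict:
    """Return {dll_name: [imported function names]} from the import directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    sig = _u32(pe, 0x3C)                      # e_lfanew
    if pe[sig:sig + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff, opt = sig + 4, sig + 24
    is64 = _u16(pe, opt) == PE32PLUS_MAGIC
    # section table follows the optional header; keep (VirtualAddress, size, PointerToRawData)
    sec_table = opt + _u16(pe, coff + 16)
    sections = []
    for i in range(_u16(pe, coff + 2)):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, sec_table + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))
    # data directory entry 1 (import table) sits at +0x60 (PE32) / +0x70 (PE32+)
    imp_rva = _u32(pe, opt + (0x70 if is64 else 0x60) + 8)
    result = {}
    desc = _rva_to_off(imp_rva, sections) if imp_rva else None
    while desc is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and iat == 0:        # all-zero descriptor ends the table
            break
        funcs = []
        thunk, step = _rva_to_off(ilt or iat, sections), 8 if is64 else 4
        ordinal_flag = 1 << (63 if is64 else 31)
        while True:
            entry = int.from_bytes(pe[thunk:thunk + step], "little")
            if entry == 0:
                break
            # by-ordinal import, or RVA of a hint/name entry (2-byte hint, then the name)
            funcs.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag
                         else _cstr(pe, _rva_to_off(entry, sections) + 2))
            thunk += step
        result[_cstr(pe, _rva_to_off(name_rva, sections))] = funcs
        desc += 20
    return result

def sideload_candidates(imp: dict, shipped: set) -> list:
    """Imported DLLs that are not KnownDLLs and are not present next to the binary:
    the loader searches the application directory for them first."""
    present = {s.lower() for s in shipped} | KNOWN_DLLS
    return [d for d in imp if d.lower() not in present]

def build_sample_pe() -> bytes:
    """Constructed PE32 stand-in for win_driver_installer.exe (not the real file): one
    .rdata section whose import table names SSEdevice.dll (hypothetical export SSEInit)
    and kernel32.dll (ExitProcess)."""
    sec_rva, sec_off, align = 0x1000, 0x200, 0x200
    body = bytearray()

    def put(data):                             # append to the section, return its RVA
        body.extend(data)
        return sec_rva + len(body) - len(data)

    name_sse, name_k32 = put(b"SSEdevice.dll\0"), put(b"kernel32.dll\0")
    hn_init, hn_exit = put(b"\0\0SSEInit\0"), put(b"\0\0ExitProcess\0")
    body.extend(bytes((-len(body)) % 4))
    ilt_sse, iat_sse = put(struct.pack("<II", hn_init, 0)), put(struct.pack("<II", hn_init, 0))
    ilt_k32, iat_k32 = put(struct.pack("<II", hn_exit, 0)), put(struct.pack("<II", hn_exit, 0))
    descs = (struct.pack("<IIIII", ilt_sse, 0, 0, name_sse, iat_sse)
             + struct.pack("<IIIII", ilt_k32, 0, 0, name_k32, iat_k32) + bytes(20))
    imp_rva = put(descs)
    body.extend(bytes((-len(body)) % align))

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)       # ImageBase, alignments
    struct.pack_into("<II", opt, 56, sec_rva + len(body), sec_off)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x68, imp_rva, len(descs))          # DataDirectory[1] = imports
    sec = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(body), sec_rva, len(body),
                      sec_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(sec_off, b"\0") + bytes(body)

if __name__ == "__main__":
    imp = imports(build_sample_pe())
    for dll, funcs in imp.items():
        print(f"{dll}: {', '.join(funcs)}")
    print("side-load candidates:", sideload_candidates(imp, shipped=set()))
```

On a real target, read the executable with open(path, "rb").read() and pass the set of file names found in its directory as shipped; any DLL listed as a candidate, together with the function names printed for it, is exactly what a side-loading DLL has to be named and export. Note that DLLs pulled in at runtime through LoadLibrary do not appear in the import table, so this static check only covers the loader-resolved case.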





That's all folks!





Monday 23 April 2018

Running system commands through Nvidia-signed binaries


A while ago, when working on PowerMemory, I discovered a hidden account configured by Nvidia on one of my computers (https://twitter.com/pabraeken/status/651369704746020864).

Then, when I came across the awesome Hexacorn article "Reusigned Binaries – Living off the signed land" (http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/), I was super excited :-)

I started looking for other Nvidia binaries that could execute system commands under the legitimacy of Nvidia's signature.

I found this one, nvudisp.exe:

Running it looked very promising:

The list of commands includes all the ones found by Hexacorn:
"AddUninstall, Call, CheckPath, CheckRAID, ClassSweep, Copy, CopyV, CreateDevice, CreateShortcut, Del, DelBoot, DelBootQuiet, DelIniIfMatched, DelOemInfs, DelReg, DelRegE, DirAndApply, Echo, EnumDevices, EnumRegCmd, EnumRegNamesCmd, Eval, FindOEMInf, GetDrivePort, GetFolderPath, GetInfGUID, GetReg, Help, If, InstallDriver, InstallDriverEx, KillApp, RemoveDevice, Run, RunOnce, SendMessage, Set, SetEnv, SetReg, Sleep, Splash, StartLogging, StopLogging, SysCallAndWait, System, UnifyUninst, Uninstall, UnInstallEx, UninstallGUI, UninstallService, WaitOnRegDel"
plus these additional ones:

"Decrement, Increment, DisplayControlPanel, AskToCloseAndExitIfRunning, RemoveDriverStore, RemoveDeviceEx, DisableDevice, RemoveUpperFilter, StopService, RmString, DelAll"

Here is the description of the additional commands:

  • Decrement: Decrements a variable numerically.
  • Increment: Increments a variable numerically.
  • DisplayControlPanel:  Displays message about Display Control Panel uninstall.
  • AskToCloseAndExitIfRunning: Given an application name, enumerates all running application for a match. If found, prompts the user to close the application.
  • RemoveDriverStore: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveDeviceEx: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • DisableDevice: Disable any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveUpperFilter: Remove filter service from any devices that specify it.
  • StopService: Uninstalls the given service name. 
  • RmString: Removes the string from the original string of words if found and saves the result in new variable.
  • DelAll: Delete the given folder if it exists, it also deletes the contents within the folder.
Running calc.exe



Dumping the manifest shows that the file requires Administrator privileges (exactly like the binaries nvuhda.exe and nvuhda6.exe described by Hexacorn):

sigcheck -m nvudisp.exe



This is a promising avenue to explore, and real attackers could use it to slip past standard EDR detection rules that trust vendor-signed binaries.
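The point about detection rules is worth making concrete. The Python below is an added example, not the author's or Nvidia's code: it runs two rules over constructed Sysmon-style process-creation records (Event ID 1 field names). The first stands in for a rule that trusts any image whose version information names an allowlisted vendor, which is an assumption about what a "standard" rule looks like; the second ignores who built the child and alerts whenever one of the Nvidia helper binaries named on this page becomes a parent process. The sample events, the paths and the vendor allowlist are all constructed for the example.

```python
"""Detection over constructed Sysmon Event ID 1 (process creation) records: a vendor
allowlist misses commands proxied through nvudisp.exe, a parent-image rule catches them."""
from ntpath import basename

# Nvidia driver-helper binaries named on this page and in Hexacorn's article
PROXY_BINARIES = {"nvudisp.exe", "nvuhda.exe", "nvuhda6.exe"}
# Assumption: the kind of vendor allowlist a naive rule would carry
TRUSTED_COMPANIES = {"NVIDIA Corporation", "Microsoft Corporation"}

# Constructed sample events (Sysmon Event ID 1 field names; values are made up)
SAMPLE_EVENTS = [
    {"Image": r"C:\NVIDIA\DisplayDriver\nvudisp.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Company": "NVIDIA Corporation", "IntegrityLevel": "High",
     "CommandLine": "nvudisp.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\NVIDIA\DisplayDriver\nvudisp.exe",
     "Company": "Microsoft Corporation", "IntegrityLevel": "High",
     "CommandLine": "calc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\NVIDIA\DisplayDriver\nvuhda6.exe",
     "Company": "Microsoft Corporation", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Company": "Unknown Publisher", "IntegrityLevel": "Medium",
     "CommandLine": "tool.exe"},
]

def vendor_allowlist_rule(event: dict) -> bool:
    """Alert on anything not built by an allowlisted vendor. Every image in the proxied
    chain above is NVIDIA or Microsoft, so calc.exe and powershell.exe pass unnoticed."""
    return event["Company"] not in TRUSTED_COMPANIES

def proxy_execution_rule(event: dict) -> bool:
    """Alert whenever a driver-helper binary is the parent: the helper is legitimately
    signed, but a driver installer has no business spawning arbitrary children."""
    return basename(event["ParentImage"]).lower() in PROXY_BINARIES

def elevated_proxy_children(events: list) -> list:
    """Proxied children that also run at High integrity, which is what a helper whose
    manifest requires Administrator passes on to anything it launches."""
    return [e["CommandLine"] for e in events
            if proxy_execution_rule(e) and e["IntegrityLevel"] == "High"]

def run_rule(rule, events: list = SAMPLE_EVENTS) -> list:
    """Return the command lines of the events a rule flags."""
    return [e["CommandLine"] for e in events if rule(e)]

if __name__ == "__main__":
    print("vendor allowlist flags:", run_rule(vendor_allowlist_rule))
    print("parent-image rule flags:", run_rule(proxy_execution_rule))
    print("elevated proxied children:", elevated_proxy_children(SAMPLE_EVENTS))
```

The two rules are complementary rather than alternatives: the allowlist still catches the unsigned download, while the parent-image rule is what catches a signed helper being used as a launcher. The same parent/child logic translates directly into a Sysmon filter or SIEM query on ParentImage.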

That's all folks!