A while ago, when working on PowerMemory, I discovered a hidden account configured by Nvidia on one of my computers (https://twitter.com/pabraeken/status/651369704746020864).
Then, when I came across the awesome Hexacorn article "Reusigned Binaries – Living off the signed land" (http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/), I was super excited :-)
I started looking for other similar binaries developed by Nvidia that could execute system commands with the legitimacy of Nvidia.
I found this one:
Running it looked very promising:
The list of commands includes all the ones found by Hexacorn:
"AddUninstall, Call, CheckPath, CheckRAID, ClassSweep, Copy, CopyV, CreateDevice, CreateShortcut, Del, DelBoot, DelBootQuiet, DelIniIfMatched, DelOemInfs, DelReg, DelRegE, DirAndApply, Echo, EnumDevices, EnumRegCmd, EnumRegNamesCmd, Eval, FindOEMInf, GetDrivePort, GetFolderPath, GetInfGUID, GetReg, Help, If, InstallDriver, InstallDriverEx, KillApp, RemoveDevice, Run, RunOnce, SendMessage, Set, SetEnv, SetReg, Sleep, Splash, StartLogging, StopLogging, SysCallAndWait, System, UnifyUninst, Uninstall, UnInstallEx, UninstallGUI, UninstallService, WaitOnRegDel"
plus these ones:
"Decrement, Increment, DisplayControlPanel, AskToCloseAndExitIfRunning, RemoveDriverStore, RemoveDeviceEx, DisableDevice, RemoveUpperFilter, StopService, RmString, DelAll"
Here are the descriptions of these additional commands:
- Decrement: Decrements a variable numerically.
- Increment: Increments a variable numerically.
- DisplayControlPanel: Displays message about Display Control Panel uninstall.
- AskToCloseAndExitIfRunning: Given an application name, enumerates all running application for a match. If found, prompts the user to close the application.
- RemoveDriverStore: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
- RemoveDeviceEx: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
- DisableDevice: Disable any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
- RemoveUpperFilter: Remove filter service from any devices that specify it.
- StopService: Uninstalls the given service name.
- RmString: Removes the string from the original string of words if found and saves the result in new variable.
- DelAll: Delete the given folder if it exists, it also deletes the contents within the folder.
Running calc.exe
Dumping the manifest shows us that the file requires Administrator privileges (exactly like the binaries nvuhda.exe and nvuhda6.exe described by Hexacorn).
Sigcheck -m nvudisp.exe
This is a promising avenue to explore, and real attackers could use it to evade standard EDR detection rules, since the command executes under a signed, legitimate Nvidia binary.
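As an added defender-side example (not code from this post, from Hexacorn or from Nvidia), here is a Python check over constructed Sysmon-style process-creation records that flags children of the helper binaries named above and invocations of the helper that carry one of the execution verbs from its command list. Field names follow Sysmon Event ID 1; the sample events and the argument syntax in them are assumptions, not the helper's documented form.

```python
# Detection over constructed Sysmon Event ID 1 (process creation) records:
# flag (a) children spawned by the signed Nvidia helpers named on this page
# and (b) the helper itself being launched with one of its execution verbs.
import re

# Helpers named on this page. Match the trailing file name only, since the
# installer drops them under varying paths.
NVIDIA_HELPERS = {"nvudisp.exe", "nvuhda.exe", "nvuhda6.exe"}
# Verbs from the helper's own command list that launch other programs.
EXEC_VERBS = {"run", "runonce", "system", "syscallandwait", "call"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _exec_verbs(cmdline):
    # Loose tokenisation: every whitespace-separated argument is a verb candidate.
    tokens = {t.strip('"').lower() for t in re.split(r"\s+", cmdline.strip())}
    return tokens & EXEC_VERBS

def classify(event):
    """Return detection tags (possibly empty) for one process-creation event."""
    tags = []
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    if parent in NVIDIA_HELPERS:
        # Legitimate driver setup also spawns children; triage on the helper's
        # on-disk path and the child image rather than alerting blindly.
        tags.append(f"child_of_nvidia_helper:{parent}->{image}")
    if image in NVIDIA_HELPERS:
        verbs = _exec_verbs(event.get("CommandLine", ""))
        if verbs:
            tags.append("nvidia_helper_exec_verb:" + ",".join(sorted(verbs)))
    return tags

def scan(events):
    """Return [(Image, tags)] for every event that produced at least one tag."""
    return [(e["Image"], t) for e in events if (t := classify(e))]

# Constructed sample events; argument syntax is illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Temp\nvudisp.exe", "CommandLine": "nvudisp.exe Run calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe", "CommandLine": "calc.exe",
     "ParentImage": r"C:\Temp\nvudisp.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(image, tags)
```

Baseline the helper's expected children during a genuine driver install first, otherwise the parent-child rule will fire on every Nvidia setup run.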
That's all folks!