lundi 23 avril 2018

Running system commands through Nvidia signed binaries

A while ago, when working on PowerMemory, I discovered a hidden account configured by Nvidia on one of my computers (

Then, when I come into the awesome Hexacorn article "Reusigned Binaries – Living off the signed land" (, I was super excited :-)

I started looking for other similar binaries developed by Nvidia that could execute system commands with the legitimacy of Nvidia.

I found this one:

Running it looked very promising:

The list of commands includes all the one found by Hexacorn
"AddUninstall, Call, CheckPath, CheckRAID, ClassSweep, Copy, CopyV, CreateDevice, CreateShortcut, Del, DelBoot, DelBootQuiet, DelIniIfMatched, DelOemInfs, DelReg, DelRegE, DirAndApply, Echo, EnumDevices, EnumRegCmd, EnumRegNamesCmd, Eval, FindOEMInf, GetDrivePort, GetFolderPath, GetInfGUID, GetReg, Help, If, InstallDriver, InstallDriverEx, KillApp, RemoveDevice, Run, RunOnce, SendMessage, Set, SetEnv, SetReg, Sleep, Splash, StartLogging, StopLogging, SysCallAndWait, System, UnifyUninst, Uninstall, UnInstallEx, UninstallGUI, UninstallService, WaitOnRegDel"
+ These one:

"Decrement Increment DisplayControlPanel AskToCloseAndExitIfRunning RemoveDriverStore RemoveDeviceEx DisableDevice RemoveUpperFilter StopService RmString DelAll"

Here is the description for all commands:

  • Decrement: Decrements a variable numerically.
  • Increment: Increments a variable numerically.
  • DisplayControlPanel:  Displays message about Display Control Panel uninstall.
  • AskToCloseAndExitIfRunning: Given an application name, enumerates all running application for a match. If found, prompts the user to close the application.
  • RemoveDriverStore: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveDeviceEx: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • DisableDevice: Disable any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveUpperFilter: Remove filter service from any devices that specify it.
  • StopService: Uninstalls the given service name. 
  • RmString: Removes the string from the original string of words if found and saves the result in new variable.
  • DelAll: Delete the given folder if it exists, it also deletes the contents within the folder.
Running calc.exe

Dumping the manifest shows us that the file requires Administrator privileges (exactly like the binaries nvuhda.exe and nvuhda6.exe described by Hexacorn).

 Sigcheck -m nvudisp.exe

This is a promising avenue to explore and could be used by real attackers to break standard EDR detection rules.

That's all folks!

14 commentaires:

  1. Really it was amazing post. Thank you for sharing with us.

  2. Lower the threat of having every unique Ultra Pure 360 Keto life-threatening hassle or persistent infection.
    Remove cussed fat from all frame locations or will in no way are to be had in lifestyles all all all yet again.
    Help in getting enough sleep or character not unusual ordinary normal wellknown ordinary performance of napping hours are advanced.
    Improve the body regular essential ordinary ordinary ordinary conventional normal regular overall performance for physical or character perform a hint more than the.

  3. Alle Nebenwirkungen Slimymed Premium Diät
    Da dies ein modernes Produkt auf dem Markt sein könnte, um frühzeitig zu bestimmen, ob oder nicht mehr oder Slimymed Premium jetzt nicht oder nicht oder nicht mehr oder jetzt nicht oder jetzt nicht oder nicht oder jetzt nicht oder jetzt nicht oder nicht mehr oder nicht oder nicht mehr oder nicht Jetzt hat es keine Probleme. Wenn Sie gegeben wurden, wurden gegeben, gegeben worden waren, gegeben worden waren, gegeben worden waren, gegeben worden waren, um Probleme bezüglich der Verwendung von Slimymed Premium Diät gegeben worden zu sein, können Sie zu Ihrem medizinisch-wissenschaftlichen klinischen Arzt gehen, um die hochwertigen Wirkungen zu profitieren. Wenn Sie gegen diese Behandlung allergisch sind, müssen Sie möglicherweise die Richtlinien des Arztes überprüfen. Bisher wurden alle detaillierten Ergebnisse für Personen registriert.


  4. Novum Health Keto Ingredients List
    Novum Health Keto has 3 critical elements Novum Health Keto which accelerate your weight reduction faster than each one-of-a-type remedy that you can attempt.

    Lemon– it burns the undesirable fat stored inside the frame for a toned body and could increase the electricity degree
    Garcinia Cambogia– it's far a pumpkin-specific fruit that often grows within the Asian global places, and it in truth works to sell weight loss thru the usage of boosting the metabolism, burning the extra fats and curtailing the urge for food for decrease intake of electricity



  5. Besides getting intercourse Primal Grow Pro benefits, you may get high-quality health advantages, as properly, on the same time as you start using the complement. The product is capable of regularly enhancing your muscle corporations at the identical time as you use it regularly. You moreover may be considerably benefited with the increase of your libido, energy, stamina, as it has the functionality to provide a interesting and charming sex enjoy on your partner with out issues and effectively. In massive, the supplement will beneficial useful useful useful resource you significantly in making you enjoy similar to a whole guy and removing your shortcoming.


  6. Where & How To Buy Keto Fab?
    Keto Fab complement is obtainable totally Keto Fab on the internet net internet web site online online on line online of the product. You will genuinely order one or a couple for your self. The internet web page gives you all of the essential insights of the product, which makes it a whole lot masses loads an entire lot hundreds an lousy lot an awful lot loads an awful lot a fantastic deal an entire lot loads masses a super deal much less complex a exquisite way to need the choice. In addition, it want to be said that the products isn’t available inside the marketplace on the possibility physical keep or close by maintain. It isn't in the marketplace on the possibility online searching internet web page on-line. It’s encouraged to shop for the Keto Drive weight reduction complement within the tremendous Keto Fab net net net net web page online online in truth with complete authentication.



  7. And More!
    There are such quite a few blessings that Keto Lyte those keto drugs can provide you alongside the bounce in advance ketogenic diet regime! And the first rate detail is that THE KETO DIET WORKS! One test states that the usage of a keto diet regime can decorate metabolism and manipulate starvation. So, if you are looking for an EASIER, FASTER manner to shed kilos that WORKS, this pinnacle promoting keto tablet is precisely what you want. To try it for your self and word if there may be a FREE TRIAL OFFER taking area, click on on any image or buttthis net internet internet page on the equal time as elements final!



  8. VidaGenex Keto Burn Review:
    My name is Roxy, and I am 32 years of age. Because of my excessive frame weight, I couldn’t most probable located at the get dressed. I become distressed and compelled due to my frame shape. I tried with some improvements, but, none of them supply me outstanding results. At final, I came to undergo in thoughts VidaGenex Keto Burn Diet this is view because of the truth the extraordinary complement for my weight loss necessities. I commenced out to utilize the enhancement typically and were given top notch effects. I grow to be in particular content fabric material with my object. Obviously, I can prepared to place on any closets like thin healthy pants, well-known get dressed subjects, and tights efficaciously than at any time in contemporary-day memory. I prescribe the item for excellent people, who're experiencing corpulence problem like me.

  9. As we remember that overweight and Vitrexotin growing of age motives low degree of testosterone in the frame. When testosterone get reduced then it outcomes in worst manhood. Many humans have hundreds of problems concerning sexual issues and they went on are looking for to discover new solution. But, on which product you can collect as actual with? Which is proper on your fitness? And who can reduce the ones styles of health problems? Well, your answer is Vitrexotin that may be a tremendous supply for of electricity and stamina within the frame. It specially designed for boosting bodily staying energy and stamina in the body.


  10. Brief About Biogenix RX Male Enhancement:
    It is the cutting-edge-day arrived food supplement inside the market, allowing men to growth the period in addition Biogenix RX to the girth in their male organ in a greater herbal and further comfortable manner. They can advantage this proper from the consolation of their home itself, as it is a non-surgical, expedient penis amplification product. Using the supplement often allow you to get an fantastic effect because of the reality it may enlarging your penis even from the number one day of its use.


  11. Never need to alternate the dose or in no manner bethink that increase in remedy will provide you with the Keto Boost Plus powerful outcomes. The immoderate can be extra volatile than your thinking, so get this as prescribed.

    For similarly facts, take a look at the intake approach flow into at your medical clinical clinical physician first or get the consultation.

    Where To Purchase Keto Boost Plus
    You waste it sluggish in case you are searching out the reliable or Keto Boost Plus from a community keep because of the truth it's miles tremendous available on the shops. Get all Keto Boost Plus of the facts which you desires from the net internet net internet web web page online on line online of Keto Boost Plus.


  12. Josephine, 37 Years – I love this Max 30 Keto product because it has helped me to control urge for food. With the help of healthy eating plan pills Max 30 Keto Diet I controlled to cast off my repeated behavior. I lessen the fats within the stomach, and plan to use it until they gather my fitness dreams. In addition, it helped me stay active all day. Due to the choice makers, I am very thankful to them.

    Closing Words
    Max 30 Keto Diet can be taken into consideration as a boon for in reality all people who're overweight. It is for the remedy of weight issues and all the troubles associated with weight. All in reality surely considered taken into consideration one in every of a kind customers will gain from this fantastic product and want to no longer be left inside the all another time of.
    Read More>>

  13. britney spears keto : Figure out how to be sound and fit. Get wellbeing tips, activities and exercise tips to improve your exercise, diet intend to keep you fit.