lundi 23 avril 2018

Running system commands through Nvidia signed binaries

A while ago, when working on PowerMemory, I discovered a hidden account configured by Nvidia on one of my computers (

Then, when I come into the awesome Hexacorn article "Reusigned Binaries – Living off the signed land" (, I was super excited :-)

I started looking for other similar binaries developed by Nvidia that could execute system commands with the legitimacy of Nvidia.

I found this one:

Running it looked very promising:

The list of commands includes all the one found by Hexacorn
"AddUninstall, Call, CheckPath, CheckRAID, ClassSweep, Copy, CopyV, CreateDevice, CreateShortcut, Del, DelBoot, DelBootQuiet, DelIniIfMatched, DelOemInfs, DelReg, DelRegE, DirAndApply, Echo, EnumDevices, EnumRegCmd, EnumRegNamesCmd, Eval, FindOEMInf, GetDrivePort, GetFolderPath, GetInfGUID, GetReg, Help, If, InstallDriver, InstallDriverEx, KillApp, RemoveDevice, Run, RunOnce, SendMessage, Set, SetEnv, SetReg, Sleep, Splash, StartLogging, StopLogging, SysCallAndWait, System, UnifyUninst, Uninstall, UnInstallEx, UninstallGUI, UninstallService, WaitOnRegDel"
+ These one:

"Decrement Increment DisplayControlPanel AskToCloseAndExitIfRunning RemoveDriverStore RemoveDeviceEx DisableDevice RemoveUpperFilter StopService RmString DelAll"

Here is the description for all commands:

  • Decrement: Decrements a variable numerically.
  • Increment: Increments a variable numerically.
  • DisplayControlPanel:  Displays message about Display Control Panel uninstall.
  • AskToCloseAndExitIfRunning: Given an application name, enumerates all running application for a match. If found, prompts the user to close the application.
  • RemoveDriverStore: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveDeviceEx: Remove any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • DisableDevice: Disable any device matched with the given description from the system using setupdi calls. Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY, HDC, MEDIA, NET, SYSTEM.
  • RemoveUpperFilter: Remove filter service from any devices that specify it.
  • StopService: Uninstalls the given service name. 
  • RmString: Removes the string from the original string of words if found and saves the result in new variable.
  • DelAll: Delete the given folder if it exists, it also deletes the contents within the folder.
Running calc.exe

Dumping the manifest shows us that the file requires Administrator privileges (exactly like the binaries nvuhda.exe and nvuhda6.exe described by Hexacorn).

 Sigcheck -m nvudisp.exe

This is a promising avenue to explore and could be used by real attackers to break standard EDR detection rules.

That's all folks!

11 commentaires:

  1. Fantastic!!! A fireplace in a master bath, what a luxury.
    clipping path service

  2. Thanks a lot for your good job.Please keep continue sharing with us. photo editing service

  3. Really it was amazing post. Thank you for sharing with us.


  4. What Is Keto Trim 800 ?
    Keto Trim 800 is regarded as the fine manner to lose your abundance body weight. This weight reduction object has been made at the ketogenic manner so you will in favored lose weight unexpectedly. At the issue whilst your body is underneath a keto diet, at that aspect you will, in good sized, get power from fats cells. Subsequently, your frame consumes fat cells typically on this manner causing you to get proper frame structure. This first-rate weight loss supplement is very useful for both male and lady. To get this object, you need to set up from the true web page to receive its good sized rewards. Generally, this enhancement is known as a modern success among wellness enthusiasts.

    Read More >>>

  5. Also, every man inclines to Bluoxyn have a thin and wholesome frame that could’t be saved up after intersection ’30s and the frame don’t look fascinating, small and captivating any similarly. In this way, it's far the need of an opportunity to look greater youthful, savvy, in shape, along wholesome muscle groups. Along those strains, a man may be called a Real Man! A solid and stable frame conjures up and attracts in everybody to yourself. The more part of the men is spending the form of good sized form of hours and coins inside the rec middle. To achieve a valid and in shape frame, however, remains fruitless in getting the required effects.
    Read News >>

  6. Debbiesmiracles supported in light of the manner that it is critical for you. On this put up, debbiesmiracles is dissected, which is a debbiesmiracles that is predicted getting all of the greater skinny unexpectedly. Know more about it by using searching complete overview: around debbiesmiracles? It is an staggering headway to your debbiesmiracles goals and routine. It's miles a debbiesmiracles issue, which consolidates the veritable get of debbiesmiracles ..

  7. sharktankpedia fat-fuming nutritional sharktankpedia that accreditations that will help you make a lovely and slant sharktankpedia by using affecting undesirable muscle to fats degree ranges. There are unattainable who don't have enough time for closure sustenance and working out. For them it is the excellent preference to hack down the extra features sensibly. In like way, including this sharktankpedia on your especially requested for methodology, you do not have to hit the rec stow away for a cerebrum boggling day and ..

  8. Governmenthorizons fat for quite some time. Jacquelin – governmenthorizons is a bewildering and i'm to an earth shattering diploma stupified how persuading it's far. It helped me now not just shed off the unwanted pounds from my governmenthorizons, apart from kept it. To visit the heart of the matter, it's miles a lovely weight-association tablet and you should give it a shot as soon as. Alana – because of my paintings open .

  9. autobodycu which consolidates the veritable get of autobodycu that is the most unmistakable standard aspect having autobodycu and fat fuming houses. It's far a total application, in that you get a autobodycu, an consuming recurring cookbook, use much less energy guide and organized others. To understand more about the bundling, you may visit its reliable web page. The first-class autobodycu continues walking with greater matters, that are in like course principal to those who wish to have a pulling in and skinny ..