
Macro Function to Find InstallUtil.exe

In this post I am going to be sharing a VBA function that enumerates the location of InstallUtil.exe for executables that are targeted at .NET framework version 3.5.

If you are aiming to use a .NET loader, dropper or beacon that uses InstallUtil.exe as an avenue for bypassing application whitelisting, it is sensible to target v3.5, as nearly all corporate workstations will have it installed owing to their use of Microsoft Office (https://products.office.com/en-us/office-system-requirements). Below you can see the default .NET Framework versions installed with each operating system, and at the link above you can see that the most widely used Office versions require .NET v3.5:

  • Windows 7 (all editions) includes the .NET Framework 3.5.1 as an OS component.  This means you will get the .NET Framework 2.0 SP2, 3.0 SP2 and 3.5 SP1 plus a few post 3.5 SP1 bug fixes.  3.0 SP2 and 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows Server 2012 (all editions) includes the .NET Framework 4.5 as an OS component, and it is installed by default except in the Server Core configuration.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Server Manager.
  • Windows Server 2012 R2 (all editions) includes the .NET Framework 4.5.1 as an OS component, and it is installed by default except in the Server Core configuration.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Server Manager.
  • Windows 10 (all editions) includes the .NET Framework 4.6 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows 10 November 2015 Update (all editions) includes the .NET Framework 4.6.1 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows 10 Anniversary Update (all editions) includes the .NET Framework 4.6.2 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows Server 2016 (all editions) includes the .NET Framework 4.6.2 as an OS component, and it is installed by default except in the Server Core configuration.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Server Manager.
  • Windows 10 Creators Update (all editions) includes the .NET Framework 4.7 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows 10 Fall 2017 Creators Update (all editions) includes the .NET Framework 4.7.1 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.
  • Windows 10 April 2018 Update (all editions) includes the .NET Framework 4.7.2 as an OS component, and it is installed by default.  It also includes the .NET Framework 3.5 SP1 as an OS component that is not installed by default.  The .NET Framework 3.5 SP1 can be added or removed via the Programs and Features control panel.

In a previous post we mentioned using a VBA macro with environmental keying. While this is effective at evading sandboxes and antiviruses, the executable it drops may not be allowed to run (using wmic in the example) if Group Policy prohibits the running of EXEs.

Therefore we may want to drop a .NET executable (loader, dropper, beacon) and run it with InstallUtil.exe, specifying the /U flag (uninstall), to evade this whitelisting approach.

Below is a function that you can add to your macros, that will enumerate the location of InstallUtil.exe to be used with an executable that is targeted at that version.

Function FindInstallUtil() As String
    ' Returns the full path of the first InstallUtil.exe found under a
    ' v2.0 / v3.0 / v3.5 framework folder, or an empty string if none exists.
    ' VBA has no backslash escapes, so single backslashes are used in paths.
    Dim strPath As String: strPath = Environ("WINDIR") & "\Microsoft.Net\Framework"
    Dim strKeyword As String: strKeyword = "v2.0"
    Dim strKeyword2 As String: strKeyword2 = "v3.5"
    Dim strKeyword3 As String: strKeyword3 = "v3.0"
    Dim objSubFolder As Object
    Dim folders(5) As String
    Dim fpf As String
    Dim oFSO As FileSystemObject
    Dim oFolder As Folder
    Dim i As Integer
    Dim f As Variant
    i = 0
    ' Collect the framework sub-folders whose names match one of the keywords.
    With CreateObject("Scripting.FileSystemObject")
        For Each objSubFolder In .GetFolder(strPath).SubFolders
            If InStr(1, objSubFolder.Name, strKeyword, vbTextCompare) > 0 Or InStr(1, objSubFolder.Name, strKeyword2, vbTextCompare) > 0 Or InStr(1, objSubFolder.Name, strKeyword3, vbTextCompare) > 0 Then
                folders(i) = objSubFolder.Path
                i = i + 1
            End If
        Next
    End With
    ' Return the first collected folder that actually contains InstallUtil.exe.
    For Each f In folders
        fpf = f & "\InstallUtil.exe"
        If Dir(fpf) <> "" Then
            FindInstallUtil = fpf
            Exit Function
        End If
    Next
End Function

In order to use this function you will need to add the Microsoft Scripting Runtime as a reference in your macro.

In a later post I will be showing you how to use this function with Hunnic Cyber's loader.
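From the detection side, the chain this post describes (an Office macro that ends in InstallUtil.exe being run with /U against a dropped assembly) is visible in process-creation telemetry. The following is an added example, not code from the original post or from Hunnic Cyber; the field names follow Sysmon Event ID 1, and the weights, threshold and sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
UNINSTALL_FLAG = re.compile(r"(?:^|\s)/u(?:ninstall)?(?=\s|$)", re.I)
USER_WRITABLE = re.compile(r"\\(?:appdata|temp)\\|\\users\\public\\", re.I)
# InstallUtil.exe for .NET 2.0-3.5 lives in the CLR 2.0 folder, v2.0.50727.
CLR2_DIR = re.compile(r"\\microsoft\.net\\framework(?:64)?\\v2\.0\.50727\\", re.I)
ALERT_THRESHOLD = 4  # assumed cut-off; tune against your own baseline

def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() != "installutil.exe":
        return 0, []
    cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "")
    checks = [
        (3, "spawned by an Office application",
         PureWindowsPath(parent).name.lower() in OFFICE_PARENTS),
        (2, "/U (uninstall) flag present", bool(UNINSTALL_FLAG.search(cmd))),
        (2, "assembly path is user-writable", bool(USER_WRITABLE.search(cmd))),
        (1, "CLR 2.0 InstallUtil (serves .NET 2.0-3.5)", bool(CLR2_DIR.search(image))),
    ]
    hits = [(weight, why) for weight, why, ok in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(events):
    """Return (index, score, reasons) for events at or above the threshold."""
    scored = [(i, *score_event(ev)) for i, ev in enumerate(events)]
    return [row for row in scored if row[1] >= ALERT_THRESHOLD]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /U C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe /u "C:\Program Files\Vendor\Service.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(idx, score, "; ".join(reasons))
```

Only the first constructed event crosses the threshold; the administrator-driven uninstall from Program Files scores 2 and stays below it.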