Rundll32 goes to hell…
2024-9-22 06:43:6 Author: www.hexacorn.com(查看原文) 阅读量:22 收藏

Parsing command line invocations is fun, because it’s impossible to do it right (all the time).

Imagine a test DLL that exports a function called foobar. We place this DLL in c:\test directory and name it like this:

test.dll, #666

We can then use rundll32.exe to execute the foobar function using the following syntax:

rundll32 "c:\test\test.dll, #666", foobar

A different version can use the following name:

test.dll,abcxyz

with the invocation:

rundll32 "test.dll,abcxyz", foobar

We do need quotes, because rundll32.exe does not accept file names with a ‘coma’ in them (for obvious reasons), and the full path is not needed if we are in the same directory, but the gist is that these are all proper DLL file names!:

What your sophisticated regexes extracting DLL name and API’s ordinal number, or API name from this sort of invocations tells you today?

And then here’s another case for your consideration – create a test DLL with the following exports:

  • A
  • W
  • AA
  • AW
  • WA
  • WW

When you run the following invocations:

rundll32 c:\test\test.dll, A
rundll32 c:\test\test.dll, W

– which of these 6 exported functions will get executed?

I have provided an answer to this question a few years ago, and here’s the DebugView output:

The bottom line is that you can’t use regexes for parsing command line invocations w/o running into many corner cases.


文章来源: https://www.hexacorn.com/blog/2024/09/21/rundll32-goes-to-hell/
如有侵权请联系:admin#unsafe.sh