how to be a bad ctor

January 24, 2020 in Living off the land, LOLBins

If you have any app installed that utilizes InstallShield for deployment the chances are that you may have a Ctor.dll file present on the system.

The nice bit about this library is that it exports a function called LaunchSetup. You can pass any file name to it and you will have it running in no time; that is:

RunDll32.exe c:\test\ctor.dll, LaunchSetup <program>

There is one caveat though. You won’t be able to run Calculator or Notepad applications this way. This is because the function makes a copy of the program file provided from command line to the %TEMP% directory first, and launches it from there. As such, programs that rely on .MUI files to run (e.g. OS GUI-based programs like Notepad, Calculator) need them to be copied to that very same %TEMP% folder as well. But running Calc is not really the point of LOLBINS, isn’t it? 😉

Typical ctor.dll locations:

  • C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll
  • C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\<number>\Intel32\Ctor.dll
  • C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\<number>\<number>\Intel32\Ctor.dll

The Wizard of X – Oppa PlugX style, Part 2

January 24, 2020 in Compromise Detection, Living off the land, LOLBins

Every once in a while I come back to have a second look at some stuff from the past. Today I had a quick look at xwizards.dll that I wrote about before and noticed that I forgot to mention one more thing.

The exported function RunWizard takes GUID as an input. If you register a DLL under a GUID of your choice you can load the DLL via xwizard.exe e.g.:

Windows Registry Editor Version 5.00




will register c:\test\test.dll under {11111111-1111-1111-1111-111111111111} GUID. All we have to do now is run:

  • xwizard RunWizard {11111111-1111-1111-1111-111111111111}