Run Lola-bin, run…

February 13, 2020 in Anti-Forensics, Living off the land, LOLBins

@bohops described an interesting way to load COM objects via rundll32 using a less-known command line argument ‘-sta’ in his two posts back in 2018.

In this post I document one more and also not that well known command line argument of rundll32.exe which is ‘-localserver’.

To test it you need to register a COM object that points to c:\test\test.dll:

Windows Registry Editor Version 5.00
 [HKEY_CLASSES_ROOT\CLSID\{01234567-0123-0123-0123-0123456789ab}\InprocServer32]
 @="c:\Test\test.dll"
 "ThreadingModel"="Both"

and then run:

rundll32.exe -localserver 01234567-0123-0123-0123-0123456789ab

Share this :)

Comments are closed.