You are browsing the archive for Living off the land.

advpack.dll ! DelNodeRunDLL32 and its flags

November 24, 2018 in Archaeology, Living off the land, LOLBins

It’s one of these “I was looking at something else, and as usual, came across something else” cases. In this particular instance it was the good ol’ DelNodeRunDLL32 function exported by the advpack.dll.

A quick search followed, and I soon discovered that @bohops twitted about it a while ago, so there was not that much to add…

However…

Looking closer at the DelNodeRunDLL32W function I noticed that it tries to take two arguments, not one, as originally assumed. If the second argument is not present, it is assumed to be 0.

Why not checking what the second argument is all about though? And here we are…

A few more Google searches later we can (re-)discover that DelNodeRunDLL32 function can delete both individual files, and whole directories + change its behavior if we ask it too.

How?

Via its flags. Ones that we can choose to pass via a command line argument (the second one, as you guessed by now).

Again, googling around I came across this header file that lists all the flags that are documented:

// FLAGS:
#define ADN_DEL_IF_EMPTY 0x00000001 // delete the directory only if it's empty
#define ADN_DONT_DEL_SUBDIRS 0x00000002 // don't delete any sub-dirs; delete only the files
#define ADN_DONT_DEL_DIR 0x00000004 // don't delete the dir itself
#define ADN_DEL_UNC_PATHS 0x00000008 // delete UNC paths

Running

  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test” – will wipe out the whole ‘test’ directory
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test\file” – will delete the ‘file’ only
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test”,4 – will wipe out the whole ‘test’ directory except the ‘test’ directory itself
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test”,1 – will wipe out the whole ‘test’ directory only if it is empty

Little trivia, but always…

Beyond good ol’ Run key, Part 91

October 10, 2018 in Anti-Forensics, Autostart (Persistence), LOLBins

This is a mixed persistence trick/LOLBIN.

There is a program in the Windows system directory that is very rarely used: dmcfghost.exe. As far as I can tell it has something to do with OMA Client Provisioning (CP) protocol (the internal name of the program states: ‘Host Process for Push Router Client of OMA-CP’).

When you run it, if everything goes as planned (I don’t understand the logic inside the program, but it looks like running it on win 10 always returns success internally), it will load a DLL from the following registry entry:

  • HKLM\SOFTWARE\Microsoft\PushRouter\
    Test\TestDllPath2=<DLL>

So, adding e.g. a Run key pointing to dmcfghost.exe will ensure that this binary is loaded every time user logs on, and the ‘test’ DLL will load as well.