Author Archives: adam

Some unusual run-time rundll32.exe artifacts

Posted on by

If you use Process Monitor as often as I do, you probably know that loading a DLL via rundll32.exe produces this curious set of events:

It turns out that the code of rundll32.exe includes a routine called RunDLL_InitActCtx that tries to load these manifests one by one (via CreateActCtxW API). I was hoping this may bring some unusual sideloading opportunities, but so far, I have not found any way to abuse this feature; still, I am documenting it here – perhaps you will be more successful!

1 or more little secrets of disksnapshot.exe

Posted on by

This native tool is not very well known, but it may be useful in some cases.

The tool seems to be parsing volumes directly, bypassing the Windows APIs — hence, it kinda works like a dir command, but parses the $MFT of volumes directly (but still via API).

The program accepts a number of command line arguments:

DiskSnapshot.exe [options]
        -c write detail data to console
        -i write detail data to console (same as -c)
        -s (deprecated) summary data to console
        -u process large volumes (no limit)
        -j [config] specifies an alternate config file
        -v [volume][path] specifies volume(+path) to process, e.g. "d:" or "d:\foo"
        -d [input-file] print encoded versions of the strings in the input file, for decoding purposes
        -e prints out escalation keywords
        -k calculate checksums for files, used to investigate duplicated on-disk content (c arg required).
        -o [output-file] write detail data to a file

It turns out that the ‘checksum’ is actually a SHA256 algorithm, so running:

disksnapshot -c -k -v c:\test

will list all the files in the c:\test directory, and will calculate the SHA256 of each file.

The other curious command line argument is -e. Running:

disksnapshot -e > escalation_keywords.txt

gives us this list of keywords (on Windows 11 25H2). It turns out that this list is based on the content of c:\WINDOWS\system32\DiskSnapshot.conf file.

There is an undocumented command line argument -z that kinda tries to collect telemetry, but it doesn’t really work. If the call to a function TelIsTelemetryTypeAllowed(2) returns 1 it just exits with a message:

Telemetry run: telemetry is disabled, exiting

Otherwise, it checks if the OS is a retail version (guessing by the function name that is called here), and if it is, it ‘rolls a dice’ and prints the below message:

    curtime = _time64(0);
    _o_srand(curtime);
    rand = ::rand();
    if ( rand != 7 * (rand / 7) )
    {
      v4 = o___acrt_iob_func_0(2u);
      fwprintf(v4, L"Telemetry run: failed the dice roll, exiting\n");
      return 0;
    }

There is a command line argument -j that we can use to change the default config file from c:\WINDOWS\system32\DiskSnapshot.conf file to our own, but I am not sure how to use it. The disksnapshot -j c:\test\test.conf -e command prints out the content of the custom config, but when I tried to apply it to the volume, it somehow didn’t work. I guess I just don’t fully understand the logic behind this tool.