Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5

Update

After I posted it bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]

Thanks!

Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API exported by url.dll – which is used to launch URLs (and was the subject of the first part of this series). I quickly discovered that ieframe.dll also exports an identically named function; a quick googling around followed and I noticed it had been the subject of previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote code execution was patched.

Still, the built-in functionality can be used to launch other programs via a proxy, e.g. using a .url file:

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch the calculator.


Beyond good ol’ Run key, Part 72

In my old post I described a simple trick that shows how to set up a hot key that can be assigned to execute shortcuts (.LNK files) placed on the Desktop or in the Start Menu. This assignment survives reboots and logons/logoffs, so it’s a nice, and somewhat accidental, persistence mechanism.

Turns out there is one more variant of this trick that relies on using the .URL files.

Placing a .URL file containing the following data:

[InternetShortcut]
URL=file:///c:/windows/system32/calc.exe
HotKey=768

on the Desktop will assign the CTRL+SHIFT key sequence to an action that triggers the execution of the calculator.

The hotkey can be assigned either via the shortcut’s Properties dialog, in which case you won’t be able to assign the trickier combinations like CTRL+SHIFT, or by editing the file directly, in which case all the hotkey tricks are available. All you have to do is assign the proper value to the HotKey parameter inside the .url file.

You can find out which values represent which key codes by experimenting… or… you can cheat and read this old guide: An Unofficial Guide to the URL File Format.
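A defender-side triage script for the two .url traits both posts above describe (a file: URL pointing at a local executable, and a HotKey field). This is an added example, not the blog’s code; it assumes the standard Windows hotkey encoding (high byte holds the modifier flags CTRL=0x02, SHIFT=0x01, ALT=0x04, low byte the virtual key), under which 768 decodes to CTRL+SHIFT as the post states.

```python
import re

# Modifier flags in the high byte of the HotKey value (HOTKEYF_CONTROL,
# HOTKEYF_SHIFT, HOTKEYF_ALT from commctrl.h); the low byte is the virtual key.
MODIFIER_BITS = [(0x02, "CTRL"), (0x01, "SHIFT"), (0x04, "ALT")]
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|com|hta|js|vbs|ps1)$", re.I)


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lowercased)."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def decode_hotkey(value):
    """Split the 16-bit HotKey field into (modifier names, virtual key code)."""
    high, low = (value >> 8) & 0xFF, value & 0xFF
    mods = [name for bit, name in MODIFIER_BITS if high & bit]
    return mods, low


def triage_url_file(text):
    """List the suspicious traits found in one .url file's text."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    findings = []
    if url.lower().startswith("file:") and EXECUTABLE_EXT.search(url):
        findings.append("local executable target: " + url)
    if "hotkey" in fields:
        try:
            mods, vk = decode_hotkey(int(fields["hotkey"]))
        except ValueError:
            findings.append("unparseable HotKey value: " + fields["hotkey"])
        else:
            label = "+".join(mods) if mods else "no modifiers"
            findings.append(f"hotkey {fields['hotkey']} = {label}, vk=0x{vk:02X}")
    return findings


# Constructed samples mirroring the two .url files shown in the posts.
SAMPLE_PROXY = "[InternetShortcut]\nURL=file:///c:\\windows\\system32\\calc.exe\n"
SAMPLE_HOTKEY = SAMPLE_PROXY + "HotKey=768\n"

if __name__ == "__main__":
    for name, sample in (("proxy", SAMPLE_PROXY), ("hotkey", SAMPLE_HOTKEY)):
        print(name, triage_url_file(sample))
```

Pointing the script at every .url under a user’s Desktop and Start Menu turns the post’s two traits into a quick sweep for the persistence variant.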