Rundll32 and Phantom DLL lolbins

This may be a new, kinda ephemeral addition to the lolbin world (not sure if anyone covered it before).

Windows 11 comes with a large number of DLLs – some of which are broken.

DuCsps.dll on Windows 11 Pro 22H2

The DuCsps.dll imports 2 APIs from UpdateAPI.dll:

  • GetInstalledPackageInfo, and
  • FreeInstalledPackageInfo.

The problem is that there is no UpdateAPI.dll. It may be present in other versions of Windows, but it’s not present in 22H2 (note: I have not tested all the subversions, so YMMV).

tssrvlic.dll on Windows 11 Pro 22H2

The same goes for tssrvlic.dll that imports 3 APIs from a non-existing TlsBrand.dll:

  • RDSGetProductAccessRights,
  • W2K3ADPUCALDetailsCreator, and
  • RDSProductDetailsCreator

They both create a lolbin opportunity via a missing phantom DLL, and an attacker can simply bring in their versions of malicious UpdateAPI.dll or TlsBrand.dll, and then run (from the same directory where these payloads are located) the following rundll32 commands:

rundll32 DuCsps.dll, foo

rundll32 tssrvlic.dll, bar

where foo and bar can be anything.
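Detection for the pattern described above, written as an added example from the defender's side (it is not code from the original post). It assumes a simplified Sysmon-like event stream in `key=value|key=value` form; the sample events are constructed, and the DLL names are the ones named in the post. The logic rests on two observations: UpdateAPI.dll and TlsBrand.dll do not ship on the affected build, so any image load of a file with one of those names means a foreign copy was found on the search path; and rundll32 invoking or mapping DuCsps.dll or tssrvlic.dll is unusual enough to warrant a lower-severity alert on its own.

```python
import ntpath
from typing import Dict, Iterable, List

# DLL names the post reports as imported by shipped DLLs but absent on Windows 11 Pro 22H2.
PHANTOM_DLLS = {"updateapi.dll", "tlsbrand.dll"}
# The shipped "host" DLLs, mapped to the missing dependency each one imports.
HOST_DLLS = {"ducsps.dll": "updateapi.dll", "tssrvlic.dll": "tlsbrand.dll"}

# Constructed sample events in a simplified Sysmon-like form (not real telemetry).
# EventID 1 = process creation, EventID 7 = image load.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32 DuCsps.dll, foo",
    r"EventID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\System32\DuCsps.dll",
    r"EventID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Users\bob\Downloads\UpdateAPI.dll",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; a value may itself contain '=' after the first one."""
    return dict(part.split("=", 1) for part in line.split("|"))


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS the script runs on.
    return ntpath.basename(path).lower()


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious event, in input order."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        proc = _basename(ev.get("Image", ""))
        if ev.get("EventID") == "7":
            loaded = _basename(ev.get("ImageLoaded", ""))
            if loaded in PHANTOM_DLLS:
                # Highest confidence: the DLL does not ship, so a load means a planted copy was resolved.
                alerts.append({
                    "severity": "high",
                    "reason": f"phantom DLL {loaded} loaded from {ev.get('ImageLoaded', '')}",
                    "line": line,
                })
            elif loaded in HOST_DLLS and proc == "rundll32.exe":
                # The host DLL's import cannot resolve from the system directories; worth a look on its own.
                alerts.append({
                    "severity": "medium",
                    "reason": f"rundll32 mapped {loaded}, whose import {HOST_DLLS[loaded]} is absent on this build",
                    "line": line,
                })
        elif ev.get("EventID") == "1" and proc == "rundll32.exe":
            cmd = ev.get("CommandLine", "").lower()
            hosts = [h for h in HOST_DLLS if h in cmd]
            if hosts:
                alerts.append({
                    "severity": "medium",
                    "reason": f"rundll32 invoked with host DLL {hosts[0]} on the command line",
                    "line": line,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), "-", alert["reason"])
```

The "run from the same directory" requirement in the post is what makes the high-severity rule reliable: the loader walks the application directory and the system directories first, finds nothing, and only then reaches the current directory, so a phantom-DLL load event will carry a path outside the Windows tree. Alerting on the name alone (rather than on the path) also catches a copy dropped anywhere else on the search path.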

See below:

Counting the API arguments…

Today Matt posted a half-joking tweet about the acceptable number of arguments that can be passed to a function…

I took the challenge VERY SERIOUSLY and decided to investigate.

In my old post I shared my collection of API prototypes that I had extracted from various Microsoft documentation and other sources over the years; so my task was really easy — analyze this data and find the best candidate APIs that meet the criteria.

I first looked at the 2004-2007_apis.zip file, which included the number of arguments in one of the columns. After merging all this data into a single file, loading it into Excel, and sorting it in descending order by the number of arguments, I immediately got my first candidate:

It takes 17 arguments :-O

I then looked at the 2013_apis.zip file as well — this time I had to write a simple script to parse the file, count the number of arguments for each function, and save the results to a file. Same as before, I then loaded it into Excel, sorted it in descending order by the number of arguments, and now I had my final candidate:

– it takes 21 arguments 🙂
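A script of the kind described above, added here as an example (it is not the author's script, whose source the post does not show). It assumes the input is a list of C-style prototypes, one per statement, and counts parameters at the top level of the parentheses only, so a function-pointer parameter such as `void (*cb)(int, void *)` counts as one argument, SAL annotations like `_In_reads_(cb)` do not add spurious commas, `void` means zero, and a trailing `...` counts as a single slot. The sample prototypes are constructed for the test; `ExampleRegisterCallback` is a hypothetical name.

```python
import re
from typing import List, Tuple


def _top_level_params(params: str) -> List[str]:
    """Split a parameter list on commas that are not nested inside () or []."""
    parts: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in params:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def count_arguments(prototype: str) -> Tuple[str, int]:
    """Return (function name, argument count) for one C prototype."""
    proto = " ".join(prototype.split())  # collapse newlines and runs of whitespace
    open_idx = proto.find("(")
    if open_idx < 0:
        raise ValueError(f"not a prototype: {prototype!r}")
    # Find the ')' that closes the outermost parameter list, skipping nested ones.
    depth = 0
    close_idx = -1
    for i in range(open_idx, len(proto)):
        if proto[i] == "(":
            depth += 1
        elif proto[i] == ")":
            depth -= 1
            if depth == 0:
                close_idx = i
                break
    if close_idx < 0:
        raise ValueError(f"unbalanced parentheses: {prototype!r}")
    # The function name is the last identifier before the '(' (return type and
    # calling-convention macros such as WINAPI precede it).
    name = re.findall(r"[A-Za-z_]\w*", proto[:open_idx])[-1]
    params = _top_level_params(proto[open_idx + 1:close_idx])
    if params == [] or params in (["void"], ["VOID"]):
        return name, 0
    return name, len(params)


def rank_by_arguments(prototypes: List[str]) -> List[Tuple[str, int]]:
    """Sort (name, count) pairs with the widest signatures first; ties by name."""
    counted = [count_arguments(p) for p in prototypes if p.strip()]
    return sorted(counted, key=lambda nc: (-nc[1], nc[0]))


def parse_prototype_file(text: str) -> List[str]:
    """Split a header-like text into prototypes on ';' (enough for the flat lists used here)."""
    return [stmt.strip() for stmt in text.split(";") if stmt.strip()]


# Constructed sample input: two real Win32 prototypes and one hypothetical one with a callback.
SAMPLE_TEXT = """
DWORD WINAPI GetTickCount(void);
BOOL WINAPI CreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);
int ExampleRegisterCallback(HANDLE h, void (*cb)(int, void *), _In_reads_(cb) BYTE *ctx);
"""

if __name__ == "__main__":
    for name, n in rank_by_arguments(parse_prototype_file(SAMPLE_TEXT)):
        print(f"{n:3d}  {name}")
```

Splitting on `;` is adequate for flat prototype dumps like the ones described in the post; for real headers you would first strip comments and preprocessor lines, which this example deliberately leaves out.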

Now, there may be other functions that take even more arguments, but I bet they are quite rare. If you find one though, please let me know and I will update this post.

Bonus

The longest API name I have ever encountered is this (1077 characters):

  • ZN5boost12accumulators6detail14build_acc_listINS_6fusion12mpl_iteratorINS_3mpl6v_iterINS5_6v_itemINS1_19accumulator_wrapperINS0_4impl18lazy_variance_implIdNS0_3tag4meanEEENSB_13lazy_varianceEEENS7_INS8_INS9_11moment_implIN4mpl_4int_ILi2EEEdEENSB_6momentILi2EEEEENS7_INS8_INS9_11median_implIdEENSB_6medianEEENS7_INS8_INS9_22p_square_quantile_implIdNS0_10for_medianEEENSB_28p_square_quantile_for_medianEEENS7_INS8_INS9_8max_implIdEENSB_3maxEEENS7_INS8_INS9_9mean_implIdNSB_3sumEEESC_EENS7_INS8_INS9_8sum_implIdNSB_6sampleEEES12_EENS7_INS8_INS9_10count_implENSB_5countEEENS7_INS8_INS9_8min_implIdEENSB_3minEEENS5_7vector0INSH_2naEEELi0EEELi0EEELi0EEELi0EEELi0EEELi0EEELi0EEELi0EEELi0EEELl0EEEEENS4_INS6_IS1R_Ll9EEEEELb0EE4callINS_9parameter3aux8arg_listINS1Z_15tagged_argumentINSB_11accumulatorENS0_15accumulator_setIdNS0_5statsIS1E_SC_SZ_SQ_SE_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_S1H_EEvEEEENS1Z_14empty_arg_listEEEEENS3_4consIS1F_NS2A_IS1B_NS2A_IS18_NS2A_IS14_NS2A_IS10_NS2A_ISW_NS2A_ISR_NS2A_ISN_NS2A_ISF_NS3_3nilEEEEEEEEEEEEEEEEEEERKT_RKS1T_RKS1V

It’s from the sample:

  • 8005F35D2C2642B33ADB77CBD100BF64CC7DB611FA789AE18BFFF3F91B26AB40_4E8BA4874E4D7B99C0BDF31EFBB4051DCDB2F29D

Additionally, the API name that includes the most words in it (11) is:

  • AccessCheckByTypeResultListAndAuditAlarmByHandle