Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5

Update

After I posted this, bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]

Thanks!

Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API exported by url.dll that is used to launch URLs (and was the subject of the first part of the series). I quickly discovered that ieframe.dll also exports an identically named function; a quick googling around followed and I noticed it had already been the subject of previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote code execution was patched.

Still, the built-in functionality can be used to launch other programs via a proxy, e.g. using a .url file:

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch calculator.


Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 4

Here’s yet another subclass of tricks one can use to distort the process tree seen by EDR and sandbox solutions.

Many Windows programs launch other built-in Windows programs (native to the OS). They do so carefully, so they typically launch them from %SystemRoot%. Many of them use GetSystemDirectory to build the path, but quite a few still rely on the environment variable – they call the ExpandEnvironmentStrings API to obtain the actual path.

Changing that environment variable, copying the required files to the redirected location, and replacing the target application there lets us launch a payload of choice while making it look like it was executed by a signed binary.

Example:

In this old post I mentioned AtBroker. When you launch it from the command line without any arguments, it simply launches Narrator.exe.

We can:

  • create a test folder
  • change SystemRoot to point to it
  • copy all the necessary files from the original System32 and Registration folders (Procmon helps)
  • launch atbroker.exe
  • the narrator.exe payload will be executed
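
One way a defender could spot both tricks from this post in process-creation telemetry – the rundll32 OpenURL launch from Part 5 and the redirected %SystemRoot% from Part 4. This is an added example, not code from the original post; the event fields, the REAL_SYSTEM_ROOT constant and the sample events are constructed assumptions standing in for Sysmon-style logs.

```python
import re
from dataclasses import dataclass

# Canonical Windows directory. On a live host read it from the OS or registry,
# not from %SystemRoot%, since that variable is exactly what Part 4 tampers with.
REAL_SYSTEM_ROOT = r"C:\Windows"

# Built-in binaries the post shows being launched via a proxy (illustrative set).
NATIVE_BINARIES = {"narrator.exe", "calc.exe", "atbroker.exe"}

# Part 5: rundll32 invoking OpenURL as exported by url.dll / ieframe.dll / shdocvw.dll.
OPENURL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:url|ieframe|shdocvw)\.dll\s*,\s*OpenURL\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    system_root_env: str  # %SystemRoot% as seen by the new process

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")

def classify(ev: ProcEvent) -> list:
    """Reasons this event looks like proxied or redirected execution (empty = clean)."""
    reasons = []
    if OPENURL_RE.search(ev.command_line):
        reasons.append("rundll32 OpenURL launching a shortcut")
    if ev.system_root_env.lower().rstrip("\\") != REAL_SYSTEM_ROOT.lower():
        reasons.append("SystemRoot redirected to " + ev.system_root_env)
    for label, path in (("image", ev.image), ("parent", ev.parent_image)):
        if _basename(path) in NATIVE_BINARIES and not _under(path, REAL_SYSTEM_ROOT):
            reasons.append(label + " is a Windows binary name outside " + REAL_SYSTEM_ROOT)
    return reasons

# Constructed sample events: one benign launch, then one per trick on the page.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\calc.exe", "calc.exe", r"C:\Windows"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 ieframe.dll, OpenURL C:\Users\test\calc.url", r"C:\Windows"),
    ProcEvent(r"C:\Test\System32\AtBroker.exe", r"C:\Test\System32\Narrator.exe",
              "Narrator.exe", r"C:\Test"),
]

def suspicious_events(events=SAMPLE_EVENTS):
    """Return (image, reasons) for every event that triggered at least one check."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]
```

The SystemRoot check is the strongest signal here, because a redirected environment variable is visible in the child's environment block regardless of which signed binary acted as the proxy.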

This launches C:\Test\System32\Narrator.exe: