1 little known secret of advpack.dll, LaunchINFSection

Yes, yet another oldie with a secret…

The .inf files are as old as Windows itself, and their internal structure has been covered by many over at least the last two decades.

So, what’s new?

Well…

Ever heard of LoadAdvpackExtension?

This simple .inf file demonstrates how to use it to load a DLL of your choice:

[version]
signature="$CHICAGO$"
AdvancedINF=2.5,"test"

[DefaultInstall]
Patching=1
LoadAdvpackExtension=test64.dll

To launch it, you need to do the following:

Place the above .inf file in c:\test\test.inf
Place test64.dll in c:\test
Go to terminal: cmd.exe
Run: set path=.
Run: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection c:\test\test.inf,,1,

We change the PATH to make sure our test64.dll is found in the current directory, and then loaded.
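As a defensive counterpart to the steps above, this added example (not from the original post) scans .inf text for LoadAdvpackExtension entries and matches rundll32 command lines that call advpack.dll,LaunchINFSection. The function names, the regular expression, the sample command lines and the simplified INF parsing (`;` comments, key=value lines, case-insensitive keys) are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample mirroring the .inf shown above (straight quotes).
SAMPLE_INF = '''\
[version]
signature="$CHICAGO$"
AdvancedINF=2.5,"test"

[DefaultInstall]
Patching=1
LoadAdvpackExtension=test64.dll ; constructed trailing comment
'''

# Constructed process-creation command lines for the matcher below.
SAMPLE_CMDLINES = [
    r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection c:\test\test.inf,,1,",
    r"c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
]

LAUNCH_RE = re.compile(r"advpack(?:\.dll)?\s*,\s*LaunchINFSection\s+([^,]+)", re.I)


def find_advpack_extensions(inf_text):
    """Return (section, dll, bare_name) for every LoadAdvpackExtension entry."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop INF comments (simplified)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "loadadvpackextension":
                dll = value.strip('"')
                # Bare name: resolved via the DLL search order (the post sets PATH).
                bare = PureWindowsPath(dll).parent == PureWindowsPath(".")
                findings.append((section, dll, bare))
    return findings


def inf_from_cmdline(cmdline):
    """Return the .inf path if the command line calls advpack LaunchINFSection."""
    m = LAUNCH_RE.search(cmdline)
    return m.group(1).strip().strip('"') if m else None


if __name__ == "__main__":
    print([inf_from_cmdline(c) for c in SAMPLE_CMDLINES])
    print(find_advpack_extensions(SAMPLE_INF))
```

A hit from `inf_from_cmdline` gives the .inf path to feed into `find_advpack_extensions`; an entry with `bare_name` set to True means the DLL location depends on the launching process's search path.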

VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin

If you still use VMware, your Windows guest system will benefit from an installation of VMware Tools.

The VMware Tools package is usually installed into this directory:

c:\Program Files\VMware\VMware Tools

It turns out that running the executable:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe

leads to it trying to load a phantom DLL:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.dll

So, as usual, creating your own payload DLL and placing it in that location can help us to load it via proxy.