Rundll32 and Phantom DLL lolbins

This may be a new, kind of ephemeral addition to the lolbin world (I am not sure whether anyone has covered it before).

Windows 11 comes with a large number of DLLs – some of which are broken.

DuCsps.dll on Windows 11 Pro 22H2

DuCsps.dll imports two APIs from UpdateAPI.dll:

  • GetInstalledPackageInfo, and
  • FreeInstalledPackageInfo.

The problem is that there is no UpdateAPI.dll. It may be present in other versions of Windows, but it’s not present in 22H2 (note: I have not tested all the subversions, so YMMV).

tssrvlic.dll on Windows 11 Pro 22H2

The same goes for tssrvlic.dll, which imports three APIs from a non-existent TlsBrand.dll:

  • RDSGetProductAccessRights,
  • W2K3ADPUCALDetailsCreator, and
  • RDSProductDetailsCreator.

Both create a lolbin opportunity via a missing (phantom) DLL: an attacker can simply bring in their own malicious UpdateAPI.dll or TlsBrand.dll and then run, from the same directory where these payloads are located, the following rundll32 commands:

rundll32 DuCsps.dll, foo

rundll32 tssrvlic.dll, bar

where foo and bar can be anything.

See below:

Sysmon doing lines, part 2

Sysmon is a cool tool and we love it. Sometimes it does not work as expected though.

It’s late so just dropping another recipe here:

  • Name your DLL wevtapi.dll
  • Run sysmon.exe -u to … ‘uninstall’ it
  • Your DLL will be loaded

You can also drop Riched32.dll in the same directory and try to ‘install’ Sysmon – you will notice that the EULA box is loaded incorrectly, because the side-loaded Riched32.dll takes over and executes your code.
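Both recipes above (the phantom UpdateAPI.dll / TlsBrand.dll loads via rundll32, and the wevtapi.dll / Riched32.dll side-loads into sysmon.exe) leave the same footprint: a DLL carrying a system DLL's name is loaded from a directory that is not under the Windows directory. The following triage logic is an added example, not Hexacorn's or Sysmon's own code; it runs over a handful of constructed Sysmon Event ID 7 (ImageLoad) records reduced to the real Sysmon field names Image, ImageLoaded and Signed, and the list of watched DLL names is taken from the text above. The directory list and the set of loader processes it singles out are assumptions you would tune to your estate.

```python
"""Flag DLL loads that look like phantom-DLL or side-loading abuse.

Added example: works on constructed Sysmon Event ID 7 (ImageLoad) records
reduced to the fields the check needs. Not Hexacorn's or Sysmon's code.
"""
import ntpath

# DLL names the text above names as missing on Windows 11 22H2
# (UpdateAPI.dll, TlsBrand.dll) or as side-loadable into sysmon.exe
# (wevtapi.dll, Riched32.dll). Compared case-insensitively.
WATCHED_DLLS = {"updateapi.dll", "tlsbrand.dll", "wevtapi.dll", "riched32.dll"}

# Assumption: directories a legitimate copy of a system DLL loads from.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Assumption: loaders whose unsigned loads from user-writable paths are rare.
LOADERS_OF_INTEREST = {"rundll32.exe", "sysmon.exe", "sysmon64.exe"}


def is_suspicious_load(event):
    """Return a reason string if the ImageLoad event looks like phantom-DLL
    or side-loading abuse, else None."""
    loaded = event.get("ImageLoaded", "")
    loaded_l = loaded.lower()
    dll_name = ntpath.basename(loaded_l)
    in_system_dir = loaded_l.startswith(SYSTEM_DIRS)

    # Rule 1: a watched system DLL name loaded from outside the Windows
    # directory, whatever the loading process is.
    if dll_name in WATCHED_DLLS and not in_system_dir:
        return f"{dll_name} loaded from non-system path {ntpath.dirname(loaded)}"

    # Rule 2: rundll32 / sysmon loading an unsigned DLL from outside the
    # Windows directory. Sysmon records Signed as the string "true"/"false".
    proc = ntpath.basename(event.get("Image", "").lower())
    signed = event.get("Signed", "").lower() == "true"
    if proc in LOADERS_OF_INTEREST and not in_system_dir and not signed:
        return f"{proc} loaded unsigned {dll_name} from {ntpath.dirname(loaded)}"

    return None


def triage(events):
    """Return (Image, reason) pairs for every event that trips a rule."""
    hits = []
    for event in events:
        reason = is_suspicious_load(event)
        if reason:
            hits.append((event["Image"], reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\DuCsps.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\UpdateAPI.dll", "Signed": "false"},
    {"Image": r"C:\Tools\sysmon.exe",
     "ImageLoaded": r"C:\Tools\wevtapi.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Program Files\App\plugin.dll", "Signed": "false"},
]


if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"[!] {image}: {reason}")
```

Rule 1 is the narrow, high-confidence match for the DLL names this post discusses; rule 2 is the broader pattern (an unsigned DLL loaded by rundll32 or sysmon from a user-writable path) that catches the same technique with a DLL name the list does not know. The unsigned plugin loaded by notepad.exe is deliberately not flagged, to keep the generic rule from firing on every third-party application.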