Stay positive Lolbins… not!

Update

After I posted this, a number of comments on Twitter followed; there was an interesting development from @sixtyvividtails:

Old Post

This is a quick bit on how to increase the number of available lolbin spellings without much effort.

Well, we will just play with the syntax a bit 🙂

Many lolbins rely on rundll32.exe to launch functions exported by the susceptible libraries. One detail that is often forgotten is that an export can be resolved not only by its name, but also by its ordinal number.

As such, a very well-known lolbin:

  • rundll32 advpack.dll, RegisterOCX calc.exe

(which in turn loads advpack.dll, resolves its RegisterOCXW export (rundll32 tries the W-suffixed name first) and calls it with the ‘calc.exe’ argument) can take the form of:

  • rundll32 advpack.dll, #12 calc.exe

I checked on Windows XP, Windows 7, and Windows 10 and the ordinal is always the same. Using the same approach one can find similar syntax for other lolbins. Simple, but possibly evasive.

Oh wait… but this is not the end.

Rundll32 accepts ordinal numbers using the following syntax:

#<number>

The <number> is converted from a string to an integer using a wtoi function. This API accepts an optional sign, so both positive and negative numbers are parsed.

Aha…

Knowing how positive and negative numbers are represented in memory (two’s complement, 32 bits wide here), we can easily come up with a negative number that wraps around to… a positive 12. Since 4294967284 is 2^32 - 12, the value -4294967284 truncated to 32 bits is exactly 12:

Try this:

  • rundll32 advpack.dll, #-4294967284 calc.exe

Btw. if you are wondering, ‘+’ prefix works too:

  • rundll32 advpack.dll, #+12 calc.exe

After playing with it a bit more: the conversion stops at the first non-digit character, so you can also append some additional stuff after the digits, e.g.:

  • rundll32 advpack.dll, #-4294967284-foobar calc.exe

And yes, there is one more… for 64-bit rundll32 you can also run the following (1152921504606846964 is 2^60 - 12, so it wraps to 12 as well):

  • rundll32 advpack.dll, #-1152921504606846964 calc.exe
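To make the arithmetic behind these spellings concrete, here is an added Python model of the ordinal parsing (example code, not from the original post). It assumes a wtoi-style scan (optional sign, then digits up to the first non-digit) whose result wraps in a 32-bit integer, which is what the observations above require: both negative spellings are congruent to 12 modulo 2^32. Whether rundll32 accepts wrapped values above 0xFFFF is not something the post establishes, so the model treats only 1..0xFFFF as a usable ordinal (GetProcAddress requires the high word of an ordinal to be zero). The aliases() helper generalises the trick to any ordinal and is an addition of this example.

```python
# Added example (not from the original post): model how rundll32's "#<number>"
# entry-point syntax turns into an ordinal.
# Assumptions, not facts from the page: the scan is wtoi-style (optional
# '+'/'-', then digits, stopping at the first non-digit) and the result wraps
# in a 32-bit integer; GetProcAddress then needs the high word of an ordinal
# to be zero, so a usable ordinal is 1..0xFFFF.

MASK32 = 0xFFFFFFFF


def scan_integer(text):
    """wtoi-style scan: optional sign, then digits; anything after is ignored."""
    sign, i = 1, 0
    if text[:1] in ("+", "-"):
        sign = -1 if text[0] == "-" else 1
        i = 1
    value = 0
    while i < len(text) and "0" <= text[i] <= "9":
        value = value * 10 + (ord(text[i]) - ord("0"))
        i += 1
    return sign * value


def resolve_entry(entry):
    """Ordinal rundll32 would look up for a '#...' entry string, or None."""
    if not entry.startswith("#"):
        return None                     # a name: resolved as 'name'/'nameW' instead
    wrapped = scan_integer(entry[1:]) & MASK32   # two's-complement truncation to 32 bits
    if 1 <= wrapped <= 0xFFFF:
        return wrapped
    return None                         # high word set: not a valid ordinal


def aliases(ordinal):
    """Spellings that all wrap to `ordinal` (the post's trick, generalised).

    ordinal - 2^32 and ordinal - 2^60 are both congruent to `ordinal` mod 2^32,
    and trailing junk after the digits is ignored by the scan.
    """
    assert 1 <= ordinal <= 0xFFFF
    return [
        f"#{ordinal}",
        f"#+{ordinal}",
        f"#-{(1 << 32) - ordinal}",
        f"#-{(1 << 60) - ordinal}",
        f"#{ordinal}-junk",
    ]


if __name__ == "__main__":
    for spelling in aliases(12) + ["RegisterOCX", "#65548"]:
        print(f"{spelling:28} -> {resolve_entry(spelling)}")
```

Every spelling aliases() returns resolves to the same export, which is why a detection keyed on the literal string ‘#12’ (or on the export name alone) is easy to sidestep; normalising the entry point before matching is the more robust approach.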

Happy hunting!

Sleeping DLL beauties

How do we sleep?

We do one of these:

  • kernel32/kernelbase ! Sleep
  • kernel32/kernelbase ! SleepEx
  • ntdll ! ZwDelayExecution

but… not only.

Windows 10 offers more libs with more sleeping goodness:

  • staterepository.core.dll ! sqlite3_win32_sleep
  • winsqlite3.dll ! sqlite3_win32_sleep
  • a number of tools ship their own SQLite build, e.g. Visual Studio offers e_sqlite3.dll ! sqlite3_win32_sleep and Python offers sqlite3.dll ! sqlite3_win32_sleep

These are the same SQLite function, exported by different builds of the library.

And then you may have LibreSSL on your system (c:\windows\system32\libcrypto.dll), so you can use:

  • libcrypto.dll, sleep

All of them can serve as a crude anti-sandbox/anti-analysis alternative to the traditional delay functions listed at the top of the post, and as a random but very long delay in batch files, replacing a never-ending loop or, if lucky, maybe even the usual ping 127.0.0.1.

How?

By executing these APIs via rundll32:

  • start /wait rundll32 kernel32.dll, Sleep
  • start /wait rundll32 kernelbase.dll, Sleep
  • start /wait rundll32 kernel32.dll, SleepEx
  • start /wait rundll32 kernelbase.dll, SleepEx
  • start /wait rundll32 staterepository.core.dll, sqlite3_win32_sleep
  • start /wait rundll32 winsqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 e_sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 libcrypto.dll, sleep

In these cases the argument the function receives is whatever rundll32 puts into the first parameter slot of its standard entry-point prototype (hwnd, hinst, lpszCmdLine, nCmdShow), so Sleep’s millisecond count ends up being a pretty high, effectively random number (taken from the stack on 32-bit), but it’s not about logic, is it? 😉
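As an added detection example (not from the original post), the following Python parses rundll32 command lines out of constructed process-creation records and flags the three things these two posts describe: the ‘#<ordinal>’ entry syntax, calls into the sleep exports listed above, and a known rundll32 lolbin pair. The records and their field names (parent_image, image, command_line) are constructed for the example and follow no particular EDR schema; the NtDelayExecution alias for ZwDelayExecution is added here. Note that start /wait is a cmd.exe builtin, so it never shows up in the child’s command line; the cmd.exe parent is its only trace.

```python
# Added detection example (not from the original post): scan process-creation
# records for rundll32 invocations that (a) use the "#<ordinal>" entry syntax,
# (b) call one of the sleep/delay exports the post lists, or (c) match a known
# rundll32 lolbin pair. The records below are constructed for this example and
# their field names are assumptions, not a real EDR schema.
import ntpath
import re

SLEEP_EXPORTS = {
    "sleep", "sleepex",                       # kernel32 / kernelbase / libcrypto
    "zwdelayexecution", "ntdelayexecution",   # ntdll (Nt alias added here)
    "sqlite3_win32_sleep",                    # the SQLite builds listed in the post
}
KNOWN_LOLBIN_PAIRS = {("advpack.dll", "registerocx")}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent_image": "cmd.exe", "image": "rundll32.exe",
     "command_line": "rundll32 kernel32.dll, Sleep"},
    {"parent_image": "cmd.exe", "image": "rundll32.exe",
     "command_line": "rundll32 winsqlite3.dll, sqlite3_win32_sleep"},
    {"parent_image": "explorer.exe", "image": "rundll32.exe",
     "command_line": '"C:\\Windows\\System32\\rundll32.exe" advpack.dll,RegisterOCX calc.exe'},
    {"parent_image": "cmd.exe", "image": "rundll32.exe",
     "command_line": "rundll32 advpack.dll, #-4294967284-foobar calc.exe"},
    {"parent_image": "svchost.exe", "image": "rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent_image": "cmd.exe", "image": "ping.exe",
     "command_line": "ping 127.0.0.1 -n 60"},
]


def parse_rundll32(command_line):
    """Split a rundll32 command line into (dll, entry, args), or None.

    Parsed leniently: the first token (quoted or not) must be rundll32[.exe];
    the DLL name runs up to the first comma or whitespace; the entry point is
    the next whitespace-delimited token; everything after it is the argument.
    """
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', command_line, re.S)
    if not m:
        return None
    exe = ntpath.basename(m.group(1) or m.group(2)).lower()
    if exe not in ("rundll32", "rundll32.exe"):
        return None
    rest = m.group(3).lstrip()
    dm = re.match(r'(?:"([^"]+)"|([^,\s]+))\s*,?\s*(\S*)\s*(.*)$', rest, re.S)
    if not dm:
        return None
    dll = ntpath.basename(dm.group(1) or dm.group(2)).lower()
    return dll, dm.group(3), dm.group(4).strip()


def classify(event):
    """Return the list of reasons a record is interesting (empty if benign)."""
    parsed = parse_rundll32(event["command_line"])
    if parsed is None:
        return []
    dll, entry, args = parsed
    reasons = []
    if entry.startswith("#"):
        # The ordinal is left unresolved here; the point is that the export
        # name is hidden, which is itself worth a look.
        reasons.append(f"ordinal entry point {entry!r} hides the export name")
    if entry.lower() in SLEEP_EXPORTS:
        reasons.append(f"delay primitive {dll}!{entry}")
    if (dll, entry.lower()) in KNOWN_LOLBIN_PAIRS:
        reasons.append(f"known lolbin {dll}!{entry} with argument {args!r}")
    return reasons


def scan(events):
    """Pair each flagged command line with its reasons."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append((event["command_line"], reasons))
    return findings


if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print("   ", reason)
```

Matching on the export name rather than the DLL name is deliberate: the same sqlite3_win32_sleep lives in four differently named libraries on the page, and a copied or renamed DLL would defeat a DLL-keyed rule while the export it has to name in the command line stays the same.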