Hexacorn

As I have shown in the last post, there exists a class of DLLs on Windows OS that load other libraries via import table, and sometimes these needed imported libraries do not exist. This creates an opportunity that we can leverage f.ex. by using rundll32.exe to load these ‘broken’ libraries, and to avoid them failing to load because of missing libraries – we provide these as a payload, saved in an appropriately named DLL files (in essence, they are phantom DLLs) .

The previous post discussed 64-bit libraries, and here I will demo a single instance of a 32-bit library like this:

uxlib.dll on Windows 11 Pro 22H2

It imports IsCrossArchitectureInstall API from WDSUTIL.dll, so providing our own will lead to this:

This may be a new, kinda ephemereal addition to the lolbin world (not sure if anyone covered it before).

Windows 11 comes with a large number of DLLs – some of which are broken.

DuCsps.dll on Windows 11 Pro 22H2

The DuCsps.dll imports 2 APIs from UpdateAPI.dll:

GetInstalledPackageInfo, and
FreeInstalledPackageInfo.

The problem is that there is no UpdateAPI.dll. It may be present in other versions of Windows, but it’s not present in 22H2 (note: I have not tested all the subversions, so YMMV).

tssrvlic.dll on Windows 11 Pro 22H2

The same goes for tssrvlic.dll that imports 3 APIs from a non-existing TlsBrand.dll:

RDSGetProductAccessRights,
W2K3ADPUCALDetailsCreator, and
RDSProductDetailsCreator

They both create a lolbin opportunity via a missing phantom DLL, and an attacker can simply bring in their versions of malicious UpdateAPI.dll or TlsBrand.dll, and then run (from the same directory where these payloads are located) the following rundll32 commands:

rundll32 DuCsps.dll, foo

rundll32 tssrvlic.dll, bar

where foo and bar can be anything.

See below:

Hexacorn

Rundll32 and Phantom DLL lolbins, 32-bit version

Rundll32 and Phantom DLL lolbins