wpr.exe boottrace phantom dll axeonoffhelper.dll lolbin

Today I have discovered the PipelineFilterHook Registry entry only to find out that this blog post has already described it in detail. Nice work!

So, I decided to take a look at my favorite phantom DLLs again, and came up with this finding…

The wpr.exe program accepts many command line arguments:

The ‘boottrace’ command line argument is one of them. If we supply a second command line argument after it (it does not have to make sense), wpr.exe takes a code path that loads axeonoffhelper.dll from the System32 directory. As it happens, axeonoffhelper.dll is a phantom DLL: the program looks for it, but the file is not present on a default installation.

So, placing your payload in:

C:\Windows\System32\axeonoffhelper.dll

and then executing f.ex.:

wpr -boottrace -stopboot foo

will lead to C:\Windows\System32\axeonoffhelper.dll being executed.

mscoree.dll, RunDll32ShimW lolbin

Executing this function (the RunDll32ShimW export of mscoree.dll) via rundll32.exe leads to mscoreei.dll being loaded from one of the default .NET directories.

However…

The RunDll32ShimW function takes into account the value of the environment variable COMPlus_InstallRoot when it searches for the mscoreei.dll file.

So…

If we point the COMPlus_InstallRoot variable at a directory of our choice and place the payload in a subdirectory associated with the .NET version installed on the system, we can sideload our payload like this:

set COMPLUS_InstallRoot=c:\test\
rundll32.exe mscoree.dll, RunDll32ShimW
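As an added example (not code from the original post), here is a small detection routine that runs over constructed Sysmon-style process-creation and image-load events and flags both indicators described above: wpr.exe launched with -boottrace together with axeonoffhelper.dll being loaded from System32, and rundll32.exe invoking mscoree.dll,RunDll32ShimW followed by mscoreei.dll loading from outside the default .NET install roots. The event field names, the sample events and the .NET root paths are assumptions.

```python
import re
from typing import Dict, List

# Assumption: default .NET install roots where mscoreei.dll legitimately lives.
NET_ROOTS = ("c:\\windows\\microsoft.net\\framework\\",
             "c:\\windows\\microsoft.net\\framework64\\")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed Sysmon-style events: id 1 = process create, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wpr.exe",
     "cmd": "wpr -boottrace -stopboot foo"},
    {"id": 7, "image": r"C:\Windows\System32\wpr.exe",
     "loaded": r"C:\Windows\System32\axeonoffhelper.dll"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe mscoree.dll, RunDll32ShimW"},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"c:\test\v4.0.30319\mscoreei.dll"},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll"},
    {"id": 1, "image": r"C:\Windows\System32\wpr.exe", "cmd": "wpr -start CPU"},
]

def check_event(ev: Dict) -> List[str]:
    """Return alert strings for one event; an empty list means nothing matched."""
    alerts: List[str] = []
    exe = ev["image"].lower().rsplit("\\", 1)[-1]
    if ev["id"] == 1:
        cmd = ev["cmd"].lower()
        if exe == "wpr.exe" and "-boottrace" in cmd:
            alerts.append("wpr.exe -boottrace: code path that loads axeonoffhelper.dll")
        if exe == "rundll32.exe" and re.search(r"mscoree\.dll\s*,\s*rundll32shimw", cmd):
            alerts.append("rundll32 mscoree.dll,RunDll32ShimW: honours COMPlus_InstallRoot")
    elif ev["id"] == 7:
        loaded = ev["loaded"].lower()
        dll = loaded.rsplit("\\", 1)[-1]
        # The file does not ship in System32, so any load from there means someone planted it.
        if dll == "axeonoffhelper.dll" and loaded.startswith(SYSTEM32):
            alerts.append("axeonoffhelper.dll loaded from System32: phantom DLL present")
        if dll == "mscoreei.dll" and not loaded.startswith(NET_ROOTS):
            alerts.append("mscoreei.dll loaded outside default .NET roots: " + ev["loaded"])
    return alerts

def scan(events: List[Dict]) -> List[tuple]:
    """Run check_event over a batch; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Legitimate boot tracing also uses -boottrace, so treat the process-creation hit as a lead and confirm it with the image-load event.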