{"id":10023,"date":"2025-05-18T00:51:30","date_gmt":"2025-05-18T00:51:30","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10023"},"modified":"2025-05-18T00:51:30","modified_gmt":"2025-05-18T00:51:30","slug":"shell32-dll-44-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/05\/18\/shell32-dll-44-lolbin\/","title":{"rendered":"Shell32.dll, #44 lolbin"},"content":{"rendered":"\n<p>There is a well-known shell32.dll lolbas that relies on a function called <a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Libraries\/Shell32\/\">Control_RunDLL<\/a>. BUT, there is one more. The shell32.dll library exports a function called Control_RunDLLNoFallback under ordinal #44.<\/p>\n\n\n\n<p>We can use it to launch CPL files using the syntax below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\"C:\\windows\\SysWOW64\\rundll32.exe\" \"C:\\windows\\SysWOW64\\shell32.dll\",#44 \"&lt;localpath>.cpl\"<\/pre>\n\n\n\n<p>I didn&#8217;t discover this technique &#8211; it was observed being used by various malware families including RaspberryRobin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a well-known shell32.dll lolbas that relies on a function called Control_RunDLL. BUT, there is one more. The shell32.dll library exports a function called Control_RunDLLNoFallback under ordinal #44. 
We can use it to launch CPL files using the &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/05\/18\/shell32-dll-44-lolbin\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10023"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10023"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10023\/revisions"}],"predecessor-version":[{"id":10026,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10023\/revisions\/10026"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}