{"id":10032,"date":"2025-05-31T23:09:23","date_gmt":"2025-05-31T23:09:23","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10032"},"modified":"2025-05-31T23:09:23","modified_gmt":"2025-05-31T23:09:23","slug":"mscoree-dll-rundll32shimw-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/05\/31\/mscoree-dll-rundll32shimw-lolbin\/","title":{"rendered":"mscoree.dll, RunDll32ShimW lolbin"},"content":{"rendered":"\n<p>Executing this function via rundll32.exe leads to loading of <em>mscoreei.dll<\/em> from one of the default .NET directories.<\/p>\n\n\n\n<p>However&#8230;<\/p>\n\n\n\n<p>The <em>RunDll32ShimW<\/em> function takes into account the value of the environmental variable <em>COMPlus_InstallRoot<\/em> when it searches for the <em>mscoreei.dll<\/em> file.<\/p>\n\n\n\n<p>So&#8230;<\/p>\n\n\n\n<p>If we change the value of the <em>COMPlus_InstallRoot<\/em> variable to point to a directory of our choice, place the payload in a subdirectory associated with the .NET version installed on the system, we can sideload our payload like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set COMPLUS_InstallRoot=c:\\test\\<br>rundll32.exe mscoree.dll, RunDll32ShimW<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/05\/mscoreei.png\"><img decoding=\"async\" loading=\"lazy\" width=\"403\" height=\"45\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/05\/mscoreei.png\" alt=\"\" class=\"wp-image-10033\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/05\/mscoreei.png 403w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/05\/mscoreei-300x33.png 300w\" sizes=\"(max-width: 403px) 100vw, 403px\" \/><\/a><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executing this function via rundll32.exe leads to loading of mscoreei.dll from one of the default .NET directories. However&#8230; The RunDll32ShimW function takes into account the value of the environmental variable COMPlus_InstallRoot when it searches for the mscoreei.dll file. So&#8230; If &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/05\/31\/mscoree-dll-rundll32shimw-lolbin\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10032"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10032"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10032\/revisions"}],"predecessor-version":[{"id":10034,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10032\/revisions\/10034"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}