{"id":10036,"date":"2025-06-14T23:14:00","date_gmt":"2025-06-14T23:14:00","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10036"},"modified":"2025-06-14T23:14:00","modified_gmt":"2025-06-14T23:14:00","slug":"wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/06\/14\/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin\/","title":{"rendered":"wpr.exe boottrace phantom dll axeonoffhelper.dll lolbin"},"content":{"rendered":"\n

Today I have discovered the PipelineFilterHook<\/em> Registry entry only to find out that this blog post<\/a> has already described it in detail. Nice work!<\/p>\n\n\n\n

So, I decided to take a look at my favorite phantom DLLs again, and came up with this finding…<\/p>\n\n\n\n

The wpr.exe<\/em> program accepts many command line arguments:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

The ‘boottrace’ command line argument is one of them, and if we provide some reasonable, even non-sensical second command line argument to the program, we can trigger the execution of wpr.exe<\/em> program’s path that will lead to loading of axeonoffhelper.dll<\/em> from System32 directory. As it happens, axeonoffhelper.dll<\/em> is a phantom DLL.<\/p>\n\n\n\n

So, placing your payload in:<\/p>\n\n\n\n

C:\\Windows\\System32\\axeonoffhelper.dll<\/pre>\n\n\n\n
and then executing f.ex.:<\/p>\n\n\n\n
wpr -boottrace -stopboot foo<\/pre>\n\n\n\n
will lead to C:\\Windows\\System32\\axeonoffhelper.dll<\/em> being executed.<\/p>\n","protected":false},"excerpt":{"rendered":"
Today I have discovered the PipelineFilterHook Registry entry only to find out that this blog post has already described it in detail. Nice work! So, I decided to take a look at my favorite phantom DLLs again, and came up … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10036"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10036"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10036\/revisions"}],"predecessor-version":[{"id":10038,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10036\/revisions\/10038"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}