<h1>Some unusual run-time rundll32.exe artifacts</h1>

<p>hexacorn.com blog, published 2025-11-16. <a href="https://www.hexacorn.com/blog/2025/11/16/some-unusual-run-time-rundll32-exe-artifacts/">https://www.hexacorn.com/blog/2025/11/16/some-unusual-run-time-rundll32-exe-artifacts/</a></p>

<p>If you use Process Monitor as often as I do, you probably know that loading a DLL via <em>rundll32.exe</em> produces this curious set of events:</p>

<figure class="wp-block-image size-full"><a href="https://www.hexacorn.com/blog/wp-content/uploads/2025/11/rundll32_actctx.png"><img width="533" height="136" src="https://www.hexacorn.com/blog/wp-content/uploads/2025/11/rundll32_actctx.png" alt="Process Monitor events recorded while rundll32.exe loads a DLL" class="wp-image-10215" /></a></figure>

<p>It turns out that the code of <em>rundll32.exe</em> includes a routine called <span style="text-decoration: underline;"><em>RunDLL_InitActCtx</em></span> that tries to load these manifests (the ones probed in the trace above) one by one, via the <em>CreateActCtxW</em> API. I was hoping this might bring some unusual sideloading opportunities, but so far I have not found any way to abuse this feature; still, I am documenting it here &#8211; perhaps you will be more successful!</p>
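<p>The following PowerShell harness is an added example; it is not code from the original post or from <em>rundll32.exe</em>. It calls <em>CreateActCtxW</em> on a DLL the way a manifest-aware loader does, so you can reproduce the manifest probes in Process Monitor under a process you control and test whether a manifest you place somewhere is actually picked up. The flags and manifest resource IDs that <em>RunDLL_InitActCtx</em> really passes are not stated in the post, so the harness takes the resource ID as a parameter (1 and 2 are the standard CREATEPROCESS_MANIFEST_RESOURCE_ID and ISOLATIONAWARE_MANIFEST_RESOURCE_ID values from the SDK headers); <code>Test-ActCtxSource</code> and the DLL path are the example's own names and placeholders.</p>

```powershell
# Added example (not code from the original post or from rundll32.exe): call
# CreateActCtxW on a DLL so the resulting manifest probes can be watched in
# Process Monitor and compared with the rundll32.exe trace. Which flags and
# resource IDs rundll32.exe itself uses is an assumption left to the caller.

if (-not ('ActCtx' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ActCtx
{
    // ACTCTXW from winbase.h; lpResourceName is MAKEINTRESOURCE(id) or a string pointer.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct ACTCTXW
    {
        public uint   cbSize;
        public uint   dwFlags;
        public string lpSource;
        public ushort wProcessorArchitecture;
        public ushort wLangId;
        public string lpAssemblyDirectory;
        public IntPtr lpResourceName;
        public string lpApplicationName;
        public IntPtr hModule;
    }

    public const uint ACTCTX_FLAG_RESOURCE_NAME_VALID = 0x00000008;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateActCtxW(ref ACTCTXW pActCtx);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ActivateActCtx(IntPtr hActCtx, out IntPtr lpCookie);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeactivateActCtx(uint dwFlags, IntPtr ulCookie);

    [DllImport("kernel32.dll")]
    public static extern void ReleaseActCtx(IntPtr hActCtx);
}
'@
}

function Test-ActCtxSource {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [uint32]$ResourceId = 0   # 0: treat the file itself as an XML manifest
    )
    $ctx = New-Object -TypeName 'ActCtx+ACTCTXW'
    $ctx.cbSize   = [uint32][System.Runtime.InteropServices.Marshal]::SizeOf($ctx)
    $ctx.lpSource = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ($ResourceId -ne 0) {
        # Read the manifest from the RT_MANIFEST resource with this ID inside the file.
        $ctx.dwFlags        = [ActCtx]::ACTCTX_FLAG_RESOURCE_NAME_VALID
        $ctx.lpResourceName = [IntPtr][int64]$ResourceId   # MAKEINTRESOURCE(id)
    }

    $handle = [ActCtx]::CreateActCtxW([ref]$ctx)
    $err    = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $result = [pscustomobject]@{
        Source     = $ctx.lpSource
        ResourceId = $ResourceId
        Created    = $false
        Activated  = $false
        Win32Error = $err
    }
    if ($handle -eq [IntPtr](-1)) { return $result }   # INVALID_HANDLE_VALUE

    # Activate and immediately deactivate to prove the context is usable, then release it.
    $cookie = [IntPtr]::Zero
    $result.Created   = $true
    $result.Activated = [ActCtx]::ActivateActCtx($handle, [ref]$cookie)
    if ($result.Activated) { [void][ActCtx]::DeactivateActCtx(0, $cookie) }
    [ActCtx]::ReleaseActCtx($handle)
    $result.Win32Error = 0
    return $result
}

# Placeholder DLL path: substitute the DLL you would hand to rundll32.exe. Filter Process
# Monitor on this PowerShell process and on paths ending in ".manifest" while this runs.
$dll = 'C:\path\to\target.dll'
foreach ($id in 0, 1, 2) {   # 1 = CREATEPROCESS_MANIFEST_RESOURCE_ID, 2 = ISOLATIONAWARE_MANIFEST_RESOURCE_ID
    Test-ActCtxSource -Path $dll -ResourceId $id
}
```

<p>Compare the file probes this produces with the ones in the <em>rundll32.exe</em> trace. For the sideloading question, the only interesting probe is one that resolves into a directory your user can write to and that ends in a SUCCESS when you drop a manifest there; a NAME NOT FOUND on a manifest path is the normal noise of <em>CreateActCtxW</em> searching, and from the detection side it is the unexpected SUCCESS on a manifest read by <em>rundll32.exe</em>, not the failed probes, that is worth alerting on.</p>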