{"id":10257,"date":"2025-11-27T23:28:55","date_gmt":"2025-11-27T23:28:55","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10257"},"modified":"2025-11-27T23:28:55","modified_gmt":"2025-11-27T23:28:55","slug":"a-silly-rundll-ish-feature-of-shellabout-function","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/11\/27\/a-silly-rundll-ish-feature-of-shellabout-function\/","title":{"rendered":"A silly rundll-ish feature of ShellAbout function…"},"content":{"rendered":"\n

When you run winver<\/em> it calls the shell32.dll!ShellAbout<\/a> function to display the following dialog box:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

It turns out the ShellAbout<\/em> function’s declaration makes it a potential target for calling it from rundll32.exe<\/em>, even if its prototype doesn’t follow the rundll32 calling protocol.<\/p>\n\n\n\n

The function accepts the following parameters:<\/p>\n\n\n\n

INT ShellAboutA(\n  [in, optional] HWND   hWnd,\n  [in]           LPCSTR szApp,\n  [in, optional] LPCSTR szOtherStuff,\n  [in, optional] HICON  hIcon\n);<\/pre>\n\n\n\n
and the rundll32 callback is declared as:<\/p>\n\n\n\n
RunDll32EntryPoint(\nHWND hwnd, \nHINSTANCE hinst, \nLPSTR lpszCmdLine, \nint nCmdShow\n);<\/pre>\n\n\n\n
In other words, the mapping of the function arguments looks like this:<\/p>\n\n\n\n
HWND   hWnd -> HWND hwnd\nLPCSTR szApp -> HINSTANCE hinst\nLPCSTR szOtherStuff -> lpszCmdLine\nHICON  hIcon -> nCmdShow<\/pre>\n\n\n\n
So, by calling:<\/p>\n\n\n\n
rundll32.exe shell32.dll, ShellAbout Visit http:\/\/extend-windows-license-by-10-years-for-free.com now!<\/pre>\n\n\n\n
we fill-in the following bit:<\/p>\n\n\n\n
LPCSTR szOtherStuff -> lpszCmdLine<\/pre>\n\n\n\n
with a string provided via a command line.<\/p>\n\n\n\n
And as the API documentation describes, this parameter is:<\/p>\n\n\n\n
A pointer to a null-terminated string that contains text to be displayed in the dialog box after the version and copyright information. This parameter can be NULL.<\/pre>\n\n\n\n
Thanks to that coincidence, the result of our rundl32 invocation is the following dialog box:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
If you paid attention, you probably noticed that the title of the dialog box got corrupted:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
but that’s a side-effect of szApp<\/em> parameter getting some random value from the stack\/rdx register (if you follow the calling conventions of x86\/x64).<\/p>\n\n\n\n
Rest assured that this is not a security risk, but just yet another example of using Windows API in a slightly unorthodox way, similar to this example<\/a> I posted about a few years back… <\/p>\n","protected":false},"excerpt":{"rendered":"
When you run winver it calls the shell32.dll!ShellAbout function to display the following dialog box: It turns out the ShellAbout function’s declaration makes it a potential target for calling it from rundll32.exe, even if its prototype doesn’t follow the rundll32 … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10257"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10257"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10257\/revisions"}],"predecessor-version":[{"id":10263,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10257\/revisions\/10263"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}