{"id":10276,"date":"2025-12-07T00:01:10","date_gmt":"2025-12-07T00:01:10","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10276"},"modified":"2025-12-07T00:01:10","modified_gmt":"2025-12-07T00:01:10","slug":"1-little-secret-of-sqlsrv32-dll","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/12\/07\/1-little-secret-of-sqlsrv32-dll\/","title":{"rendered":"1 little secret of sqlsrv32.dll"},"content":{"rendered":"\n

This post is not really about sqlsrv32.dll<\/em>, but since it is poking in this library’s code that led me to rediscover the BidInterface<\/a><\/em> interface for the third time (I even described it twice<\/a> before<\/a>, without anyone noticing!), it ended up in a title of this post…<\/p>\n\n\n\n

Anyway, back to the rediscovery bit… I am actually quite surprised that I was able to not only rediscover it for the 3rd time, but also find a new way to abuse it. And as usual, it is the Procmon logs that did most of the work here…<\/p>\n\n\n\n

When you attempt to load sqlsrv32.dll<\/em> via rundll32.exe<\/em> and execute any of its exported functions f.ex.:<\/p>\n\n\n\n

rundll32 sqlsrv32.dll, TestDlgProc<\/pre>\n\n\n\n
the sqlsrv32.dll<\/em> library will try to activate that aforementioned BidInterface libraries:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
As we can see, not only the :Path<\/em> is being looked at, but also a few more other things:<\/p>\n\n\n\n