{"id":4276,"date":"2017-07-31T23:00:39","date_gmt":"2017-07-31T23:00:39","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4276"},"modified":"2017-10-25T18:28:34","modified_gmt":"2017-10-25T18:28:34","slug":"the-wizard-of-x-oppa-plugx-style","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/07\/31\/the-wizard-of-x-oppa-plugx-style\/","title":{"rendered":"The Wizard of X – Oppa PlugX style"},"content":{"rendered":"

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve.<\/p>\n

Why?<\/p>\n

When you run it with a ‘\/h’ command line parameter, you will get this info:<\/p>\n

\"\"<\/a>
\nSomething about the unusual command line parameters described there caught my eye.<\/p>\n

After a quick inspection I discovered why. The arguments are actually… names of functions exported from xwizards.dll!<\/p>\n

\"\"<\/a><\/p>\n

Very nice!<\/p>\n

And even nicer is the fact the LoadLibraryEx that loads that xwizards.dll finds its conveniently in the current path…<\/p>\n

Ouch…<\/p>\n

So… all you have to do is copy c:\\WINDOWS\\system32\\xwizard.exe to your folder, drop your xwizards.dll DLL there and call xwizard.exe with at least two arguments.<\/p>\n

And the Microsoft-signed xwizards.exe will load xwizards.dll of your choice…<\/p>\n","protected":false},"excerpt":{"rendered":"

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve. Why? When you run it with a ‘\/h’ command … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,15,19,46,56,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4276"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4276"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4276\/revisions"}],"predecessor-version":[{"id":4282,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4276\/revisions\/4282"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}