{"id":8999,"date":"2023-12-28T23:14:48","date_gmt":"2023-12-28T23:14:48","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8999"},"modified":"2024-12-25T23:20:00","modified_gmt":"2024-12-25T23:20:00","slug":"1-little-known-secret-of-regsvr32-exe-take-three","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/12\/28\/1-little-known-secret-of-regsvr32-exe-take-three\/","title":{"rendered":"1 little known secret of regsvr32.exe, take three"},"content":{"rendered":"\n

In the past I wrote<\/a> a<\/a> few<\/a> times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories.<\/p>\n\n\n\n

Regsvr32.exe<\/em> is not different. If you run a 32-bit Regsvr32.exe<\/em> with a command line argument being a path to a 64-bit DLL or OCX, it will spawn its 64-bit twin Regsvr32.exe<\/em> to handle the request:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

I am happy to report that regsvr32.exe<\/em> is using GetSystemDirectoryW<\/em> and GetSystemWow64Directory2W<\/em> APIs instead of relying on environmental variables to build the paths for respective binaries, so there is definitely less chances for lolbinish abuse.<\/p>\n\n\n\n

Now, this is not the little known secret yet.<\/p>\n\n\n\n

The secret is this:<\/p>\n\n\n\n

When you force the regsvr32.exe<\/em> for one architecture to spawn the other regsvr32.exe<\/em> with the other architecture, the command line argument that you started with will be passed to children regsvr32.exe<\/em> process, in full.<\/p>\n\n\n\n

Do you see where it is going?<\/p>\n\n\n\n

Based on the idea from the post number one in this series<\/a>, we now know we can pass a list of library names (limit is 256) to regsvr32.exe<\/em> and it will load them all one by one. What if we passed a command line argument that interleaves 32-bit and 64-bit libraries?<\/p>\n\n\n\n

The result will be a never-ending, chain reaction-like tree of interleaving regsvr32.exe<\/em> processes executed one bye one!<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Do you want to test it at home?<\/p>\n\n\n\n

Warning: do not try this at home!<\/p>\n\n\n\n

regsvr32.exe c:\\WINDOWS\\system32\\hhctrl.ocx c:\\WINDOWS\\syswow64\\hhctrl.ocx c:\\WINDOWS\\sysnative\\hhctrl.ocx<\/pre>\n\n\n\n
As far as I can tell this is the first documented case where c:\\WINDOWS\\system32\\<\/em>, c:\\WINDOWS\\syswow64\\<\/em>, and c:\\WINDOWS\\sysnative\\<\/em> have ever been used together in a command line of any program.<\/p>\n\n\n\n
And yes, you can add \/s<\/em> parameter to it too, that is – if you don’t want any control over it (\/s<\/em>  stands for silent<\/em><\/span> and is disabling any GUI feedback from regsvr32.exe<\/em>)! <\/p>\n\n\n\n
regsvr32.exe \/s c:\\WINDOWS\\system32\\hhctrl.ocx c:\\WINDOWS\\syswow64\\hhctrl.ocx c:\\WINDOWS\\sysnative\\hhctrl.ocx<\/pre>\n\n\n\n
Be warned tough! This is a regsvr32.exe<\/em> bomb! And it’s a possible DOLBIN<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"
In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[117,126,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8999"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8999"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8999\/revisions"}],"predecessor-version":[{"id":9016,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8999\/revisions\/9016"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}