{"id":9419,"date":"2024-09-04T21:00:46","date_gmt":"2024-09-04T21:00:46","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9419"},"modified":"2024-09-04T21:00:46","modified_gmt":"2024-09-04T21:00:46","slug":"rundll32-and-phantom-dll-lolbins-32-bit-version","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/09\/04\/rundll32-and-phantom-dll-lolbins-32-bit-version\/","title":{"rendered":"Rundll32 and Phantom DLL lolbins, 32-bit version"},"content":{"rendered":"\n<p>As I have shown in the last <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/09\/03\/rundll32-and-phantom-dll-lolbins\/\" data-type=\"post\" data-id=\"9414\">post<\/a>, there exists a class of DLLs on Windows OS that load other libraries via import table, and sometimes these needed imported libraries do not exist. This creates an opportunity that we can leverage f.ex. by using <em>rundll32.exe<\/em> to load these &#8216;broken&#8217; libraries, and to avoid them failing to load because of missing libraries &#8211; we provide these as a payload, saved in an appropriately named DLL files (in essence, they are phantom DLLs) .<\/p>\n\n\n\n<p>The previous post discussed 64-bit libraries, and here I will demo a single instance of a 32-bit library like this:<\/p>\n\n\n\n<p><strong>uxlib.dll<\/strong>  on Windows 11 Pro 22H2<\/p>\n\n\n\n<p>It imports <em>IsCrossArchitectureInstall<\/em> API from <em>WDSUTIL.dll<\/em>, so providing our own will lead to this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/09\/rundll32_phantomdll32.gif\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/09\/rundll32_phantomdll32.gif\" alt=\"\" class=\"wp-image-9421\" width=\"500\"\/><\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>As I have shown in the last post, there exists a class of DLLs on Windows OS that load other libraries via import table, and sometimes these needed imported libraries do not exist. This creates an opportunity that we can &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/09\/04\/rundll32-and-phantom-dll-lolbins-32-bit-version\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,53,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9419"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9419"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9419\/revisions"}],"predecessor-version":[{"id":9422,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9419\/revisions\/9422"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}