{"id":9463,"date":"2024-09-11T22:08:46","date_gmt":"2024-09-11T22:08:46","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9463"},"modified":"2024-09-12T08:18:32","modified_gmt":"2024-09-12T08:18:32","slug":"rundll32-exe-bomb","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/09\/11\/rundll32-exe-bomb\/","title":{"rendered":"Rundll32.exe bomb"},"content":{"rendered":"\n

Update<\/strong><\/p>\n\n\n\n

Turns out @sixtyvividtails<\/a> has already discovered<\/a> the very same issue via a minimalist PE file back in June. Touche!<\/p>\n\n\n\n

Old Post<\/strong><\/p>\n\n\n\n

This is a silly example of a basic mistake leading to a funny discovery…<\/p>\n\n\n\n

When I was experimenting with the imported<\/a> phantom DLLs<\/a> I accidentally placed a dummy 64-bit DLL in a place of a 32-bit phantom DLL called WDSUTIL.dll<\/em> that was imported by the 32-bit uxlib.dll<\/em>. I then attempted to enforce loading of uxlib.dll<\/em> with a 32-bit version of rundll32.exe by referencing its full path c:\\WINDOWS\\SysWOW64\\rundll32.exe:<\/p>\n\n\n\n

c:\\windows\\syswow64\\rundll32 uxlib.dll bar<\/pre>\n\n\n\n
Turns out that loading of the 32-bit library with an import that points to DLL that is actually 64-bit creates a chain of never-ending executions of the very same command line!<\/p>\n\n\n\n
What happens is that when the 32-bit DLL (uxlib.dll<\/em>) is loaded, the importing fails on the 64-bit phantomDLL (WDSUTIL.dll<\/em>) which leads rundll32.exe<\/em> to receive the ERROR_BAD_EXE_FORMAT error from the loading attempt, which in turn leads it to follow the internal _TryWow64Scenario<\/em> path in its code, which… literally means creating a new SysWow64’s rundll32.exe<\/em> process with the very same command line passed to it – aka repeating the cycle that we have started this test with!<\/p>\n\n\n\n
This leads to a cascade of new rundll32.exe<\/em> processes being spawn, and it’s similar in nature to regsvr32.exe<\/em> bomb<\/a>:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Yes, it is a dolbin!<\/p>\n","protected":false},"excerpt":{"rendered":"
Update Turns out @sixtyvividtails has already discovered the very same issue via a minimalist PE file back in June. Touche! Old Post This is a silly example of a basic mistake leading to a funny discovery… When I was experimenting … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,117,56],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9463"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9463"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9463\/revisions"}],"predecessor-version":[{"id":9468,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9463\/revisions\/9468"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}