{"id":9685,"date":"2024-11-28T22:28:01","date_gmt":"2024-11-28T22:28:01","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9685"},"modified":"2024-11-28T23:44:44","modified_gmt":"2024-11-28T23:44:44","slug":"windows-storage-lol","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/11\/28\/windows-storage-lol\/","title":{"rendered":"Windows.Storage.lol"},"content":{"rendered":"\n<p>This is a bit surprising, but recent versions of <em>windows.storage.dll<\/em> export a number of functions identical to those in <em>shell32.dll<\/em>. In fact, <em>shell32.dll<\/em> imports these <em>windows.storage.dll<\/em> functions and basically forwards execution to them, acting as a mere proxy.<\/p>\n\n\n\n<p>Thanks to that, one can now call some of the <em>shell32.dll<\/em> functions directly from <em>windows.storage.dll<\/em>, e.g. this well-known lolbin:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32 c:\\WINDOWS\\system32\\shell32.dll, ShellExec_RunDLL calc.exe<\/pre>\n\n\n\n<p>can be converted to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32 c:\\WINDOWS\\system32\\windows.storage.dll, ShellExec_RunDLL calc.exe<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This is a bit surprising, but recent versions of windows.storage.dll export a number of functions identical to those in shell32.dll. In fact, shell32.dll imports these windows.storage.dll functions and basically forwards execution to them, acting as a mere proxy. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/11\/28\/windows-storage-lol\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9685"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9685"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9685\/revisions"}],"predecessor-version":[{"id":9690,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9685\/revisions\/9690"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}