Me, myself & IT

DLL Minesweeper

Not just a game for software developers, (penetration) testers and administrators only.

Purpose

Build and use a (digital) minefield of forwarder DLLs as testbed for Windows® applications, in order to detect those vulnerable to DLL hijacking.

Reason

Although DLL spoofing, alias DLL preloading, binary planting or DLL side-loading, has been well known and well documented for more than 20 years, and despite MSDN articles like Dynamic-Link Library Security and Dynamic-Link Library Search Order giving advice on how to avoid this beginner’s error, the vast majority of Windows programs are still vulnerable to it!
For examples see Carpet Bombing and Directory Poisoning, Downloads Folder: A Binary Planting Minefield and Bypassing Application Whitelisting.

In executable installation programs, which typically need or request administrative privileges and are run from unsafe locations like the user’s Downloads directory or a %TEMP% directory where this vulnerability is trivial to exploit, it becomes especially dangerous.

Operation

When loaded by a vulnerable application, each forwarder DLL ‹filename›.dll acts as transparent proxy or static redirector to its corresponding target DLL %SystemRoot%\System32\‹filename›.dll located in Windows’ system directory, accomplished through the relative pathname System32\‹filename› of the target DLL used in the forwarded exports.

Note: export forwarding is a feature of Windows’ module loader and is used in quite a few Windows system DLLs; an application or another DLL which references a forwarded export receives the address of the targeted export.

Active use

Perform one or more of the following tests:

Passive use

Copy (or hardlink) the forwarder DLLs into the system’s %TEMP% directory %SystemRoot%\Temp\ and your own %TEMP% directory %USERPROFILE%\AppData\Local\Temp\, then wait: sooner or later a poorly written program will be run in one of the %TEMP% directories and load some of the DLLs placed there.

Limitation

Export forwarding is limited to target DLLs with the .dll file extension.

Note: to include DLLs with file extension .acm, .ax, .cpl, .drv, .ime, .ocx, .tsp etc. in the testbed, for example WinSPOOL.drv, MSCTFIME.ime or HHCtrl.ocx, build forwarder DLLs for them and create hardlinks ‹filename›.dll of the target DLLs in Windows’ system directory.

Bug

ShlWAPI.dll from Windows 7 and newer versions of Windows NT exports SHCreateStreamWrapper as an invalid forward to SHUNIMPL.#UNIMPL_SHCreateStreamWrapper (in a forwarder string, the # must be followed by an ordinal number, not by a name)!

Note: ShUnimpl.dll is a graveyard for obsolete and now unimplemented functions of Windows’ shell from prior versions of Windows NT.

Prerequisites

The following prerequisites are necessary to prepare the testbed:

Note: for details and reference see the MSDN article Prepare Your Development Environment.

Preparation

Perform the following 9 (plus 14 optional) simple steps to build DLLs ‹filename›.dll with exports (both by name and by ordinal) forwarded to their corresponding target DLLs %SystemRoot%\System32\‹filename›.dll located in Windows’ system directory, using import libraries and export files generated from the exports of the target DLLs.

For some of the details see the MSDN article Working with Import Libraries and Export Files.

Note: the forwarder DLLs are pure Win32 executables, built without the MSVCRT libraries, for use on Windows XP and newer versions of Windows NT as well as Windows PE.

Note: the sample console output shown below every command line was produced with the Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, using the header files, import libraries and utility programs from the Windows SDK v7.1.

  1. Create the text file DLLDUMMY.C with the following content in an arbitrary, preferably empty directory:

    // Copyright © 2004-2018, Stefan Kanthak <‍stefan.kanthak‍@‍nexgo‍.‍de‍>
    
    #define STRICT
    #define WIN32_LEAN_AND_MEAN
    
    #include <windows.h>
    
    __declspec(dllimport)
    INT	WINAPI	MessageBoxTimeoutA(HWND   hwnd,
    		                   LPCSTR lpText,
    		                   LPCSTR lpCaption,
    		                   UINT   uType,
    		                   WORD   wLanguageId,
    		                   DWORD  dwMilliseconds);
    
    BOOL	WINAPI	_DllMainCRTStartup(HINSTANCE hinstDLL,
    		                   DWORD     fdwReason,
    		                   LPVOID    lpvReserved)
    {
    #ifdef REASON
    	static	const	LPCSTR	szReason[4] = {"DLL_PROCESS_DETACH",
    				               "DLL_PROCESS_ATTACH",
    				               "DLL_THREAD_ATTACH",
    				               "DLL_THREAD_DETACH"};
    #endif
    #ifdef INTERNAL
    	extern	const	IMAGE_DOS_HEADER	__ImageBase;
    
    	LPCSTR			szModule = "<unknown>";
    	IMAGE_NT_HEADERS	*ntHeader = (IMAGE_NT_HEADERS *) ((LPBYTE) &__ImageBase + __ImageBase.e_lfanew);
    	DWORD			dwRVA = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    	DWORD			dwSize = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    
    	if ((dwRVA != 0L)
    	 && (dwSize >= sizeof(IMAGE_EXPORT_DIRECTORY)))
    	{
    		dwRVA = ((IMAGE_EXPORT_DIRECTORY *) ((LPBYTE) &__ImageBase + dwRVA))->Name;
    		if (dwRVA != 0L)
    			szModule = (LPCSTR) ((LPBYTE) &__ImageBase + dwRVA);
    	}
    #else
    	CHAR	szModule[MAX_PATH];
    	DWORD	dwModule = GetModuleFileName(hinstDLL, szModule, sizeof(szModule));
    
    	if (dwModule == 0L)
    		szModule[0] = '\0';
    	else if (dwModule >= sizeof(szModule))
    		szModule[sizeof(szModule) - 1] = '\0';
    #endif
    	MessageBoxTimeoutA(HWND_DESKTOP,
    #ifdef REASON
    	                   szReason[fdwReason],
    #else
    	                   GetCommandLineA(),
    #endif
    	                   szModule,
    	                   MB_OK | MB_ICONINFORMATION,
    	                   MAKELANGID(LANG_ENGLISH, SUBLANG_NEUTRAL),
    	                   12345L);
    
    	return TRUE;
    }
    
    __declspec(dllexport)
    const	CHAR	Data[] = "The Magic Words are Squeamish Ossifrage";
    For details and reference see the MSDN articles DllMain entry point and Dynamic-Link Library Entry-Point Function, plus IMAGE_NT_HEADERS structure, IMAGE_OPTIONAL_HEADER structure and IMAGE_DATA_DIRECTORY structure.

    Note: modification of the source file DLLDUMMY.C to retrieve and display more or other information than only the DLL’s (internal) name from its export directory and the reason of the call or the process’ command line is left as an exercise to the reader.

    Note: follow the guidance given in the MSDN article Dynamic-Link Library Best Practices when you modify the source code!

  2. Compile the object file DLLDUMMY.OBJ from the source file DLLDUMMY.C created in step 1.:

    CL.EXE /c /DINTERNAL /DREASON /GA /GF /Gy /O1 /Os /Oy- /wd4100 /TcDLLDUMMY.C /Zl
    For details and reference see the MSDN article Compiler Options.
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    DLLDUMMY.C
    
  3. Note: the following substeps are optional!

  a. Link the DLL DLLDUMMY.DLL from the object file DLLDUMMY.OBJ compiled in step 2.:
    LINK.EXE /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /EXPORT:Data,DATA /LARGEADDRESSAWARE /NODEFAULTLIB /NXCOMPAT /OPT:REF /OSVERSION:‹major›.‹minor› /OUT:DLLDUMMY.DLL /RELEASE /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /VERSION:1.0 DLLDUMMY.OBJ USER32.LIB
    For details and reference see the MSDN article Linker Options.

    Note: use the value of the /OSVERSION: argument to indicate the targeted version of Windows NT.

    Microsoft (R) Incremental Linker Version 10.00.40219.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
       Creating library DLLDUMMY.lib and object DLLDUMMY.exp
    
  b. [Screenshot of DLLDUMMY.DLL loaded and executed via MSIEXEC.EXE, REGSVR32.EXE or RUNDLL32.EXE] Load the DLL DLLDUMMY.DLL linked in substep 3. a. explicitly, implicitly calling its entry point function:
    MSIEXEC.EXE /Y "%CD%\DLLDUMMY.DLL"
    REGSVR32.EXE "%CD%\DLLDUMMY.DLL"
    RUNDLL32.EXE "%CD%\DLLDUMMY.DLL",* DLL minesweeper
    For details and reference see the MSDN article Run-Time Dynamic Linking.

    Note: it’s sufficient to run just one command line.

    Note: the error message boxes displayed by RegSvr32.exe and RunDll32.exe are expected: DLLDUMMY.DLL implements neither any of the functions DllInstall(), DllRegisterServer() and DllUnregisterServer() called from the Regsvr32 tool, nor the Rundll32 Interface.

  c. Overwrite the text file DLLDUMMY.C created in step 1. with the following content:
    // Copyright © 2004-2018, Stefan Kanthak <‍stefan.kanthak‍@‍nexgo‍.‍de‍>
    
    #define STRICT
    #define WIN32_LEAN_AND_MEAN
    
    #include <windows.h>
    
    __declspec(dllimport)
    extern	const	CHAR	Data[];
    
    __declspec(noreturn)
    VOID	WINAPI	WinMainCRTStartup(VOID)
    {
    	INT	i = MessageBoxExA(HWND_DESKTOP,
    		                  Data,
    		                  "DLLDUMMY.EXE",
    		                  MB_OK | MB_ICONINFORMATION,
    		                  MAKELANGID(LANG_ENGLISH, SUBLANG_NEUTRAL));
    
    	ExitProcess(i);
    }
  d. Compile the object file DLLDUMMY.TMP from the source file DLLDUMMY.C overwritten in substep 3. c.:
    CL.EXE /c /FoDLLDUMMY.TMP /GA /GF /Gy /O1 /Os /Oy- /TcDLLDUMMY.C /Zl
    For details and reference see the MSDN article Compiler Options.
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    DLLDUMMY.C
    
  e. Link the application DLLDUMMY.EXE from the object file DLLDUMMY.TMP compiled in substep 3. d. and the import library DLLDUMMY.LIB created in substep 3. a.:
    LINK.EXE /LINK /DYNAMICBASE /ENTRY:WinMainCRTStartup /FIXED:NO /LARGEADDRESSAWARE /NODEFAULTLIB /NXCOMPAT /OPT:REF /OSVERSION:‹major›.‹minor› /OUT:DLLDUMMY.EXE /RELEASE /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /VERSION:1.0 DLLDUMMY.TMP DLLDUMMY.LIB KERNEL32.LIB USER32.LIB
    For details and reference see the MSDN articles Entry-Point Symbol and Linker Options.

    Note: use the value of the /OSVERSION: argument to indicate the targeted version of Windows NT.

    Microsoft (R) Incremental Linker Version 10.00.40219.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    
  f. [Screenshot of DLLDUMMY.EXE displaying the text string exported from DLLDUMMY.DLL] Execute the application DLLDUMMY.EXE linked in substep 3. e., implicitly loading and executing the DLL DLLDUMMY.DLL linked in substep 3. a.:
    .\DLLDUMMY.EXE
    For details and reference see the MSDN article Load-Time Dynamic Linking.

    Note: the Dynamic-Link Library Entry-Point Function _DllMainCRTStartup() is called before the application’s entry point function WinMainCRTStartup(), which displays the text string The Magic Words are Squeamish Ossifrage exported from DLLDUMMY.DLL.

  g. Create the text file DLLDUMMY.XML with the following content:
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <file name="Kernel32.dll" />
      <file name="User32.dll" />
    </assembly>
    For details and reference see the MSDN article Application Manifests.

    Note: the file element overrides Windows’ known DLLs!

  h. Embed the application manifest DLLDUMMY.XML created in substep 3. g. in the application DLLDUMMY.EXE linked in substep 3. e.:
    MT.EXE /manifest DLLDUMMY.XML /outputresource:DLLDUMMY.EXE;#1
    Microsoft (R) Manifest Tool version 6.1.7716.0
    Copyright (c) Microsoft Corporation 2009.
    All rights reserved.
    
    
  i. Execute the application DLLDUMMY.EXE modified in substep 3. h.:
    .\DLLDUMMY.EXE
    Note: this fails since Windows’ module loader needs to load the dependent DLLs Kernel32.dll and User32.dll from the application directory!

  j. Copy the dependent DLLs from Windows’ system directory into the application directory, which happens to be the current (working) directory ., then repeat the previous substep 3. i.:
    Copy "%SystemRoot%\System32\Kernel32.dll"
    Copy "%SystemRoot%\System32\User32.dll"
    .\DLLDUMMY.EXE
  k. Overwrite the text file DLLDUMMY.XML created in substep 3. g. with the following content:
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <file loadFrom="%SystemDrive%\Temp\Kernel32.dll" name="Kernel32.dll" />
      <file loadFrom="%SystemDrive%\Temp\User32.dll"   name="User32.dll" />
    </assembly>
    For details and reference see the MSDN article Application Manifests.

    Note: the loadFrom attribute of the file element is not documented by Microsoft!

  l. Embed the application manifest DLLDUMMY.XML overwritten in substep 3. k. in the DLL DLLDUMMY.DLL linked in substep 3. a.:
    MT.EXE /manifest DLLDUMMY.XML /outputresource:DLLDUMMY.DLL;#2
    Microsoft (R) Manifest Tool version 6.1.7716.0
    Copyright (c) Microsoft Corporation 2009.
    All rights reserved.
    
    
  m. Execute the application DLLDUMMY.EXE again:
    .\DLLDUMMY.EXE
    Note: this fails since Windows’ module loader can’t load the dependents Kernel32.dll and User32.dll of the modified DLLDUMMY.DLL from the path specified in its embedded application manifest!

    Note: the trivial fix is left as an exercise to the reader!

  4. Create the text file DLLDUMMY.CMD with the following content:

    @Echo Off
    
    Rem Copyright © 2004-2018, Stefan Kanthak <‍stefan.kanthak‍@‍nexgo‍.‍de‍>
    
    Echo LIBRARY "%~n1"
    Echo.
    Echo EXPORTS
    
    SetLocal
    Rem Skip the 16 header lines of the dump and stop at its section summary.
    Rem Delims= (empty, so each whole line is one token) has to be the last option of For /F.
    For /F "UseBackQ Skip=16 Delims=" %%@ In ("%~2") Do If "%%@" == "  Summary" (Exit /B) Else Call :EXPORTS "%~n1" "%%@"
    EndLocal
    Exit /B
    
    :EXPORTS
    Rem Argument 1: name of the target DLL, argument 2: one line of the export dump,
    Rem split at the fixed column offsets of its header "    ordinal hint RVA      name".
    Set LIBRARY=System32\%~1
    Set LINE=%~2
    Set ORDINAL=%LINE:~4,7%
    Set ORDINAL=%ORDINAL: =%
    Set HINT=%LINE:~12,4%
    Set RVA=%LINE:~17,8%
    Set NAME=%LINE:~26%
    
    Rem No hint or no name: exported by ordinal only. No RVA: the target DLL forwards it itself.
    If "%HINT%" == "    " Goto :ORDINAL
    If "%NAME%" == "[NONAME]" Goto :ORDINAL
    If "%RVA%" == "        " Goto :FORWARD
    
    :NAME
    Echo  %NAME%=%LIBRARY%.%NAME% @%ORDINAL%
    Goto :EOF
    
    :ORDINAL
    Echo  @%ORDINAL%=%LIBRARY%.#%ORDINAL% @%ORDINAL% NONAME
    Goto :EOF
    
    :FORWARD
    Set NAME=%NAME: (forwarded to ==%
    Echo  %NAME:~0,-1% @%ORDINAL%
    Goto :EOF
    For details and reference see the MSDN articles Rules for Module-Definition Statements, EXPORTS and LIBRARY.

    Note: modification of the batch script DLLDUMMY.CMD to target DLLs located in subdirectories of the system directory is left as an exercise to the reader.

  5. Dump the exports of an arbitrary DLL ‹filename›.dll located in Windows’ system directory %SystemRoot%\System32\ to the temporary text file DLLDUMMY.TXT:

    LINK.EXE /DUMP /EXPORTS /OUT:DLLDUMMY.TXT "%SystemRoot%\System32\‹filename›.dll"
    Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    
  6. Generate the intermediary module definition file DLLDUMMY.DEF from the text file DLLDUMMY.TXT dumped in step 5., using the batch script DLLDUMMY.CMD created in step 4.:

    CALL DLLDUMMY.CMD ‹filename› DLLDUMMY.TXT >DLLDUMMY.DEF
    Note: for DLLs without exports but more than 9 sections†, like the native DLLs mcupdate_AuthenticAMD.dll and mcupdate_GenuineIntel.dll, the batch script DLLDUMMY.CMD fails to generate a valid module definition file, which typically leads to a linker error in the next two steps.

    † For details and reference see the MSDN articles PE Format, Peering Inside the PE: A Tour of the Win32 Portable Executable File Format, An In-Depth Look into the Win32 Portable Executable File Format and An In-Depth Look into the Win32 Portable Executable File Format, Part 2.
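    The conversion performed by the batch script DLLDUMMY.CMD of step 4, re-implemented in Python as an added example (not part of this page or its makefile): it parses the fixed-width columns of a LINK.EXE /DUMP /EXPORTS dump, but locates the "ordinal hint RVA name" header instead of skipping a fixed 16 lines, so a dump without an export section (the mcupdate_*.dll failure mode of step 6) yields an empty EXPORTS list rather than a broken module definition file. Both sample dumps are constructed, not real dumper output.

```python
import re

# Column layout of one export line of a LINK.EXE /DUMP /EXPORTS dump, taken from
# its header "    ordinal hint RVA      name" (the offsets DLLDUMMY.CMD slices).
ORDINAL, HINT, RVA, NAME = slice(4, 11), slice(12, 16), slice(17, 25), slice(26, None)

HEADER_RE = re.compile(r"^\s*ordinal\s+hint\s+RVA\s+name\s*$")
FORWARD_RE = re.compile(r"^(?P<name>\S+) \(forwarded to (?P<target>[^)]+)\)$")


def export_lines(dump_text):
    """Yield the export table lines: the non-blank lines between the header and
    the "Summary" line.  A dump without an export section has no header, so
    nothing is yielded (a fixed Skip=16 would feed its section list instead)."""
    in_table = False
    for line in dump_text.splitlines():
        if not in_table:
            in_table = HEADER_RE.match(line) is not None
        elif line.strip() == "Summary":
            return
        elif line.strip():
            yield line


def def_entry(library, line):
    """One export line -> one EXPORTS statement forwarding to System32\\<library>,
    mirroring the :NAME, :ORDINAL and :FORWARD cases of the batch script."""
    ordinal = line[ORDINAL].strip()
    name = line[NAME].rstrip()
    target = "System32\\" + library
    if line[HINT].strip() == "" or name == "[NONAME]":
        # Exported by ordinal only: forward by ordinal and export without a name.
        return f" @{ordinal}={target}.#{ordinal} @{ordinal} NONAME"
    if line[RVA].strip() == "":
        # The target DLL forwards this export itself: point at its final target.
        m = FORWARD_RE.match(name)
        if m is None:
            raise ValueError(f"unrecognised forwarded export: {line!r}")
        return f" {m['name']}={m['target']} @{ordinal}"
    return f" {name}={target}.{name} @{ordinal}"


def module_definition(library, dump_text):
    """Complete module-definition file text for the forwarder DLL of <library>."""
    lines = [f'LIBRARY "{library}"', "", "EXPORTS"]
    lines += [def_entry(library, line) for line in export_lines(dump_text)]
    return "\n".join(lines) + "\n"


# Constructed sample dump (not real dumper output) with one export of each kind.
SAMPLE_DUMP = r"""
Dump of file C:\Windows\System32\example.dll

    ordinal hint RVA      name

          1    0 00001000 ExampleA
          2      00001040 [NONAME]
          3    1          ExampleB (forwarded to NTDLL.RtlExampleB)

  Summary

        1000 .data
"""

# Constructed dump of a DLL that has sections but no export table at all.
NO_EXPORTS_DUMP = r"""
Dump of file C:\Windows\System32\mcupdate_GenuineIntel.dll

  Summary

        1000 .data
"""

if __name__ == "__main__":
    print(module_definition("example", SAMPLE_DUMP))
    print(module_definition("mcupdate_GenuineIntel", NO_EXPORTS_DUMP))
```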

  7. Build the intermediary import library DLLDUMMY.LIB and the intermediary export file DLLDUMMY.EXP from the module definition file DLLDUMMY.DEF generated in step 6.:

    LINK.EXE /LIB /DEF:DLLDUMMY.DEF /NODEFAULTLIB /OUT:DLLDUMMY.LIB
    For details and reference see the MSDN article Building an Import Library and Export File.
    Microsoft (R) Library Manager Version 10.00.40219.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
       Creating library DLLDUMMY.LIB and object DLLDUMMY.exp
    
    Note: (contrary to common misinformation) forwarder DLLs built for the I386 alias x86 processor architecture of Windows NT work on the AMD64 alias x64 processor architecture as well: Windows’ module loader loads them and resolves their forwarded exports, but does not call their _DllMainCRTStartup() routine.
  8. Build the DLL ‹filename›.dll from the object file DLLDUMMY.OBJ compiled in step 2., using the import library DLLDUMMY.LIB and the export file DLLDUMMY.EXP built in step 7.:

    LINK.EXE /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /LARGEADDRESSAWARE /NODEFAULTLIB /NXCOMPAT /OPT:REF /OSVERSION:‹major›.‹minor› /OUT:"‹filename›.dll" /RELEASE /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /VERSION:1.0 DLLDUMMY.OBJ DLLDUMMY.LIB DLLDUMMY.EXP USER32.LIB
    For details and reference see the MSDN articles Using an Import Library and Export File and Linker Options.

    Note: use the value of the /OSVERSION: argument to indicate the targeted version of Windows NT.

    Microsoft (R) Incremental Linker Version 10.00.40219.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    
  9. Repeat the steps 5. through 8. for every DLL located in Windows’ system directory %SystemRoot%\System32\ to build a complete minefield.

  10. Erase all intermediary and temporary files:

    Erase DLLDUMMY.DEF DLLDUMMY.DLL DLLDUMMY.EXE DLLDUMMY.EXP DLLDUMMY.LIB DLLDUMMY.TMP DLLDUMMY.TXT DLLDUMMY.XML
  11. Optionally sign and timestamp all forwarder DLLs built in steps 5. through 9.:

    SIGNTOOL.EXE Sign /A /D "DLL Minesweeper" /DU "https://skanthak.homepage.t-online.de/minesweeper.html" /T "http://timestamp.verisign.com/scripts/timstamp.dll" /V *.dll
    SIGNTOOL.EXE Sign /AS /D "DLL Minesweeper" /DU "https://skanthak.homepage.t-online.de/minesweeper.html" /FD SHA256 /TD SHA256 /TR "http://timestamp.verisign.com/scripts/timstamp.dll" /V *.dll
    For details and reference see the MSDN articles Using SignTool to Sign a File and SignTool.

Download

The makefile DLLDUMMY.MAK performs the (mandatory) steps 1. through 10. shown above.
It contains the sources for an enhanced variant of the forwarder DLL as inline files, localized for English and German, and needs the icon DLLDUMMY.ICO.

Note: translations of the MESSAGETABLE and STRINGTABLE resources into other languages are welcome!

The enhanced variant of the forwarder DLL displays a dialog box with detailed information and writes a message to Windows’ Event Log, using the source Vulnerability and Exploit Detector.

Download both files into an arbitrary, preferably empty directory, then run the following command line:

NMAKE.EXE /R /F DLLDUMMY.MAK test sign all
Note: if you don’t have a code-signing certificate, omit the sign target!

Microsoft (R) Program Maintenance Utility Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.

	MC.EXE /b /c /n /u /v /U DLLDUMMY.MC
MC: Compiling DLLDUMMY.MC
DLLDUMMY.MC(3) : warning : Redefining value of English
Writing .\DLLDUMMY_GER.bin
    [a0000001 .. a0000001] - 688 bytes
    [a0000003 .. a0000003] - 1216 bytes
    Total of 2 messages, 1932 bytes
Writing .\DLLDUMMY_ENU.bin
    [a0000001 .. a0000001] - 600 bytes
    [a0000003 .. a0000003] - 1104 bytes
    Total of 2 messages, 1732 bytes
	CL.EXE /Bv /c /DCALLER /DEVENTLOG /DGSCOOKIE /DNOTHREAD /DSOUND /DUSERICON /FoDLLDUMMY.OBJ /GA /GF /GS /Gy /nologo /O1 /Os /Oy- /Tc.\nm4D8.tmp /W4 /Zl
Compiler Passes:
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\cl.exe:        Version 16.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\c1.dll:        Version 16.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\c1xx.dll:      Version 16.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\c2.dll:        Version 16.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\link.exe:      Version 10.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\mspdb100.dll:  Version 10.00.40219.1
 C:\Program Files\Microsoft Visual Studio 10.0\VC\Bin\1033\clui.dll: Version 16.00.40219.1

nm4D8.tmp
.\nm4D8.tmp(109) : warning C4047: 'initializing' : 'DWORD' differs in levels of indirection from 'DWORD_PTR *'
.\nm4D8.tmp(110) : warning C4047: 'initializing' : 'DWORD' differs in levels of indirection from 'LPVOID *'
.\nm4D8.tmp(111) : warning C4047: 'initializing' : 'DWORD' differs in levels of indirection from 'BYTE *'
.\nm4D8.tmp(252) : warning C4201: nonstandard extension used : nameless struct/union
.\nm4D8.tmp(613) : warning C4090: 'function' : different 'const' qualifiers
.\nm4D8.tmp(624) : warning C4090: 'function' : different 'const' qualifiers
.\nm4D8.tmp(816) : warning C4090: 'function' : different 'const' qualifiers
	RC.EXE /DUNICODE /FoDLLDUMMY.RES /N /R /V .\nm4D9.tmp
Microsoft (R) Windows (R) Resource Compiler Version 6.1.7600.16385
Copyright (C) Microsoft Corporation.  All rights reserved.

Using codepage 1252 as default
Creating DLLDUMMY.RES
RC: RCPP -CP 1252 -f .\RCa07820 -g \RDa07820 -DRC_INVOKED -D_WIN32 -pc\:/ -E -I. -I .\ -I . -I C:\Program Files\Microsoft Visual Studio 10.0\VC\Include -I C:\Program Files\Microsoft SDKs\Windows\v7.1\Include -D UNICODE
C:\Program Files\Microsoft Visual Studio 10.0\VC\Include/string.h(54) : warning RC4011: identifier truncated to '_CRT_SECURE_CPP_OVERLOAD_STANDA'
C:\Program Files\Microsoft Visual Studio 10.0\VC\Include/string.h(76) : warning RC4011: identifier truncated to '_CRT_SECURE_CPP_OVERLOAD_SECURE'

.\nm4D9.tmp.
Writing MESSAGETABLE:1, lang:0x7,       size 1932.
Writing MESSAGETABLE:1, lang:0x9,       size 1732...
Writing ICON:1, lang:0x0,       size 9640
Writing ICON:2, lang:0x0,       size 4264
Writing ICON:3, lang:0x0,       size 1128
Writing GROUP_ICON:1,   lang:0x0,       size 48.
Writing 24:1,   lang:0x0,       size 1249.
Writing VERSION:1,      lang:0x0,       size 2336
Writing STRING:1,       lang:0x7,       size 470
Writing STRING:1,       lang:0x9,       size 376
	CVTRES.EXE /NOLOGO /OUT:DLLDUMMY.CVT /READONLY DLLDUMMY.RES
CVTRES : warning CVT4001: machine type not specified; assumed X86
	LINK.EXE /LINK /ALLOWBIND:NO /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /LARGEADDRESSAWARE /NODEFAULTLIB /NOLOGO /NXCOMPAT /OPT:REF /OSVERSION:5.1 /OUT:DLLDUMMY.DLL /RELEASE /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /TEST /VERSION:1.0 DLLDUMMY.OBJ DLLDUMMY.CVT ADVAPI32.LIB KERNEL32.LIB USER32.LIB
LINK : file alignment: 512, section alignment: 4096
LINK : section '.sdata' (C0000040) merged into '.data' (C0000040)
LINK : section '.xdata' (40000040) merged into '.rdata' (40000040)
	RUNDLL32.EXE ".\DLLDUMMY.DLL",* Vulnerability and Exploit Detector
	SIGNTOOL.EXE Sign /A /D "Vulnerability and Exploit Detector" /DU "https://skanthak.homepage.t-online.de/minesweeper.html" /T "http://timestamp.verisign.com/scripts/timstamp.dll" /V DLLDUMMY.DLL
The following certificate was selected:
    Issued to: Stefan Kanthak
    Issued by: WEB.DE TrustCenter E-Mail Certification Authority
    Expires:   15.12.2018 02:16:19
    SHA1 hash: 8C5B7521404177AC54131302066BB069102E830E


Attempting to sign: DLLDUMMY.DLL
Successfully signed and timestamped: DLLDUMMY.DLL

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
	Call DLLDUMMY.CMD
…

Demonstration

  1. Call the PrintUIEntry entry point of PrintUI.dll:

    RUNDLL32.EXE PRINTUI.DLL,PrintUIEntry /?
    Note: for details and reference see the MSKB article 189105 and the TechNet article Rundll32 printui.dll,PrintUIEntry.
  2. Call the PrintUIEntry entry point of PrintUI.dll through the forwarder DLL PRINTUI.DLL to test its proper function:

    RUNDLL32.EXE "%CD%\PRINTUI.DLL",PrintUIEntry /?
  3. Copy RunDll32.exe into the minefield, then use it to call the PrintUIEntry function of PrintUI.dll located in Windows’ system directory:

    Copy "%SystemRoot%\System32\RUNDLL32.EXE"
    .\RUNDLL32.EXE "%SystemRoot%\System32\PRINTUI.DLL",PrintUIEntry /?
    Note: enjoy the fireworks!

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, errors, inaccuracies, omissions, vulnerabilities or weaknesses, …:
don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Notes: I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!
Copyright © 1995–2018 • Stefan Kanthak • <‍stefan.kanthak‍@‍nexgo‍.‍de‍>