 

Rundll32.exe javascript

I've just (August 2014) seen a report of a program that uses the command line

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"

How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?

rundll reference: http://support.microsoft.com/kb/164787

david asked Aug 05 '14 05:08



1 Answer

There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/

To summarize using the same example of:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

  1. RunDll32
    1. Parses the command and decides the intended DLL is: javascript:"\..\mshtml
    2. Fails at loading that as an absolute path.
    3. Fails to find a match in the working directory or on the path.
    4. Fails to find a manifest javascript:"\..\mshtml.manifest for the module.
    5. Calls LoadLibrary
  2. LoadLibrary
    1. Adds the extension and attempts to load javascript:"\..\mshtml.dll
    2. Treats this as relative, so it goes up from the fake javascript:"\ directory.
    3. Searches for mshtml.dll which it finds in the System directory.
    4. Loads the DLL using RunHTMLApplication as the entry point.
  3. RunHTMLApplication
    1. Attempts to execute the command ";alert('foo');
    2. As that's invalid JavaScript it calls GetCommandLine for the original command which returns javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
    3. Attempts to open this URI so it asks the system how to handle the javascript protocol which is typically set to Microsoft HTML Javascript Pluggable Protocol in the registry.
    4. Then executes the JavaScript: "..\mshtml,RunHTMLApplication ";alert('foo');
  4. JavaScript
    1. The first statement creates a string and does nothing with it which is valid enough to not cause an error.
    2. Continues executing the rest of the script.
TheQwerty answered Oct 12 '22 00:10
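As an added example (not part of the question or answer above, and not Microsoft's code), the Python below mimics the two steps the answer describes, the comma split that rundll32 performs and the ".dll"-append-then-collapse-".." behaviour of LoadLibrary, and turns the mismatch between the literal DLL argument and the module that would actually load into a simple detection check over constructed process-creation command lines. The regular expressions, the reason strings and the sample lines are my own assumptions, not taken from the page.

```python
import re

# Constructed sample process-creation command lines (not real telemetry);
# the second is the Poweliks-style line discussed in the answer above.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');''',
    r'rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation',
]

def split_rundll32_args(cmdline):
    """Split '<dll>,<entrypoint> [args]' the way the answer describes: text before the
    first comma is the DLL argument. Returns (dll, entry_point, args) or None."""
    m = re.match(r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    dll, _, after = m.group(1).partition(',')
    entry, _, args = after.partition(' ')
    return dll, entry, args

def resolve_like_loadlibrary(dll_argument):
    """Approximate LoadLibrary: append .dll if missing, then collapse '..' segments.
    Returns the bare module name actually searched for (e.g. 'mshtml.dll')."""
    name = dll_argument if dll_argument.lower().endswith('.dll') else dll_argument + '.dll'
    stack = []
    for part in name.replace('\\', '/').split('/'):
        if part == '..':
            if stack:
                stack.pop()
        elif part and part != '.':
            stack.append(part)
    return stack[-1] if stack else ''

def suspicious_rundll32(cmdline):
    """Return reasons a rundll32 command line shows command-line confusion
    (empty list = nothing unusual). A scheme needs 2+ chars, so 'C:' is not one."""
    parsed = split_rundll32_args(cmdline)
    if parsed is None:
        return []
    dll, _entry, _args = parsed
    reasons = []
    if re.match(r'^[a-z][a-z0-9+.-]+:', dll, re.I):
        reasons.append('URI scheme prefix in DLL argument')
    if '..' in dll:
        reasons.append('traversal: loads %r, not %r' % (resolve_like_loadlibrary(dll), dll))
    if '"' in dll:
        reasons.append('quote character inside DLL argument')
    return reasons
```

Run `suspicious_rundll32` over each entry of `SAMPLE_COMMAND_LINES`: the two ordinary invocations return an empty list, while the javascript: line is flagged on all three counts and the traversal reason names mshtml.dll as the module that would really be loaded.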