Rundll32 64bit


Henrietta Naughton

Aug 3, 2024, 5:27:26 PM8/3/24
to radasora

Today, we are going to look at a Microsoft tool, the infamous rundll32.exe, which allows you to load and execute code. It is often used by adversaries during their offensive operations to execute malicious code, through a mechanism which we will explain in detail.

Rundll32.exe is a Microsoft-signed binary used to load dynamic-link libraries (DLLs) in Windows. It is native to Windows and ships in both 32-bit and 64-bit versions, located respectively in these places:

On the one hand, rundll32.exe is a Microsoft-signed executable that is natively present on all Windows systems; on the other hand, it is also a very flexible and efficient way to load code into memory, acting as a proxy for execution. Moreover, because rundll32.exe benefits from a certain degree of trust, it can serve as a possible bypass of AppLocker and Software Restriction Policies (SRP).

Last but not least, rundll32.exe can also be used to dump the memory of processes, such as the LSASS (Local Security Authority Subsystem Service) process, in order to retrieve credentials, which we will demonstrate.

Although rundll32.exe has frequent and undeniably legitimate uses, it is also abused by many attackers, ranging from state-affiliated groups (APTs) to cybercriminal groups, to proxy the execution of malicious code.

We could also note that tools such as Cobalt Strike can use rundll32.exe to load DLLs from the command line. This list could be much longer, but the idea is to briefly convey the importance, dangerousness and diversity of the groups that rely on rundll32.exe; it is therefore important to understand its mechanism in order to detect it.

Even if the requested entry point does not exist, the system first calls the DLL's DllMain function with the DLL_PROCESS_ATTACH value, so the corresponding code is executed, followed by an error message about the missing entry point.

Note: As per Microsoft's API documentation, when DllMain is called with any value other than DLL_PROCESS_ATTACH, the return value is ignored. If the return value is FALSE when DllMain is called during process initialization, the process terminates with an error, and GetLastError can be called to retrieve extended error information.

Note: This behavior was discussed earlier; it is related to the dwFlags parameter being set to LOAD_WITH_ALTERED_SEARCH_PATH when rundll32.exe calls LoadLibraryExW (this flag is not under the caller's control).

Finally, please note that it is not good practice to call CreateProcess from within DllMain: creating a process can load another DLL, which may lead to improper synchronization and cause the application to deadlock.

As a result, we can observe a spawned cmd.exe whose parent no longer exists, because the rundll32.exe process (PID 1844) has terminated while the cmd.exe process (PID 10904) was created as a new and independent process:

However, thanks to the Cybereason Defense Platform, we can examine the history, all loaded modules and all other relevant information, and visualize the process tree to see that rundll32.exe is the parent of cmd.exe:

We have seen that rundll32.exe is a powerful asset for adversaries to proxy the execution of arbitrary and malicious code. This binary has another ace up its sleeve: it can leverage comsvcs.dll (a Microsoft-signed DLL), which exports a function called MiniDumpW that relies on MiniDumpWriteDump to dump the memory of the lsass.exe (Local Security Authority Subsystem Service) process in order to retrieve credentials.

Indeed, we have already seen that Cybereason avoids false positives on benign uses of rundll32.exe, for instance when our test DLL spawns another Windows binary that does no harm to the system:

Note: For the following tests, we configured the EDR in "detection" mode only, to demonstrate detection capabilities without immediately blocking the attacks (as "prevention" mode would).

To continue our examples, we now create a malicious DLL using msfvenom that initiates a reverse shell to an adversary-controlled system. We select a staged reverse TCP Meterpreter payload and name it sample.dll:

The queries provided in this section can be used to hunt for possibly malicious rundll32.exe processes. First, the following query returns all instances of rundll32.exe (including non-malicious ones), to give an overview of activity:


The Cybereason Blue Team is a global unit focused on mitigating advanced adversarial techniques leveraged by high level Threat Actors and Red Teams across the globe. The Blue Team is comprised of experts in Red Teaming, Penetration Testing, Digital Forensics and Incident Response, giving them a unique insight into both sides of the coin. Working alongside customers and third-party Red Teams, and leveraging the Cybereason platform, the Blue Team is able to push the boundaries of detection and response well beyond commonly known Tactics, Techniques and Procedures (TTPs), reversing the adversarial advantage long before new techniques are adopted by mainstream Threat Actors. As part of Cybereason Threat Intelligence, the Blue Team is able to quickly translate these findings into MalOp detections, ensuring our entire customer base is protected.


Loads and runs 32-bit dynamic-link libraries (DLLs). There are no configurable settings for Rundll32. Help information is provided for a specific DLL you run with the rundll32 command.

Example:
In this case the DLL file is named RehW.txt, and this is a malicious file because no legitimate DLL file (even if renamed to .TXT) should be loaded from one's Documents folder. Thus it is an illegitimate location for a DLL-type file to be loaded from [the VirusTotal report for RehW.txt, which Malwarebytes detects as Trojan.Injector].

Any file can have any name, so we look at the location. If, for example, the file is c:\Windows\system32\rundll32.exe, that's legitimate. However, a malicious file may have the same name but be executed from an illegitimate location like C:\Users\User_Name\AppData\Local\Temp\rundll32.exe; then the chances are this EXE is malicious or, at the very minimum, suspicious.
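As an added example (not code from the original post, nor from Cybereason or Malwarebytes), the hunting heuristics described above, the image-location rule from the RehW.txt answer and the comsvcs.dll MiniDump case, applied to constructed process-creation events; the System32/SysWOW64 legitimate paths, the user-writable folder fragments and all sample PIDs and paths are assumptions:

```python
import re
from dataclasses import dataclass

# Legitimate rundll32.exe locations (assumption: default System32 / SysWOW64 copies).
LEGIT_IMAGES = {r"c:\windows\system32\rundll32.exe",
                r"c:\windows\syswow64\rundll32.exe"}
# Path fragments of user-writable folders: a DLL loaded from here is suspect (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")

@dataclass
class ProcEvent:
    pid: int
    image: str    # full path of the created process
    cmdline: str  # its command line

def dll_argument(cmdline: str) -> str:
    """First argument after the rundll32 image, i.e. the DLL path before ',entry'; '' if absent."""
    parts = re.findall(r'"[^"]*"|\S+', cmdline)  # split on spaces outside quotes
    return parts[1].strip('"').split(",")[0] if len(parts) > 1 else ""

def score_rundll32(ev: ProcEvent) -> list[str]:
    """Return hunting findings for one event; an empty list means unremarkable."""
    findings: list[str] = []
    image = ev.image.lower()
    if not image.endswith("\\rundll32.exe"):
        return findings  # not a rundll32 process at all
    if image not in LEGIT_IMAGES:
        findings.append("rundll32 image outside System32/SysWOW64")
    dll = dll_argument(ev.cmdline).lower()
    if dll and any(m in dll for m in USER_WRITABLE):
        findings.append("DLL loaded from a user-writable folder")
    if dll and not dll.endswith(".dll"):
        findings.append("DLL argument has no .dll extension")
    low = ev.cmdline.lower()
    if "comsvcs.dll" in low and "minidump" in low:
        findings.append("comsvcs.dll MiniDump export: possible LSASS memory dump")
    return findings

def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that produced at least one finding."""
    return {ev.pid: f for ev in events if (f := score_rundll32(ev))}

# Constructed sample events, not real telemetry; PIDs and paths are made up.
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(5512, r"C:\Windows\System32\rundll32.exe", r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\Documents\RehW.txt,DllMain'),
    ProcEvent(6188, r"C:\Users\bob\AppData\Local\Temp\rundll32.exe", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\sample.dll,Start"),
    ProcEvent(7001, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDumpW 812 C:\Users\Public\out.bin full"),
]
```

Run `hunt(SAMPLE_EVENTS)` to get a PID-keyed dict of findings; the legitimate shell32.dll Control Panel invocation yields none, the other three each yield at least one.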

Lately, I've been noticing my computer slowing down until it freezes completely, allowing only mouse movement and no other interaction (until eventually, sometimes, the mouse freezes too). Having a look around, I've noticed this happens when a massive number of rundll32.exe processes suddenly activate at the same time. This usually happens just a few minutes after startup; however, it occasionally doesn't happen at all.

After a fair amount of research, coming to assume this is a virus, I've run full scans with both my antivirus (Immunet) and Malwarebytes, and quarantined any threat found. However, the issue persists. I've also run an sfc scan, which was unable to repair some of the files. The failed output was the following:

Add the Command Line column to Task Manager and look for what's being executed; it may give you a hint. In my case it was a bad Nvidia driver that was not communicating well with the "Sandboxie" application; I had to reinstall it.

My fix was to zip that DLL file, then kill all rundll32.exe processes, then remove the rundll32.exe executable. It fixed the CPU usage problem, although I can't open the GeForce Experience Nvidia app now, not that I need it anyway...

If I want to change the Folder Options and go to start and type Folder, it brings up the Folder that you click on to open the Options, but I get the error. If I go to Control Panel and click on the Folder Options it will open as normal and I can make the change.

I believe that is caused by UAC and how the Admin account is subjected to UAC, per se.
I have done the below to resolve that.
You can also create a shortcut to the area you are blocked from, and it worked that way for me too.
Do a search on rundll32.exe and UAC to see more info about it.

What I noticed is that the rundll32.exe file does not have the verified signature flag like the rest of the system32 files; it is almost as if it were faked. This worried me, because it is very easy to swap system32 files in Windows with any program to which you gave administrator permission (e.g. many setup files).

It appears this is a pretty simple thing. Windows built-in files aren't individually signed with the signature stored in the binary; they use catalogs to store their signatures. See here (it's old but mostly still true): -case-of-the-missing-digital-signatures-tab/
