What Is Windows Host Process Rundll32


What Is Windows Host Process Rundll32 – Today we introduce a tool from Microsoft, the infamous rundll32.exe, which loads and runs code from DLLs. Adversaries often use it to execute malicious code through a trusted host process, and we explain in detail how that works.

What is Rundll32.exe?

Rundll32.exe is a Microsoft-signed binary used to load dynamic link libraries (DLLs) in Windows. It is native to Windows and ships in 64-bit and 32-bit builds; on a 64-bit system they live at the following locations:

    C:\Windows\System32\rundll32.exe   (64-bit)
    C:\Windows\SysWOW64\rundll32.exe   (32-bit)

Here are the signing details:

Figure 1 – Rundll32.exe signature summary
Figure 2 – Rundll32.exe signature details

On the one hand, rundll32.exe is a Microsoft-signed executable native to all Windows systems. On the other hand, it is a flexible and efficient way to load code into memory, acting as a proxy for that task. Because rundll32.exe is a trusted system binary that default rules usually allow, it can be used to get code past AppLocker and Software Restriction Policies (SRP). Last but not least, rundll32.exe can also be used to dump the memory of processes such as LSASS (Local Security Authority Subsystem Service) in order to obtain credentials, as we will show. For these reasons it is a very interesting and frequently used tool for adversaries who want to execute arbitrary malicious code and dump LSASS memory. The technique is mapped and described in the MITRE ATT&CK Enterprise framework as the Rundll32 sub-technique of Signed Binary Proxy Execution (T1218.011); the defenses it is listed as bypassing are anti-virus, application control and digital certificate validation.

Who is currently abusing Rundll32.exe?

While rundll32.exe has frequent and undeniably legitimate uses, it is also abused by many attackers, from state-aligned groups (APTs) to cybercriminal groups, as a proxy for running malicious code. Some of these are sophisticated operators and still rely on rundll32.exe in their operations. To name a few:

HAFNIUM. A suspected cyberespionage group operating from China that targets US organizations in a variety of sectors, including infectious disease research, law firms, higher education, defense contractors, policy think tanks and NGOs.

APT29 (aka Cozy Bear). A threat group attributed to Russia's Foreign Intelligence Service (SVR) that often targets government networks, research institutions and think tanks in Europe and NATO member states. APT29 reportedly compromised the Democratic National Committee from the summer of 2015 and was responsible for the SolarWinds breach and the resulting supply chain attack in 2020.

Carbanak. An international cybercriminal group that has targeted financial institutions in the Americas, Europe, Asia and the Middle East since at least 2013; among other things it has installed VNC client software that is run through rundll32.

Tools such as Cobalt Strike can also use rundll32.exe to load DLLs from the command line. This list could be much longer, but the point is to summarize the importance, danger and diversity of the groups that depend on rundll32.exe, which is why it is important to understand how it works and how to recognize its abuse.

How does Rundll32.exe work?

Microsoft does not provide detailed information about rundll32.exe, but it documents the following syntax:

Figure 3: Microsoft documentation

The documented syntax is not completely accurate: you must specify an entry point in the DLL, as follows (otherwise nothing happens):

    rundll32.exe <DLL>,<EntryPoint> [arguments]

The DLL can be given as a local path or as a UNC (Universal Naming Convention) path, so it can be located either locally or on a remote share. Even if the named entry point does not exist, the loader first calls the DLL's DllMain function with the DLL_PROCESS_ATTACH reason, so that code runs; only afterwards does rundll32.exe report an error because the entry point is missing.
In fact, rundll32.exe calls the LoadLibraryExW function, which maps the DLL into the virtual address space of the rundll32.exe process and invokes DllMain (the DLL's entry point), as we can see below:

Figure 4 – Rundll32.exe depends on the LoadLibraryExW function.

In the call stack we see the LoadLibraryExW call and the values pushed as its arguments. Look at the prototype of LoadLibraryExW (from libloaderapi.h):

    HMODULE LoadLibraryExW(
        LPCWSTR lpLibFileName, // name of the module file to load
        HANDLE  hFile,         // reserved, must be NULL
        DWORD   dwFlags        // load options; in this example: 8
    );

The parameters are: lpLibFileName, the name of the module file to load; hFile, which is reserved and must be NULL; and dwFlags, the load options. It is possible to map a DLL without calling DllMain (dwFlags = DONT_RESOLVE_DLL_REFERENCES, value 1), but rundll32.exe uses dwFlags = 8, LOAD_WITH_ALTERED_SEARCH_PATH, which does not suppress DllMain. The decompiled code looks like this:

    hLibModule = LoadLibraryExW(/* DLL name taken from the command line */, (HANDLE)0x0, 8 /* LOAD_WITH_ALTERED_SEARCH_PATH */);
    if (hLibModule == (HMODULE)0x0) {
        res = GetLastError();
        if (res == 0xc1) {          // ERROR_BAD_EXE_FORMAT
            // ...
        } else {
            arguments = (LPCWSTR *)0x0;
            dwFlags = 0x1200;       // LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_APPLICATION_DIR
            // ...
        }
        // ...
    }

Note: according to the Microsoft API documentation, when the system calls DllMain with any reason other than DLL_PROCESS_ATTACH, the return value is ignored. If DllMain returns FALSE when called with DLL_PROCESS_ATTACH, the load fails: during process startup the process terminates with an error, and for a LoadLibrary call the function returns NULL and GetLastError provides extended error information.

Can we create a DLL to test it?

Now we create a simple 32-bit C++ DLL called RUNDLL32_TEST.dll that runs calc.exe when DllMain is called with DLL_PROCESS_ATTACH, and we export a custom entry point that runs cmd.exe. Debugging information is shown with a MessageBox:

    #include "pch.h"
    #include <windows.h>

    // Ref.
    // https://docs.microsoft.com/en-us/windows/win32/dlls/dllmain
    // https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-entry-point-function

    // Shows a message box with a prefix and the last Win32 error code.
    static void ShowLastError(LPCTSTR prefix)
    {
        TCHAR msg[128];
        wsprintf(msg, TEXT("%s failed, GetLastError() = %lu"), prefix, GetLastError());
        MessageBox(NULL, msg, TEXT("ERROR"), MB_OK | MB_ICONINFORMATION);
    }

    BOOL APIENTRY DllMain(HMODULE hModule,    // Handle to the DLL module (same as HINSTANCE)
                          DWORD   fdwReason,  // Reason the entry point is being called
                          LPVOID  lpReserved) // Reserved
    {
        STARTUPINFOA si = { sizeof(STARTUPINFOA) };
        PROCESS_INFORMATION pi = { 0 };
        LPCSTR appCalc = "C:\\Windows\\System32\\calc.exe";

        switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            // The process is loading the DLL (called once per process).
            // Returning FALSE here makes the load fail.
            // Start calc.exe as a child process.
            if (!CreateProcessA(appCalc, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
                ShowLastError(TEXT("CreateProcessA()"));
                return FALSE;
            }
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            MessageBox(NULL, TEXT("Hello, DLL attached"), TEXT("Hello!"), MB_OK | MB_ICONINFORMATION);
            break;
        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization
            break;
        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup
            break;
        case DLL_PROCESS_DETACH:
            // The process is unloading the DLL; do any necessary cleanup
            break;
        }
        return TRUE; // Successful DLL_PROCESS_ATTACH
    }

    // Exported function used as the rundll32 entry point. The documented
    // prototype is void CALLBACK Fn(HWND, HINSTANCE, LPSTR, int); a no-argument
    // cdecl function is kept here, as in the test above, because on x86 __stdcall
    // would normally decorate the exported name (_SpecificEntryPoint@16) unless
    // a .def file is used.
    extern "C" __declspec(dllexport) void SpecificEntryPoint()
    {
        MessageBox(NULL, TEXT("Hello from DLL exported function"), TEXT("Hi!"), MB_OK | MB_ICONINFORMATION);

        STARTUPINFOA si = { sizeof(STARTUPINFOA) };
        PROCESS_INFORMATION pi = { 0 };
        LPCSTR appCmd = "C:\\Windows\\System32\\cmd.exe";

        // Start cmd.exe as a child process.
        if (!CreateProcessA(appCmd, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
            ShowLastError(TEXT("CreateProcessA()"));
            return;
        }
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

It is important to note that even when targeting a custom entry point (an exported function), the code inside DllMain for DLL_PROCESS_ATTACH still executes, because the LoadLibraryExW call is made with dwFlags set to LOAD_WITH_ALTERED_SEARCH_PATH rather than DONT_RESOLVE_DLL_REFERENCES. With our DLL, calling SpecificEntryPoint therefore starts two applications (calc.exe and cmd.exe) and shows two message boxes. Finally, note that calling CreateProcess inside DllMain is not good practice: the loader lock is held while DllMain runs, and creating a process may load further DLLs, which can deadlock or crash the application.

Let's play with our DLL.

First, let's run calc.exe (via the DLL_PROCESS_ATTACH branch of DllMain and a fictitious but mandatory entry point):

    rundll32.exe RUNDLL32_TEST.dll, ThisEntryDoesNotExists

This command targets a dummy entry point that the DLL does not export, so only the DllMain code runs (calc.exe starts) and rundll32.exe then complains about the missing entry point, as explained earlier.

Note: without an entry point, even a nonexistent one, the DLL is not loaded at all (despite what the Microsoft documentation suggests).

Now let's use our exported function SpecificEntryPoint to run cmd.exe with the following command:

    rundll32.exe RUNDLL32_TEST.dll, SpecificEntryPoint

The observation we made earlier about LoadLibraryExW matters here: the module is loaded into the calling process (rundll32.exe), so that is where the loaded modules and the thread stack can be inspected. In the process tree, cmd.exe then appears with a non-existent parent, because the rundll32.exe process (PID 1844) that started it has already exited.
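The command-line syntax discussed above (DLL, comma, entry point, optional arguments, with the DLL possibly on a UNC share) and the child processes our test DLL spawns are exactly the traits a defender looks for in process-creation telemetry. The following Python is an added example, not code from the original post: it models that syntax and triages a handful of constructed process-creation events for the traits the text discusses, namely a DLL loaded over a UNC path, a DLL outside the Windows directory, a missing entry point, and rundll32.exe spawning cmd.exe or calc.exe. The sample events, the Windows directory path, the list of flagged child processes and the parsing rules are assumptions; the parser follows the documented syntax rather than rundll32's actual parsing code.

```python
"""Triage of rundll32.exe process-creation events (added example, not from the original post).

The parser models the syntax described in the text, rundll32.exe <DLL>,<EntryPoint> [args],
not the exact parsing logic of rundll32.exe. All events below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

WINDOWS_DIR = "c:\\windows\\"                                      # assumption: default %SystemRoot%
INTERACTIVE_CHILDREN = {"cmd.exe", "calc.exe", "powershell.exe"}   # assumption: children worth flagging


@dataclass
class Invocation:
    dll: str
    entry_point: Optional[str]
    arguments: str


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _take_token(s: str) -> tuple[str, str]:
    """Return (token, remainder); a token is "quoted" or runs up to the next whitespace."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    m = re.match(r"\S*", s)
    return m.group(0), s[m.end():]


def parse_rundll32_cmdline(cmdline: str) -> Optional[Invocation]:
    """Split 'rundll32.exe <DLL>,<EntryPoint> [args]' into its parts.

    The DLL name ends at the first comma or whitespace unless it is quoted; the entry
    point is the next token after any commas and whitespace (so "x.dll, Entry" works,
    as in the text). Returns None when the command line does not start with rundll32.exe.
    """
    image, rest = _take_token(cmdline)
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    rest = rest.lstrip()
    if rest.startswith('"'):
        dll, rest = _take_token(rest)
    else:
        m = re.match(r"[^,\s]*", rest)
        dll, rest = m.group(0), rest[m.end():]
    entry, rest = _take_token(rest.lstrip(", "))
    return Invocation(dll, entry or None, rest.strip())


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {rundll32 pid: [reasons]} for invocations that deserve a closer look."""
    findings: dict[int, list[str]] = {}
    rundll32_pids = set()
    for e in events:
        if ntpath.basename(e.image).lower() != "rundll32.exe":
            continue
        inv = parse_rundll32_cmdline(e.cmdline)
        if inv is None:
            continue
        rundll32_pids.add(e.pid)
        reasons: list[str] = []
        dll = inv.dll.lower()
        if dll.startswith("\\\\"):
            reasons.append("DLL loaded over a UNC path")
        elif ntpath.isabs(dll) and not dll.startswith(WINDOWS_DIR):
            reasons.append("DLL outside the Windows directory")
        if inv.entry_point is None:
            reasons.append("no entry point given")   # per the text, nothing is loaded
        if reasons:
            findings[e.pid] = reasons
    # rundll32.exe is a DLL host; it rarely needs to start interactive tools itself.
    for e in events:
        name = ntpath.basename(e.image).lower()
        if e.ppid in rundll32_pids and name in INTERACTIVE_CHILDREN:
            findings.setdefault(e.ppid, []).append(f"spawned {name} (pid {e.pid})")
    return findings


# Constructed sample events, modelled on the commands used in the text.
EVENTS = [
    ProcEvent(1844, 612, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe RUNDLL32_TEST.dll, SpecificEntryPoint"),
    ProcEvent(1900, 1844, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2000, 612, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(2100, 612, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe \\10.0.0.5\share\payload.dll,Run"),
    ProcEvent(2200, 612, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\stage.dll"),
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The legitimate shell32.dll invocation (PID 2000) produces no finding, while the test DLL (PID 1844) is flagged only because of the cmd.exe it spawned, which is the behaviour our SpecificEntryPoint export produces; in real telemetry the child-process check is the one that survives attackers renaming or relocating the DLL.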
