A forum for reverse engineering, OS internals and malware analysis 

 #19022  by Vrtule
 Sun Apr 21, 2013 10:13 am
Hello,

I know that the Rundll32 program allows anybody to execute a function exported by a dynamic link library (DLL). The syntax of the command is the following:
Code:
RunDll32 <DllName>,<FunctionName> <StringsPassedToTheDll>
I thought the DllName argument must point to a valid dynamic link library file. However, I recently found a RunDll32 command where the argument pointed to a binary file. The binary file contained only a number written as a Unicode (wide character) string.

Does anybody have any information about using RunDll32 with this "type" of RunDll argument?

Thanks in advance
 #19024  by EP_X0FF
 Sun Apr 21, 2013 1:15 pm
Example of command and file content.
 #19026  by Vrtule
 Sun Apr 21, 2013 2:39 pm
Hello,

the command is:
Code:
rundll32 C:\Users\Martin\AppData\Roaming\PkgMgrr.dll,Okheh
and the content of the PkgMgrr.dll file is (in hex):
Code:
00: 31 00 33 00 31 00 33 00 39 00 31 00 34 00 30 00 
10: 33 00 39 00
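
Added example (not part of the original posts): a small triage script that parses the hex dump exactly as posted above, checks whether the bytes form a PE image, and decodes them as UTF-16LE text. The function names and the minimal PE check are assumptions made for this illustration.

```python
import struct

# Hex dump copied from the post above (offset prefix, then byte values).
POSTED_DUMP = """\
00: 31 00 33 00 31 00 33 00 39 00 31 00 34 00 30 00
10: 33 00 39 00
"""

def parse_hex_dump(dump: str) -> bytes:
    """Turn 'offset: xx xx ...' lines into raw bytes, validating offsets."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset, _, body = line.partition(":")
        if int(offset, 16) != len(data):
            raise ValueError(f"offset {offset} does not match {len(data):#x}")
        data += bytes.fromhex(body)
    return bytes(data)

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def decode_wide_text(data: bytes):
    """Return the text if data is printable UTF-16LE, otherwise None."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def triage(data: bytes) -> dict:
    """Summarise what a file passed to rundll32 actually contains."""
    return {
        "size": len(data),
        "is_pe": looks_like_pe(data),
        "wide_text": decode_wide_text(data),
    }

if __name__ == "__main__":
    print(triage(parse_hex_dump(POSTED_DUMP)))
```
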