Didier Stevens

Monday 8 February 2010

Excel with cmd.dll & regedit.dll

Filed under: Hacking, My Software — Didier Stevens @ 21:17

I modified the source code of ReactOS' cmd and regedit for the following trick:

Let me summarize how I did this, as this is the combined result of several techniques I blogged about before.

You can download regedit.dll here and the new version of cmd.dll with the DLL command here. The DLL command I added allows you to load a DLL either with LoadLibrary or directly into memory (/m option). When loaded with LoadLibrary, the library is unloaded again with FreeLibrary as soon as the command returns, unless you use option /k to keep it loaded (which you need when the DLL starts threads that must keep running after the command returns).

The DLL command assumes that your DLLs do their work from the DllMain entry-point when they get loaded (on DLL_PROCESS_ATTACH); it does not call any exported function itself.

15 Comments »

  1. [...] Excel with cmd.dll & regedit.dll – didierstevens.com Stevens modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll. [...]

    Pingback by Week 6 in Review – 2010 | Infosec Events — Monday 15 February 2010 @ 6:04

  2. [...] My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 shellcode with a C-compiler. You can [...]

    Pingback by MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tuesday 16 February 2010 @ 0:41

  3. That is pretty neat – an attacker can hide processes. Can you launch programs with admin privileges?

    Comment by Tom — Thursday 18 February 2010 @ 13:33

  4. Assuming you run under a LUA? No, you need to exploit an elevation vulnerability to achieve this.

    Comment by Didier Stevens — Thursday 18 February 2010 @ 16:55

  5. [...] a DLL and embedded it with my memory loading shellcode into Excel macros (the same technique as I developed for cmd.dll and regedit.dll). I imagine that a simple game like Solitaire in Excel can go viral inside a company, when you know [...]

    Pingback by Frisky Solitaire – Another Info Stealer « Didier Stevens — Tuesday 9 March 2010 @ 0:01

  6. Cool stuff. Is the regedit in godmode (admin)?

    Comment by sgt Pepper — Friday 19 March 2010 @ 16:17

  7. @sgt Pepper Regedit.dll and cmd.dll run inside the Excel process with new threads. Provided Excel runs under the (elevated) Admin account, regedit will too.

    Comment by Didier Stevens — Friday 19 March 2010 @ 16:36

  8. [...] and wscript.exe? It's also worth mentioning that even after you have done the above, it is still very easy to bypass these restrictions via process injection. I reckon a student could easily do this if they [...]

    Pingback by Prevent Files With These Extensions Running From These Locations... — Sunday 11 July 2010 @ 10:20

  9. [...] to block this DLL with SRP or AppLocker. But now I found out it’s also easy to bypass this, much easier than what I’ve done before. I just have to replace a call to LoadLibrary with a call to LoadLibraryEx, and pass it argument [...]

    Pingback by Circumventing SRP and AppLocker, By Design « Didier Stevens — Monday 24 January 2011 @ 0:04

  10. [...] Remember my Excel with cmd.dll & regedit.dll? [...]

    Pingback by Signed Spreadsheet with cmd.dll & regedit.dll « Didier Stevens — Tuesday 19 April 2011 @ 14:05

  11. Can you please give me an example where I could use this thing? Apart from demonstrating all these techniques, in what situation would this be useful? Keep “wow-ing” us Didier.

    Comment by teo — Thursday 21 April 2011 @ 18:30

  12. @teo I’ve used it in 2 situations:
    1) you administer LUA users, you’ve restricted them from using cmd.exe and/or regedit, and now you need to debug an issue in a LUA context.
    2) cleaning up an infected PC where the malware prevents you from running tools like cmd.exe and regedit.

    Comment by Didier Stevens — Friday 22 April 2011 @ 8:10

  13. Hi There, will you be making your completed spreadsheet with all the macro configuration in it available for download? Great work by the way :)

    Comment by danielweis — Thursday 15 December 2011 @ 22:28

  14. @danielweis A Kiwi neighbor of yours has done that ;-) http://blog.didierstevens.com/2011/04/19/signed-spreadsheet-with-cmd-dll-regedit-dll/

    Comment by Didier Stevens — Thursday 15 December 2011 @ 22:34

  15. [...] Excel with cmd.dll & regedit.dll [...]

    Pingback by Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team — Sunday 1 January 2012 @ 6:53

