This repository was archived by the owner on Mar 30, 2026. It is now read-only.
38 changes: 38 additions & 0 deletions techniques/System Binary Proxy Execution: Rundll32/README.md
@@ -0,0 +1,38 @@
# Technique Name: System Binary Proxy Execution: Rundll32

## Author Information: Dino Dunn

- Nickname: Dino
- First Name: Dino
- Last Name: Dunn
- GitHub: https://github.com/db0109
- LinkedIn: https://www.linkedin.com/in/dino-dunn-cyber/

## Technique Information

- Technique Category: Defense Evasion [MITRE]/ System Binary Proxy Execution Rundll32
- Technique Tags: #Defense Evasion #rundll32.exe {DLLname DLLfunction}
- Technique General Detail: Adveraries abused rundll32.exe to proxy executtion of malicious code, the goal is to bypass security tools by utilizing a legitimate process. for our example we will run a simple .dll file that displays an Ascii cat as a proof of concept.

```
> Utilizing RunDLL32.exe a trusted windows binary, attackers are able to execute code within a potentially malicious .dll file. This can allow attackers to bypass security tools as it is being run with a trusted windows binary.

~Markdown Supported~
```rundll32.exe evil.dll, run'''

* Technique Platform Specific Detail: Optional

@Windows:
```
> Start with creating a .dll file with malicious code in it. Our example .dll file is going to produce an Ascii cat but can be used for any number of malicious purpouses.

~Markdown Supported~
```


- [Resource 1]https://github.com/PacktPublishing/Malware-Development-for-Ethical-Hackers/blob/main/chapter01/04-pefile-exe-dll/hack4.c (You can find a precompiled version of the file here if you don't want to compile it https://github.com/PacktPublishing/Malware-Development-for-Ethical-Hackers/blob/main/chapter02/01-traditional-injection/evil.dll)
- [Resource 2]https://hadess.io/system-binary-proxy-execution/
- ...
- [Resource n]https://attack.mitre.org/techniques/T1218/011/
- [Resource 4] rundll32.exe evil.dll, run

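Review bot: the Markdown in this hunk will not render as intended: the fence opened just above "> Utilizing RunDLL32.exe" is never closed, the command fence ends with `'''` instead of a backtick fence (`rundll32.exe evil.dll, run'''`), and the `@Windows:` fence swallows the platform detail, so most of the README displays as raw code. Close each fence, drop the `~Markdown Supported~` template placeholders and the `- ...` entry, and use one list marker (`-` or `*`) throughout. The documented command `rundll32.exe evil.dll, run` names an export `run`, but the hack4.c added in this change defines only `DllMain`, so the README should state where the message box actually comes from (the `DLL_PROCESS_ATTACH` case) or be aligned with the DLL that is meant to be run; it also says the DLL "displays an Ascii cat" while the code shows a message box titled `=^..^=`. The resource links are written as `[Resource 1]https://...` without parentheses around the URL, so they will not be clickable, and `[Resource 4] rundll32.exe evil.dll, run` is a command line, not a resource. Typos: "Adveraries", "executtion", "purpouses"; "for our example" should start with a capital letter.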
Binary file not shown.
28 changes: 28 additions & 0 deletions techniques/System Binary Proxy Execution: Rundll32/hack4.c
@@ -0,0 +1,28 @@
/*
* Malware Development for Ethical Hackers
* hack4.c
* simple DLL
* author: @cocomelonc
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE moduleHandle, DWORD actionReason, LPVOID reservedPointer) {
switch (actionReason) {
case DLL_PROCESS_ATTACH:
MessageBox(
NULL,
"Hello from evil.dll!",
"=^..^=",
MB_OK
);
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
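Review bot: calling `MessageBox` from `DllMain` in the `DLL_PROCESS_ATTACH` case executes user32 code while the loader lock is held, which Microsoft's DllMain guidance warns against (only a small set of kernel32 calls is considered safe there); it usually works for a lab sample, but a comment should say why it is done this way, and the safer layout keeps `DllMain` to `return TRUE;` and moves the UI call into a separately exported function. That would also resolve the mismatch with the README in this same change: this file exports nothing named `run`, so `rundll32.exe evil.dll, run` shows the message box during load and then rundll32 reports that the entry point could not be found. `#pragma comment (lib, "user32.lib")` is honoured by MSVC only; if the DLL is built with MinGW/GCC, the README or a comment should give the link flag (`-luser32`) and the `-shared` build line. The empty `DLL_PROCESS_DETACH` and `DLL_THREAD_*` cases can be dropped to shorten the switch, and the unused `moduleHandle` and `reservedPointer` parameters should be marked unused to avoid compiler warnings.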