Db0109 system binary proxy execution rundll32 (improved)

[db0109]

No description provided.

[fr0gger]

Hi, thank you for your contribution. Rundll32.exe is designed to call a function explicitly exported from a DLL. However, in your current implementation, there is no exported function, only DllMain. Additionally, the code does not demonstrate any features typically exploited by malware.

While your code might technically work, it does not showcase practical value as it stands.

Here are some suggestions for improvement:

• Modify your DLL to include an exported function.
• Use an ordinal reference to call the function instead of its name.
• Study real-world malware examples, such as NotPetya, which has been thoroughly documented. (you can even get the code or reproduce the code from this malware.)

I hope this feedback is helpful, and we look forward to see your next iteration. 😊

[DarkCoderSc]

Hi, thank you for your contribution. Rundll32.exe is designed to call a function explicitly exported from a DLL. However, in your current implementation, there is no exported function, only DllMain. Additionally, the code does not demonstrate any features typically exploited by malware.

While your code might technically work, it does not showcase practical value as it stands.

Here are some suggestions for improvement:

• Modify your DLL to include an exported function.
• Use an ordinal reference to call the function instead of its name.
• Study real-world malware examples, such as NotPetya, which has been thoroughly documented. (you can even get the code or reproduce the code from this malware.)

I hope this feedback is helpful, and we look forward to see your next iteration. 😊

I just added a snippet demonstrating the definition and usage of an exported function via rundll32 : https://unprotect.it/snippet/system-binary-proxy-execution-rundll32/240/

OP, feel free to port to your favorite language(s)