Merge pull request #22 from giMini/master

Update Shell32.md
master
Oddvar Moe 2018-06-04 07:51:34 +02:00 committed by GitHub
commit 063f634f2c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 2 deletions


@ -5,6 +5,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
# OS LIBRARIES
[Advpack.dll](OSLibraries/Advpack.md)
[Desk.cpl.dll](OSLibraries/Desk.cpl.md)
[Ieadvpack.dll](OSLibraries/Ieadvpack.md)
[Ieframe.dll](OSLibraries/Ieframe.md)
[Mshtml.dll](OSLibraries/Mshtml.md)
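Review bot: the new index entry `[Desk.cpl.dll](OSLibraries/Desk.cpl.md)` links to `OSLibraries/Desk.cpl.md`, but the file this commit creates is listed as `OSLibraries/Desk.md`, so the link will not resolve. Either rename the new file or point the link at `OSLibraries/Desk.md`. The label `Desk.cpl.dll` also disagrees with the `## Desk.cpl` heading and the `Desk.cpl` paths in the new file; `Desk.cpl` would match them.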

25
OSLibraries/Desk.md Normal file

@ -0,0 +1,25 @@
## Desk.cpl
* Functions: Execute
```
rundll32.exe Desk.cpl,InstallScreenSaver c:\temp\calc.scr
```
Acknowledgements:
* Pierre-Alexandre Braeken - @pabraeken
Resources:
* https://twitter.com/pabraeken/status/998627081360695297
Full path:
```
c:\windows\system32\Desk.cpl
c:\windows\sysWOW64\Desk.cpl
```
Notes:
Detection:
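Review bot: the `Notes:` and `Detection:` headings at the end of the new file are empty, so the entry gives a command line and nothing a defender can act on. Under `Detection:`, say what to look for, for example a `rundll32.exe` command line that references `Desk.cpl,InstallScreenSaver` with a `.scr` path in a user-writable location such as the `c:\temp` used in the example. Under `Notes:`, state what happens to the `.scr` argument, since the tweet under `Resources:` is currently the only explanation and may not stay available.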


@ -5,17 +5,20 @@
```
rundll32.exe shell32.dll,Control_RunDLL payload.dll
rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
rundll32.exe shell32.dll,OpenAs_RunDLL c:\temp\calc.hta
```
Acknowledgements:
* Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL)
* Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL + OpenAs_RunDLL)
Code sample:
*
Resources:
* https://twitter.com/pabraeken/status/991768766898941953
* https://twitter.com/pabraeken/status/998625299976867840
Full path:
```
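Review bot: in the command block, `rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe` appears twice with identical visible text, which reads like a whitespace or line-ending-only rewrite of an existing line; if so, revert it so the diff carries only the new `OpenAs_RunDLL` entry. The `Code sample:` heading is followed by an empty `*` bullet; fill it in or drop the heading. The new `OpenAs_RunDLL c:\temp\calc.hta` line would also benefit from a short note on how it differs from `ShellExec_RunDLL`, because the acknowledgement line is the only place the two are distinguished.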