# Executing Code as a Control Panel Item through an Exported Cplapplet Function

This is a quick note that shows how to execute code in a .cpl file, which is a regular DLL file representing a Control Panel item.

The .cpl file needs to export a function `CplApplet` in order to be recognized by Windows as a Control Panel item.

Once the DLL is compiled and renamed to .CPL, it can simply be double clicked and executed like a regular Windows .exe file.

## Code

{% code title="item.cpl" %}

```cpp
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <Windows.h>

//Cplapplet
extern "C" __declspec(dllexport) LONG Cplapplet(
	HWND hwndCpl,
	UINT msg,
	LPARAM lParam1,
	LPARAM lParam2
)
{
	MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
	return 1;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
	{
		Cplapplet(NULL, NULL, NULL, NULL);
	}
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

{% endcode %}

Once the DLL is compiled, we can see our exported function `Cplapplet`:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LrkA_xbW26oB0PzwAuB%2F-LrkCfYWSlA0SE-F9Cbs%2Fimage.png?alt=media\&token=16ab16cd-aa4d-40a0-a744-d2b983cbac77)

## Demo

Below shows that double-clicking the .cpl item is enough to launch it:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LrkA_xbW26oB0PzwAuB%2F-LrkBJ0N_SxV9o7zZMKE%2Fcplexecution.gif?alt=media\&token=d28e3a80-c691-4311-ace0-81ff5a13fe41)

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LrkEDGxWjJNyLsV12mn%2F-LrkGKjLUP72YIdIcUAE%2Fimage.png?alt=media\&token=aa6df764-364b-4265-a1a1-2885c0bf9dc6)

CPL file can also be launched with `control.exe <pathtothe.cpl>` like so:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LrkDLelVcbUGmZWJW7m%2F-LrkDrDA4g0FyE6-g1YP%2Fimage.png?alt=media\&token=9b13d22f-be66-4c3a-8ec4-d1bec558d522)

or with rundll32:

{% code title="attacker\@target" %}

```
rundll32 shell32, Control_RunDLL \\VBOXSVR\Experiments\cpldoubleclick
\cpldoubleclick\Debug\cpldoubleclick.cpl
```

{% endcode %}

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LrkEDGxWjJNyLsV12mn%2F-LrkF4kFelWcedTuQ11R%2Fimage.png?alt=media\&token=763772ea-57ba-47d7-8653-ad3e26614554)

## References

{% embed url="<https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html>" %}

{% embed url="<https://github.com/fireeye/DueDLLigence/blob/master/DueDLLigence/DueDLLigence.cs>" %}

{% embed url="<https://docs.microsoft.com/en-us/windows/win32/shell/using-cplapplet>" %}