Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… so that you can come back to it one day.

For CompatTelRunner.exe this day is today.

When I looked at this program a few years ago I saw it has a great LOLBIN potential. It takes two arguments -m for module, and -f for exported API function name. Nothing could be better than that, right?

You just invoke:

CompatTelRunner.exe -m:foo.dll -f:bar

and it will load foo.dll and call the bar api!

The problem is that programmers of this tool anticipated this sort of abuse and built-in some code to block it, and:

• made sure the DLLs are loaded from the system directory, and
• path to the system directory is retrieved via GetSystemDirectory API, and
• they also check the -m argument is one of:
  • appraiser.dll
  • generaltel.dll
  • invagent.dll
  • devinv.dll
  • aeinv.dll
  • aepic.dll
  • pcasvc.dll, and
• finally they also check the -f argument is one of:
  • DoScheduledTelemetryRun
  • UpdateAvStatus
  • RunGeneralTelemetry
  • DoCensusRun
  • RunInUserCxtW
  • RunUpdate
  • GetFileSigningInfo
  • CreateDeviceInventory
  • UpdateSoftwareInventoryW
  • UpdateSoftwareInventory
  • GetCITData
  • QueryEncapsulationSettings

Bummer.

Today it crossed my mind that I never checked if we can find these DLLs in both System32 and SysWOW64 directories. I hypothesized that maybe one of the 32-bit ones is missing and we could place our own there. I quickly checked and found out far more than I anticipated – from the list of all .exe and .dll listed above I could only find the following:

• \Windows\System32\CompatTelRunner.exe
• \Windows\System32\appraiser.dll
• \Windows\System32\generaltel.dll
• \Windows\System32\invagent.dll
• \Windows\System32\devinv.dll
• \Windows\System32\aeinv.dll
• \Windows\System32\aepic.dll
• \Windows\System32\pcasvc.dll
• \Windows\SysWOW64\aepic.dll

As you can see, almost none of these allowed DLLs are present in the SysWow64 directory. And, there is no sign of 32-bit CompatTelRunner.exe either.

Since…

I decided to borrow one from 32-bit version of Windows 10 and placed it in c:\test. I then created my test c:\WINDOWS\SysWOW64\appraiser.dll and ran:

CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun

Once my test 32-DLL got loaded, I could see its debug message in Debug View:

It’s nothing groundbreaking and I abused subtle differences between Syswow64 and System32 many times before it’s still fun to discover more of them over and over again.