- Apr 24, 2016
It is almost unbelievable what can be hidden behind Windows functions and commands. The format command for formatting disks, which has been available at the command prompt for ages, has a side effect: with a certain parameter it can be forced to load an arbitrary DLL, which it then looks up along the DLL search path. I could hardly believe it when this was brought to my attention.
I learned of this from a short post by Grzegorz Tworek on Twitter. The statement in his tweet is: if you pass the name of any DLL, prefixed with the letter U, as the value of the /FS parameter on the command line, that DLL is loaded from the search path.
The format command accepts various parameters, which are described in this Microsoft document. The switch /FS:filesystem specifies the desired file system. According to Microsoft, only the following file systems can be given for formatting via this switch: FAT, FAT32, NTFS, exFAT, ReFS, or UDF.
Grzegorz Tworek has now noticed that there is an undocumented possibility by which, in theory, arbitrary file systems can be used when formatting: all that is needed is a suitable DLL that takes over the formatting. The name of this DLL, prefixed with U, is given as the value of /FS. A command line of the form:
format I: /fs:UMyDll.dll
would then load the library file MyDll.dll and run its code. The DLL is looked up along the usual Windows DLL search path, i.e. the program folder and other folders. With the default (safe) search order this means the directory of the executable (%SystemRoot%\System32 for format.com), the system directories, the current directory and finally the directories listed in PATH; whoever can place a DLL of that name in a writable directory on this path, or controls the current directory from which format is started, controls what gets executed, and it gets executed inside a trusted Windows program. Grzegorz Tworek demonstrated this with his own DLL named Pwning.dll, which simply displays a message box with the word Pwned! There are certainly a few ways in which this can be abused.
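As an added example (not from the original post and not Grzegorz Tworek's code), the following Python snippet shows what a detection rule for this trick could look like: it parses process creation command lines, pulls out the value of the /FS switch and flags any format invocation whose value is not one of the six file systems Microsoft documents. The event records are constructed sample data, and the Sysmon-style field names Image and CommandLine are an assumption.

```python
import re
import shlex

# File systems Microsoft documents for format's /FS switch (compared case-insensitively).
DOCUMENTED_FS = {"FAT", "FAT32", "NTFS", "EXFAT", "REFS", "UDF"}

# Matches a /FS:value or -FS:value token; the value is whatever follows the colon.
FS_SWITCH = re.compile(r"^[/-]fs:(.*)$", re.IGNORECASE)


def fs_argument(command_line):
    """Return the /FS value of a format command line, or None if this is not
    a format invocation or no /FS switch is present."""
    try:
        # posix=False keeps Windows backslash paths and quoted tokens intact.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("format", "format.com"):
        return None
    for tok in tokens[1:]:
        m = FS_SWITCH.match(tok.strip('"'))
        if m:
            return m.group(1).strip('"')
    return None


def is_suspicious(command_line):
    """True when format is started with a /FS value outside the documented set,
    e.g. /fs:UMyDll.dll, which points at a DLL rather than a file system."""
    value = fs_argument(command_line)
    if value is None:
        return False
    return value.upper() not in DOCUMENTED_FS


def triage(events):
    """Return the command lines of all process creation events that look like
    the DLL loading trick. Each event is a dict with Image and CommandLine
    (assumed Sysmon-style field names)."""
    return [ev["CommandLine"] for ev in events if is_suspicious(ev["CommandLine"])]


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\format.com",
     "CommandLine": "format D: /FS:NTFS /Q"},
    {"Image": "C:\\Windows\\System32\\format.com",
     "CommandLine": "format I: /fs:UMyDll.dll"},
    {"Image": "C:\\Windows\\System32\\chkdsk.exe",
     "CommandLine": "chkdsk C: /f"},
    {"Image": "C:\\Windows\\System32\\format.com",
     "CommandLine": '"C:\\Windows\\System32\\format.com" E: /fs:UPwning.dll /y'},
    {"Image": "C:\\Windows\\System32\\format.com",
     "CommandLine": "format F: /fs:exFAT"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("suspicious format call:", line)
```

The rule deliberately allowlists the documented values instead of looking for a leading U, because the DLL name given after the prefix is attacker-chosen; anything that is not one of the six documented file systems deserves a look. Hits should be correlated with an image load event for the named DLL from the same format.com process to confirm that the library was actually picked up from the search path.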