A CPL file is a Windows DLL with a CPlApplet exported entrypoint, designed to be loaded by the Control Panel (shell32.dll!Control_RunDLL). When a user double-clicks a .cpl, Windows hosts the DLL inside rundll32.exe and calls its CPlApplet dispatch function with init/run messages.
Exploit Builder produces a properly-exported CPL DLL where the CPlApplet handler executes your payload during initialization, presenting either a fake system dialog or silent termination as decoy.
rundll32.exe — Microsoft-signed loader, broadly whitelisted
sysdm.cpl or themes.cpl
Embed-only. Drop in a local PE or shellcode blob — bytes are encrypted into the CPL's resource section and decrypted in-memory at CPL_INIT. CPL does not support remote URL fetch.
Choose icon & metadata: System Properties, Themes, Display, or custom.
Decoy dialog or silent run; sandbox checks; persistence options.
Output: signed-or-unsigned .cpl (x86 or x64) ready for delivery.
Exports the CPlApplet entry handling CPL_INIT, CPL_GETCOUNT, CPL_INQUIRE, CPL_DBLCLK, CPL_STOP, CPL_EXIT messages.
Payload fires on CPL_INIT or CPL_DBLCLK — both occur before any UI is rendered, so the user sees execution context immediately.
Embeds icon + version-info resources matching sysdm.cpl, themes.cpl, desk.cpl, or other selectable system applets.
x86 and x64 builds. x86 runs in WoW64 rundll32; x64 runs in native rundll32. Builder picks based on payload requirements.
Optional fake "Settings cannot be loaded" / "Initializing..." MessageBox so the user perceives a normal-looking failure or progress window.
Per-build randomization: import name re-ordering, string XOR, junk-block injection, ordinal/named export shuffling.
```c
LONG APIENTRY CPlApplet(HWND hWnd, UINT uMsg, LPARAM lp1, LPARAM lp2)
{
    switch (uMsg) {
    case CPL_INIT:
        RunPayload();   // fires before UI
        return 1;
    case CPL_GETCOUNT:
        return 0;       // no applets advertised
    }
    return 0;
}
```
| Output Format | Control Panel Applet (.cpl) — PE/DLL with CPlApplet export |
|---|---|
| Delivery Mode | Local embed only — payload bytes encrypted in the applet's resource section, decrypted in-memory. No URL/stager mode. |
| Architectures | x86 · x64 |
| OS Compatibility | Windows 7 / 8.1 / 10 / 11 |
| Host Process | rundll32.exe shell32.dll,Control_RunDLL |
| Trigger | CPL_INIT (or CPL_DBLCLK) message handling |
| Visual Spoof | Icon & metadata cloning of system applets |
| Decoy | Fake "Initializing"/"Cannot load settings" dialog |
| Anti-Analysis | Cursor activity · Hostname filter · Sleep skewing · Sandbox detection |
| Polymorphism | Exports · String XOR · Junk-blocks · Resource layout |
Validate detection rules for rundll32.exe spawning unusual child processes, or for non-system DLLs that export a CPlApplet entrypoint.
Targeted at admin/IT recipients used to interacting with Control Panel applets; very high trust signal.
Demonstrate that "settings files" can be just as dangerous as executables.
Many sandboxes don't fully execute the CPlApplet dispatch. Use to measure detonation depth.
Reproduce TTPs from campaigns leveraging .cpl initial access (notably observed in LATAM banking trojans).
Bundle inside .zip, .iso, or .img to bypass MOTW where applicable.
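The detection conditions named above (rundll32.exe spawning unusual children, applets that are not system DLLs), sketched over process-creation telemetry as an added example that is not part of the original page or the product. The events are constructed, field names follow Sysmon Event ID 1, the applet path on the command line stands in for the export check, and the `C:\Windows` location and the `expected_children` allow-list are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Assumption: Windows is installed under C:\Windows; adjust for your fleet.
SYSTEM_DIRS = {PureWindowsPath(r"c:\windows\system32"),
               PureWindowsPath(r"c:\windows\syswow64")}
# Applet path handed to shell32's Control_RunDLL, quoted or bare.
CPL_ARG = re.compile(r'control_rundll\w*\s+(?:"([^"]+\.cpl)"|(\S+?\.cpl))', re.I)

def basename(image):
    return PureWindowsPath((image or "").lower()).name

def cpl_path(image, cmdline):
    """Return the .cpl path a rundll32.exe command line loads, else None."""
    if basename(image) != "rundll32.exe":
        return None
    m = CPL_ARG.search(cmdline or "")
    return (m.group(1) or m.group(2)) if m else None

def outside_system_dir(path):
    parent = PureWindowsPath(path.lower()).parent
    # A bare file name has no directory to judge, so only explicit paths are flagged.
    return parent != PureWindowsPath(".") and parent not in SYSTEM_DIRS

def detect(events, expected_children=frozenset()):
    """Return (rule, detail) pairs for matching process-creation events."""
    hits = []
    for ev in events:
        loaded = cpl_path(ev.get("Image"), ev.get("CommandLine"))
        if loaded and outside_system_dir(loaded):
            hits.append(("cpl_outside_system_dir", loaded))
        hosted = cpl_path(ev.get("ParentImage"), ev.get("ParentCommandLine"))
        if hosted and basename(ev.get("Image")) not in expected_children:
            hits.append(("cpl_host_spawned_child", ev.get("Image")))
    return hits

# Constructed sample events (not taken from the page).
RUN = r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL '
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": RUN + r'"C:\Windows\System32\sysdm.cpl",'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": RUN + r'"C:\Users\alice\Downloads\themes.cpl",'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": RUN + r'"C:\Users\alice\Downloads\themes.cpl",'},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Populate `expected_children` from a baseline of what legitimate applets launch in your environment before alerting on the second rule.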
All tiers include unlimited builds (x86 + x64), every visual spoof, full polymorphism engine, and updates within the term.