aDLL : Adventure of Dynamic Link Library

aDLL is a binary analysis tool focused on the automatic discovery of DLL Hijacking vulnerabilities. The tool analyzes the image of the binary loaded in memory to search for DLLs loaded at load-time and makes use of the Microsoft Detours library to intercept calls to the Load Library/Load LibraryEx functions to analyze the DLLs loaded at run-time. The purpose is to obtain a list of DLLs that are not found by the executable in those folders where they are searched.

Getting Started

To start using aDLL a compiled executable is available in the Binaries folder. It is recommended to use the version whose architecture (32-bit or 64-bit) matches the version of the executable to be analyzed.

For the correct functioning of the tool, it is necessary that the DLLs “hook32”, “hook64”, “informer32” and “informer64” are located in the same directory as the executable aDLL.exe.

Prerequisites

aDLL has been developed and tested on Windows 10 systems. If the system is old and/or Visual Studio is not installed, it is possible that the tool will throw an error like “VCRUNTIME140.dll not found”. In this case the Visual C++ Redistributable update must be installed. Update can be found here: https://www.microsoft.com/es-ES/download/details.aspx?id=49984.

Compilation

To modify/recompile the tool it is recommended the use of Visual Studio 2015 or later. The Visual Studio solution consists of three projects: aDLL, Hook e Informer. _ -aDLL: must be compiled as an executable. If linking errors occur, it will be necessary to add the shlwapi.lib library using the Visual Studio linker as an additional dependency._ _ -Hook: must be compiled as a DLL with the same architecture as the executable to be analyzed. The resulting Hook file must be renamed to hook32.dll or hook64.dll as appropriate. If you wish to analyze executables of both architectures it will be necessary to have both DLLs in the same directory as aDLL.exe._ _ -Informer: same as Hook. Must be compiled as a DLL and renamed to informer32.dll or informer64.dll._

Usage

The tool has a -h option to print a brief description of the available options on the screen..

.\aDLL -h

As a common example of usage aDLL should receive at least the path to the executable to be analyzed.

.\aDLL -e “C:\System32\notepad.exe”

OPTIONS:

-h Displays the tool’s help with a brief description of each option.
-e Specifies the path to the executable to be analyzed by aDLL.
-t Specifies a path to a text file with a list of executable paths.
-o Specifies a path to a directory in which a report will be stored for each executable scanned.
-m Searches for the executable’s manifest and displays it on the screen. aDLL searches for the manifest embedded in the binary, it will not find the manifest if it exists as an external file.
-w Defines the number of seconds the executable process will be kept open while searching for DLLs loaded at runtime. The default time is 20 seconds.
-aDLL will automatically test if a malicious DLL is executed by impersonating the legitimate DLL in the search order if a candidate DLL has been found.
-d Used in conjunction with the -a option, this option allows you to select a path to a DLL that will be used as the malicious DLL.
-r Each DLL imported by the executable can in turn import other DLLs as dependencies. A search “n” times recursive will be made on all those DLLs found by aDLL that are not redirected (ApiSetSchema or WinSxS) and do not belong to the list of Known DLL of the system.